web-agent-bridge 3.0.0 → 3.2.0

package/server/routes/universal.js

@@ -11,7 +11,15 @@ const express = require('express');
 const router = express.Router();
 const scraper = require('../services/universal-scraper');
 const priceIntel = require('../services/price-intelligence');
-const fairness = require('../services/fairness-engine');
+let fairness;
+try { fairness = require('../services/fairness-engine'); } catch {
+  fairness = {
+    calculateFairnessScore: () => ({ score: 0, label: 'unrated' }),
+    rankWithFairness: (_items) => _items,
+    detectDarkPatterns: () => [],
+    getTopFairSites: () => []
+  };
+}
 
 // ─── POST /api/universal/extract ─────────────────────────────────────
 // Extract prices/products from a URL (server-side fetch)

package/server/routes/wab-api.js

@@ -14,12 +14,22 @@ const { findSiteById, findSiteByLicense, recordAnalytic, db } = require('../mode
 const { broadcastAnalytic } = require('../ws');
 const { wabAuthenticateLimiter, wabActionLimiter, searchLimiter } = require('../middleware/rateLimits');
 const { auditLog } = require('../services/security');
-const {
-  calculateNeutralityScore,
-  fairnessWeightedSearch,
-  getDirectoryListings,
-  generateFairnessReport
-} = require('../services/fairness');
+
+// Fairness module is proprietary — provide stubs when not available
+let calculateNeutralityScore, fairnessWeightedSearch, getDirectoryListings, generateFairnessReport;
+try {
+  ({
+    calculateNeutralityScore,
+    fairnessWeightedSearch,
+    getDirectoryListings,
+    generateFairnessReport
+  } = require('../services/fairness'));
+} catch {
+  calculateNeutralityScore = () => ({ score: 0, label: 'unrated' });
+  fairnessWeightedSearch = (_q, candidates) => candidates;
+  getDirectoryListings = () => [];
+  generateFairnessReport = () => ({ status: 'unavailable' });
+}
 
 const WAB_VERSION = '1.2.0';
 const PROTOCOL_VERSION = '1.0';

package/server/services/api-key-engine.js

@@ -0,0 +1,261 @@
+/**
+ * WAB API Key Engine
+ * Authentication, authorization, rate limiting, and quota management
+ * for all WAB advanced modules.
+ *
+ * Powered by WAB — Web Agent Bridge
+ * https://www.webagentbridge.com
+ */
+
+'use strict';
+
+const crypto = require('crypto');
+
+// ─── Plan Definitions ─────────────────────────────────────────────────────────
+const PLANS = {
+  FREE: {
+    name: 'Free',
+    price_usd: 0,
+    requests_per_day: 100,
+    requests_per_minute: 10,
+    modules_allowed: ['dark-pattern', 'price', 'protocol', 'bounty'],
+    features: {
+      agent_firewall: false, notary: false, dark_pattern: true,
+      collective_bargaining: false, gov_intelligence: false,
+      price_time_machine: true, neural: false, protocol: true,
+      bounty: true, affiliate: false,
+    },
+    support: 'community',
+    data_retention_days: 7,
+  },
+  PRO: {
+    name: 'Pro',
+    price_usd: 29,
+    requests_per_day: 10000,
+    requests_per_minute: 100,
+    modules_allowed: ['agent-firewall', 'dark-pattern', 'neural', 'bounty', 'affiliate', 'protocol', 'price', 'bargaining'],
+    features: {
+      agent_firewall: true, notary: false, dark_pattern: true,
+      collective_bargaining: true, gov_intelligence: false,
+      price_time_machine: true, neural: true, protocol: true,
+      bounty: true, affiliate: true,
+    },
+    support: 'email',
+    data_retention_days: 90,
+  },
+  BUSINESS: {
+    name: 'Business',
+    price_usd: 149,
+    requests_per_day: 100000,
+    requests_per_minute: 500,
+    modules_allowed: ['all'],
+    features: {
+      agent_firewall: true, notary: true, dark_pattern: true,
+      collective_bargaining: true, gov_intelligence: true,
+      price_time_machine: true, neural: true, protocol: true,
+      bounty: true, affiliate: true,
+    },
+    support: 'priority',
+    data_retention_days: 365,
+  },
+  ENTERPRISE: {
+    name: 'Enterprise',
+    price_usd: null,
+    requests_per_day: Infinity,
+    requests_per_minute: Infinity,
+    modules_allowed: ['all'],
+    features: {
+      agent_firewall: true, notary: true, dark_pattern: true,
+      collective_bargaining: true, gov_intelligence: true,
+      price_time_machine: true, neural: true, protocol: true,
+      bounty: true, affiliate: true,
+    },
+    support: 'dedicated',
+    data_retention_days: Infinity,
+    custom_sla: true,
+    on_premise: true,
+  },
+  INTERNAL: {
+    name: 'Internal',
+    price_usd: 0,
+    requests_per_day: Infinity,
+    requests_per_minute: Infinity,
+    modules_allowed: ['all'],
+    features: Object.fromEntries(
+      ['agent_firewall','notary','dark_pattern','collective_bargaining','gov_intelligence',
+       'price_time_machine','neural','protocol','bounty','affiliate'].map(k => [k, true])
+    ),
+    support: 'internal',
+    data_retention_days: Infinity,
+  },
+};
+
+const keyStore = new Map();
+const usageStore = new Map();
+const rateLimitStore = new Map();
+
+class WABKeyEngine {
+  constructor() {
+    this.internalKey = this._seedInternalKeys();
+  }
+
+  _seedInternalKeys() {
+    const internalKey = 'wab_internal_' + crypto.randomBytes(16).toString('hex');
+    keyStore.set(internalKey, {
+      key: internalKey, key_id: 'kid_internal_001', plan: 'INTERNAL',
+      owner: 'WAB Core Team', email: 'dev@webagentbridge.com',
+      environment: 'internal', created_at: new Date().toISOString(),
+      last_used: null, active: true, scopes: ['*'],
+    });
+    return internalKey;
+  }
+
+  generateKey(options = {}) {
+    const { plan = 'FREE', owner, email, environment = 'live', scopes = [], metadata = {} } = options;
+    if (!PLANS[plan]) throw new Error(`Invalid plan: ${plan}`);
+    if (!owner) throw new Error('owner is required');
+    if (!email) throw new Error('email is required');
+
+    const planPrefix = plan.toLowerCase().substring(0, 3);
+    const randomPart = crypto.randomBytes(20).toString('hex');
+    const apiKey = `wab_${environment}_${planPrefix}_${randomPart}`;
+    const keyId = 'kid_' + crypto.randomBytes(8).toString('hex');
+    const webhookSecret = 'whsec_' + crypto.randomBytes(24).toString('hex');
+
+    const keyRecord = {
+      key: apiKey, key_id: keyId, plan, plan_details: PLANS[plan],
+      owner, email, environment,
+      created_at: new Date().toISOString(),
+      expires_at: plan === 'FREE' ? new Date(Date.now() + 365 * 86400000).toISOString() : null,
+      last_used: null, active: true,
+      scopes: scopes.length > 0 ? scopes : this._defaultScopes(plan),
+      webhook_secret: webhookSecret, metadata, total_requests: 0,
+    };
+
+    keyStore.set(apiKey, keyRecord);
+    usageStore.set(apiKey, { today: 0, this_month: 0, total: 0, by_module: {}, by_day: {}, last_reset: new Date().toDateString() });
+
+    return {
+      api_key: apiKey, key_id: keyId, webhook_secret: webhookSecret, plan,
+      plan_details: { name: PLANS[plan].name, requests_per_day: PLANS[plan].requests_per_day, requests_per_minute: PLANS[plan].requests_per_minute, modules_allowed: PLANS[plan].modules_allowed },
+      created_at: keyRecord.created_at, expires_at: keyRecord.expires_at,
+    };
+  }
+
+  validate(apiKey, module = null) {
+    if (!apiKey) return { valid: false, error: 'API key is required', code: 'MISSING_KEY' };
+    const record = keyStore.get(apiKey);
+    if (!record) return { valid: false, error: 'Invalid API key', code: 'INVALID_KEY' };
+    if (!record.active) return { valid: false, error: 'API key has been revoked', code: 'REVOKED_KEY' };
+    if (record.expires_at && new Date(record.expires_at) < new Date()) {
+      return { valid: false, error: 'API key has expired', code: 'EXPIRED_KEY' };
+    }
+
+    if (module) {
+      const plan = PLANS[record.plan];
+      const hasAccess = plan.modules_allowed.includes('all') || plan.modules_allowed.includes(module);
+      if (!hasAccess) {
+        return { valid: false, error: `Module '${module}' not available on ${plan.name} plan`, code: 'INSUFFICIENT_PLAN',
+          upgrade_url: 'https://www.webagentbridge.com/#pricing', current_plan: plan.name, required_plan: this._getMinPlanForModule(module) };
+      }
+    }
+
+    const rateCheck = this._checkRateLimit(apiKey, record.plan);
+    if (!rateCheck.allowed) {
+      return { valid: false, error: 'Rate limit exceeded', code: 'RATE_LIMIT_EXCEEDED', retry_after_seconds: rateCheck.retry_after, limit: rateCheck.limit };
+    }
+
+    const usage = usageStore.get(apiKey);
+    this._resetDailyIfNeeded(apiKey, usage);
+    const plan = PLANS[record.plan];
+    if (usage.today >= plan.requests_per_day) {
+      return { valid: false, error: 'Daily quota exceeded', code: 'QUOTA_EXCEEDED', used: usage.today, limit: plan.requests_per_day, upgrade_url: 'https://www.webagentbridge.com/#pricing' };
+    }
+
+    this._recordUsage(apiKey, module);
+    return { valid: true, key_id: record.key_id, plan: record.plan, plan_name: plan.name, owner: record.owner, environment: record.environment, features: plan.features,
+      usage: { today: usage.today + 1, limit_today: plan.requests_per_day, remaining_today: plan.requests_per_day - usage.today - 1 } };
+  }
+
+  revoke(apiKey, reason = 'user_request') {
+    const record = keyStore.get(apiKey);
+    if (!record) return { success: false, error: 'Key not found' };
+    record.active = false; record.revoked_at = new Date().toISOString(); record.revoke_reason = reason;
+    return { success: true, message: 'Key revoked', revoked_at: record.revoked_at };
+  }
+
+  rotate(oldKey) {
+    const record = keyStore.get(oldKey);
+    if (!record) return { success: false, error: 'Key not found' };
+    this.revoke(oldKey, 'rotation');
+    return { success: true, ...this.generateKey({ plan: record.plan, owner: record.owner, email: record.email, environment: record.environment, metadata: { ...record.metadata, rotated_from: record.key_id } }) };
+  }
+
+  getUsage(apiKey) {
+    const record = keyStore.get(apiKey);
+    if (!record) return { error: 'Key not found' };
+    const usage = usageStore.get(apiKey) || {};
+    this._resetDailyIfNeeded(apiKey, usage);
+    const plan = PLANS[record.plan];
+    return { key_id: record.key_id, plan: record.plan, plan_name: plan.name, today: usage.today, this_month: usage.this_month, total: usage.total,
+      limit_per_day: plan.requests_per_day, limit_per_minute: plan.requests_per_minute, remaining_today: Math.max(0, plan.requests_per_day - usage.today),
+      by_module: usage.by_module, last_used: record.last_used, created_at: record.created_at };
+  }
+
+  listKeys(adminKey) {
+    const adminRecord = keyStore.get(adminKey);
+    if (!adminRecord || adminRecord.plan !== 'INTERNAL') return { error: 'Admin access required' };
+    return { total: keyStore.size, keys: Array.from(keyStore.values()).map(r => ({
+      key_id: r.key_id, plan: r.plan, owner: r.owner, email: r.email, environment: r.environment, active: r.active,
+      created_at: r.created_at, last_used: r.last_used, total_requests: r.total_requests || 0 })) };
+  }
+
+  getPlans() {
+    return Object.entries(PLANS).filter(([k]) => k !== 'INTERNAL').map(([key, plan]) => ({
+      id: key, name: plan.name, price_usd: plan.price_usd, requests_per_day: plan.requests_per_day,
+      requests_per_minute: plan.requests_per_minute, features: plan.features, support: plan.support }));
+  }
+
+  _checkRateLimit(apiKey, plan) {
+    const limit = PLANS[plan].requests_per_minute;
+    if (limit === Infinity) return { allowed: true };
+    const now = Date.now(); const window = 60000;
+    const rl = rateLimitStore.get(apiKey) || { count: 0, windowStart: now };
+    if (now - rl.windowStart > window) { rl.count = 0; rl.windowStart = now; }
+    if (rl.count >= limit) { return { allowed: false, retry_after: Math.ceil((rl.windowStart + window - now) / 1000), limit }; }
+    rl.count++; rateLimitStore.set(apiKey, rl);
+    return { allowed: true };
+  }
+
+  _recordUsage(apiKey, module) {
+    const record = keyStore.get(apiKey); const usage = usageStore.get(apiKey);
+    const today = new Date().toISOString().split('T')[0];
+    usage.today++; usage.this_month++; usage.total++;
+    if (module) usage.by_module[module] = (usage.by_module[module] || 0) + 1;
+    usage.by_day[today] = (usage.by_day[today] || 0) + 1;
+    record.last_used = new Date().toISOString();
+    record.total_requests = (record.total_requests || 0) + 1;
+  }
+
+  _resetDailyIfNeeded(apiKey, usage) {
+    const today = new Date().toDateString();
+    if (usage.last_reset !== today) { usage.today = 0; usage.last_reset = today; usageStore.set(apiKey, usage); }
+  }
+
+  _defaultScopes(plan) {
+    if (plan === 'FREE') return ['read'];
+    if (plan === 'PRO') return ['read', 'write'];
+    return ['read', 'write', 'admin'];
+  }
+
+  _getMinPlanForModule(module) {
+    const map = { 'agent-firewall': 'PRO', 'notary': 'BUSINESS', 'dark-pattern': 'FREE', 'bargaining': 'PRO', 'gov': 'BUSINESS', 'price': 'FREE', 'neural': 'PRO', 'protocol': 'FREE', 'bounty': 'FREE', 'affiliate': 'PRO' };
+    return map[module] || 'PRO';
+  }
+
+  _nextMidnight() {
+    const d = new Date(); d.setDate(d.getDate() + 1); d.setHours(0, 0, 0, 0); return d.toISOString();
+  }
+}
+
+module.exports = { WABKeyEngine, PLANS };

package/server/services/lfd.js

@@ -277,11 +277,10 @@ class RecipeExecutor {
       errors: [],
     };
 
-    // Variable substitution in steps
+    // Variable substitution in steps — substitute in all string fields
     if (Object.keys(execution.variables).length > 0) {
       for (const step of execution.steps) {
-        if (step.value) step.value = this._substituteVars(step.value, execution.variables);
-        if (step.url) step.url = this._substituteVars(step.url, execution.variables);
+        this._substituteStepVars(step, execution.variables);
       }
     }
 
@@ -379,6 +378,23 @@ class RecipeExecutor {
     return str.replace(/\{\{(\w+)\}\}/g, (_, key) => vars[key] !== undefined ? String(vars[key]) : `{{${key}}}`);
   }
 
+  _substituteStepVars(step, vars) {
+    if (step.value) step.value = this._substituteVars(step.value, vars);
+    if (step.url) step.url = this._substituteVars(step.url, vars);
+    if (step.selector) step.selector = this._substituteVars(step.selector, vars);
+    if (step.description) step.description = this._substituteVars(step.description, vars);
+    if (step.fallback) {
+      if (step.fallback.text) step.fallback.text = this._substituteVars(step.fallback.text, vars);
+      if (step.fallback.xpath) step.fallback.xpath = this._substituteVars(step.fallback.xpath, vars);
+      if (step.fallback.ariaLabel) step.fallback.ariaLabel = this._substituteVars(step.fallback.ariaLabel, vars);
+    }
+    if (step.options && typeof step.options === 'object') {
+      for (const k of Object.keys(step.options)) {
+        if (typeof step.options[k] === 'string') step.options[k] = this._substituteVars(step.options[k], vars);
+      }
+    }
+  }
+
   getStats() {
     const execs = [...this.executions.values()];
     return {
@@ -447,6 +463,9 @@ class LfdEngine {
   stopRecording(sessionId) {
     const session = this.sessions.get(sessionId);
     if (!session) throw new Error('Recording session not found');
+    if (session.status !== 'recording' && session.status !== 'paused') {
+      throw new Error(`Cannot stop recording in state: ${session.status}`);
+    }
     session.complete();
 
     // Auto-convert to recipe

package/server/services/modules/affiliate-intelligence.js

@@ -0,0 +1,93 @@
+/**
+ * WAB Affiliate Intelligence (10-affiliate-intelligence) — PUBLIC API, PRIVATE DB
+ * Detects affiliate link manipulation and cookie stuffing.
+ * API is open, detection database is closed.
+ *
+ * Powered by WAB — Web Agent Bridge
+ * https://www.webagentbridge.com
+ */
+
+'use strict';
+
+const crypto = require('crypto');
+const url = require('url');
+
+const scanStore = new Map();
+
+let affiliateDb;
+try { affiliateDb = require('./affiliate-db'); } catch { affiliateDb = null; }
+
+const KNOWN_AFFILIATE_PARAMS = ['ref', 'aff', 'affiliate', 'partner', 'utm_source', 'tag', 'associate', 'clickid', 'subid', 'irclickid', 'gclid', 'fbclid'];
+const COOKIE_STUFFING_INDICATORS = ['iframe[style*="display:none"]', 'iframe[width="0"]', 'img[src*="click"]', 'img[width="1"][height="1"]'];
+
+function createRouter(express) {
+  const router = express.Router();
+
+  router.post('/scan-url', (req, res) => {
+    const { target_url } = req.body;
+    if (!target_url) return res.status(400).json({ error: 'target_url required' });
+
+    try {
+      const parsed = new URL(target_url);
+      const affiliateParams = [];
+      for (const [key, value] of parsed.searchParams) {
+        if (KNOWN_AFFILIATE_PARAMS.includes(key.toLowerCase())) {
+          affiliateParams.push({ param: key, value, type: 'affiliate_tracking' });
+        }
+      }
+
+      const hasRedirect = /\/(click|go|redirect|track|aff|out)\//i.test(parsed.pathname);
+      let manipulation = null;
+      if (affiliateDb) {
+        manipulation = affiliateDb.checkManipulation(target_url, affiliateParams);
+      }
+
+      const scanId = 'ASCAN-' + crypto.randomBytes(6).toString('hex').toUpperCase();
+      const result = {
+        scan_id: scanId, url: target_url, hostname: parsed.hostname,
+        affiliate_params: affiliateParams, has_affiliate: affiliateParams.length > 0,
+        has_redirect_chain: hasRedirect, manipulation_detected: manipulation,
+        risk_level: affiliateParams.length > 2 ? 'HIGH' : affiliateParams.length > 0 ? 'MEDIUM' : 'LOW',
+        scanned_at: new Date().toISOString(),
+      };
+      scanStore.set(scanId, result);
+      res.json(result);
+    } catch (e) {
+      res.status(400).json({ error: 'Invalid URL: ' + e.message });
+    }
+  });
+
+  router.post('/scan-html', (req, res) => {
+    const { html, page_url } = req.body;
+    if (!html) return res.status(400).json({ error: 'html content required' });
+
+    const findings = [];
+    for (const indicator of COOKIE_STUFFING_INDICATORS) {
+      const tag = indicator.split('[')[0];
+      const attrMatch = indicator.match(/\[([^\]]+)\]/g) || [];
+      if (new RegExp(`<${tag}[^>]*${attrMatch.map(a => a.slice(1, -1).replace('*', '.*')).join('[^>]*')}`, 'gi').test(html)) {
+        findings.push({ type: 'COOKIE_STUFFING', indicator, severity: 'HIGH' });
+      }
+    }
+
+    const hiddenIframes = (html.match(/<iframe[^>]*(?:display\s*:\s*none|width\s*=\s*["']?0|height\s*=\s*["']?0)[^>]*>/gi) || []).length;
+    const trackingPixels = (html.match(/<img[^>]*(?:width\s*=\s*["']?1["']?\s+height\s*=\s*["']?1|height\s*=\s*["']?1["']?\s+width\s*=\s*["']?1)[^>]*>/gi) || []).length;
+
+    res.json({
+      page_url: page_url || 'unknown', cookie_stuffing_indicators: findings,
+      hidden_iframes: hiddenIframes, tracking_pixels: trackingPixels,
+      risk_level: findings.length > 0 || hiddenIframes > 2 ? 'HIGH' : trackingPixels > 5 ? 'MEDIUM' : 'LOW',
+      scanned_at: new Date().toISOString(),
+    });
+  });
+
+  router.get('/stats', (req, res) => {
+    let high = 0, manipulations = 0;
+    for (const s of scanStore.values()) { if (s.risk_level === 'HIGH') high++; if (s.manipulation_detected) manipulations++; }
+    res.json({ total_scans: scanStore.size, high_risk: high, manipulations_detected: manipulations });
+  });
+
+  return router;
+}
+
+module.exports = { createRouter };

package/server/services/modules/agent-firewall.js

@@ -0,0 +1,90 @@
+/**
+ * WAB Agent Firewall (01-agent-firewall) — PUBLIC API, PRIVATE DETECTION LOGIC
+ * Scans URLs and content for prompt injections, phishing, and dark patterns.
+ * API is open, deep detection rules are closed.
+ *
+ * Powered by WAB — Web Agent Bridge
+ * https://www.webagentbridge.com
+ */
+
+'use strict';
+
+const crypto = require('crypto');
+
+const BASIC_THREATS = [
+  /ignore\s+(all\s+)?previous\s+instructions/gi,
+  /you\s+are\s+now\s+in\s+developer\s+mode/gi,
+  /disregard\s+(your\s+)?(prior\s+|previous\s+)?instructions/gi,
+  /<\s*script[^>]*>.*?<\/\s*script\s*>/gis,
+  /transfer\s+\$?\d+.*?to\s+(?:wallet|account|address)/gi,
+  /data:text\/html.*base64/gi,
+  /javascript:void/gi,
+];
+
+const MALICIOUS_DOMAINS = new Set([
+  'paypa1.com', 'amaz0n.com', 'g00gle.com', 'faceb00k.com',
+  'secure-paypal-login.com', 'amazon-security-alert.com',
+]);
+
+let deepDetection;
+try { deepDetection = require('./firewall-engine'); } catch { deepDetection = null; }
+
+const scanLog = [];
+
+function createRouter(express) {
+  const router = express.Router();
+
+  router.post('/scan', (req, res) => {
+    const { url: targetUrl, content, agent_id } = req.body;
+    const startTime = Date.now();
+
+    const urlThreats = [];
+    const contentThreats = [];
+    let riskScore = 0;
+
+    if (targetUrl) {
+      try {
+        const parsed = new URL(targetUrl);
+        const hostname = parsed.hostname.toLowerCase();
+        if (MALICIOUS_DOMAINS.has(hostname)) { urlThreats.push({ type: 'MALICIOUS_DOMAIN', severity: 'CRITICAL', detail: hostname }); riskScore += 40; }
+        if (/[^\x00-\x7F]/.test(hostname)) { urlThreats.push({ type: 'HOMOGRAPH_ATTACK', severity: 'HIGH', detail: hostname }); riskScore += 25; }
+        if (/(?:password|token|apikey|secret)=/i.test(targetUrl)) { urlThreats.push({ type: 'DATA_EXFILTRATION', severity: 'HIGH', detail: 'Sensitive params in URL' }); riskScore += 25; }
+      } catch { urlThreats.push({ type: 'INVALID_URL', severity: 'LOW' }); }
+    }
+
+    if (content && typeof content === 'string') {
+      for (const pattern of BASIC_THREATS) {
+        const matches = content.match(pattern);
+        if (matches) { contentThreats.push({ type: 'PROMPT_INJECTION', matches: matches.slice(0, 3), count: matches.length }); riskScore += 30; }
+      }
+      if (deepDetection) {
+        const deep = deepDetection.analyze(content, targetUrl);
+        contentThreats.push(...(deep.threats || []));
+        riskScore += deep.score || 0;
+      }
+    }
+
+    riskScore = Math.min(100, riskScore);
+    const verdict = riskScore === 0 ? 'CLEAN' : riskScore > 50 ? 'BLOCKED' : 'WARNING';
+    const scanId = crypto.randomBytes(8).toString('hex');
+
+    scanLog.push({ scan_id: scanId, url: targetUrl, verdict, risk_score: riskScore, timestamp: new Date().toISOString() });
+    if (scanLog.length > 5000) scanLog.splice(0, scanLog.length - 5000);
+
+    res.json({
+      scan_id: scanId, verdict, risk_score: riskScore,
+      url_threats: urlThreats, content_threats: contentThreats,
+      processing_time_ms: Date.now() - startTime, scanned_at: new Date().toISOString(),
+    });
+  });
+
+  router.get('/stats', (req, res) => {
+    let blocked = 0, warnings = 0;
+    for (const s of scanLog) { if (s.verdict === 'BLOCKED') blocked++; if (s.verdict === 'WARNING') warnings++; }
+    res.json({ total_scans: scanLog.length, blocked, warnings, clean: scanLog.length - blocked - warnings });
+  });
+
+  return router;
+}
+
+module.exports = { createRouter };

package/server/services/modules/bounty.js

@@ -0,0 +1,89 @@
+/**
+ * WAB Bounty Network (09-bounty-network) — PUBLIC API, PRIVATE VERIFICATION RULES
+ * Bug bounty and threat reporting network.
+ * Report interface is open, verification rules are closed.
+ *
+ * Powered by WAB — Web Agent Bridge
+ * https://www.webagentbridge.com
+ */
+
+'use strict';
+
+const crypto = require('crypto');
+
+const reportStore = new Map();
+const rewardStore = new Map();
+
+const CATEGORIES = ['dark_pattern', 'price_manipulation', 'fake_reviews', 'hidden_fees', 'data_harvesting', 'accessibility_violation', 'misleading_ads', 'forced_subscription'];
+const SEVERITY_REWARDS = { LOW: 10, MEDIUM: 50, HIGH: 200, CRITICAL: 500 };
+
+let verifyReport;
+try { verifyReport = require('./bounty-verification'); } catch { verifyReport = null; }
+
+function createRouter(express) {
+  const router = express.Router();
+
+  router.post('/report', (req, res) => {
+    const { platform, url: targetUrl, category, description, evidence_html, reporter_token } = req.body;
+    if (!platform || !targetUrl || !category || !description) {
+      return res.status(400).json({ error: 'platform, url, category, and description required' });
+    }
+    if (!CATEGORIES.includes(category)) {
+      return res.status(400).json({ error: `Invalid category. Valid: ${CATEGORIES.join(', ')}` });
+    }
+
+    const reportId = 'RPT-' + crypto.randomBytes(8).toString('hex').toUpperCase();
+    const reporterHash = crypto.createHmac('sha256', process.env.WAB_SECRET || 'wab-bounty-salt')
+      .update(reporter_token || crypto.randomBytes(16).toString('hex')).digest('hex').substring(0, 16);
+
+    const report = {
+      report_id: reportId, platform, url: targetUrl, category, description,
+      reporter_hash: reporterHash, severity: null, reward_usd: 0,
+      status: 'SUBMITTED', submitted_at: new Date().toISOString(),
+      verified: false, verification_notes: null,
+    };
+
+    if (verifyReport) {
+      const verification = verifyReport(report, evidence_html);
+      report.severity = verification.severity;
+      report.verified = verification.verified;
+      report.reward_usd = verification.verified ? (SEVERITY_REWARDS[verification.severity] || 0) : 0;
+      report.status = verification.verified ? 'VERIFIED' : 'PENDING_REVIEW';
+    } else {
+      report.status = 'PENDING_REVIEW';
+    }
+
+    reportStore.set(reportId, report);
+    res.status(201).json(report);
+  });
+
+  router.get('/report/:id', (req, res) => {
+    const report = reportStore.get(req.params.id);
+    if (!report) return res.status(404).json({ error: 'Report not found' });
+    res.json(report);
+  });
+
+  router.get('/categories', (req, res) => {
+    res.json({ categories: CATEGORIES, severity_rewards_usd: SEVERITY_REWARDS });
+  });
+
+  router.get('/leaderboard', (req, res) => {
+    const reporters = {};
+    for (const r of reportStore.values()) {
+      if (r.verified) { reporters[r.reporter_hash] = (reporters[r.reporter_hash] || 0) + r.reward_usd; }
+    }
+    const leaderboard = Object.entries(reporters).map(([hash, total]) => ({ reporter_hash: hash, total_rewards_usd: total }))
+      .sort((a, b) => b.total_rewards_usd - a.total_rewards_usd).slice(0, 20);
+    res.json({ leaderboard });
+  });
+
+  router.get('/stats', (req, res) => {
+    let verified = 0, totalReward = 0;
+    for (const r of reportStore.values()) { if (r.verified) { verified++; totalReward += r.reward_usd; } }
+    res.json({ total_reports: reportStore.size, verified_reports: verified, total_rewards_usd: totalReward, categories: CATEGORIES.length });
+  });
+
+  return router;
+}
+
+module.exports = { createRouter };