web-agent-bridge 3.0.0 → 3.3.0

package/server/index.js

@@ -34,6 +34,11 @@ const adminPremiumRoutes = require('./routes/admin-premium');
 const workspaceRoutes = require('./routes/agent-workspace');
 const universalRoutes = require('./routes/universal');
 const runtimeRoutes = require('./routes/runtime');
+const demoShowcaseRoutes = require('./routes/demo-showcase');
+const demoStoreRoutes = require('./routes/demo-store');
+const gatewayRoutes = require('./routes/gateway');
+let growthRoutes;
+try { growthRoutes = require('./routes/growth'); } catch { growthRoutes = require('express').Router(); }
 const { handleWebhookRequest } = require('./services/stripe');
 const { runtime } = require('./runtime');
 
@@ -69,28 +74,106 @@ const styleSrc = process.env.CSP_ALLOW_UNSAFE_INLINE === 'false'
   ? ["'self'"]
   : ["'self'", "'unsafe-inline'"];
 
+// Per-request CSP nonce — exposed as res.locals.cspNonce for new pages opting into strict CSP.
+app.use((req, res, next) => {
+  res.locals.cspNonce = require('crypto').randomBytes(16).toString('base64');
+  next();
+});
+
+// CSP — tightened: HTTPS-only iframes, upgrade-insecure-requests, report endpoint.
+const cspReportUri = '/api/security/csp-report';
 app.use(
   helmet({
     contentSecurityPolicy: {
       directives: {
         defaultSrc: ["'self'"],
-        scriptSrc,
+        scriptSrc: [...scriptSrc, (req, res) => `'nonce-${res.locals.cspNonce}'`],
         scriptSrcAttr: scriptSrc,
         styleSrc: [...styleSrc, 'https://fonts.googleapis.com'],
         imgSrc: ["'self'", 'data:', 'https:'],
-        connectSrc: ["'self'", 'ws:', 'wss:'],
+        connectSrc: ["'self'", 'https:', 'ws:', 'wss:'],
         fontSrc: ["'self'", 'https://fonts.gstatic.com', 'https:', 'data:'],
-        frameSrc: ["'self'", 'https:', 'http:'],
+        frameSrc: ["'self'", 'https:'],
         frameAncestors: ["'none'"],
         objectSrc: ["'none'"],
         baseUri: ["'self'"],
-        formAction: ["'self'"]
+        formAction: ["'self'"],
+        upgradeInsecureRequests: process.env.NODE_ENV === 'production' ? [] : null,
+        reportUri: [cspReportUri]
       }
     },
-    crossOriginEmbedderPolicy: false
+    crossOriginEmbedderPolicy: false,
+    referrerPolicy: { policy: 'strict-origin-when-cross-origin' }
   })
 );
 
+// Companion strict Report-Only CSP — surfaces every inline-script violation
+// without breaking existing pages, so we can migrate page-by-page to nonces.
+app.use((req, res, next) => {
+  const nonce = res.locals.cspNonce;
+  const strict = [
+    "default-src 'self'",
+    `script-src 'self' 'nonce-${nonce}' 'strict-dynamic'`,
+    "style-src 'self' 'unsafe-inline' https://fonts.googleapis.com",
+    "img-src 'self' data: https:",
+    "connect-src 'self' https: wss:",
+    "font-src 'self' https://fonts.gstatic.com data:",
+    "frame-src 'self' https:",
+    "frame-ancestors 'none'",
+    "object-src 'none'",
+    "base-uri 'self'",
+    "form-action 'self'",
+    "upgrade-insecure-requests",
+    `report-uri ${cspReportUri}`
+  ].join('; ');
+  res.setHeader('Content-Security-Policy-Report-Only', strict);
+  next();
+});
+
+// CSP violation report sink (capped, in-memory ring buffer + console).
+const _cspReports = [];
+app.post('/api/security/csp-report', express.json({ type: ['application/csp-report', 'application/json'], limit: '32kb' }), (req, res) => {
+  const report = req.body && (req.body['csp-report'] || req.body);
+  if (report) {
+    _cspReports.push({ at: new Date().toISOString(), ip: req.ip, report });
+    if (_cspReports.length > 500) _cspReports.shift();
+    if (process.env.NODE_ENV !== 'production') {
+      console.warn('[CSP]', report['violated-directive'] || report.violatedDirective, '→', report['blocked-uri'] || report.blockedURI);
+    }
+  }
+  res.status(204).end();
+});
+app.get('/api/security/csp-report/recent', (req, res) => {
+  res.json({ count: _cspReports.length, reports: _cspReports.slice(-50) });
+});
+
+// ── Reward-guard + cross-site redactor admin views (token-gated) ──
+function _adminAuth(req, res, next) {
+  const want = process.env.WAB_ADMIN_TOKEN;
+  if (!want) return res.status(503).json({ error: 'WAB_ADMIN_TOKEN not configured' });
+  const got = req.headers['x-wab-admin-token'] || req.query.token;
+  if (got !== want) return res.status(401).json({ error: 'admin token required' });
+  next();
+}
+app.get('/api/security/reward-audit/recent', _adminAuth, (req, res) => {
+  try {
+    const guard = require('./security/reward-guard');
+    res.json({ stats: guard.getStats(), recent: guard.getRecentAudits(50, req.query.decision || null) });
+  } catch (err) { res.status(500).json({ error: err.message }); }
+});
+app.get('/api/security/cross-site-transfers/recent', _adminAuth, (req, res) => {
+  try {
+    const r = require('./security/cross-site-redactor');
+    res.json({ recent: r.getRecentTransfers(50, req.query.from || null) });
+  } catch (err) { res.status(500).json({ error: err.message }); }
+});
+app.get('/api/security/url-policy/recent', _adminAuth, (req, res) => {
+  try {
+    const p = require('./security/url-policy');
+    res.json({ recent: p.getRecentAudits(50, req.query.decision || null) });
+  } catch (err) { res.status(500).json({ error: err.message }); }
+});
+
 app.post('/api/billing/webhook', express.raw({ type: 'application/json' }), async (req, res) => {
   try {
     await handleWebhookRequest(req);
@@ -122,7 +205,13 @@ const licenseLimiter = rateLimit({
   }
 });
 
-app.use(express.static(path.join(__dirname, '..', 'public')));
+app.use(express.static(path.join(__dirname, '..', 'public'), {
+  setHeaders(res, filePath) {
+    if (filePath.endsWith('.html')) {
+      res.setHeader('Cache-Control', 'no-cache, must-revalidate');
+    }
+  }
+}));
 app.use('/script', express.static(path.join(__dirname, '..', 'script')));
 
 app.use('/api/auth', apiLimiter, authRoutes);
@@ -137,11 +226,37 @@ app.use('/api/ads', apiLimiter, adsRoutes);
 app.use('/api/wab', wabApiRoutes);
 app.use('/api/noscript', apiLimiter, noscriptRoutes);
 app.use('/api/discovery', apiLimiter, discoveryRoutes);
+// Also expose well-known discovery endpoints at the canonical root paths so
+// agents can find them without the /api/discovery prefix (RFC 8615).
+app.use('/', apiLimiter, discoveryRoutes);
 app.use('/api/premium', apiLimiter, premiumRoutes);
 app.use('/api/admin/premium', apiLimiter, adminPremiumRoutes);
 app.use('/api/workspace', apiLimiter, workspaceRoutes);
 app.use('/api/universal', apiLimiter, universalRoutes);
 app.use('/api/os', apiLimiter, runtimeRoutes);
+app.use('/api/demo', apiLimiter, demoShowcaseRoutes);
+app.use('/api/growth', apiLimiter, growthRoutes);
+app.use('/api/v1', gatewayRoutes);
+
+// Convenience alias: /api/negotiate/* → /api/sovereign/negotiation/*
+app.get('/api/negotiate', apiLimiter, (req, res) => {
+  res.json({
+    engine: 'WAB Negotiation Engine',
+    endpoints: {
+      'POST /api/negotiate/rules': 'Create negotiation rules (auth required)',
+      'GET  /api/negotiate/rules/:siteId': 'Get rules for a site',
+      'PUT  /api/negotiate/rules/:ruleId': 'Update a rule (auth required)',
+      'POST /api/negotiate/sessions': 'Open negotiation session',
+      'POST /api/negotiate/sessions/:id/propose': 'Agent counter-offer',
+      'POST /api/negotiate/sessions/:id/confirm': 'Confirm deal',
+      'GET  /api/negotiate/stats/:siteId': 'Negotiation stats',
+    },
+  });
+});
+app.use('/api/negotiate', apiLimiter, (req, res, next) => {
+  req.url = '/negotiation' + req.url;
+  sovereignRoutes(req, res, next);
+});
 
 // ─── WAB Search Engine ────────────────────────────────────────────────
 
@@ -180,45 +295,82 @@ app.get('/api/search/stats', apiLimiter, (req, res) => {
   res.json(stats);
 });
 
-app.get('/dashboard', (req, res) => {
+// Prevent browsers from caching HTML page routes
+function noCache(req, res, next) {
+  res.set('Cache-Control', 'no-cache, must-revalidate');
+  next();
+}
+
+app.get('/dashboard', noCache, (req, res) => {
   res.sendFile(path.join(__dirname, '..', 'public', 'dashboard.html'));
 });
-app.get('/mesh-dashboard', (req, res) => {
+app.get('/mesh-dashboard', noCache, (req, res) => {
   res.sendFile(path.join(__dirname, '..', 'public', 'mesh-dashboard.html'));
 });
-app.get('/commander-dashboard', (req, res) => {
+app.get('/commander-dashboard', noCache, (req, res) => {
   res.sendFile(path.join(__dirname, '..', 'public', 'commander-dashboard.html'));
 });
-app.get('/docs', (req, res) => {
+app.get('/docs', noCache, (req, res) => {
   res.sendFile(path.join(__dirname, '..', 'public', 'docs.html'));
 });
-app.get('/login', (req, res) => {
+app.get('/login', noCache, (req, res) => {
   res.sendFile(path.join(__dirname, '..', 'public', 'login.html'));
 });
-app.get('/register', (req, res) => {
+app.get('/register', noCache, (req, res) => {
   res.sendFile(path.join(__dirname, '..', 'public', 'register.html'));
 });
-app.get('/admin/login', (req, res) => {
+app.get('/admin/login', noCache, (req, res) => {
   res.sendFile(path.join(__dirname, '..', 'public', 'admin', 'login.html'));
 });
-app.get('/admin', (req, res) => {
+app.get('/admin', noCache, (req, res) => {
   res.sendFile(path.join(__dirname, '..', 'public', 'admin', 'dashboard.html'));
 });
-app.get('/privacy', (req, res) => {
+app.get('/admin/snapshots', noCache, (req, res) => {
+  res.sendFile(path.join(__dirname, '..', 'public', 'admin', 'snapshots.html'));
+});
+app.get('/privacy', noCache, (req, res) => {
   res.sendFile(path.join(__dirname, '..', 'public', 'privacy.html'));
 });
-app.get('/terms', (req, res) => {
+app.get('/terms', noCache, (req, res) => {
   res.sendFile(path.join(__dirname, '..', 'public', 'terms.html'));
 });
-app.get('/cookies', (req, res) => {
+app.get('/cookies', noCache, (req, res) => {
   res.sendFile(path.join(__dirname, '..', 'public', 'cookies.html'));
 });
-app.get('/browser', (req, res) => {
+app.get('/browser', noCache, (req, res) => {
   res.sendFile(path.join(__dirname, '..', 'public', 'browser.html'));
 });
-app.get('/workspace', (req, res) => {
+app.get('/workspace', noCache, (req, res) => {
   res.sendFile(path.join(__dirname, '..', 'public', 'agent-workspace.html'));
 });
+app.get('/growth', noCache, (req, res) => {
+  res.sendFile(path.join(__dirname, '..', 'public', 'growth.html'));
+});
+app.get('/score', noCache, (req, res) => {
+  res.sendFile(path.join(__dirname, '..', 'public', 'score.html'));
+});
+app.get('/sovereign', noCache, (req, res) => {
+  res.sendFile(path.join(__dirname, '..', 'public', 'sovereign.html'));
+});
+app.get('/api', noCache, (req, res) => {
+  res.sendFile(path.join(__dirname, '..', 'public', 'api.html'));
+});
+
+app.get('/phone-shield', noCache, (req, res) => {
+  res.sendFile(path.join(__dirname, '..', 'public', 'phone-shield.html'));
+});
+
+app.get('/dns', noCache, (req, res) => {
+  res.sendFile(path.join(__dirname, '..', 'public', 'dns.html'));
+});
+
+// /integrations — bilingual deploy landing page
+app.get('/integrations', noCache, (req, res) => {
+  res.sendFile(path.join(__dirname, '..', 'public', 'integrations.html'));
+});
+
+// /demo — interactive WAB Demo Store (new)
+app.use('/demo', demoStoreRoutes);
 
 // Browser downloads
 app.use('/downloads', express.static(path.join(__dirname, '..', 'downloads'), {
@@ -338,6 +490,10 @@ app.use(`/v${pkg.version.split('.')[0]}`, express.static(path.join(__dirname, '.
 app.use('/latest', express.static(path.join(__dirname, '..', 'script')));
 
 app.get('*', (req, res) => {
+  // API routes always return JSON 404
+  if (req.path.startsWith('/api/')) {
+    return res.status(404).json({ error: 'Not found', path: req.path });
+  }
   if (req.accepts('html')) {
     res.sendFile(path.join(__dirname, '..', 'public', 'index.html'));
   } else {