web-agent-bridge 3.10.0 → 3.12.0

package/server/routes/revocations.js

@@ -0,0 +1,183 @@
+/**
+ * Site Revocations API (v3.11.0)
+ *
+ *   • Public  — anyone can read the transparency log + check a domain's status.
+ *   • Owner   — site owners can self-disable, reinstate their own disable,
+ *               and submit appeals against suspensions / revocations.
+ *   • Admin   — open suspensions/revocations, decide appeals, manual reinstate.
+ */
+
+'use strict';
+
+const express = require('express');
+const router = express.Router();
+
+const { authenticateToken } = require('../middleware/auth');
+const { authenticateAdmin } = require('../middleware/adminAuth');
+const { db } = require('../models/db');
+const rev = require('../services/revocations');
+
+function _handle(res, fn) {
+  try {
+    const out = fn();
+    res.json({ ok: true, data: out });
+  } catch (e) {
+    const status = e.statusCode || 500;
+    res.status(status).json({ ok: false, error: e.code || 'internal_error', message: e.message });
+  }
+}
+
+// ─── PUBLIC ──────────────────────────────────────────────────────────────────
+
+/** GET /api/revocations/transparency  — public log */
+router.get('/transparency', (req, res) => {
+  _handle(res, () => rev.listPublic({
+    limit: parseInt(req.query.limit, 10) || 50,
+    offset: parseInt(req.query.offset, 10) || 0,
+  }));
+});
+
+/** GET /api/revocations/status?domain=example.com  — public per-domain status */
+router.get('/status', (req, res) => {
+  const domain = String(req.query.domain || '').trim().toLowerCase();
+  if (!domain) return res.status(400).json({ ok: false, error: 'domain required' });
+  const r = rev.getActiveByDomain(domain);
+  res.json({
+    ok: true,
+    data: {
+      domain,
+      revoked: !!r,
+      revocation: r ? {
+        id: r.id,
+        type: r.type,
+        reason_code: r.reason_code,
+        reason_text: r.reason_text,
+        evidence_url: r.evidence_url,
+        decided_at: r.decided_at,
+        appeal_deadline: r.appeal_deadline,
+        status: r.status,
+      } : null,
+    },
+  });
+});
+
+// ─── OWNER (authenticated user) ──────────────────────────────────────────────
+
+/** POST /api/revocations/sites/:siteId/disable  — owner self-disable */
+router.post('/sites/:siteId/disable', authenticateToken, express.json({ limit: '8kb' }), (req, res) => {
+  _handle(res, () => {
+    const site = db.prepare(`SELECT * FROM sites WHERE id = ?`).get(req.params.siteId);
+    if (!site) { const e = new Error('site not found'); e.statusCode = 404; e.code = 'not_found'; throw e; }
+    if (site.user_id !== req.user.id) {
+      const e = new Error('forbidden'); e.statusCode = 403; e.code = 'forbidden'; throw e;
+    }
+    return rev.openRevocation({
+      siteId: site.id,
+      type: 'owner_disable',
+      reasonCode: 'owner_request',
+      reasonText: (req.body.reason_text && String(req.body.reason_text).trim())
+        || 'Owner requested self-disable.',
+      decidedBy: `owner:${req.user.id}`,
+    });
+  });
+});
+
+/** POST /api/revocations/:id/appeal  — owner appeal */
+router.post('/:id/appeal', authenticateToken, express.json({ limit: '32kb' }), (req, res) => {
+  _handle(res, () => rev.submitAppeal({
+    revocationId: req.params.id,
+    ownerUserId: req.user.id,
+    statement: String(req.body.statement || ''),
+    remediationProof: req.body.remediation_proof || null,
+  }));
+});
+
+/** POST /api/revocations/:id/reinstate  — owner re-enables their own disable */
+router.post('/:id/reinstate', authenticateToken, express.json({ limit: '4kb' }), (req, res) => {
+  _handle(res, () => {
+    const r = rev.getById(req.params.id);
+    if (!r) { const e = new Error('not found'); e.statusCode = 404; e.code = 'not_found'; throw e; }
+    if (r.type !== 'owner_disable') {
+      const e = new Error('only owner_disable can be self-reinstated'); e.statusCode = 403; e.code = 'forbidden'; throw e;
+    }
+    const site = db.prepare(`SELECT * FROM sites WHERE id = ?`).get(r.site_id);
+    if (!site || site.user_id !== req.user.id) {
+      const e = new Error('forbidden'); e.statusCode = 403; e.code = 'forbidden'; throw e;
+    }
+    return rev.reinstate({
+      revocationId: r.id, actorId: req.user.id, actorType: 'user',
+      reason: req.body.reason || 'owner_reinstated',
+    });
+  });
+});
+
+/** GET /api/revocations/:id  — owner/admin can view */
+router.get('/:id', authenticateToken, (req, res) => {
+  const r = rev.getById(req.params.id);
+  if (!r) return res.status(404).json({ ok: false, error: 'not_found' });
+  const site = db.prepare(`SELECT user_id FROM sites WHERE id = ?`).get(r.site_id);
+  if (!site || site.user_id !== req.user.id) {
+    return res.status(403).json({ ok: false, error: 'forbidden' });
+  }
+  res.json({ ok: true, data: { ...r, appeal: rev.getAppeal(r.id) } });
+});
+
+// ─── ADMIN ───────────────────────────────────────────────────────────────────
+
+/** GET /api/revocations/admin/list  */
+router.get('/admin/list', authenticateAdmin, (req, res) => {
+  _handle(res, () => rev.listAdmin({
+    status: req.query.status || undefined,
+    type: req.query.type || undefined,
+    limit: parseInt(req.query.limit, 10) || 100,
+    offset: parseInt(req.query.offset, 10) || 0,
+  }));
+});
+
+/** POST /api/revocations/admin/open  */
+router.post('/admin/open', authenticateAdmin, express.json({ limit: '16kb' }), (req, res) => {
+  _handle(res, () => {
+    const b = req.body || {};
+    let siteId = b.site_id;
+    if (!siteId && b.domain) {
+      const site = db.prepare(`SELECT id FROM sites WHERE domain = ? LIMIT 1`).get(String(b.domain).toLowerCase());
+      siteId = site ? site.id : null;
+    }
+    if (!siteId) { const e = new Error('site_id or domain required'); e.statusCode = 400; e.code = 'bad_request'; throw e; }
+    return rev.openRevocation({
+      siteId,
+      type: b.type || 'suspended',
+      reasonCode: b.reason_code,
+      reasonText: b.reason_text,
+      evidenceUrl: b.evidence_url || null,
+      decidedBy: `admin:${req.admin.id}`,
+    });
+  });
+});
+
+/** POST /api/revocations/admin/:id/decide  — decide an appeal */
+router.post('/admin/:id/decide', authenticateAdmin, express.json({ limit: '8kb' }), (req, res) => {
+  _handle(res, () => rev.decideAppeal({
+    revocationId: req.params.id,
+    decision: req.body.decision,
+    decisionReason: req.body.decision_reason || null,
+    adminId: req.admin.id,
+  }));
+});
+
+/** POST /api/revocations/admin/:id/reinstate  — manual reinstate */
+router.post('/admin/:id/reinstate', authenticateAdmin, express.json({ limit: '4kb' }), (req, res) => {
+  _handle(res, () => rev.reinstate({
+    revocationId: req.params.id,
+    actorId: req.admin.id,
+    actorType: 'admin',
+    reason: req.body.reason || null,
+  }));
+});
+
+/** POST /api/revocations/admin/sweep  — manually trigger expired-appeal sweep */
+router.post('/admin/sweep', authenticateAdmin, (req, res) => {
+  _handle(res, () => ({ swept: rev.sweepExpired() }));
+});
+
+module.exports = router;

package/server/routes/transactions.js

@@ -25,6 +25,7 @@ const express = require('express');
 const router  = express.Router();
 
 const { authenticateToken } = require('../middleware/auth');
+const { atpStrictLimiter } = require('../middleware/rateLimits');
 const transactions = require('../services/transactions');
 const { db } = require('../models/db');
 
@@ -63,7 +64,7 @@ function send(res, fn) {
 }
 
 // ─── Intents ─────────────────────────────────────────────────────────────────
-router.post('/intents', authenticateToken, express.json({ limit: '32kb' }), (req, res) => {
+router.post('/intents', atpStrictLimiter, authenticateToken, express.json({ limit: '32kb' }), (req, res) => {
   const q = checkDailyIntentQuota(req.user.id);
   if (!q.ok) {
     return res.status(429).json({
@@ -125,7 +126,7 @@ function loadTxOwned(txId, userId) {
   return { tx, intent };
 }
 
-router.post('/transactions', authenticateToken, express.json({ limit: '32kb' }), (req, res) => {
+router.post('/transactions', atpStrictLimiter, authenticateToken, express.json({ limit: '32kb' }), (req, res) => {
   send(res, () => {
     const intent = loadIntentAuthorized(req.body.intent_id, req.user.id);
     const idem = req.headers['idempotency-key'] || req.body.idempotency_key;

package/server/services/canonical-json.js

@@ -0,0 +1,103 @@
+/**
+ * RFC 8785 — JSON Canonicalization Scheme (JCS)
+ * ───────────────────────────────────────────────────────────────────────────
+ * Produces a deterministic byte sequence for any JSON-serialisable value,
+ * suitable for hashing or signing.  Implements:
+ *
+ *   • Object keys sorted lexicographically by UTF-16 code units (per RFC 8785 §3.2.3).
+ *   • Numbers serialised per ES2017 ECMAScript ToString (RFC 8785 §3.2.2.2),
+ *     with finite-only checks (Infinity / NaN are rejected — RFC 8259 §6).
+ *   • Strings escaped with the minimal RFC 8259 §7 form (control chars + \" + \\).
+ *   • Booleans / null encoded as `true` / `false` / `null`.
+ *   • Arrays preserve element order.
+ *
+ * This is intentionally dependency-free so it can be used by signing paths,
+ * audit-log HMAC chains, and ATP receipt verification without pulling extra
+ * packages.  Performance is O(n log n) over object keys.
+ *
+ * Anti-features (deliberate):
+ *   • Does NOT support `undefined`, functions, symbols, BigInt — throws.
+ *   • Does NOT escape non-ASCII; output is valid UTF-8 by construction.
+ *   • Does NOT pretty-print.
+ */
+
+'use strict';
+
+const HEX = '0123456789abcdef';
+
+function _escapeString(s) {
+  // RFC 8785 §3.2.2.1 → RFC 8259 §7: minimal escaping.
+  let out = '"';
+  for (let i = 0; i < s.length; i++) {
+    const c = s.charCodeAt(i);
+    if (c === 0x22) out += '\\"';
+    else if (c === 0x5c) out += '\\\\';
+    else if (c === 0x08) out += '\\b';
+    else if (c === 0x09) out += '\\t';
+    else if (c === 0x0a) out += '\\n';
+    else if (c === 0x0c) out += '\\f';
+    else if (c === 0x0d) out += '\\r';
+    else if (c < 0x20) {
+      out += '\\u00' + HEX[(c >> 4) & 0xf] + HEX[c & 0xf];
+    } else {
+      out += s[i];
+    }
+  }
+  return out + '"';
+}
+
+function _serializeNumber(n) {
+  // RFC 8785 §3.2.2.2: ECMAScript ToString. Reject non-finite per RFC 8259.
+  if (!Number.isFinite(n)) {
+    throw new TypeError(`canonical-json: non-finite number not allowed (${n})`);
+  }
+  if (n === 0) return '0';            // collapses -0 → "0"
+  return String(n);
+}
+
+function canonicalize(value) {
+  if (value === null) return 'null';
+
+  const t = typeof value;
+
+  if (t === 'boolean') return value ? 'true' : 'false';
+  if (t === 'number')  return _serializeNumber(value);
+  if (t === 'string')  return _escapeString(value);
+
+  if (t === 'bigint' || t === 'function' || t === 'symbol' || t === 'undefined') {
+    throw new TypeError(`canonical-json: unsupported type ${t}`);
+  }
+
+  if (Array.isArray(value)) {
+    let out = '[';
+    for (let i = 0; i < value.length; i++) {
+      if (i > 0) out += ',';
+      const v = value[i];
+      out += v === undefined ? 'null' : canonicalize(v);  // align with JSON.stringify
+    }
+    return out + ']';
+  }
+
+  // Plain object — sort keys by UTF-16 code units (default String sort).
+  if (t === 'object') {
+    // Strip undefined values (per JSON spec) before sorting.
+    const keys = Object.keys(value).filter((k) => value[k] !== undefined).sort();
+    let out = '{';
+    for (let i = 0; i < keys.length; i++) {
+      if (i > 0) out += ',';
+      const k = keys[i];
+      out += _escapeString(k) + ':' + canonicalize(value[k]);
+    }
+    return out + '}';
+  }
+
+  throw new TypeError(`canonical-json: unsupported value ${value}`);
+}
+
+/** Convenience: return a SHA-256 hex digest over the canonical form. */
+function canonicalDigest(value, algo = 'sha256') {
+  const crypto = require('crypto');
+  return crypto.createHash(algo).update(canonicalize(value), 'utf8').digest('hex');
+}
+
+module.exports = { canonicalize, canonicalDigest };

package/server/services/commission-billing.js

@@ -0,0 +1,279 @@
+'use strict';
+
+/**
+ * ATP Commission Billing — v3.10.1
+ *
+ * Converts `pending` rows in atp_commissions into real Stripe invoices.
+ *
+ * Strategy:
+ *   - Group pending commissions by merchant_user_id + currency.
+ *   - One Stripe invoice per (merchant, currency) per cycle.
+ *   - One Stripe invoice item per commission row, so the merchant sees
+ *     a line-by-line breakdown.
+ *   - Mark rows `invoiced` and stamp the stripe invoice id into `notes`
+ *     inside the same transaction.
+ *
+ * Idempotency:
+ *   - Skips rows whose merchant has no Stripe customer yet.
+ *   - Aborts a merchant's batch on any Stripe error; rows stay `pending`.
+ *   - dry-run mode just returns the plan without touching Stripe or the DB.
+ *
+ * Trigger:
+ *   - Admin endpoint POST /api/admin/commissions/run-billing
+ *   - Optional periodic timer (env WAB_COMMISSION_BILLING_INTERVAL_HOURS).
+ */
+
+const { db, getStripeCustomer } = require('../models/db');
+
+function getMinAgeDays() {
+  const n = parseInt(process.env.WAB_COMMISSION_MIN_AGE_DAYS, 10);
+  if (Number.isFinite(n) && n >= 0 && n <= 365) return n;
+  return 0; // by default bill anything that's pending
+}
+
+function getMinAmountCents() {
+  const n = parseInt(process.env.WAB_COMMISSION_MIN_INVOICE_CENTS, 10);
+  if (Number.isFinite(n) && n >= 0) return n;
+  return 100; // 1 EUR/USD floor — Stripe rejects sub-50c invoices anyway
+}
+
+/**
+ * Build the per-merchant batches that would be billed in this cycle.
+ * Returns an array: [{ merchantUserId, currency, rows[], totalCents, stripeCustomerId|null, skipReason|null }]
+ */
+function planBillingCycle() {
+  const minAgeDays = getMinAgeDays();
+  const ageClause = minAgeDays > 0
+    ? `AND datetime(created_at) < datetime('now', '-${minAgeDays} days')`
+    : '';
+
+  const groups = db.prepare(`
+    SELECT merchant_user_id, currency,
+           COUNT(*) AS n,
+           COALESCE(SUM(commission_cents), 0) AS total_cents
+      FROM atp_commissions
+     WHERE status = 'pending'
+       ${ageClause}
+     GROUP BY merchant_user_id, currency
+     ORDER BY total_cents DESC
+  `).all();
+
+  const minAmount = getMinAmountCents();
+
+  const batches = [];
+  for (const g of groups) {
+    if (g.total_cents < minAmount) {
+      batches.push({
+        merchantUserId: g.merchant_user_id,
+        currency: g.currency,
+        rows: [],
+        totalCents: g.total_cents,
+        rowCount: g.n,
+        stripeCustomerId: null,
+        skipReason: `below_min_invoice (${g.total_cents}c < ${minAmount}c)`,
+      });
+      continue;
+    }
+    const cust = getStripeCustomer(g.merchant_user_id);
+    if (!cust || !cust.stripe_customer_id) {
+      batches.push({
+        merchantUserId: g.merchant_user_id,
+        currency: g.currency,
+        rows: [],
+        totalCents: g.total_cents,
+        rowCount: g.n,
+        stripeCustomerId: null,
+        skipReason: 'no_stripe_customer',
+      });
+      continue;
+    }
+    const rows = db.prepare(`
+      SELECT id, transaction_id, gross_amount_cents, commission_cents, commission_bps, created_at
+        FROM atp_commissions
+       WHERE merchant_user_id = ? AND currency = ? AND status = 'pending'
+       ${ageClause}
+       ORDER BY created_at ASC
+    `).all(g.merchant_user_id, g.currency);
+
+    batches.push({
+      merchantUserId: g.merchant_user_id,
+      currency: g.currency,
+      rows,
+      totalCents: g.total_cents,
+      rowCount: rows.length,
+      stripeCustomerId: cust.stripe_customer_id,
+      skipReason: null,
+    });
+  }
+  return batches;
+}
+
+/**
+ * Execute a billing cycle. When dryRun=true, returns the plan without
+ * touching Stripe or the DB.
+ */
+async function runBillingCycle({ dryRun = false } = {}) {
+  const startedAt = new Date().toISOString();
+  const batches = planBillingCycle();
+  const summary = {
+    started_at: startedAt,
+    dry_run: !!dryRun,
+    batches_total: batches.length,
+    batches_billed: 0,
+    batches_skipped: 0,
+    rows_invoiced: 0,
+    total_commission_cents: 0,
+    invoices: [],
+    errors: [],
+  };
+
+  if (dryRun) {
+    summary.batches_skipped = batches.filter((b) => b.skipReason).length;
+    summary.batches_billed  = batches.length - summary.batches_skipped;
+    summary.rows_invoiced   = batches.reduce((s, b) => s + (b.skipReason ? 0 : b.rowCount), 0);
+    summary.total_commission_cents = batches.reduce(
+      (s, b) => s + (b.skipReason ? 0 : b.totalCents),
+      0,
+    );
+    summary.plan = batches.map((b) => ({
+      merchant_user_id: b.merchantUserId,
+      currency: b.currency,
+      rows: b.rowCount,
+      total_cents: b.totalCents,
+      stripe_customer_id: b.stripeCustomerId,
+      skip_reason: b.skipReason,
+    }));
+    summary.finished_at = new Date().toISOString();
+    return summary;
+  }
+
+  const { getStripe, isStripeConfigured } = require('./stripe');
+  if (!isStripeConfigured()) {
+    summary.errors.push({ reason: 'stripe_not_configured' });
+    summary.finished_at = new Date().toISOString();
+    return summary;
+  }
+  const stripe = getStripe();
+
+  for (const batch of batches) {
+    if (batch.skipReason) {
+      summary.batches_skipped++;
+      continue;
+    }
+
+    try {
+      // 1) One invoice item per commission row → merchant gets a full ledger.
+      for (const r of batch.rows) {
+        await stripe.invoiceItems.create({
+          customer: batch.stripeCustomerId,
+          amount: r.commission_cents,
+          currency: (batch.currency || 'eur').toLowerCase(),
+          description: `WAB ATP commission (${(r.commission_bps / 100).toFixed(2)}%) · tx ${r.transaction_id} · ${r.created_at}`,
+          metadata: {
+            wab_commission_id: r.id,
+            wab_transaction_id: r.transaction_id,
+            wab_kind: 'atp_commission',
+          },
+        });
+      }
+
+      // 2) Finalize a single invoice for all the items above.
+      const invoice = await stripe.invoices.create({
+        customer: batch.stripeCustomerId,
+        collection_method: 'charge_automatically',
+        auto_advance: true,
+        description: `WAB ATP merchant commission · ${batch.rowCount} transactions`,
+        metadata: {
+          wab_kind: 'atp_commission_batch',
+          wab_merchant_user_id: batch.merchantUserId,
+          wab_currency: batch.currency,
+          wab_row_count: String(batch.rowCount),
+        },
+      });
+
+      // 3) Mark all rows invoiced inside a single DB transaction.
+      const ids = batch.rows.map((r) => r.id);
+      const stamp = `stripe_invoice:${invoice.id}@${new Date().toISOString()}`;
+      const markTx = db.transaction((commIds) => {
+        const upd = db.prepare(`
+          UPDATE atp_commissions
+             SET status = 'invoiced',
+                 notes = COALESCE(notes || ' | ', '') || ?,
+                 updated_at = datetime('now')
+           WHERE id = ? AND status = 'pending'
+        `);
+        for (const id of commIds) upd.run(stamp, id);
+      });
+      markTx(ids);
+
+      summary.batches_billed++;
+      summary.rows_invoiced += batch.rowCount;
+      summary.total_commission_cents += batch.totalCents;
+      summary.invoices.push({
+        merchant_user_id: batch.merchantUserId,
+        currency: batch.currency,
+        rows: batch.rowCount,
+        total_cents: batch.totalCents,
+        stripe_invoice_id: invoice.id,
+        stripe_invoice_status: invoice.status,
+      });
+    } catch (e) {
+      summary.errors.push({
+        merchant_user_id: batch.merchantUserId,
+        currency: batch.currency,
+        message: e && e.message ? e.message : String(e),
+      });
+    }
+  }
+
+  summary.finished_at = new Date().toISOString();
+  return summary;
+}
+
+/**
+ * Webhook hook — called from stripe.js when an invoice tied to a wab
+ * commission batch is paid or fails. Flips matching atp_commissions rows
+ * to 'collected' (paid) or leaves at 'invoiced' (failed → manual).
+ */
+function onStripeInvoicePaid(invoice) {
+  try {
+    const meta = invoice && invoice.metadata;
+    if (!meta || meta.wab_kind !== 'atp_commission_batch') return 0;
+    const r = db.prepare(`
+      UPDATE atp_commissions
+         SET status = 'collected',
+             notes  = COALESCE(notes || ' | ', '') || ?,
+             updated_at = datetime('now')
+       WHERE status = 'invoiced'
+         AND notes LIKE ?
+    `).run(`paid:${invoice.id}@${new Date().toISOString()}`, `%stripe_invoice:${invoice.id}%`);
+    return r.changes;
+  } catch (e) {
+    console.error('[commission-billing] onStripeInvoicePaid failed:', e.message);
+    return 0;
+  }
+}
+
+let _timer = null;
+function startPeriodicBilling() {
+  const hours = parseFloat(process.env.WAB_COMMISSION_BILLING_INTERVAL_HOURS);
+  if (!Number.isFinite(hours) || hours <= 0) return null;
+  const ms = Math.max(60_000, hours * 3_600_000);
+  if (_timer) clearInterval(_timer);
+  _timer = setInterval(() => {
+    runBillingCycle({ dryRun: false })
+      .then((s) => console.log(
+        `[commission-billing] cycle done: billed=${s.batches_billed} rows=${s.rows_invoiced} total_cents=${s.total_commission_cents} errors=${s.errors.length}`,
+      ))
+      .catch((e) => console.error('[commission-billing] cycle failed:', e.message));
+  }, ms);
+  if (_timer.unref) _timer.unref();
+  return { intervalHours: hours };
+}
+
+module.exports = {
+  planBillingCycle,
+  runBillingCycle,
+  onStripeInvoicePaid,
+  startPeriodicBilling,
+};