web-agent-bridge 3.10.1 → 3.13.0

package/server/routes/revocations.js

@@ -0,0 +1,183 @@
+/**
+ * Site Revocations API (v3.11.0)
+ *
+ *   • Public  — anyone can read the transparency log + check a domain's status.
+ *   • Owner   — site owners can self-disable, reinstate their own disable,
+ *               and submit appeals against suspensions / revocations.
+ *   • Admin   — open suspensions/revocations, decide appeals, manual reinstate.
+ */
+
+'use strict';
+
+const express = require('express');
+const router = express.Router();
+
+const { authenticateToken } = require('../middleware/auth');
+const { authenticateAdmin } = require('../middleware/adminAuth');
+const { db } = require('../models/db');
+const rev = require('../services/revocations');
+
+function _handle(res, fn) {
+  try {
+    const out = fn();
+    res.json({ ok: true, data: out });
+  } catch (e) {
+    const status = e.statusCode || 500;
+    res.status(status).json({ ok: false, error: e.code || 'internal_error', message: e.message });
+  }
+}
+
+// ─── PUBLIC ──────────────────────────────────────────────────────────────────
+
+/** GET /api/revocations/transparency  — public log */
+router.get('/transparency', (req, res) => {
+  _handle(res, () => rev.listPublic({
+    limit: parseInt(req.query.limit, 10) || 50,
+    offset: parseInt(req.query.offset, 10) || 0,
+  }));
+});
+
+/** GET /api/revocations/status?domain=example.com  — public per-domain status */
+router.get('/status', (req, res) => {
+  const domain = String(req.query.domain || '').trim().toLowerCase();
+  if (!domain) return res.status(400).json({ ok: false, error: 'domain required' });
+  const r = rev.getActiveByDomain(domain);
+  res.json({
+    ok: true,
+    data: {
+      domain,
+      revoked: !!r,
+      revocation: r ? {
+        id: r.id,
+        type: r.type,
+        reason_code: r.reason_code,
+        reason_text: r.reason_text,
+        evidence_url: r.evidence_url,
+        decided_at: r.decided_at,
+        appeal_deadline: r.appeal_deadline,
+        status: r.status,
+      } : null,
+    },
+  });
+});
+
+// ─── OWNER (authenticated user) ──────────────────────────────────────────────
+
+/** POST /api/revocations/sites/:siteId/disable  — owner self-disable */
+router.post('/sites/:siteId/disable', authenticateToken, express.json({ limit: '8kb' }), (req, res) => {
+  _handle(res, () => {
+    const site = db.prepare(`SELECT * FROM sites WHERE id = ?`).get(req.params.siteId);
+    if (!site) { const e = new Error('site not found'); e.statusCode = 404; e.code = 'not_found'; throw e; }
+    if (site.user_id !== req.user.id) {
+      const e = new Error('forbidden'); e.statusCode = 403; e.code = 'forbidden'; throw e;
+    }
+    return rev.openRevocation({
+      siteId: site.id,
+      type: 'owner_disable',
+      reasonCode: 'owner_request',
+      reasonText: (req.body.reason_text && String(req.body.reason_text).trim())
+        || 'Owner requested self-disable.',
+      decidedBy: `owner:${req.user.id}`,
+    });
+  });
+});
+
+/** POST /api/revocations/:id/appeal  — owner appeal */
+router.post('/:id/appeal', authenticateToken, express.json({ limit: '32kb' }), (req, res) => {
+  _handle(res, () => rev.submitAppeal({
+    revocationId: req.params.id,
+    ownerUserId: req.user.id,
+    statement: String(req.body.statement || ''),
+    remediationProof: req.body.remediation_proof || null,
+  }));
+});
+
+/** POST /api/revocations/:id/reinstate  — owner re-enables their own disable */
+router.post('/:id/reinstate', authenticateToken, express.json({ limit: '4kb' }), (req, res) => {
+  _handle(res, () => {
+    const r = rev.getById(req.params.id);
+    if (!r) { const e = new Error('not found'); e.statusCode = 404; e.code = 'not_found'; throw e; }
+    if (r.type !== 'owner_disable') {
+      const e = new Error('only owner_disable can be self-reinstated'); e.statusCode = 403; e.code = 'forbidden'; throw e;
+    }
+    const site = db.prepare(`SELECT * FROM sites WHERE id = ?`).get(r.site_id);
+    if (!site || site.user_id !== req.user.id) {
+      const e = new Error('forbidden'); e.statusCode = 403; e.code = 'forbidden'; throw e;
+    }
+    return rev.reinstate({
+      revocationId: r.id, actorId: req.user.id, actorType: 'user',
+      reason: req.body.reason || 'owner_reinstated',
+    });
+  });
+});
+
+/** GET /api/revocations/:id  — owner/admin can view */
+router.get('/:id', authenticateToken, (req, res) => {
+  const r = rev.getById(req.params.id);
+  if (!r) return res.status(404).json({ ok: false, error: 'not_found' });
+  const site = db.prepare(`SELECT user_id FROM sites WHERE id = ?`).get(r.site_id);
+  if (!site || site.user_id !== req.user.id) {
+    return res.status(403).json({ ok: false, error: 'forbidden' });
+  }
+  res.json({ ok: true, data: { ...r, appeal: rev.getAppeal(r.id) } });
+});
+
+// ─── ADMIN ───────────────────────────────────────────────────────────────────
+
+/** GET /api/revocations/admin/list  */
+router.get('/admin/list', authenticateAdmin, (req, res) => {
+  _handle(res, () => rev.listAdmin({
+    status: req.query.status || undefined,
+    type: req.query.type || undefined,
+    limit: parseInt(req.query.limit, 10) || 100,
+    offset: parseInt(req.query.offset, 10) || 0,
+  }));
+});
+
+/** POST /api/revocations/admin/open  */
+router.post('/admin/open', authenticateAdmin, express.json({ limit: '16kb' }), (req, res) => {
+  _handle(res, () => {
+    const b = req.body || {};
+    let siteId = b.site_id;
+    if (!siteId && b.domain) {
+      const site = db.prepare(`SELECT id FROM sites WHERE domain = ? LIMIT 1`).get(String(b.domain).toLowerCase());
+      siteId = site ? site.id : null;
+    }
+    if (!siteId) { const e = new Error('site_id or domain required'); e.statusCode = 400; e.code = 'bad_request'; throw e; }
+    return rev.openRevocation({
+      siteId,
+      type: b.type || 'suspended',
+      reasonCode: b.reason_code,
+      reasonText: b.reason_text,
+      evidenceUrl: b.evidence_url || null,
+      decidedBy: `admin:${req.admin.id}`,
+    });
+  });
+});
+
+/** POST /api/revocations/admin/:id/decide  — decide an appeal */
+router.post('/admin/:id/decide', authenticateAdmin, express.json({ limit: '8kb' }), (req, res) => {
+  _handle(res, () => rev.decideAppeal({
+    revocationId: req.params.id,
+    decision: req.body.decision,
+    decisionReason: req.body.decision_reason || null,
+    adminId: req.admin.id,
+  }));
+});
+
+/** POST /api/revocations/admin/:id/reinstate  — manual reinstate */
+router.post('/admin/:id/reinstate', authenticateAdmin, express.json({ limit: '4kb' }), (req, res) => {
+  _handle(res, () => rev.reinstate({
+    revocationId: req.params.id,
+    actorId: req.admin.id,
+    actorType: 'admin',
+    reason: req.body.reason || null,
+  }));
+});
+
+/** POST /api/revocations/admin/sweep  — manually trigger expired-appeal sweep */
+router.post('/admin/sweep', authenticateAdmin, (req, res) => {
+  _handle(res, () => ({ swept: rev.sweepExpired() }));
+});
+
+module.exports = router;

package/server/routes/transactions.js

@@ -25,6 +25,7 @@ const express = require('express');
 const router  = express.Router();
 
 const { authenticateToken } = require('../middleware/auth');
+const { atpStrictLimiter } = require('../middleware/rateLimits');
 const transactions = require('../services/transactions');
 const { db } = require('../models/db');
 
@@ -63,7 +64,7 @@ function send(res, fn) {
 }
 
 // ─── Intents ─────────────────────────────────────────────────────────────────
-router.post('/intents', authenticateToken, express.json({ limit: '32kb' }), (req, res) => {
+router.post('/intents', atpStrictLimiter, authenticateToken, express.json({ limit: '32kb' }), (req, res) => {
   const q = checkDailyIntentQuota(req.user.id);
   if (!q.ok) {
     return res.status(429).json({
@@ -125,7 +126,7 @@ function loadTxOwned(txId, userId) {
   return { tx, intent };
 }
 
-router.post('/transactions', authenticateToken, express.json({ limit: '32kb' }), (req, res) => {
+router.post('/transactions', atpStrictLimiter, authenticateToken, express.json({ limit: '32kb' }), (req, res) => {
   send(res, () => {
     const intent = loadIntentAuthorized(req.body.intent_id, req.user.id);
     const idem = req.headers['idempotency-key'] || req.body.idempotency_key;

package/server/services/canonical-json.js

@@ -0,0 +1,103 @@
+/**
+ * RFC 8785 — JSON Canonicalization Scheme (JCS)
+ * ───────────────────────────────────────────────────────────────────────────
+ * Produces a deterministic byte sequence for any JSON-serialisable value,
+ * suitable for hashing or signing.  Implements:
+ *
+ *   • Object keys sorted lexicographically by UTF-16 code units (per RFC 8785 §3.2.3).
+ *   • Numbers serialised per ES2017 ECMAScript ToString (RFC 8785 §3.2.2.2),
+ *     with finite-only checks (Infinity / NaN are rejected — RFC 8259 §6).
+ *   • Strings escaped with the minimal RFC 8259 §7 form (control chars + \" + \\).
+ *   • Booleans / null encoded as `true` / `false` / `null`.
+ *   • Arrays preserve element order.
+ *
+ * This is intentionally dependency-free so it can be used by signing paths,
+ * audit-log HMAC chains, and ATP receipt verification without pulling extra
+ * packages.  Performance is O(n log n) over object keys.
+ *
+ * Anti-features (deliberate):
+ *   • Does NOT support `undefined`, functions, symbols, BigInt — throws.
+ *   • Does NOT escape non-ASCII; output is valid UTF-8 by construction.
+ *   • Does NOT pretty-print.
+ */
+
+'use strict';
+
+const HEX = '0123456789abcdef';
+
+function _escapeString(s) {
+  // RFC 8785 §3.2.2.1 → RFC 8259 §7: minimal escaping.
+  let out = '"';
+  for (let i = 0; i < s.length; i++) {
+    const c = s.charCodeAt(i);
+    if (c === 0x22) out += '\\"';
+    else if (c === 0x5c) out += '\\\\';
+    else if (c === 0x08) out += '\\b';
+    else if (c === 0x09) out += '\\t';
+    else if (c === 0x0a) out += '\\n';
+    else if (c === 0x0c) out += '\\f';
+    else if (c === 0x0d) out += '\\r';
+    else if (c < 0x20) {
+      out += '\\u00' + HEX[(c >> 4) & 0xf] + HEX[c & 0xf];
+    } else {
+      out += s[i];
+    }
+  }
+  return out + '"';
+}
+
+function _serializeNumber(n) {
+  // RFC 8785 §3.2.2.2: ECMAScript ToString. Reject non-finite per RFC 8259.
+  if (!Number.isFinite(n)) {
+    throw new TypeError(`canonical-json: non-finite number not allowed (${n})`);
+  }
+  if (n === 0) return '0';            // collapses -0 → "0"
+  return String(n);
+}
+
+function canonicalize(value) {
+  if (value === null) return 'null';
+
+  const t = typeof value;
+
+  if (t === 'boolean') return value ? 'true' : 'false';
+  if (t === 'number')  return _serializeNumber(value);
+  if (t === 'string')  return _escapeString(value);
+
+  if (t === 'bigint' || t === 'function' || t === 'symbol' || t === 'undefined') {
+    throw new TypeError(`canonical-json: unsupported type ${t}`);
+  }
+
+  if (Array.isArray(value)) {
+    let out = '[';
+    for (let i = 0; i < value.length; i++) {
+      if (i > 0) out += ',';
+      const v = value[i];
+      out += v === undefined ? 'null' : canonicalize(v);  // align with JSON.stringify
+    }
+    return out + ']';
+  }
+
+  // Plain object — sort keys by UTF-16 code units (default String sort).
+  if (t === 'object') {
+    // Strip undefined values (per JSON spec) before sorting.
+    const keys = Object.keys(value).filter((k) => value[k] !== undefined).sort();
+    let out = '{';
+    for (let i = 0; i < keys.length; i++) {
+      if (i > 0) out += ',';
+      const k = keys[i];
+      out += _escapeString(k) + ':' + canonicalize(value[k]);
+    }
+    return out + '}';
+  }
+
+  throw new TypeError(`canonical-json: unsupported value ${value}`);
+}
+
+/** Convenience: return a SHA-256 hex digest over the canonical form. */
+function canonicalDigest(value, algo = 'sha256') {
+  const crypto = require('crypto');
+  return crypto.createHash(algo).update(canonicalize(value), 'utf8').digest('hex');
+}
+
+module.exports = { canonicalize, canonicalDigest };

package/server/services/revocations.js

@@ -0,0 +1,378 @@
+/**
+ * Site Revocations & Appeals (v3.11.0)
+ * ───────────────────────────────────────────────────────────────────────────
+ * Governance primitive for transparently disabling WAB-registered domains
+ * with a 1-week owner appeal window and a public transparency log.
+ *
+ * Authority tiers:
+ *
+ *   1. owner_disable
+ *      The site owner self-pauses their domain. Instantaneous, no appeal
+ *      window (they can re-enable themselves at any time by calling
+ *      reinstate() on their own revocation).
+ *
+ *   2. suspended
+ *      Platform-issued temporary suspension (community report, automated
+ *      rule, partner takedown). Opens a 7-day appeal window during which
+ *      the owner may submit a rebuttal + remediation proof. After the
+ *      window the revocation auto-finalises unless overturned.
+ *
+ *   3. revoked
+ *      Permanent revocation. Reserved for hard breaches (proven fraud,
+ *      malware distribution, court order). Still gets a 7-day appeal —
+ *      due process matters more than throughput.
+ *
+ * Every decision is Ed25519-signed by the operator key (if configured) and
+ * mirrored into `audit_log` for HMAC-chained tamper-evidence.
+ */
+
+'use strict';
+
+const crypto = require('crypto');
+const { db } = require('../models/db');
+const { canonicalize } = require('./canonical-json');
+const { auditLog } = require('./security');
+
+const APPEAL_WINDOW_DAYS = Number(process.env.WAB_REVOCATION_APPEAL_DAYS || 7);
+const APPEAL_WINDOW_MS   = APPEAL_WINDOW_DAYS * 24 * 60 * 60 * 1000;
+const OPERATOR_KEY_B64   = process.env.WAB_OPERATOR_ED25519_PRIV || '';
+
+const VALID_TYPES   = new Set(['owner_disable', 'suspended', 'revoked']);
+const REASON_CODES  = new Set([
+  'fraud', 'abuse', 'policy_breach', 'malware', 'court_order',
+  'owner_request', 'security_incident', 'spam', 'impersonation', 'other',
+]);
+
+function _ulid(prefix) {
+  return `${prefix}_${Date.now().toString(36)}${crypto.randomBytes(8).toString('hex')}`;
+}
+
+function _signDecision(payload) {
+  if (!OPERATOR_KEY_B64) return null;
+  try {
+    const keyDer = Buffer.from(OPERATOR_KEY_B64, 'base64');
+    const key = crypto.createPrivateKey({ key: keyDer, format: 'der', type: 'pkcs8' });
+    const sig = crypto.sign(null, Buffer.from(canonicalize(payload), 'utf8'), key);
+    return sig.toString('base64');
+  } catch (e) {
+    console.warn('[revocations] signature failed (non-fatal):', e.message);
+    return null;
+  }
+}
+
+function _findSiteByDomain(domain) {
+  return db.prepare(`SELECT * FROM sites WHERE domain = ? LIMIT 1`).get(domain);
+}
+
+function _findSiteById(id) {
+  return db.prepare(`SELECT * FROM sites WHERE id = ? LIMIT 1`).get(id);
+}
+
+/**
+ * Open a new revocation against a site.
+ *
+ * @param {object} args
+ * @param {string} args.siteId
+ * @param {'owner_disable'|'suspended'|'revoked'} args.type
+ * @param {string} args.reasonCode
+ * @param {string} args.reasonText
+ * @param {string} args.decidedBy      e.g. 'admin:42', 'owner:user_id', 'system:rule_x'
+ * @param {string} [args.evidenceUrl]
+ * @returns the inserted row
+ */
+function openRevocation({ siteId, type, reasonCode, reasonText, decidedBy, evidenceUrl }) {
+  if (!VALID_TYPES.has(type))       throw Object.assign(new Error('invalid type'), { code: 'bad_type' });
+  if (!REASON_CODES.has(reasonCode)) throw Object.assign(new Error('invalid reason_code'), { code: 'bad_reason' });
+  if (!reasonText || reasonText.length < 8) {
+    throw Object.assign(new Error('reason_text must be at least 8 chars'), { code: 'bad_reason_text' });
+  }
+  const site = _findSiteById(siteId);
+  if (!site) throw Object.assign(new Error('site not found'), { code: 'not_found', statusCode: 404 });
+
+  // Block opening a duplicate active revocation of the same kind.
+  const existing = db.prepare(`
+    SELECT id FROM site_revocations
+     WHERE site_id = ? AND status IN ('pending_appeal','appealed','final')
+     LIMIT 1
+  `).get(siteId);
+  if (existing && type !== 'owner_disable') {
+    throw Object.assign(new Error('site already has an active revocation'),
+      { code: 'already_revoked', statusCode: 409 });
+  }
+
+  const id = _ulid('rev');
+  const now = new Date();
+  const appealDeadline = type === 'owner_disable'
+    ? null
+    : new Date(now.getTime() + APPEAL_WINDOW_MS).toISOString();
+
+  const payload = {
+    id, site_id: siteId, domain: site.domain, type,
+    reason_code: reasonCode, reason_text: reasonText,
+    evidence_url: evidenceUrl || null,
+    decided_by: decidedBy, decided_at: now.toISOString(),
+    appeal_deadline: appealDeadline,
+  };
+  const signature = _signDecision(payload);
+
+  db.prepare(`
+    INSERT INTO site_revocations
+      (id, site_id, domain, type, reason_code, reason_text, evidence_url,
+       decided_by, decided_at, appeal_deadline, status, signature)
+    VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)
+  `).run(
+    id, siteId, site.domain, type, reasonCode, reasonText, evidenceUrl || null,
+    decidedBy, now.toISOString(), appealDeadline,
+    type === 'owner_disable' ? 'final' : 'pending_appeal',
+    signature,
+  );
+
+  // Flip the site itself to inactive so downstream lookups stop trusting it.
+  db.prepare(`UPDATE sites SET active = 0 WHERE id = ?`).run(siteId);
+
+  auditLog({
+    actorType: decidedBy.startsWith('admin:') ? 'admin' : decidedBy.startsWith('owner:') ? 'user' : 'system',
+    actorId: decidedBy.split(':')[1] || decidedBy,
+    action: 'site_revocation_opened',
+    resource: 'site', resourceId: siteId,
+    details: { id, type, reason_code: reasonCode, domain: site.domain },
+    severity: type === 'revoked' ? 'critical' : 'warning',
+  });
+
+  return db.prepare(`SELECT * FROM site_revocations WHERE id = ?`).get(id);
+}
+
+/**
+ * Submit an owner appeal. Only the site owner may call this, and only
+ * within the appeal window. Re-submitting overwrites the open appeal.
+ */
+function submitAppeal({ revocationId, ownerUserId, statement, remediationProof }) {
+  if (!statement || statement.length < 16) {
+    throw Object.assign(new Error('statement must be at least 16 chars'),
+      { code: 'bad_statement', statusCode: 400 });
+  }
+  const rev = db.prepare(`SELECT * FROM site_revocations WHERE id = ?`).get(revocationId);
+  if (!rev) throw Object.assign(new Error('revocation not found'), { code: 'not_found', statusCode: 404 });
+
+  const site = _findSiteById(rev.site_id);
+  if (!site || site.user_id !== ownerUserId) {
+    throw Object.assign(new Error('forbidden'), { code: 'forbidden', statusCode: 403 });
+  }
+  if (rev.type === 'owner_disable') {
+    throw Object.assign(new Error('owner_disable cannot be appealed (use reinstate)'),
+      { code: 'not_appealable', statusCode: 400 });
+  }
+  if (!['pending_appeal', 'appealed'].includes(rev.status)) {
+    throw Object.assign(new Error(`revocation in '${rev.status}' is not appealable`),
+      { code: 'not_appealable', statusCode: 409 });
+  }
+  if (rev.appeal_deadline && new Date(rev.appeal_deadline).getTime() < Date.now()) {
+    // Auto-finalise stale appeals lazily.
+    db.prepare(`UPDATE site_revocations SET status='final', finalized_at=datetime('now'), updated_at=datetime('now') WHERE id=?`).run(revocationId);
+    throw Object.assign(new Error('appeal window expired'),
+      { code: 'appeal_expired', statusCode: 410 });
+  }
+
+  const existing = db.prepare(`SELECT id FROM revocation_appeals WHERE revocation_id = ?`).get(revocationId);
+  if (existing) {
+    db.prepare(`
+      UPDATE revocation_appeals
+         SET statement = ?, remediation_proof = ?, submitted_at = datetime('now'),
+             decision = NULL, decision_reason = NULL, decided_by = NULL, decided_at = NULL
+       WHERE revocation_id = ?
+    `).run(statement, remediationProof || null, revocationId);
+  } else {
+    db.prepare(`
+      INSERT INTO revocation_appeals (id, revocation_id, owner_user_id, statement, remediation_proof)
+      VALUES (?, ?, ?, ?, ?)
+    `).run(_ulid('app'), revocationId, ownerUserId, statement, remediationProof || null);
+  }
+
+  db.prepare(`UPDATE site_revocations SET status='appealed', updated_at=datetime('now') WHERE id=?`).run(revocationId);
+
+  auditLog({
+    actorType: 'user', actorId: String(ownerUserId),
+    action: 'revocation_appeal_submitted',
+    resource: 'site_revocation', resourceId: revocationId,
+    details: { domain: rev.domain },
+  });
+
+  return db.prepare(`
+    SELECT a.*, r.domain, r.type AS revocation_type
+      FROM revocation_appeals a
+      JOIN site_revocations r ON r.id = a.revocation_id
+     WHERE a.revocation_id = ?
+  `).get(revocationId);
+}
+
+/**
+ * Admin decision on an appeal.
+ *   decision = 'upheld'    → site reinstated
+ *   decision = 'rejected'  → revocation finalised
+ */
+function decideAppeal({ revocationId, decision, decisionReason, adminId }) {
+  if (!['upheld', 'rejected'].includes(decision)) {
+    throw Object.assign(new Error('decision must be upheld|rejected'),
+      { code: 'bad_decision', statusCode: 400 });
+  }
+  const rev = db.prepare(`SELECT * FROM site_revocations WHERE id = ?`).get(revocationId);
+  if (!rev) throw Object.assign(new Error('revocation not found'), { code: 'not_found', statusCode: 404 });
+  const appeal = db.prepare(`SELECT * FROM revocation_appeals WHERE revocation_id = ?`).get(revocationId);
+  if (!appeal) throw Object.assign(new Error('no appeal to decide'), { code: 'no_appeal', statusCode: 404 });
+  if (rev.status !== 'appealed') {
+    throw Object.assign(new Error(`revocation in '${rev.status}' has no open appeal`),
+      { code: 'no_open_appeal', statusCode: 409 });
+  }
+
+  db.prepare(`
+    UPDATE revocation_appeals
+       SET decision = ?, decision_reason = ?, decided_by = ?, decided_at = datetime('now')
+     WHERE revocation_id = ?
+  `).run(decision, decisionReason || null, String(adminId), revocationId);
+
+  if (decision === 'upheld') {
+    db.prepare(`
+      UPDATE site_revocations
+         SET status='overturned', reinstated_at=datetime('now'), reinstated_by=?, updated_at=datetime('now')
+       WHERE id=?
+    `).run(`admin:${adminId}`, revocationId);
+    db.prepare(`UPDATE sites SET active = 1 WHERE id = ?`).run(rev.site_id);
+  } else {
+    db.prepare(`
+      UPDATE site_revocations
+         SET status='final', finalized_at=datetime('now'), updated_at=datetime('now')
+       WHERE id=?
+    `).run(revocationId);
+  }
+
+  auditLog({
+    actorType: 'admin', actorId: String(adminId),
+    action: 'revocation_appeal_decided',
+    resource: 'site_revocation', resourceId: revocationId,
+    details: { decision, domain: rev.domain },
+    severity: decision === 'rejected' ? 'warning' : 'info',
+  });
+
+  return db.prepare(`SELECT * FROM site_revocations WHERE id = ?`).get(revocationId);
+}
+
+/**
+ * Manually reinstate (governance override or owner re-enabling their own disable).
+ */
+function reinstate({ revocationId, actorId, actorType = 'admin', reason }) {
+  const rev = db.prepare(`SELECT * FROM site_revocations WHERE id = ?`).get(revocationId);
+  if (!rev) throw Object.assign(new Error('revocation not found'), { code: 'not_found', statusCode: 404 });
+  if (rev.status === 'reinstated' || rev.status === 'overturned') {
+    return rev;  // idempotent
+  }
+
+  db.prepare(`
+    UPDATE site_revocations
+       SET status='reinstated', reinstated_at=datetime('now'), reinstated_by=?, updated_at=datetime('now')
+     WHERE id=?
+  `).run(`${actorType}:${actorId}`, revocationId);
+  db.prepare(`UPDATE sites SET active = 1 WHERE id = ?`).run(rev.site_id);
+
+  auditLog({
+    actorType, actorId: String(actorId),
+    action: 'site_revocation_reinstated',
+    resource: 'site_revocation', resourceId: revocationId,
+    details: { domain: rev.domain, reason: reason || null },
+  });
+
+  return db.prepare(`SELECT * FROM site_revocations WHERE id = ?`).get(revocationId);
+}
+
+/**
+ * Lazy sweep: any 'pending_appeal' whose deadline elapsed → 'final'.
+ * Called from periodic worker AND from getActiveByDomain to keep state honest.
+ */
+function sweepExpired() {
+  const r = db.prepare(`
+    UPDATE site_revocations
+       SET status='final', finalized_at=datetime('now'), updated_at=datetime('now')
+     WHERE status='pending_appeal'
+       AND appeal_deadline IS NOT NULL
+       AND datetime(appeal_deadline) <= datetime('now')
+  `).run();
+  return r.changes || 0;
+}
+
+/** Returns the active (blocking) revocation for a domain, or null. */
+function getActiveByDomain(domain) {
+  sweepExpired();
+  return db.prepare(`
+    SELECT * FROM site_revocations
+     WHERE domain = ? AND status IN ('pending_appeal','appealed','final')
+     ORDER BY decided_at DESC LIMIT 1
+  `).get(domain) || null;
+}
+
+/** Public transparency feed (newest first, redacts internal IDs). */
+function listPublic({ limit = 50, offset = 0 } = {}) {
+  const rows = db.prepare(`
+    SELECT id, domain, type, reason_code, reason_text, evidence_url,
+           decided_at, appeal_deadline, status, finalized_at, reinstated_at
+      FROM site_revocations
+     WHERE type != 'owner_disable'
+     ORDER BY decided_at DESC LIMIT ? OFFSET ?
+  `).all(Math.min(limit, 200), Math.max(offset, 0));
+  return rows;
+}
+
+/** Admin: full listing with optional filters. */
+function listAdmin({ status, type, limit = 100, offset = 0 } = {}) {
+  const where = [];
+  const params = [];
+  if (status) { where.push('status = ?'); params.push(status); }
+  if (type)   { where.push('type = ?');   params.push(type); }
+  const clause = where.length ? `WHERE ${where.join(' AND ')}` : '';
+  params.push(Math.min(limit, 500), Math.max(offset, 0));
+  return db.prepare(`
+    SELECT * FROM site_revocations
+     ${clause}
+     ORDER BY decided_at DESC LIMIT ? OFFSET ?
+  `).all(...params);
+}
+
+function getById(id) {
+  return db.prepare(`SELECT * FROM site_revocations WHERE id = ?`).get(id);
+}
+
+function getAppeal(revocationId) {
+  return db.prepare(`SELECT * FROM revocation_appeals WHERE revocation_id = ?`).get(revocationId);
+}
+
+/** Optional background worker — env-gated. */
+function startPeriodicSweep() {
+  const hours = Number(process.env.WAB_REVOCATION_SWEEP_INTERVAL_HOURS || 0);
+  if (!hours || hours < 0.1) return null;
+  const ms = hours * 60 * 60 * 1000;
+  const t = setInterval(() => {
+    try {
+      const n = sweepExpired();
+      if (n) console.log(`[revocations] swept ${n} expired appeal windows`);
+    } catch (e) {
+      console.error('[revocations] sweep failed:', e.message);
+    }
+  }, ms);
+  t.unref?.();
+  return { intervalHours: hours };
+}
+
+module.exports = {
+  openRevocation,
+  submitAppeal,
+  decideAppeal,
+  reinstate,
+  sweepExpired,
+  getActiveByDomain,
+  listPublic,
+  listAdmin,
+  getById,
+  getAppeal,
+  startPeriodicSweep,
+  APPEAL_WINDOW_DAYS,
+  VALID_TYPES,
+  REASON_CODES,
+};