web-agent-bridge 3.14.0 → 3.15.0

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "web-agent-bridge",
-  "version": "3.14.0",
+  "version": "3.15.0",
   "description": "Agent Transaction Bridge — the trust + transaction layer for agentic commerce. Signed intent contracts, idempotent transactions, Ed25519-verifiable receipts, explicit compensation. Plus the original WAB stack: sovereign browser, ShieldQR, SSL health, DNS discovery, agent mesh, and unified gateway for safe AI–website interaction.",
   "author": "Web Agent Bridge <dev@webagentbridge.com>",
   "main": "server/index.js",

package/server/routes/network.js

@@ -1,25 +1,46 @@
 'use strict';
 
 /**
- * Network-effect public endpoints (v3.14.0).
+ * Network-effect public endpoints (v3.14.0 + signed snapshots v3.15.0).
  *
- *   GET /api/trusted-domains.json — snapshot of currently-attested,
+ *   GET /api/trusted-domains.json — signed snapshot of currently-attested,
  *     non-revoked WAB sites. Cached 1 hour. Designed for agent bootstrap
  *     and third-party crawlers building "verified web" indexes.
  *   GET /api/trusted-domains.txt  — same data, newline-separated domains.
- *   GET /api/revocations/feed.json — JSON Feed 1.1 of the transparency log.
- *   GET /api/revocations/feed.xml  — Atom 1.0 of the transparency log.
+ *   GET /api/trusted-domains/archive.json — manifest of available daily snapshots.
+ *   GET /api/trusted-domains/:date.json    — historical signed snapshot.
+ *   GET /api/transparency/feed.json — JSON Feed 1.1 of the transparency log.
+ *   GET /api/transparency/feed.xml  — Atom 1.0 of the transparency log.
+ *   GET /api/operator-key.json — operator Ed25519 public key (b64 + JWK).
  *
  * Mounted at /api in server/index.js.
  */
 
 const express = require('express');
+const fs = require('fs');
+const path = require('path');
+const crypto = require('crypto');
 const router = express.Router();
 const { db } = require('../models/db');
+const { canonicalize } = require('../services/canonical-json');
+const signer = require('../services/operator-signer');
 
 const SNAPSHOT_TTL_MS = 60 * 60 * 1000; // 1h
+const ARCHIVE_DIR = process.env.WAB_SNAPSHOT_DIR ||
+  path.join(__dirname, '..', '..',
+    (process.env.NODE_ENV === 'test' ? 'data-test' : 'data'),
+    'snapshots');
+
 let _snapshotCache = { ts: 0, data: null };
 
+function _ensureArchiveDir() {
+  try { fs.mkdirSync(ARCHIVE_DIR, { recursive: true }); } catch (_) { /* ignore */ }
+}
+
+function _todayUtc() {
+  return new Date().toISOString().slice(0, 10); // YYYY-MM-DD
+}
+
 function buildSnapshot() {
   // Active sites that have no active blocking revocation.
   let rows = [];
@@ -37,16 +58,18 @@ function buildSnapshot() {
       ORDER BY s.created_at ASC
     `).all();
   } catch (_) {
-    // site_revocations may not yet exist on a very first boot
     rows = db.prepare(`
       SELECT id, domain, name, description, tier, created_at
       FROM sites WHERE active = 1 ORDER BY created_at ASC
     `).all();
   }
 
-  return {
+  const generated_at = new Date().toISOString();
+  const date = generated_at.slice(0, 10);
+  const payload = {
     schema: 'wab-trusted-domains/v1',
-    generated_at: new Date().toISOString(),
+    generated_at,
+    date,
     total: rows.length,
     domains: rows.map(r => ({
       domain: r.domain,
@@ -57,6 +80,29 @@ function buildSnapshot() {
       badge_url: 'https://webagentbridge.com/api/discovery/badge/' + r.domain + '.svg'
     }))
   };
+
+  // Hash + sign over the canonical bytes of `payload` (without signature fields).
+  const canonical = canonicalize(payload);
+  const content_hash = 'sha256:' + crypto.createHash('sha256').update(canonical, 'utf8').digest('hex');
+  const signature = signer.sign(payload);
+
+  const out = Object.assign({}, payload, {
+    content_hash,
+    signature: signature
+      ? { alg: signer.ALGORITHM, value: signature, key_url: '/api/operator-key.json' }
+      : null,
+  });
+
+  // Persist today's snapshot to disk for time-machine queries (idempotent overwrite).
+  try {
+    _ensureArchiveDir();
+    const file = path.join(ARCHIVE_DIR, date + '.json');
+    fs.writeFileSync(file, JSON.stringify(out, null, 2) + '\n', 'utf8');
+  } catch (e) {
+    console.warn('[network] snapshot archive write failed (non-fatal):', e.message);
+  }
+
+  return out;
 }
 
 function getSnapshot() {
@@ -73,6 +119,8 @@ router.get('/trusted-domains.json', (req, res) => {
   const snap = getSnapshot();
   res.set('Cache-Control', 'public, max-age=3600, s-maxage=3600');
   res.set('X-WAB-Snapshot-Schema', snap.schema);
+  res.set('X-WAB-Snapshot-Hash', snap.content_hash);
+  if (snap.signature) res.set('X-WAB-Snapshot-Signature', snap.signature.value);
   res.json(snap);
 });
 
@@ -83,6 +131,75 @@ router.get('/trusted-domains.txt', (req, res) => {
   res.send(snap.domains.map(d => d.domain).join('\n') + '\n');
 });
 
+// ── Daily archive ────────────────────────────────────────────────────
+
+function _listArchiveDates() {
+  try {
+    _ensureArchiveDir();
+    return fs.readdirSync(ARCHIVE_DIR)
+      .filter(f => /^\d{4}-\d{2}-\d{2}\.json$/.test(f))
+      .map(f => f.replace(/\.json$/, ''))
+      .sort();
+  } catch (_) { return []; }
+}
+
+router.get('/trusted-domains/archive.json', (req, res) => {
+  // Touch today's snapshot to ensure at least today is archived.
+  getSnapshot();
+  const dates = _listArchiveDates();
+  const manifest = {
+    schema: 'wab-trusted-domains-archive/v1',
+    generated_at: new Date().toISOString(),
+    total: dates.length,
+    snapshots: dates.map(d => ({
+      date: d,
+      url: '/api/trusted-domains/' + d + '.json',
+    })),
+  };
+  const sig = signer.sign(manifest);
+  if (sig) manifest.signature = { alg: signer.ALGORITHM, value: sig, key_url: '/api/operator-key.json' };
+  res.set('Cache-Control', 'public, max-age=3600, s-maxage=3600');
+  res.json(manifest);
+});
+
+router.get('/trusted-domains/:date.json', (req, res) => {
+  const date = req.params.date;
+  if (!/^\d{4}-\d{2}-\d{2}$/.test(date)) {
+    return res.status(400).json({ error: 'invalid_date', hint: 'Use YYYY-MM-DD.' });
+  }
+  // Serve today live (so a fresh boot doesn't return 404 before the first snapshot).
+  if (date === _todayUtc()) {
+    return res.json(getSnapshot());
+  }
+  _ensureArchiveDir();
+  const file = path.join(ARCHIVE_DIR, date + '.json');
+  if (!fs.existsSync(file)) {
+    return res.status(404).json({ error: 'snapshot_not_found', date });
+  }
+  res.set('Cache-Control', 'public, max-age=86400, s-maxage=86400, immutable');
+  res.type('application/json; charset=utf-8');
+  res.send(fs.readFileSync(file, 'utf8'));
+});
+
+// ── Operator public key ──────────────────────────────────────────────
+
+router.get('/operator-key.json', (req, res) => {
+  const pub = signer.publicKey();
+  if (!pub) {
+    return res.status(503).json({ error: 'signing_not_configured' });
+  }
+  res.set('Cache-Control', 'public, max-age=86400, s-maxage=86400');
+  res.json({
+    schema: 'wab-operator-key/v1',
+    alg: signer.ALGORITHM,
+    public_key_b64: pub.b64,
+    jwk: pub.jwk,
+    issued_at: new Date().toISOString(),
+    notice: 'Use this key to verify signatures on /api/trusted-domains.json and /api/trusted-domains/*.json.',
+  });
+});
+
+
 // ── Revocation feeds ─────────────────────────────────────────────────
 
 function listRecentRevocations(limit) {

package/server/services/operator-signer.js

@@ -0,0 +1,98 @@
+'use strict';
+
+/**
+ * Operator signing service — Ed25519 + RFC 8785.
+ *
+ * Loads WAB_OPERATOR_ED25519_PRIV (PKCS8 base64-DER) once and exposes:
+ *   sign(payload)        — returns base64 Ed25519 signature over canonicalize(payload).
+ *   publicKey()          — returns the operator's public key as {b64, jwk} (raw 32-byte b64 + JWK).
+ *   isConfigured()       — whether a signing key is available.
+ *   ALGORITHM            — 'ed25519' constant.
+ *
+ * The same private key is already used by services/revocations.js to sign revocation
+ * decisions; this module unifies usage so other surfaces (snapshots, manifests) can
+ * sign with the same identity.
+ */
+
+const crypto = require('crypto');
+const { canonicalize } = require('./canonical-json');
+
+const ALGORITHM = 'ed25519';
+const PRIV_B64 = process.env.WAB_OPERATOR_ED25519_PRIV || '';
+
+let _priv = null;
+let _pub = null;
+
+function _load() {
+  if (_priv || !PRIV_B64) return;
+  try {
+    const der = Buffer.from(PRIV_B64, 'base64');
+    _priv = crypto.createPrivateKey({ key: der, format: 'der', type: 'pkcs8' });
+    const pubKey = crypto.createPublicKey(_priv);
+    const rawDer = pubKey.export({ format: 'der', type: 'spki' });
+    // SPKI for Ed25519 is 44 bytes; raw key is the last 32.
+    const raw = rawDer.slice(-32);
+    _pub = {
+      b64: raw.toString('base64'),
+      jwk: {
+        kty: 'OKP',
+        crv: 'Ed25519',
+        x: raw.toString('base64url'),
+        alg: 'EdDSA',
+        use: 'sig',
+      },
+    };
+  } catch (e) {
+    console.warn('[operator-signer] key load failed (non-fatal):', e.message);
+  }
+}
+
+function isConfigured() {
+  _load();
+  return !!_priv;
+}
+
+function sign(payload) {
+  _load();
+  if (!_priv) return null;
+  try {
+    const sig = crypto.sign(null, Buffer.from(canonicalize(payload), 'utf8'), _priv);
+    return sig.toString('base64');
+  } catch (e) {
+    console.warn('[operator-signer] sign failed:', e.message);
+    return null;
+  }
+}
+
+function publicKey() {
+  _load();
+  return _pub;
+}
+
+/**
+ * Verify a signature against a payload using the operator's public key.
+ * Returns true/false. Convenience helper for tests and self-verification.
+ */
+function verify(payload, signatureB64) {
+  _load();
+  if (!_pub) return false;
+  try {
+    const der = Buffer.from(PRIV_B64, 'base64');
+    const priv = crypto.createPrivateKey({ key: der, format: 'der', type: 'pkcs8' });
+    const pubKey = crypto.createPublicKey(priv);
+    return crypto.verify(
+      null,
+      Buffer.from(canonicalize(payload), 'utf8'),
+      pubKey,
+      Buffer.from(signatureB64, 'base64')
+    );
+  } catch (_) { return false; }
+}
+
+module.exports = {
+  ALGORITHM,
+  sign,
+  verify,
+  publicKey,
+  isConfigured,
+};