web-agent-bridge 3.15.0 → 3.17.0

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "web-agent-bridge",
-  "version": "3.15.0",
+  "version": "3.17.0",
   "description": "Agent Transaction Bridge — the trust + transaction layer for agentic commerce. Signed intent contracts, idempotent transactions, Ed25519-verifiable receipts, explicit compensation. Plus the original WAB stack: sovereign browser, ShieldQR, SSL health, DNS discovery, agent mesh, and unified gateway for safe AI–website interaction.",
   "author": "Web Agent Bridge <dev@webagentbridge.com>",
   "main": "server/index.js",

package/public/dashboard.html

@@ -39,6 +39,7 @@
         <a href="#" data-view="analytics">📈 Analytics</a>
         <a href="/providers">🔗 DNS Providers</a>
         <a href="/dashboard/shieldlink">🔗 ShieldLink</a>
+        <a href="/webhooks.html">📡 Webhooks</a>
         <a href="#" data-view="billing">💳 Billing</a>
         <a href="#" data-view="settings">⚙️ Settings</a>
         <a href="/docs" style="margin-top:20px;">📖 Documentation</a>

package/public/webhooks.html

@@ -0,0 +1,181 @@
+<!doctype html>
+<html lang="en">
+<head>
+<meta charset="utf-8" />
+<meta name="viewport" content="width=device-width,initial-scale=1" />
+<title>Webhooks · Web Agent Bridge</title>
+<link rel="stylesheet" href="/css/dashboard.css" />
+<style>
+  body { background: #f7f8fa; color: #111; font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', Roboto, sans-serif; margin: 0; }
+  .wrap { max-width: 980px; margin: 0 auto; padding: 32px 24px; }
+  h1 { margin: 0 0 8px; font-size: 28px; }
+  .lede { color: #555; margin: 0 0 28px; }
+  .card { background: #fff; border: 1px solid #e6e7ea; border-radius: 12px; padding: 20px; margin-bottom: 20px; box-shadow: 0 1px 2px rgba(0,0,0,.03); }
+  .row { display: flex; gap: 12px; flex-wrap: wrap; align-items: center; }
+  input, select, button { font: inherit; padding: 9px 12px; border-radius: 8px; border: 1px solid #cfd1d6; background: #fff; }
+  input { flex: 1 1 280px; min-width: 240px; }
+  button { background: #111; color: #fff; border-color: #111; cursor: pointer; }
+  button.ghost { background: #fff; color: #111; }
+  button.danger { background: #c0392b; border-color: #c0392b; }
+  table { width: 100%; border-collapse: collapse; }
+  th, td { padding: 10px 8px; text-align: left; border-bottom: 1px solid #eee; font-size: 14px; vertical-align: top; }
+  th { color: #666; font-weight: 600; font-size: 12px; text-transform: uppercase; letter-spacing: .03em; }
+  code, .mono { font-family: ui-monospace, SFMono-Regular, Menlo, Consolas, monospace; font-size: 12px; }
+  .pill { display: inline-block; padding: 2px 8px; border-radius: 999px; font-size: 11px; font-weight: 600; }
+  .pill.ok { background: #e7f6ee; color: #146c43; }
+  .pill.off { background: #fdecea; color: #b71c1c; }
+  .pill.warn { background: #fff4e5; color: #8a5a00; }
+  .secret-box { background: #fff8e1; border: 1px solid #f1d27a; border-radius: 8px; padding: 12px; margin: 10px 0; }
+  .muted { color: #777; font-size: 13px; }
+  details summary { cursor: pointer; color: #2563eb; font-size: 13px; }
+  .empty { text-align: center; color: #888; padding: 28px; }
+</style>
+</head>
+<body>
+<div class="wrap">
+  <h1>Webhooks</h1>
+  <p class="lede">Subscribe to instant push notifications for revocation events. Each payload is HMAC-signed with your subscription secret and Ed25519-signed by the operator.</p>
+
+  <div class="card">
+    <h3 style="margin-top:0">Create subscription</h3>
+    <form id="createForm" class="row" autocomplete="off">
+      <input id="urlInput" type="url" placeholder="https://your-endpoint/webhooks" required />
+      <input id="descInput" type="text" placeholder="Optional description" style="flex: 0 1 220px" />
+      <button type="submit">Subscribe</button>
+    </form>
+    <p class="muted" style="margin: 10px 0 0">Receives <code>revocation.opened</code>, <code>revocation.reinstated</code>, <code>revocation.appeal_decided</code>. <a href="/api/webhooks/events" target="_blank">View events</a> · <a href="/api/operator-key.json" target="_blank">Operator public key</a></p>
+    <div id="secretBox" class="secret-box" style="display:none"></div>
+  </div>
+
+  <div class="card">
+    <div class="row" style="justify-content: space-between; margin-bottom: 12px">
+      <h3 style="margin: 0">Your subscriptions</h3>
+      <button class="ghost" onclick="loadSubs()">Refresh</button>
+    </div>
+    <table>
+      <thead><tr><th>URL</th><th>Events</th><th>Status</th><th>Last result</th><th></th></tr></thead>
+      <tbody id="subsBody"><tr><td colspan="5" class="empty">Loading…</td></tr></tbody>
+    </table>
+  </div>
+
+  <div class="card">
+    <h3 style="margin-top:0">Verifying a delivery</h3>
+    <p class="muted">Every request carries two signatures:</p>
+    <ol class="muted" style="line-height: 1.7">
+      <li><strong>HMAC-SHA256</strong> per subscription — header <code>X-WAB-Webhook-Signature: t=&lt;unix&gt;,v1=&lt;hex&gt;</code>. Recompute over <code>${'`${t}.${rawBody}`'}</code> with your secret.</li>
+      <li><strong>Ed25519 operator signature</strong> — header <code>X-WAB-Operator-Signature</code> + embedded <code>signature.value</code>. Fetch the public key at <code>/api/operator-key.json</code> and verify over the RFC 8785 canonicalisation of the envelope minus the <code>signature</code> field.</li>
+    </ol>
+  </div>
+</div>
+
+<script>
+const TOKEN = localStorage.getItem('wab_token');
+if (!TOKEN) { location.href = '/login.html?next=/webhooks.html'; }
+
+const H = { 'Authorization': `Bearer ${TOKEN}`, 'Content-Type': 'application/json' };
+
+async function api(method, path, body) {
+  const opts = { method, headers: H };
+  if (body !== undefined) opts.body = JSON.stringify(body);
+  const r = await fetch(path, opts);
+  const j = await r.json().catch(() => ({}));
+  if (!r.ok) throw new Error(j.message || j.error || `HTTP ${r.status}`);
+  return j.data;
+}
+
+function escape(s) {
+  return String(s == null ? '' : s).replace(/[&<>"]/g, (c) => ({ '&':'&amp;','<':'&lt;','>':'&gt;','"':'&quot;' })[c]);
+}
+
+function pill(active, lastError) {
+  if (!active) return '<span class="pill off">disabled</span>';
+  if (lastError) return '<span class="pill warn">warning</span>';
+  return '<span class="pill ok">active</span>';
+}
+
+async function loadSubs() {
+  const body = document.getElementById('subsBody');
+  body.innerHTML = '<tr><td colspan="5" class="empty">Loading…</td></tr>';
+  try {
+    const subs = await api('GET', '/api/webhooks');
+    if (!subs.length) {
+      body.innerHTML = '<tr><td colspan="5" class="empty">No subscriptions yet.</td></tr>';
+      return;
+    }
+    body.innerHTML = subs.map((s) => `
+      <tr>
+        <td><div class="mono">${escape(s.url)}</div>${s.description ? `<div class="muted">${escape(s.description)}</div>` : ''}</td>
+        <td><div class="muted">${s.events.map(escape).join('<br>')}</div></td>
+        <td>${pill(s.active, s.last_error)}</td>
+        <td>
+          ${s.last_success_at ? `<div class="muted">ok: ${escape(s.last_success_at)}</div>` : ''}
+          ${s.last_error_at ? `<div class="muted">err: ${escape(s.last_error_at)}</div>` : ''}
+          ${s.consecutive_failures ? `<div class="muted">${s.consecutive_failures} consecutive failures</div>` : ''}
+        </td>
+        <td style="text-align:right; white-space: nowrap">
+          <button class="ghost" onclick="toggle('${s.id}', ${!s.active})">${s.active ? 'Pause' : 'Resume'}</button>
+          <button class="ghost" onclick="showDeliveries('${s.id}')">Deliveries</button>
+          <button class="danger" onclick="del('${s.id}')">Delete</button>
+        </td>
+      </tr>
+      <tr id="deliv-${s.id}" style="display:none"><td colspan="5"><div id="deliv-body-${s.id}" class="muted">Loading deliveries…</div></td></tr>
+    `).join('');
+  } catch (e) {
+    body.innerHTML = `<tr><td colspan="5" class="empty">Error: ${escape(e.message)}</td></tr>`;
+  }
+}
+
+async function showDeliveries(id) {
+  const row = document.getElementById('deliv-' + id);
+  const target = document.getElementById('deliv-body-' + id);
+  if (row.style.display === 'table-row') { row.style.display = 'none'; return; }
+  row.style.display = 'table-row';
+  try {
+    const list = await api('GET', `/api/webhooks/${id}/deliveries?limit=20`);
+    if (!list.length) { target.innerHTML = 'No deliveries yet.'; return; }
+    target.innerHTML = '<table>' +
+      '<thead><tr><th>Event</th><th>Status</th><th>Attempts</th><th>Code</th><th>When</th><th>Error</th></tr></thead><tbody>' +
+      list.map((d) => `<tr>
+        <td class="mono">${escape(d.event_type)}</td>
+        <td>${escape(d.status)}</td>
+        <td>${d.attempts}</td>
+        <td>${d.last_status_code || ''}</td>
+        <td class="muted">${escape(d.delivered_at || d.created_at)}</td>
+        <td class="muted" style="max-width: 320px; word-break: break-word">${escape(d.last_error || '')}</td>
+      </tr>`).join('') + '</tbody></table>';
+  } catch (e) {
+    target.innerHTML = 'Error: ' + escape(e.message);
+  }
+}
+
+async function toggle(id, active) {
+  try { await api('PATCH', '/api/webhooks/' + id, { active }); loadSubs(); }
+  catch (e) { alert(e.message); }
+}
+
+async function del(id) {
+  if (!confirm('Delete this subscription?')) return;
+  try { await api('DELETE', '/api/webhooks/' + id); loadSubs(); }
+  catch (e) { alert(e.message); }
+}
+
+document.getElementById('createForm').addEventListener('submit', async (ev) => {
+  ev.preventDefault();
+  const url = document.getElementById('urlInput').value.trim();
+  const description = document.getElementById('descInput').value.trim() || null;
+  try {
+    const sub = await api('POST', '/api/webhooks', { url, description });
+    const box = document.getElementById('secretBox');
+    box.style.display = 'block';
+    box.innerHTML = '<strong>Subscription created.</strong> Save this secret now — it will not be shown again:' +
+      `<div class="mono" style="margin-top:8px; word-break: break-all; user-select: all">${escape(sub.secret)}</div>`;
+    document.getElementById('urlInput').value = '';
+    document.getElementById('descInput').value = '';
+    loadSubs();
+  } catch (e) { alert(e.message); }
+});
+
+loadSubs();
+</script>
+</body>
+</html>

package/server/index.js

@@ -327,6 +327,9 @@ app.use('/api/agent', apiLimiter, require('./routes/agent-prompt'));
 // (apiLimiter already applies via /api mount above; do not stack it here.)
 app.use('/api', require('./routes/network'));
 
+// ── Webhook Subscriptions v3.16.0 (Phase 4) — instant push for revocations ──
+app.use('/api/webhooks', apiLimiter, require('./routes/webhooks'));
+
 // ── WAB Commercial Foundations v3.8.0 (Partners · Trust Graph API · Governance SaaS · Enterprise Mesh) ──
 app.use('/api/partners',         apiLimiter, require('./routes/partners'));
 app.use('/api/keys',             apiLimiter, require('./routes/api-keys'));

package/server/migrations/025_revocation_webhooks.sql

@@ -0,0 +1,55 @@
+-- ─────────────────────────────────────────────────────────────────────────────
+-- Migration 025 — Webhook Subscriptions for Revocations (v3.16.0)
+--
+-- Lets ecosystem participants (agent frameworks, security tools, allow-list
+-- mirrors) subscribe to instant push notifications for revocation events
+-- instead of polling /api/trusted-domains.json every hour.
+--
+-- Delivery is best-effort with retries (3 attempts: t+0, t+30s, t+5m).
+-- Every delivery is HMAC-SHA256 signed using the subscription secret.
+-- ─────────────────────────────────────────────────────────────────────────────
+
+CREATE TABLE IF NOT EXISTS webhook_subscriptions (
+  id            TEXT PRIMARY KEY,                       -- whsub_<ulid>
+  user_id       TEXT NOT NULL,
+  url           TEXT NOT NULL,                          -- HTTPS endpoint
+  secret        TEXT NOT NULL,                          -- shared HMAC secret (base64, 32 bytes)
+  events        TEXT NOT NULL DEFAULT 'revocation.opened,revocation.reinstated,revocation.appeal_decided',
+  active        INTEGER NOT NULL DEFAULT 1,
+  description   TEXT,
+  last_success_at TEXT,
+  last_error_at TEXT,
+  last_error    TEXT,
+  consecutive_failures INTEGER NOT NULL DEFAULT 0,
+  created_at    TEXT NOT NULL DEFAULT (datetime('now')),
+  updated_at    TEXT NOT NULL DEFAULT (datetime('now'))
+);
+
+CREATE INDEX IF NOT EXISTS idx_webhook_subs_user
+  ON webhook_subscriptions(user_id, active);
+
+CREATE INDEX IF NOT EXISTS idx_webhook_subs_active
+  ON webhook_subscriptions(active);
+
+CREATE TABLE IF NOT EXISTS webhook_deliveries (
+  id            TEXT PRIMARY KEY,                       -- whd_<ulid>
+  subscription_id TEXT NOT NULL,
+  event_id      TEXT NOT NULL,                          -- evt_<ulid>
+  event_type    TEXT NOT NULL,
+  payload       TEXT NOT NULL,                          -- raw JSON body sent
+  status        TEXT NOT NULL DEFAULT 'pending'
+                CHECK (status IN ('pending','success','failed')),
+  attempts      INTEGER NOT NULL DEFAULT 0,
+  last_status_code INTEGER,
+  last_error    TEXT,
+  next_retry_at TEXT,
+  created_at    TEXT NOT NULL DEFAULT (datetime('now')),
+  delivered_at  TEXT,
+  FOREIGN KEY (subscription_id) REFERENCES webhook_subscriptions(id) ON DELETE CASCADE
+);
+
+CREATE INDEX IF NOT EXISTS idx_webhook_deliveries_sub
+  ON webhook_deliveries(subscription_id, created_at DESC);
+
+CREATE INDEX IF NOT EXISTS idx_webhook_deliveries_status
+  ON webhook_deliveries(status, next_retry_at);

package/server/routes/webhooks.js

@@ -0,0 +1,75 @@
+/**
+ * Webhook Subscriptions API (v3.16.0 — Phase 4)
+ *
+ *   POST   /api/webhooks                  — create subscription (returns secret once)
+ *   GET    /api/webhooks                  — list user's subscriptions
+ *   GET    /api/webhooks/:id              — get one
+ *   PATCH  /api/webhooks/:id              — update url/events/active/description
+ *   DELETE /api/webhooks/:id              — delete
+ *   GET    /api/webhooks/:id/deliveries   — recent delivery log
+ *   GET    /api/webhooks/events           — list supported event types
+ */
+
+'use strict';
+
+const express = require('express');
+const router = express.Router();
+
+const { authenticateToken } = require('../middleware/auth');
+const webhooks = require('../services/webhooks');
+
+function _handle(res, fn) {
+  try {
+    const out = fn();
+    res.json({ ok: true, data: out });
+  } catch (e) {
+    const status = e.statusCode || 500;
+    res.status(status).json({ ok: false, error: e.code || 'internal_error', message: e.message });
+  }
+}
+
+router.get('/events', (req, res) => {
+  res.json({ ok: true, data: { events: Array.from(webhooks.VALID_EVENTS) } });
+});
+
+router.post('/', authenticateToken, express.json({ limit: '8kb' }), (req, res) => {
+  _handle(res, () => webhooks.createSubscription({
+    userId: req.user.id,
+    url: req.body.url,
+    events: req.body.events,
+    description: req.body.description,
+  }));
+});
+
+router.get('/', authenticateToken, (req, res) => {
+  _handle(res, () => webhooks.listSubscriptions(req.user.id));
+});
+
+router.get('/:id', authenticateToken, (req, res) => {
+  _handle(res, () => webhooks.getSubscription({ id: req.params.id, userId: req.user.id }));
+});
+
+router.patch('/:id', authenticateToken, express.json({ limit: '8kb' }), (req, res) => {
+  _handle(res, () => webhooks.updateSubscription({
+    id: req.params.id,
+    userId: req.user.id,
+    url: req.body.url,
+    events: req.body.events,
+    active: req.body.active,
+    description: req.body.description,
+  }));
+});
+
+router.delete('/:id', authenticateToken, (req, res) => {
+  _handle(res, () => webhooks.deleteSubscription({ id: req.params.id, userId: req.user.id }));
+});
+
+router.get('/:id/deliveries', authenticateToken, (req, res) => {
+  _handle(res, () => webhooks.listDeliveries({
+    subscriptionId: req.params.id,
+    userId: req.user.id,
+    limit: parseInt(req.query.limit, 10) || 50,
+  }));
+});
+
+module.exports = router;

package/server/services/revocations.js

@@ -33,6 +33,29 @@ const { db } = require('../models/db');
 const { canonicalize } = require('./canonical-json');
 const { auditLog } = require('./security');
 
+function _emitWebhook(eventType, row) {
+  try {
+    const webhooks = require('./webhooks');
+    webhooks.emit(eventType, { revocation: _publicRevocationView(row) });
+  } catch (e) {
+    if (process.env.NODE_ENV !== 'test') {
+      console.warn('[revocations] webhook emit failed:', e.message);
+    }
+  }
+}
+
+function _publicRevocationView(r) {
+  if (!r) return null;
+  return {
+    id: r.id, domain: r.domain, type: r.type,
+    reason_code: r.reason_code, reason_text: r.reason_text,
+    evidence_url: r.evidence_url,
+    decided_at: r.decided_at, appeal_deadline: r.appeal_deadline,
+    status: r.status, finalized_at: r.finalized_at,
+    reinstated_at: r.reinstated_at,
+  };
+}
+
 const APPEAL_WINDOW_DAYS = Number(process.env.WAB_REVOCATION_APPEAL_DAYS || 7);
 const APPEAL_WINDOW_MS   = APPEAL_WINDOW_DAYS * 24 * 60 * 60 * 1000;
 const OPERATOR_KEY_B64   = process.env.WAB_OPERATOR_ED25519_PRIV || '';
@@ -139,7 +162,9 @@ function openRevocation({ siteId, type, reasonCode, reasonText, decidedBy, evide
     severity: type === 'revoked' ? 'critical' : 'warning',
   });
 
-  return db.prepare(`SELECT * FROM site_revocations WHERE id = ?`).get(id);
+  const inserted = db.prepare(`SELECT * FROM site_revocations WHERE id = ?`).get(id);
+  if (type !== 'owner_disable') _emitWebhook('revocation.opened', inserted);
+  return inserted;
 }
 
 /**
@@ -253,7 +278,10 @@ function decideAppeal({ revocationId, decision, decisionReason, adminId }) {
     severity: decision === 'rejected' ? 'warning' : 'info',
   });
 
-  return db.prepare(`SELECT * FROM site_revocations WHERE id = ?`).get(revocationId);
+  const updated = db.prepare(`SELECT * FROM site_revocations WHERE id = ?`).get(revocationId);
+  _emitWebhook('revocation.appeal_decided', { ...updated, _decision: decision });
+  if (decision === 'upheld') _emitWebhook('revocation.reinstated', updated);
+  return updated;
 }
 
 /**
@@ -280,7 +308,9 @@ function reinstate({ revocationId, actorId, actorType = 'admin', reason }) {
     details: { domain: rev.domain, reason: reason || null },
   });
 
-  return db.prepare(`SELECT * FROM site_revocations WHERE id = ?`).get(revocationId);
+  const updated = db.prepare(`SELECT * FROM site_revocations WHERE id = ?`).get(revocationId);
+  _emitWebhook('revocation.reinstated', updated);
+  return updated;
 }
 
 /**

package/server/services/webhooks.js

@@ -0,0 +1,373 @@
+/**
+ * Webhook Subscriptions Service (v3.16.0 — Phase 4)
+ * ───────────────────────────────────────────────────────────────────────────
+ * Lets users subscribe HTTPS endpoints to revocation events for instant push
+ * delivery instead of polling /api/trusted-domains.json.
+ *
+ * Events:
+ *   revocation.opened           — a new suspension/revocation is issued
+ *   revocation.reinstated       — a revocation is lifted
+ *   revocation.appeal_decided   — an admin ruled on an appeal
+ *
+ * Each delivery is signed with HMAC-SHA256:
+ *   X-WAB-Webhook-Signature: t=<unix_ts>,v1=<hex>
+ *   where hex = HMAC_SHA256(secret, `${t}.${body}`)
+ *
+ * Retry policy: 3 attempts at t+0, t+30s, t+5m.
+ */
+
+'use strict';
+
+const crypto = require('crypto');
+const { db } = require('../models/db');
+const { canonicalize } = require('./canonical-json');
+const signer = require('./operator-signer');
+
+const VALID_EVENTS = new Set([
+  'revocation.opened',
+  'revocation.reinstated',
+  'revocation.appeal_decided',
+]);
+
+const RETRY_DELAYS_MS = [0, 30_000, 300_000];
+const REQUEST_TIMEOUT_MS = Number(process.env.WAB_WEBHOOK_TIMEOUT_MS || 8000);
+const MAX_SUBS_PER_USER = Number(process.env.WAB_WEBHOOK_MAX_PER_USER || 10);
+
+function _ulid(prefix) {
+  return `${prefix}_${Date.now().toString(36)}${crypto.randomBytes(8).toString('hex')}`;
+}
+
+function _normalizeUrl(url) {
+  if (!url || typeof url !== 'string') throw _err('url required', 'bad_request', 400);
+  let u;
+  try { u = new URL(url); } catch (_) { throw _err('invalid url', 'bad_request', 400); }
+  if (u.protocol !== 'https:' && !(process.env.NODE_ENV === 'test' && u.protocol === 'http:')) {
+    throw _err('url must be https', 'bad_request', 400);
+  }
+  return u.toString();
+}
+
+function _err(msg, code, status) {
+  const e = new Error(msg); e.code = code; e.statusCode = status; return e;
+}
+
+function _normalizeEvents(events) {
+  if (!events) return Array.from(VALID_EVENTS);
+  const list = Array.isArray(events) ? events : String(events).split(',').map((s) => s.trim()).filter(Boolean);
+  if (!list.length) return Array.from(VALID_EVENTS);
+  for (const e of list) {
+    if (!VALID_EVENTS.has(e)) throw _err(`unknown event: ${e}`, 'bad_event', 400);
+  }
+  return list;
+}
+
+function _publicView(row) {
+  if (!row) return null;
+  return {
+    id: row.id,
+    url: row.url,
+    events: (row.events || '').split(',').filter(Boolean),
+    active: !!row.active,
+    description: row.description || null,
+    last_success_at: row.last_success_at,
+    last_error_at: row.last_error_at,
+    last_error: row.last_error,
+    consecutive_failures: row.consecutive_failures || 0,
+    created_at: row.created_at,
+    updated_at: row.updated_at,
+  };
+}
+
+function createSubscription({ userId, url, events, description }) {
+  if (!userId) throw _err('userId required', 'bad_request', 400);
+  const normalized = _normalizeUrl(url);
+  const eventList = _normalizeEvents(events);
+  const existing = db.prepare(
+    `SELECT COUNT(*) AS n FROM webhook_subscriptions WHERE user_id = ? AND active = 1`,
+  ).get(userId).n;
+  if (existing >= MAX_SUBS_PER_USER) {
+    throw _err(`max ${MAX_SUBS_PER_USER} active subscriptions per user`, 'limit_exceeded', 429);
+  }
+  const id = _ulid('whsub');
+  const secret = crypto.randomBytes(32).toString('base64');
+  db.prepare(`
+    INSERT INTO webhook_subscriptions (id, user_id, url, secret, events, description)
+    VALUES (?, ?, ?, ?, ?, ?)
+  `).run(id, String(userId), normalized, secret, eventList.join(','), description || null);
+  const row = db.prepare(`SELECT * FROM webhook_subscriptions WHERE id = ?`).get(id);
+  // Return secret only on create — never on list/get.
+  return { ..._publicView(row), secret };
+}
+
+function listSubscriptions(userId) {
+  return db.prepare(`
+    SELECT * FROM webhook_subscriptions WHERE user_id = ? ORDER BY created_at DESC
+  `).all(String(userId)).map(_publicView);
+}
+
+function getSubscription({ id, userId }) {
+  const row = db.prepare(`SELECT * FROM webhook_subscriptions WHERE id = ?`).get(id);
+  if (!row) throw _err('not found', 'not_found', 404);
+  if (String(row.user_id) !== String(userId)) throw _err('forbidden', 'forbidden', 403);
+  return _publicView(row);
+}
+
+function updateSubscription({ id, userId, url, events, active, description }) {
+  const row = db.prepare(`SELECT * FROM webhook_subscriptions WHERE id = ?`).get(id);
+  if (!row) throw _err('not found', 'not_found', 404);
+  if (String(row.user_id) !== String(userId)) throw _err('forbidden', 'forbidden', 403);
+  const patch = {};
+  if (url !== undefined) patch.url = _normalizeUrl(url);
+  if (events !== undefined) patch.events = _normalizeEvents(events).join(',');
+  if (active !== undefined) patch.active = active ? 1 : 0;
+  if (description !== undefined) patch.description = description || null;
+  if (!Object.keys(patch).length) return _publicView(row);
+  const sets = Object.keys(patch).map((k) => `${k} = ?`).join(', ');
+  db.prepare(`UPDATE webhook_subscriptions SET ${sets}, updated_at = datetime('now') WHERE id = ?`)
+    .run(...Object.values(patch), id);
+  return _publicView(db.prepare(`SELECT * FROM webhook_subscriptions WHERE id = ?`).get(id));
+}
+
+function deleteSubscription({ id, userId }) {
+  const row = db.prepare(`SELECT user_id FROM webhook_subscriptions WHERE id = ?`).get(id);
+  if (!row) throw _err('not found', 'not_found', 404);
+  if (String(row.user_id) !== String(userId)) throw _err('forbidden', 'forbidden', 403);
+  db.prepare(`DELETE FROM webhook_subscriptions WHERE id = ?`).run(id);
+  return { id, deleted: true };
+}
+
+function listDeliveries({ subscriptionId, userId, limit = 50 }) {
+  const sub = db.prepare(`SELECT user_id FROM webhook_subscriptions WHERE id = ?`).get(subscriptionId);
+  if (!sub) throw _err('not found', 'not_found', 404);
+  if (String(sub.user_id) !== String(userId)) throw _err('forbidden', 'forbidden', 403);
+  return db.prepare(`
+    SELECT id, event_id, event_type, status, attempts, last_status_code,
+           last_error, next_retry_at, created_at, delivered_at
+      FROM webhook_deliveries
+     WHERE subscription_id = ?
+     ORDER BY created_at DESC LIMIT ?
+  `).all(subscriptionId, Math.min(Math.max(limit, 1), 200));
+}
+
+// ── Dispatch ────────────────────────────────────────────────────────────────
+
+function _sign(secret, body) {
+  const t = Math.floor(Date.now() / 1000);
+  const mac = crypto.createHmac('sha256', secret).update(`${t}.${body}`).digest('hex');
+  return { header: `t=${t},v1=${mac}`, t, mac };
+}
+
+async function _httpPost(url, body, headers) {
+  const ctrl = new AbortController();
+  const timer = setTimeout(() => ctrl.abort(), REQUEST_TIMEOUT_MS);
+  try {
+    const res = await fetch(url, {
+      method: 'POST',
+      headers: { 'Content-Type': 'application/json', ...headers },
+      body,
+      signal: ctrl.signal,
+      redirect: 'manual',
+    });
+    let text = '';
+    try { text = await res.text(); } catch (_) {}
+    return { ok: res.ok, status: res.status, body: text.slice(0, 512) };
+  } finally {
+    clearTimeout(timer);
+  }
+}
+
+async function _attemptDelivery(deliveryId, subscription, body) {
+  const { header } = _sign(subscription.secret, body);
+  const headers = {
+    'X-WAB-Webhook-Signature': header,
+    'X-WAB-Webhook-Event': subscription._eventType,
+    'X-WAB-Webhook-Id': subscription._eventId,
+    'X-WAB-Webhook-Delivery': deliveryId,
+    'User-Agent': 'web-agent-bridge-webhooks/1.0',
+  };
+  if (subscription._operatorSignature) {
+    headers['X-WAB-Operator-Signature'] = subscription._operatorSignature;
+    headers['X-WAB-Operator-Key-Url'] = '/api/operator-key.json';
+  }
+  try {
+    const res = await _httpPost(subscription.url, body, headers);
+    if (res.ok) {
+      db.prepare(`
+        UPDATE webhook_deliveries
+           SET status = 'success', attempts = attempts + 1,
+               last_status_code = ?, last_error = NULL, delivered_at = datetime('now'),
+               next_retry_at = NULL
+         WHERE id = ?
+      `).run(res.status, deliveryId);
+      db.prepare(`
+        UPDATE webhook_subscriptions
+           SET last_success_at = datetime('now'), consecutive_failures = 0,
+               updated_at = datetime('now')
+         WHERE id = ?
+      `).run(subscription.id);
+      return true;
+    }
+    _recordFailure(deliveryId, subscription.id, res.status, `HTTP ${res.status}: ${res.body}`);
+    return false;
+  } catch (e) {
+    _recordFailure(deliveryId, subscription.id, null, String(e.message || e));
+    return false;
+  }
+}
+
+function _recordFailure(deliveryId, subscriptionId, statusCode, errMsg) {
+  const row = db.prepare(`SELECT attempts FROM webhook_deliveries WHERE id = ?`).get(deliveryId);
+  const attempts = (row ? row.attempts : 0) + 1;
+  const isFinal = attempts >= RETRY_DELAYS_MS.length;
+  db.prepare(`
+    UPDATE webhook_deliveries
+       SET status = ?, attempts = ?, last_status_code = ?, last_error = ?,
+           next_retry_at = ?
+     WHERE id = ?
+  `).run(
+    isFinal ? 'failed' : 'pending',
+    attempts,
+    statusCode,
+    errMsg.slice(0, 1024),
+    isFinal ? null : new Date(Date.now() + RETRY_DELAYS_MS[attempts]).toISOString(),
+    deliveryId,
+  );
+  db.prepare(`
+    UPDATE webhook_subscriptions
+       SET last_error_at = datetime('now'), last_error = ?,
+           consecutive_failures = consecutive_failures + 1,
+           updated_at = datetime('now')
+     WHERE id = ?
+  `).run(errMsg.slice(0, 512), subscriptionId);
+}
+
+function _scheduleRetry(deliveryId, subscription, body, attempt) {
+  const delay = RETRY_DELAYS_MS[attempt];
+  if (delay === undefined) return;
+  const t = setTimeout(async () => {
+    const ok = await _attemptDelivery(deliveryId, subscription, body);
+    if (!ok) _scheduleRetry(deliveryId, subscription, body, attempt + 1);
+  }, delay);
+  if (t.unref) t.unref();
+}
+
+/**
+ * Emit an event to all matching active subscriptions. Non-blocking — schedules
+ * deliveries via setImmediate so callers (revocation flows) return fast.
+ */
+function emit(eventType, data) {
+  if (!VALID_EVENTS.has(eventType)) return 0;
+  const subs = db.prepare(`
+    SELECT * FROM webhook_subscriptions
+     WHERE active = 1 AND (',' || events || ',') LIKE ?
+  `).all(`%,${eventType},%`);
+  if (!subs.length) return 0;
+
+  const eventId = _ulid('evt');
+  const payload = {
+    id: eventId,
+    type: eventType,
+    created_at: new Date().toISOString(),
+    data,
+  };
+  // Ed25519-sign the canonical form of the payload (RFC 8785). Receivers verify
+  // with the public key published at /api/operator-key.json. If no operator key
+  // is configured, we still deliver — the HMAC signature alone is sufficient for
+  // per-subscription auth.
+  const operatorSignature = signer.isConfigured() ? signer.sign(payload) : null;
+  if (operatorSignature) {
+    payload.signature = {
+      alg: signer.ALGORITHM,
+      value: operatorSignature,
+      key_url: '/api/operator-key.json',
+      canonicalization: 'RFC8785',
+      signed_fields: ['id', 'type', 'created_at', 'data'],
+    };
+  }
+  const body = JSON.stringify(payload);
+
+  for (const sub of subs) {
+    const deliveryId = _ulid('whd');
+    db.prepare(`
+      INSERT INTO webhook_deliveries
+        (id, subscription_id, event_id, event_type, payload, status, attempts)
+      VALUES (?, ?, ?, ?, ?, 'pending', 0)
+    `).run(deliveryId, sub.id, eventId, eventType, body);
+    const enriched = {
+      ...sub,
+      _eventId: eventId,
+      _eventType: eventType,
+      _operatorSignature: operatorSignature,
+    };
+    setImmediate(async () => {
+      const ok = await _attemptDelivery(deliveryId, enriched, body);
+      if (!ok) _scheduleRetry(deliveryId, enriched, body, 1);
+    });
+  }
+  return subs.length;
+}
+
+/** Verify a delivery signature server-side (for tests + receiver SDKs). */
+function verifySignature({ secret, header, body, toleranceSec = 300 }) {
+  if (!header || typeof header !== 'string') return false;
+  const parts = Object.fromEntries(
+    header.split(',').map((p) => p.split('=').map((s) => s.trim())),
+  );
+  const t = Number(parts.t);
+  const v1 = parts.v1;
+  if (!t || !v1) return false;
+  if (Math.abs(Math.floor(Date.now() / 1000) - t) > toleranceSec) return false;
+  const expected = crypto.createHmac('sha256', secret).update(`${t}.${body}`).digest('hex');
+  try {
+    return crypto.timingSafeEqual(Buffer.from(expected, 'hex'), Buffer.from(v1, 'hex'));
+  } catch (_) { return false; }
+}
+
+/**
+ * Verify the operator (Ed25519) signature embedded inside an event body.
+ *
+ * The receiver passes the parsed JSON envelope (or the raw body string + we
+ * parse). We strip the `signature` field, RFC8785-canonicalise the remainder,
+ * and verify with the operator public key (32-byte raw, base64).
+ *
+ *   verifyOperatorSignature({ body, publicKeyB64 }) -> true | false
+ */
+function verifyOperatorSignature({ body, publicKeyB64 }) {
+  if (!body || !publicKeyB64) return false;
+  let envelope;
+  try {
+    envelope = typeof body === 'string' ? JSON.parse(body) : body;
+  } catch (_) { return false; }
+  const sigObj = envelope.signature;
+  if (!sigObj || sigObj.alg !== 'ed25519' || !sigObj.value) return false;
+
+  const { signature: _omit, ...signed } = envelope;
+  const canon = canonicalize(signed);
+
+  try {
+    const raw = Buffer.from(publicKeyB64, 'base64');
+    if (raw.length !== 32) return false;
+    // Reconstruct SPKI DER for Ed25519: 12-byte prefix + 32-byte raw.
+    const spki = Buffer.concat([
+      Buffer.from('302a300506032b6570032100', 'hex'),
+      raw,
+    ]);
+    const pub = crypto.createPublicKey({ key: spki, format: 'der', type: 'spki' });
+    return crypto.verify(null, Buffer.from(canon, 'utf8'), pub, Buffer.from(sigObj.value, 'base64'));
+  } catch (_) { return false; }
+}
+
+module.exports = {
+  createSubscription,
+  listSubscriptions,
+  getSubscription,
+  updateSubscription,
+  deleteSubscription,
+  listDeliveries,
+  emit,
+  verifySignature,
+  verifyOperatorSignature,
+  VALID_EVENTS,
+  // exposed for tests
+  _attemptDelivery,
+};