web-agent-bridge 3.16.0 → 3.17.0

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "web-agent-bridge",
-  "version": "3.16.0",
+  "version": "3.17.0",
   "description": "Agent Transaction Bridge — the trust + transaction layer for agentic commerce. Signed intent contracts, idempotent transactions, Ed25519-verifiable receipts, explicit compensation. Plus the original WAB stack: sovereign browser, ShieldQR, SSL health, DNS discovery, agent mesh, and unified gateway for safe AI–website interaction.",
   "author": "Web Agent Bridge <dev@webagentbridge.com>",
   "main": "server/index.js",

package/public/dashboard.html

@@ -39,6 +39,7 @@
         <a href="#" data-view="analytics">📈 Analytics</a>
         <a href="/providers">🔗 DNS Providers</a>
         <a href="/dashboard/shieldlink">🔗 ShieldLink</a>
+        <a href="/webhooks.html">📡 Webhooks</a>
         <a href="#" data-view="billing">💳 Billing</a>
         <a href="#" data-view="settings">⚙️ Settings</a>
         <a href="/docs" style="margin-top:20px;">📖 Documentation</a>

package/public/webhooks.html

@@ -0,0 +1,181 @@
+<!doctype html>
+<html lang="en">
+<head>
+<meta charset="utf-8" />
+<meta name="viewport" content="width=device-width,initial-scale=1" />
+<title>Webhooks · Web Agent Bridge</title>
+<link rel="stylesheet" href="/css/dashboard.css" />
+<style>
+  body { background: #f7f8fa; color: #111; font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', Roboto, sans-serif; margin: 0; }
+  .wrap { max-width: 980px; margin: 0 auto; padding: 32px 24px; }
+  h1 { margin: 0 0 8px; font-size: 28px; }
+  .lede { color: #555; margin: 0 0 28px; }
+  .card { background: #fff; border: 1px solid #e6e7ea; border-radius: 12px; padding: 20px; margin-bottom: 20px; box-shadow: 0 1px 2px rgba(0,0,0,.03); }
+  .row { display: flex; gap: 12px; flex-wrap: wrap; align-items: center; }
+  input, select, button { font: inherit; padding: 9px 12px; border-radius: 8px; border: 1px solid #cfd1d6; background: #fff; }
+  input { flex: 1 1 280px; min-width: 240px; }
+  button { background: #111; color: #fff; border-color: #111; cursor: pointer; }
+  button.ghost { background: #fff; color: #111; }
+  button.danger { background: #c0392b; border-color: #c0392b; }
+  table { width: 100%; border-collapse: collapse; }
+  th, td { padding: 10px 8px; text-align: left; border-bottom: 1px solid #eee; font-size: 14px; vertical-align: top; }
+  th { color: #666; font-weight: 600; font-size: 12px; text-transform: uppercase; letter-spacing: .03em; }
+  code, .mono { font-family: ui-monospace, SFMono-Regular, Menlo, Consolas, monospace; font-size: 12px; }
+  .pill { display: inline-block; padding: 2px 8px; border-radius: 999px; font-size: 11px; font-weight: 600; }
+  .pill.ok { background: #e7f6ee; color: #146c43; }
+  .pill.off { background: #fdecea; color: #b71c1c; }
+  .pill.warn { background: #fff4e5; color: #8a5a00; }
+  .secret-box { background: #fff8e1; border: 1px solid #f1d27a; border-radius: 8px; padding: 12px; margin: 10px 0; }
+  .muted { color: #777; font-size: 13px; }
+  details summary { cursor: pointer; color: #2563eb; font-size: 13px; }
+  .empty { text-align: center; color: #888; padding: 28px; }
+</style>
+</head>
+<body>
+<div class="wrap">
+  <h1>Webhooks</h1>
+  <p class="lede">Subscribe to instant push notifications for revocation events. Each payload is HMAC-signed with your subscription secret and Ed25519-signed by the operator.</p>
+
+  <div class="card">
+    <h3 style="margin-top:0">Create subscription</h3>
+    <form id="createForm" class="row" autocomplete="off">
+      <input id="urlInput" type="url" placeholder="https://your-endpoint/webhooks" required />
+      <input id="descInput" type="text" placeholder="Optional description" style="flex: 0 1 220px" />
+      <button type="submit">Subscribe</button>
+    </form>
+    <p class="muted" style="margin: 10px 0 0">Receives <code>revocation.opened</code>, <code>revocation.reinstated</code>, <code>revocation.appeal_decided</code>. <a href="/api/webhooks/events" target="_blank">View events</a> · <a href="/api/operator-key.json" target="_blank">Operator public key</a></p>
+    <div id="secretBox" class="secret-box" style="display:none"></div>
+  </div>
+
+  <div class="card">
+    <div class="row" style="justify-content: space-between; margin-bottom: 12px">
+      <h3 style="margin: 0">Your subscriptions</h3>
+      <button class="ghost" onclick="loadSubs()">Refresh</button>
+    </div>
+    <table>
+      <thead><tr><th>URL</th><th>Events</th><th>Status</th><th>Last result</th><th></th></tr></thead>
+      <tbody id="subsBody"><tr><td colspan="5" class="empty">Loading…</td></tr></tbody>
+    </table>
+  </div>
+
+  <div class="card">
+    <h3 style="margin-top:0">Verifying a delivery</h3>
+    <p class="muted">Every request carries two signatures:</p>
+    <ol class="muted" style="line-height: 1.7">
+      <li><strong>HMAC-SHA256</strong> per subscription — header <code>X-WAB-Webhook-Signature: t=&lt;unix&gt;,v1=&lt;hex&gt;</code>. Recompute over <code>${'`${t}.${rawBody}`'}</code> with your secret.</li>
+      <li><strong>Ed25519 operator signature</strong> — header <code>X-WAB-Operator-Signature</code> + embedded <code>signature.value</code>. Fetch the public key at <code>/api/operator-key.json</code> and verify over the RFC 8785 canonicalisation of the envelope minus the <code>signature</code> field.</li>
+    </ol>
+  </div>
+</div>
+
+<script>
+const TOKEN = localStorage.getItem('wab_token');
+if (!TOKEN) { location.href = '/login.html?next=/webhooks.html'; }
+
+const H = { 'Authorization': `Bearer ${TOKEN}`, 'Content-Type': 'application/json' };
+
+async function api(method, path, body) {
+  const opts = { method, headers: H };
+  if (body !== undefined) opts.body = JSON.stringify(body);
+  const r = await fetch(path, opts);
+  const j = await r.json().catch(() => ({}));
+  if (!r.ok) throw new Error(j.message || j.error || `HTTP ${r.status}`);
+  return j.data;
+}
+
+function escape(s) {
+  return String(s == null ? '' : s).replace(/[&<>"]/g, (c) => ({ '&':'&amp;','<':'&lt;','>':'&gt;','"':'&quot;' })[c]);
+}
+
+function pill(active, lastError) {
+  if (!active) return '<span class="pill off">disabled</span>';
+  if (lastError) return '<span class="pill warn">warning</span>';
+  return '<span class="pill ok">active</span>';
+}
+
+async function loadSubs() {
+  const body = document.getElementById('subsBody');
+  body.innerHTML = '<tr><td colspan="5" class="empty">Loading…</td></tr>';
+  try {
+    const subs = await api('GET', '/api/webhooks');
+    if (!subs.length) {
+      body.innerHTML = '<tr><td colspan="5" class="empty">No subscriptions yet.</td></tr>';
+      return;
+    }
+    body.innerHTML = subs.map((s) => `
+      <tr>
+        <td><div class="mono">${escape(s.url)}</div>${s.description ? `<div class="muted">${escape(s.description)}</div>` : ''}</td>
+        <td><div class="muted">${s.events.map(escape).join('<br>')}</div></td>
+        <td>${pill(s.active, s.last_error)}</td>
+        <td>
+          ${s.last_success_at ? `<div class="muted">ok: ${escape(s.last_success_at)}</div>` : ''}
+          ${s.last_error_at ? `<div class="muted">err: ${escape(s.last_error_at)}</div>` : ''}
+          ${s.consecutive_failures ? `<div class="muted">${s.consecutive_failures} consecutive failures</div>` : ''}
+        </td>
+        <td style="text-align:right; white-space: nowrap">
+          <button class="ghost" onclick="toggle('${s.id}', ${!s.active})">${s.active ? 'Pause' : 'Resume'}</button>
+          <button class="ghost" onclick="showDeliveries('${s.id}')">Deliveries</button>
+          <button class="danger" onclick="del('${s.id}')">Delete</button>
+        </td>
+      </tr>
+      <tr id="deliv-${s.id}" style="display:none"><td colspan="5"><div id="deliv-body-${s.id}" class="muted">Loading deliveries…</div></td></tr>
+    `).join('');
+  } catch (e) {
+    body.innerHTML = `<tr><td colspan="5" class="empty">Error: ${escape(e.message)}</td></tr>`;
+  }
+}
+
+async function showDeliveries(id) {
+  const row = document.getElementById('deliv-' + id);
+  const target = document.getElementById('deliv-body-' + id);
+  if (row.style.display === 'table-row') { row.style.display = 'none'; return; }
+  row.style.display = 'table-row';
+  try {
+    const list = await api('GET', `/api/webhooks/${id}/deliveries?limit=20`);
+    if (!list.length) { target.innerHTML = 'No deliveries yet.'; return; }
+    target.innerHTML = '<table>' +
+      '<thead><tr><th>Event</th><th>Status</th><th>Attempts</th><th>Code</th><th>When</th><th>Error</th></tr></thead><tbody>' +
+      list.map((d) => `<tr>
+        <td class="mono">${escape(d.event_type)}</td>
+        <td>${escape(d.status)}</td>
+        <td>${d.attempts}</td>
+        <td>${d.last_status_code || ''}</td>
+        <td class="muted">${escape(d.delivered_at || d.created_at)}</td>
+        <td class="muted" style="max-width: 320px; word-break: break-word">${escape(d.last_error || '')}</td>
+      </tr>`).join('') + '</tbody></table>';
+  } catch (e) {
+    target.innerHTML = 'Error: ' + escape(e.message);
+  }
+}
+
+async function toggle(id, active) {
+  try { await api('PATCH', '/api/webhooks/' + id, { active }); loadSubs(); }
+  catch (e) { alert(e.message); }
+}
+
+async function del(id) {
+  if (!confirm('Delete this subscription?')) return;
+  try { await api('DELETE', '/api/webhooks/' + id); loadSubs(); }
+  catch (e) { alert(e.message); }
+}
+
+document.getElementById('createForm').addEventListener('submit', async (ev) => {
+  ev.preventDefault();
+  const url = document.getElementById('urlInput').value.trim();
+  const description = document.getElementById('descInput').value.trim() || null;
+  try {
+    const sub = await api('POST', '/api/webhooks', { url, description });
+    const box = document.getElementById('secretBox');
+    box.style.display = 'block';
+    box.innerHTML = '<strong>Subscription created.</strong> Save this secret now — it will not be shown again:' +
+      `<div class="mono" style="margin-top:8px; word-break: break-all; user-select: all">${escape(sub.secret)}</div>`;
+    document.getElementById('urlInput').value = '';
+    document.getElementById('descInput').value = '';
+    loadSubs();
+  } catch (e) { alert(e.message); }
+});
+
+loadSubs();
+</script>
+</body>
+</html>

package/server/services/webhooks.js

@@ -20,6 +20,8 @@
 
 const crypto = require('crypto');
 const { db } = require('../models/db');
+const { canonicalize } = require('./canonical-json');
+const signer = require('./operator-signer');
 
 const VALID_EVENTS = new Set([
   'revocation.opened',
@@ -183,6 +185,10 @@ async function _attemptDelivery(deliveryId, subscription, body) {
     'X-WAB-Webhook-Delivery': deliveryId,
     'User-Agent': 'web-agent-bridge-webhooks/1.0',
   };
+  if (subscription._operatorSignature) {
+    headers['X-WAB-Operator-Signature'] = subscription._operatorSignature;
+    headers['X-WAB-Operator-Key-Url'] = '/api/operator-key.json';
+  }
   try {
     const res = await _httpPost(subscription.url, body, headers);
     if (res.ok) {
@@ -264,6 +270,20 @@ function emit(eventType, data) {
     created_at: new Date().toISOString(),
     data,
   };
+  // Ed25519-sign the canonical form of the payload (RFC 8785). Receivers verify
+  // with the public key published at /api/operator-key.json. If no operator key
+  // is configured, we still deliver — the HMAC signature alone is sufficient for
+  // per-subscription auth.
+  const operatorSignature = signer.isConfigured() ? signer.sign(payload) : null;
+  if (operatorSignature) {
+    payload.signature = {
+      alg: signer.ALGORITHM,
+      value: operatorSignature,
+      key_url: '/api/operator-key.json',
+      canonicalization: 'RFC8785',
+      signed_fields: ['id', 'type', 'created_at', 'data'],
+    };
+  }
   const body = JSON.stringify(payload);
 
   for (const sub of subs) {
@@ -273,7 +293,12 @@ function emit(eventType, data) {
         (id, subscription_id, event_id, event_type, payload, status, attempts)
       VALUES (?, ?, ?, ?, ?, 'pending', 0)
     `).run(deliveryId, sub.id, eventId, eventType, body);
-    const enriched = { ...sub, _eventId: eventId, _eventType: eventType };
+    const enriched = {
+      ...sub,
+      _eventId: eventId,
+      _eventType: eventType,
+      _operatorSignature: operatorSignature,
+    };
     setImmediate(async () => {
       const ok = await _attemptDelivery(deliveryId, enriched, body);
       if (!ok) _scheduleRetry(deliveryId, enriched, body, 1);
@@ -298,6 +323,40 @@ function verifySignature({ secret, header, body, toleranceSec = 300 }) {
   } catch (_) { return false; }
 }
 
+/**
+ * Verify the operator (Ed25519) signature embedded inside an event body.
+ *
+ * The receiver passes the parsed JSON envelope (or the raw body string + we
+ * parse). We strip the `signature` field, RFC8785-canonicalise the remainder,
+ * and verify with the operator public key (32-byte raw, base64).
+ *
+ *   verifyOperatorSignature({ body, publicKeyB64 }) -> true | false
+ */
+function verifyOperatorSignature({ body, publicKeyB64 }) {
+  if (!body || !publicKeyB64) return false;
+  let envelope;
+  try {
+    envelope = typeof body === 'string' ? JSON.parse(body) : body;
+  } catch (_) { return false; }
+  const sigObj = envelope.signature;
+  if (!sigObj || sigObj.alg !== 'ed25519' || !sigObj.value) return false;
+
+  const { signature: _omit, ...signed } = envelope;
+  const canon = canonicalize(signed);
+
+  try {
+    const raw = Buffer.from(publicKeyB64, 'base64');
+    if (raw.length !== 32) return false;
+    // Reconstruct SPKI DER for Ed25519: 12-byte prefix + 32-byte raw.
+    const spki = Buffer.concat([
+      Buffer.from('302a300506032b6570032100', 'hex'),
+      raw,
+    ]);
+    const pub = crypto.createPublicKey({ key: spki, format: 'der', type: 'spki' });
+    return crypto.verify(null, Buffer.from(canon, 'utf8'), pub, Buffer.from(sigObj.value, 'base64'));
+  } catch (_) { return false; }
+}
+
 module.exports = {
   createSubscription,
   listSubscriptions,
@@ -307,6 +366,7 @@ module.exports = {
   listDeliveries,
   emit,
   verifySignature,
+  verifyOperatorSignature,
   VALID_EVENTS,
   // exposed for tests
   _attemptDelivery,