web-agent-bridge 3.2.0 → 3.3.0

package/server/utils/secureFields.js

@@ -1,50 +1,50 @@
-/**
- * Optional AES-256-GCM encryption for sensitive DB fields (e.g. SMTP password).
- * Set CREDENTIALS_ENCRYPTION_KEY (any long random string) to enable at-rest encryption.
- */
-
-const crypto = require('crypto');
-
-const PREFIX = 'enc:v1:';
-
-function getKey() {
-  const raw = process.env.CREDENTIALS_ENCRYPTION_KEY;
-  if (!raw || String(raw).length < 8) return null;
-  return crypto.createHash('sha256').update(String(raw)).digest();
-}
-
-function encryptOptional(plain) {
-  if (plain == null || plain === '') return plain;
-  const key = getKey();
-  if (!key) return plain;
-  const iv = crypto.randomBytes(12);
-  const cipher = crypto.createCipheriv('aes-256-gcm', key, iv);
-  const enc = Buffer.concat([cipher.update(String(plain), 'utf8'), cipher.final()]);
-  const tag = cipher.getAuthTag();
-  return `${PREFIX}${iv.toString('hex')}:${tag.toString('hex')}:${enc.toString('hex')}`;
-}
-
-function decryptOptional(stored) {
-  if (stored == null || stored === '') return stored;
-  if (typeof stored !== 'string' || !stored.startsWith(PREFIX)) return stored;
-  const key = getKey();
-  if (!key) {
-    console.warn('[WAB] CREDENTIALS_ENCRYPTION_KEY missing; cannot decrypt stored credential');
-    return null;
-  }
-  try {
-    const rest = stored.slice(PREFIX.length);
-    const [ivHex, tagHex, dataHex] = rest.split(':');
-    const iv = Buffer.from(ivHex, 'hex');
-    const tag = Buffer.from(tagHex, 'hex');
-    const data = Buffer.from(dataHex, 'hex');
-    const decipher = crypto.createDecipheriv('aes-256-gcm', key, iv);
-    decipher.setAuthTag(tag);
-    return Buffer.concat([decipher.update(data), decipher.final()]).toString('utf8');
-  } catch (e) {
-    console.error('[WAB] Decrypt failed:', e.message);
-    return null;
-  }
-}
-
-module.exports = { encryptOptional, decryptOptional };
+/**
+ * Optional AES-256-GCM encryption for sensitive DB fields (e.g. SMTP password).
+ * Set CREDENTIALS_ENCRYPTION_KEY (any long random string) to enable at-rest encryption.
+ */
+
+const crypto = require('crypto');
+
+const PREFIX = 'enc:v1:';
+
+function getKey() {
+  const raw = process.env.CREDENTIALS_ENCRYPTION_KEY;
+  if (!raw || String(raw).length < 8) return null;
+  return crypto.createHash('sha256').update(String(raw)).digest();
+}
+
+function encryptOptional(plain) {
+  if (plain == null || plain === '') return plain;
+  const key = getKey();
+  if (!key) return plain;
+  const iv = crypto.randomBytes(12);
+  const cipher = crypto.createCipheriv('aes-256-gcm', key, iv);
+  const enc = Buffer.concat([cipher.update(String(plain), 'utf8'), cipher.final()]);
+  const tag = cipher.getAuthTag();
+  return `${PREFIX}${iv.toString('hex')}:${tag.toString('hex')}:${enc.toString('hex')}`;
+}
+
+function decryptOptional(stored) {
+  if (stored == null || stored === '') return stored;
+  if (typeof stored !== 'string' || !stored.startsWith(PREFIX)) return stored;
+  const key = getKey();
+  if (!key) {
+    console.warn('[WAB] CREDENTIALS_ENCRYPTION_KEY missing; cannot decrypt stored credential');
+    return null;
+  }
+  try {
+    const rest = stored.slice(PREFIX.length);
+    const [ivHex, tagHex, dataHex] = rest.split(':');
+    const iv = Buffer.from(ivHex, 'hex');
+    const tag = Buffer.from(tagHex, 'hex');
+    const data = Buffer.from(dataHex, 'hex');
+    const decipher = crypto.createDecipheriv('aes-256-gcm', key, iv);
+    decipher.setAuthTag(tag);
+    return Buffer.concat([decipher.update(data), decipher.final()]).toString('utf8');
+  } catch (e) {
+    console.error('[WAB] Decrypt failed:', e.message);
+    return null;
+  }
+}
+
+module.exports = { encryptOptional, decryptOptional };

package/server/ws.js

@@ -1,161 +1,161 @@
-const WebSocket = require('ws');
-const { verifyUserToken, verifyAdminToken } = require('./config/secrets');
-const { findSiteById } = require('./models/db');
-const { isJWTRevoked, auditLog } = require('./services/security');
-
-// Map of siteId → Set of WebSocket clients
-const siteClients = new Map();
-// Per-IP connection tracking
-const ipConnections = new Map();
-const MAX_CONNECTIONS_PER_IP = 10;
-const AUTH_TIMEOUT_MS = 10_000;
-const MAX_MESSAGE_SIZE = 4096;
-const MSG_RATE_WINDOW = 60_000;
-const MSG_RATE_MAX = 30;
-
-function setupWebSocket(server) {
-  const wss = new WebSocket.Server({ server, path: '/ws/analytics', maxPayload: MAX_MESSAGE_SIZE });
-
-  wss.on('connection', (ws, req) => {
-    let authenticatedSiteId = null;
-    const clientIP = req.headers['x-forwarded-for']?.split(',')[0]?.trim() || req.socket.remoteAddress || 'unknown';
-
-    // ── Per-IP connection limit ──
-    const currentCount = ipConnections.get(clientIP) || 0;
-    if (currentCount >= MAX_CONNECTIONS_PER_IP) {
-      ws.close(1013, 'Too many connections');
-      return;
-    }
-    ipConnections.set(clientIP, currentCount + 1);
-
-    // ── Auth timeout — close if not authenticated within 10s ──
-    const authTimer = setTimeout(() => {
-      if (!authenticatedSiteId) {
-        ws.close(4001, 'Authentication timeout');
-      }
-    }, AUTH_TIMEOUT_MS);
-
-    // ── Message rate limiter ──
-    const msgTimestamps = [];
-
-    ws.isAlive = true;
-    ws.on('pong', () => { ws.isAlive = true; });
-
-    ws.on('message', (data) => {
-      // Rate limit messages
-      const now = Date.now();
-      msgTimestamps.push(now);
-      while (msgTimestamps.length > 0 && msgTimestamps[0] < now - MSG_RATE_WINDOW) {
-        msgTimestamps.shift();
-      }
-      if (msgTimestamps.length > MSG_RATE_MAX) {
-        ws.close(4008, 'Message rate limit exceeded');
-        return;
-      }
-
-      try {
-        const msg = JSON.parse(data);
-
-        if (msg.type === 'auth') {
-          if (!msg.token || !msg.siteId) {
-            ws.send(JSON.stringify({ type: 'error', message: 'token and siteId required' }));
-            return;
-          }
-
-          // Check JWT revocation before verifying
-          if (isJWTRevoked(msg.token)) {
-            ws.send(JSON.stringify({ type: 'error', message: 'Token has been revoked' }));
-            ws.close(4003, 'Token revoked');
-            return;
-          }
-
-          let decoded;
-          let isAdmin = false;
-          try {
-            decoded = verifyUserToken(msg.token);
-          } catch {
-            try {
-              decoded = verifyAdminToken(msg.token);
-              isAdmin = decoded.isAdmin === true;
-            } catch {
-              ws.send(JSON.stringify({ type: 'error', message: 'Invalid message or auth failed' }));
-              auditLog({ actorType: 'system', action: 'ws_auth_failed', ip: clientIP, outcome: 'denied', severity: 'warning' });
-              return;
-            }
-          }
-
-          if (!isAdmin) {
-            const site = findSiteById.get(msg.siteId);
-            if (!site || site.user_id !== decoded.id) {
-              ws.send(JSON.stringify({ type: 'error', message: 'Forbidden: not your site' }));
-              return;
-            }
-          }
-
-          clearTimeout(authTimer);
-          authenticatedSiteId = msg.siteId;
-          if (!siteClients.has(msg.siteId)) {
-            siteClients.set(msg.siteId, new Set());
-          }
-          siteClients.get(msg.siteId).add(ws);
-          ws.send(JSON.stringify({ type: 'auth:success', siteId: msg.siteId }));
-        } else if (!authenticatedSiteId) {
-          // Reject all non-auth messages before authentication
-          ws.send(JSON.stringify({ type: 'error', message: 'Authentication required' }));
-        }
-      } catch (e) {
-        ws.send(JSON.stringify({ type: 'error', message: 'Invalid message or auth failed' }));
-      }
-    });
-
-    ws.on('close', () => {
-      clearTimeout(authTimer);
-      // Decrement IP connection count
-      const count = ipConnections.get(clientIP) || 1;
-      if (count <= 1) ipConnections.delete(clientIP);
-      else ipConnections.set(clientIP, count - 1);
-
-      if (authenticatedSiteId && siteClients.has(authenticatedSiteId)) {
-        siteClients.get(authenticatedSiteId).delete(ws);
-        if (siteClients.get(authenticatedSiteId).size === 0) {
-          siteClients.delete(authenticatedSiteId);
-        }
-      }
-    });
-
-    ws.on('error', () => {
-      clearTimeout(authTimer);
-    });
-  });
-
-  const interval = setInterval(() => {
-    wss.clients.forEach((ws) => {
-      if (!ws.isAlive) return ws.terminate();
-      ws.isAlive = false;
-      ws.ping();
-    });
-  }, 30000);
-
-  wss.on('close', () => clearInterval(interval));
-
-  return wss;
-}
-
-function broadcastAnalytic(siteId, eventData) {
-  const clients = siteClients.get(siteId);
-  if (!clients || clients.size === 0) return;
-
-  const message = JSON.stringify({
-    type: 'analytic',
-    timestamp: new Date().toISOString(),
-    ...eventData
-  });
-
-  clients.forEach((ws) => {
-    if (ws.readyState === WebSocket.OPEN) {
-      ws.send(message);
-    }
-  });
-}
-
-module.exports = { setupWebSocket, broadcastAnalytic };
+const WebSocket = require('ws');
+const { verifyUserToken, verifyAdminToken } = require('./config/secrets');
+const { findSiteById } = require('./models/db');
+const { isJWTRevoked, auditLog } = require('./services/security');
+
+// Map of siteId → Set of WebSocket clients
+const siteClients = new Map();
+// Per-IP connection tracking
+const ipConnections = new Map();
+const MAX_CONNECTIONS_PER_IP = 10;
+const AUTH_TIMEOUT_MS = 10_000;
+const MAX_MESSAGE_SIZE = 4096;
+const MSG_RATE_WINDOW = 60_000;
+const MSG_RATE_MAX = 30;
+
+function setupWebSocket(server) {
+  const wss = new WebSocket.Server({ server, path: '/ws/analytics', maxPayload: MAX_MESSAGE_SIZE });
+
+  wss.on('connection', (ws, req) => {
+    let authenticatedSiteId = null;
+    const clientIP = req.headers['x-forwarded-for']?.split(',')[0]?.trim() || req.socket.remoteAddress || 'unknown';
+
+    // ── Per-IP connection limit ──
+    const currentCount = ipConnections.get(clientIP) || 0;
+    if (currentCount >= MAX_CONNECTIONS_PER_IP) {
+      ws.close(1013, 'Too many connections');
+      return;
+    }
+    ipConnections.set(clientIP, currentCount + 1);
+
+    // ── Auth timeout — close if not authenticated within 10s ──
+    const authTimer = setTimeout(() => {
+      if (!authenticatedSiteId) {
+        ws.close(4001, 'Authentication timeout');
+      }
+    }, AUTH_TIMEOUT_MS);
+
+    // ── Message rate limiter ──
+    const msgTimestamps = [];
+
+    ws.isAlive = true;
+    ws.on('pong', () => { ws.isAlive = true; });
+
+    ws.on('message', (data) => {
+      // Rate limit messages
+      const now = Date.now();
+      msgTimestamps.push(now);
+      while (msgTimestamps.length > 0 && msgTimestamps[0] < now - MSG_RATE_WINDOW) {
+        msgTimestamps.shift();
+      }
+      if (msgTimestamps.length > MSG_RATE_MAX) {
+        ws.close(4008, 'Message rate limit exceeded');
+        return;
+      }
+
+      try {
+        const msg = JSON.parse(data);
+
+        if (msg.type === 'auth') {
+          if (!msg.token || !msg.siteId) {
+            ws.send(JSON.stringify({ type: 'error', message: 'token and siteId required' }));
+            return;
+          }
+
+          // Check JWT revocation before verifying
+          if (isJWTRevoked(msg.token)) {
+            ws.send(JSON.stringify({ type: 'error', message: 'Token has been revoked' }));
+            ws.close(4003, 'Token revoked');
+            return;
+          }
+
+          let decoded;
+          let isAdmin = false;
+          try {
+            decoded = verifyUserToken(msg.token);
+          } catch {
+            try {
+              decoded = verifyAdminToken(msg.token);
+              isAdmin = decoded.isAdmin === true;
+            } catch {
+              ws.send(JSON.stringify({ type: 'error', message: 'Invalid message or auth failed' }));
+              auditLog({ actorType: 'system', action: 'ws_auth_failed', ip: clientIP, outcome: 'denied', severity: 'warning' });
+              return;
+            }
+          }
+
+          if (!isAdmin) {
+            const site = findSiteById.get(msg.siteId);
+            if (!site || site.user_id !== decoded.id) {
+              ws.send(JSON.stringify({ type: 'error', message: 'Forbidden: not your site' }));
+              return;
+            }
+          }
+
+          clearTimeout(authTimer);
+          authenticatedSiteId = msg.siteId;
+          if (!siteClients.has(msg.siteId)) {
+            siteClients.set(msg.siteId, new Set());
+          }
+          siteClients.get(msg.siteId).add(ws);
+          ws.send(JSON.stringify({ type: 'auth:success', siteId: msg.siteId }));
+        } else if (!authenticatedSiteId) {
+          // Reject all non-auth messages before authentication
+          ws.send(JSON.stringify({ type: 'error', message: 'Authentication required' }));
+        }
+      } catch (e) {
+        ws.send(JSON.stringify({ type: 'error', message: 'Invalid message or auth failed' }));
+      }
+    });
+
+    ws.on('close', () => {
+      clearTimeout(authTimer);
+      // Decrement IP connection count
+      const count = ipConnections.get(clientIP) || 1;
+      if (count <= 1) ipConnections.delete(clientIP);
+      else ipConnections.set(clientIP, count - 1);
+
+      if (authenticatedSiteId && siteClients.has(authenticatedSiteId)) {
+        siteClients.get(authenticatedSiteId).delete(ws);
+        if (siteClients.get(authenticatedSiteId).size === 0) {
+          siteClients.delete(authenticatedSiteId);
+        }
+      }
+    });
+
+    ws.on('error', () => {
+      clearTimeout(authTimer);
+    });
+  });
+
+  const interval = setInterval(() => {
+    wss.clients.forEach((ws) => {
+      if (!ws.isAlive) return ws.terminate();
+      ws.isAlive = false;
+      ws.ping();
+    });
+  }, 30000);
+
+  wss.on('close', () => clearInterval(interval));
+
+  return wss;
+}
+
+function broadcastAnalytic(siteId, eventData) {
+  const clients = siteClients.get(siteId);
+  if (!clients || clients.size === 0) return;
+
+  const message = JSON.stringify({
+    type: 'analytic',
+    timestamp: new Date().toISOString(),
+    ...eventData
+  });
+
+  clients.forEach((ws) => {
+    if (ws.readyState === WebSocket.OPEN) {
+      ws.send(message);
+    }
+  });
+}
+
+module.exports = { setupWebSocket, broadcastAnalytic };

package/templates/artisan-marketplace.yaml

@@ -1,104 +1,104 @@
-# WAB Agent Template — Artisan Marketplace Scout
-# Discovers handmade products from small artisans worldwide
-# Run: npx wab-agent run artisan-marketplace.yaml
-
-name: artisan-marketplace
-version: 1.0.0
-description: Discover and buy handmade products directly from artisans, not intermediaries
-author: WAB Community
-tags: [artisan, handmade, fair-trade, crafts, direct-buy]
-
-goal: >
-  Find WAB-enabled artisan shops, evaluate product authenticity and craftsmanship,
-  compare prices against mass-produced alternatives, negotiate fair prices that
-  support artisans, and verify product descriptions are accurate.
-
-target_sites:
-  discovery_method: wab-registry
-  category: artisan-crafts
-  region: global
-  fallback_urls: []
-
-parameters:
-  - name: product_type
-    type: string
-    required: true
-    description: "Type of handmade product (e.g. pottery, textiles, jewelry, leather)"
-  - name: origin_country
-    type: string
-    description: Preferred country of origin
-  - name: max_price
-    type: number
-    default: 500
-
-actions:
-  - name: discover
-    description: Find artisan shops selling the target product type
-    wab_action: discover
-
-  - name: browse_products
-    description: Browse available handmade products
-    wab_action: getProducts
-    params:
-      category: "{{product_type}}"
-      handmade: true
-
-  - name: verify_authenticity
-    description: Check product descriptions against photos
-    wab_action: verifyText
-    params:
-      fields: [material, origin, technique, dimensions]
-
-  - name: check_artisan_profile
-    description: Verify the artisan is a real person/workshop
-    wab_action: getArtisanProfile
-
-  - name: compare_prices
-    description: Compare with mass-produced alternatives for fair pricing
-    wab_action: getPrice
-    collect: true
-
-  - name: negotiate
-    description: Negotiate a fair price supporting the artisan
-    wab_action: negotiate
-    strategy: first_time
-    conditions:
-      proposed_discount: 5
-    fallback_strategy: instant_payment
-
-  - name: purchase
-    description: Purchase at agreed price
-    wab_action: buy
-    requires: [verify_authenticity]
-
-fairness_rules:
-  prefer_local: false
-  prefer_small_business: true
-  max_price: "{{max_price}}"
-  currency: USD
-  min_reputation_score: 30
-  avoid_monopolies: true
-  support_artisans: true
-
-negotiation:
-  enabled: true
-  max_rounds: 2
-  strategies:
-    - first_time
-    - instant_payment
-    - bulk_order
-  walk_away_threshold: 3
-  respect_artisan_floor: true
-
-verification:
-  anti_hallucination: true
-  cross_check_prices: true
-  verify_descriptions: true
-  require_vision_match: true
-  max_price_variance: 0.15
-
-output:
-  format: json
-  include: [artisan_name, product, material, origin, price, negotiated_price, authenticity_score, reputation]
-  sort_by: authenticity_score
-  limit: 15
+# WAB Agent Template — Artisan Marketplace Scout
+# Discovers handmade products from small artisans worldwide
+# Run: npx wab-agent run artisan-marketplace.yaml
+
+name: artisan-marketplace
+version: 1.0.0
+description: Discover and buy handmade products directly from artisans, not intermediaries
+author: WAB Community
+tags: [artisan, handmade, fair-trade, crafts, direct-buy]
+
+goal: >
+  Find WAB-enabled artisan shops, evaluate product authenticity and craftsmanship,
+  compare prices against mass-produced alternatives, negotiate fair prices that
+  support artisans, and verify product descriptions are accurate.
+
+target_sites:
+  discovery_method: wab-registry
+  category: artisan-crafts
+  region: global
+  fallback_urls: []
+
+parameters:
+  - name: product_type
+    type: string
+    required: true
+    description: "Type of handmade product (e.g. pottery, textiles, jewelry, leather)"
+  - name: origin_country
+    type: string
+    description: Preferred country of origin
+  - name: max_price
+    type: number
+    default: 500
+
+actions:
+  - name: discover
+    description: Find artisan shops selling the target product type
+    wab_action: discover
+
+  - name: browse_products
+    description: Browse available handmade products
+    wab_action: getProducts
+    params:
+      category: "{{product_type}}"
+      handmade: true
+
+  - name: verify_authenticity
+    description: Check product descriptions against photos
+    wab_action: verifyText
+    params:
+      fields: [material, origin, technique, dimensions]
+
+  - name: check_artisan_profile
+    description: Verify the artisan is a real person/workshop
+    wab_action: getArtisanProfile
+
+  - name: compare_prices
+    description: Compare with mass-produced alternatives for fair pricing
+    wab_action: getPrice
+    collect: true
+
+  - name: negotiate
+    description: Negotiate a fair price supporting the artisan
+    wab_action: negotiate
+    strategy: first_time
+    conditions:
+      proposed_discount: 5
+    fallback_strategy: instant_payment
+
+  - name: purchase
+    description: Purchase at agreed price
+    wab_action: buy
+    requires: [verify_authenticity]
+
+fairness_rules:
+  prefer_local: false
+  prefer_small_business: true
+  max_price: "{{max_price}}"
+  currency: USD
+  min_reputation_score: 30
+  avoid_monopolies: true
+  support_artisans: true
+
+negotiation:
+  enabled: true
+  max_rounds: 2
+  strategies:
+    - first_time
+    - instant_payment
+    - bulk_order
+  walk_away_threshold: 3
+  respect_artisan_floor: true
+
+verification:
+  anti_hallucination: true
+  cross_check_prices: true
+  verify_descriptions: true
+  require_vision_match: true
+  max_price_variance: 0.15
+
+output:
+  format: json
+  include: [artisan_name, product, material, origin, price, negotiated_price, authenticity_score, reputation]
+  sort_by: authenticity_score
+  limit: 15