web-agent-bridge 3.2.0 → 3.3.0

package/server/routes/growth.js

@@ -1,962 +0,0 @@
-/**
- * WAB Growth Suite v2.5 — Full API Routes
- *
- * Real, functional endpoints for all 8 modules:
- *  1. Shield / Widget  → POST /scan
- *  2. AI Safety Layer  → POST /safety/check
- *  3. WAB Score        → GET  /score/:domain, POST /score/batch
- *  4. Trust Layer      → GET  /trust/verify/:domain, POST /trust/register
- *  5. Bounty Network   → POST /bounty/submit, GET /bounty/status/:id, ...
- *  6. Data Marketplace → GET  /data/datasets, POST /data/purchase, ...
- *  7. Email Protection → POST /email/scan
- *  8. Affiliate Intel  → GET  /affiliate/analyze/:network, POST /affiliate/detect-fraud
- */
-
-const express = require('express');
-const router = express.Router();
-const crypto = require('crypto');
-const { db } = require('../models/db');
-const { authenticateToken } = require('../middleware/auth');
-const { calculateNeutralityScore } = require('../services/fairness');
-
-// ── Helpers ───────────────────────────────────────────────────────────
-function uuid() { return crypto.randomUUID ? crypto.randomUUID() : require('uuid').v4(); }
-
-function jsonParse(str, fallback = {}) {
-  try { return JSON.parse(str); } catch { return fallback; }
-}
-
-const GRADES = [
-  { min: 95, grade: 'A+', label: 'Exceptional',    color: '#22c55e' },
-  { min: 90, grade: 'A',  label: 'Excellent',      color: '#4ade80' },
-  { min: 85, grade: 'A-', label: 'Very Good',       color: '#86efac' },
-  { min: 80, grade: 'B+', label: 'Good',            color: '#a3e635' },
-  { min: 75, grade: 'B',  label: 'Above Average',   color: '#facc15' },
-  { min: 70, grade: 'B-', label: 'Satisfactory',    color: '#fbbf24' },
-  { min: 65, grade: 'C+', label: 'Below Average',   color: '#f59e0b' },
-  { min: 60, grade: 'C',  label: 'Fair',            color: '#fb923c' },
-  { min: 55, grade: 'C-', label: 'Poor',            color: '#f97316' },
-  { min: 50, grade: 'D',  label: 'Very Poor',       color: '#ef4444' },
-  { min:  0, grade: 'F',  label: 'Failing',         color: '#dc2626' },
-];
-
-function getGrade(score) {
-  for (const g of GRADES) {
-    if (score >= g.min) return g;
-  }
-  return GRADES[GRADES.length - 1];
-}
-
-// Threat pattern database (real patterns, not placeholders)
-const THREAT_PATTERNS = [
-  { pattern: /paypal|paypa[l1]/i, type: 'phishing', weight: 95 },
-  { pattern: /login.*verify|verify.*account/i, type: 'credential_phishing', weight: 90 },
-  { pattern: /free.*prize|winner.*claim/i, type: 'advance_fee_scam', weight: 85 },
-  { pattern: /bit\.ly|tinyurl|t\.co/i, type: 'url_shortener', weight: 30 },
-  { pattern: /\.xyz$|\.tk$|\.ml$|\.ga$|\.cf$/i, type: 'suspicious_tld', weight: 40 },
-  { pattern: /crypto.*invest|bitcoin.*double/i, type: 'crypto_scam', weight: 92 },
-  { pattern: /pharmacy|v[i1]agra|c[i1]al[i1]s/i, type: 'pharma_spam', weight: 70 },
-  { pattern: /download.*free|crack.*software/i, type: 'malware_lure', weight: 80 },
-  { pattern: /apple.*id.*locked|icloud.*suspend/i, type: 'phishing', weight: 93 },
-  { pattern: /bank.*transfer|wire.*urgent/i, type: 'bec_fraud', weight: 88 },
-];
-
-const PHISHING_EMAIL_PATTERNS = [
-  { pattern: /urgent|immediately|act now|expire/i, label: 'Urgency language' },
-  { pattern: /verify your (account|identity|email)/i, label: 'Account verification request' },
-  { pattern: /you have won|congratulations.*winner/i, label: 'Prize/lottery claim' },
-  { pattern: /click here|click below/i, label: 'Suspicious call-to-action' },
-  { pattern: /account.*(suspend|terminat|restrict|locked)/i, label: 'Account threat' },
-  { pattern: /confirm your (details|identity|payment)/i, label: 'Confirmation request' },
-  { pattern: /update.*(billing|payment|card) info/i, label: 'Info update request' },
-  { pattern: /\$[\d,]+.*charged|transaction.*\$[\d,]+/i, label: 'Fake charge notification' },
-];
-
-const KNOWN_NETWORKS = {
-  amazon_associates: { name: 'Amazon Associates', avg_commission: 4, avg_payout_days: 60, cookie_days: 1, trust_base: 82 },
-  shareasale:        { name: 'ShareASale',        avg_commission: 8, avg_payout_days: 20, cookie_days: 30, trust_base: 78 },
-  cj_affiliate:     { name: 'CJ Affiliate',      avg_commission: 7, avg_payout_days: 30, cookie_days: 30, trust_base: 75 },
-  clickbank:         { name: 'ClickBank',          avg_commission: 50, avg_payout_days: 45, cookie_days: 60, trust_base: 61 },
-  rakuten:           { name: 'Rakuten',            avg_commission: 5, avg_payout_days: 30, cookie_days: 30, trust_base: 73 },
-  impact:            { name: 'Impact',             avg_commission: 6, avg_payout_days: 30, cookie_days: 30, trust_base: 80 },
-  awin:              { name: 'Awin',               avg_commission: 5, avg_payout_days: 30, cookie_days: 30, trust_base: 76 },
-  partnerstack:      { name: 'PartnerStack',       avg_commission: 20, avg_payout_days: 15, cookie_days: 90, trust_base: 85 },
-};
-
-const FRAUD_PATTERNS = {
-  cookie_stuffing:    { severity: 'CRITICAL', label: 'Cookie Stuffing',       description: 'Unauthorized cookie injection to steal attribution' },
-  click_fraud:        { severity: 'CRITICAL', label: 'Click Fraud',           description: 'Automated fake clicks inflating metrics' },
-  commission_shaving: { severity: 'HIGH',     label: 'Commission Shaving',    description: 'Network reduces valid commission amounts' },
-  late_attribution:   { severity: 'HIGH',     label: 'Late Attribution',      description: 'Delayed tracking causes missed valid sales' },
-  low_cvr:            { severity: 'MEDIUM',   label: 'Low Conversion Rate',   description: 'CVR significantly below industry benchmark' },
-  payment_delays:     { severity: 'MEDIUM',   label: 'Payment Delays',        description: 'Payouts consistently later than promised' },
-  tos_changes:        { severity: 'MEDIUM',   label: 'TOS Changes',           description: 'Frequent or sudden commission/term changes' },
-};
-
-const REWARD_TIERS = {
-  CRITICAL:  { credits: 50,  label: 'Critical Threat' },
-  HIGH:      { credits: 25,  label: 'High Risk' },
-  MEDIUM:    { credits: 10,  label: 'Medium Risk' },
-  LOW:       { credits:  5,  label: 'Low Risk' },
-  DUPLICATE: { credits:  1,  label: 'Duplicate' },
-  INVALID:   { credits:  0,  label: 'Invalid' },
-};
-
-
-// ═══════════════════════════════════════════════════════════════════════
-// 1. SHIELD / WIDGET — URL Threat Scanning
-// ═══════════════════════════════════════════════════════════════════════
-
-router.post('/scan', (req, res) => {
-  const { url } = req.body;
-  if (!url) return res.status(400).json({ error: 'url is required' });
-
-  let parsedUrl;
-  try { parsedUrl = new URL(url); } catch {
-    return res.status(400).json({ error: 'Invalid URL format' });
-  }
-
-  const hostname = parsedUrl.hostname.toLowerCase();
-  let riskScore = 0;
-  const threats = [];
-
-  // Run pattern analysis
-  for (const tp of THREAT_PATTERNS) {
-    if (tp.pattern.test(url) || tp.pattern.test(hostname)) {
-      riskScore = Math.max(riskScore, tp.weight);
-      threats.push({ type: tp.type, confidence: tp.weight });
-    }
-  }
-
-  // Heuristics
-  if (hostname.length > 40) { riskScore = Math.max(riskScore, 45); threats.push({ type: 'long_domain', confidence: 45 }); }
-  if ((hostname.match(/\./g) || []).length > 4) { riskScore = Math.max(riskScore, 50); threats.push({ type: 'excessive_subdomains', confidence: 50 }); }
-  if (/\d{4,}/.test(hostname)) { riskScore = Math.max(riskScore, 35); threats.push({ type: 'numeric_domain', confidence: 35 }); }
-  if (parsedUrl.protocol === 'http:') { riskScore = Math.max(riskScore, 20); threats.push({ type: 'no_ssl', confidence: 20 }); }
-
-  // Check DB for known domains
-  const cached = db.prepare('SELECT * FROM wab_scores WHERE domain = ?').get(hostname);
-  if (cached && cached.security_score !== undefined) {
-    const secRisk = 100 - cached.security_score;
-    if (secRisk > riskScore) riskScore = secRisk;
-  }
-
-  let status = 'SAFE';
-  if (riskScore >= 80) status = 'CRITICAL';
-  else if (riskScore >= 50) status = 'WARNING';
-  else if (riskScore >= 25) status = 'NOTICE';
-
-  res.json({
-    url,
-    domain: hostname,
-    status,
-    risk_score: riskScore,
-    threats,
-    scanned_at: new Date().toISOString(),
-    powered_by: 'WAB Shield v2.5 | https://www.webagentbridge.com',
-  });
-});
-
-
-// ═══════════════════════════════════════════════════════════════════════
-// 2. AI SAFETY LAYER — Pre-navigation safety check
-// ═══════════════════════════════════════════════════════════════════════
-
-router.post('/safety/check', (req, res) => {
-  const { url, action, platform, amount, currency } = req.body;
-
-  if (!url && !platform) return res.status(400).json({ error: 'url or platform required' });
-
-  const results = { safe: true, warnings: [], blocks: [] };
-
-  // URL scan
-  if (url) {
-    let parsedUrl;
-    try { parsedUrl = new URL(url); } catch {
-      return res.status(400).json({ error: 'Invalid URL' });
-    }
-    const hostname = parsedUrl.hostname.toLowerCase();
-    let riskScore = 0;
-    for (const tp of THREAT_PATTERNS) {
-      if (tp.pattern.test(url) || tp.pattern.test(hostname)) {
-        riskScore = Math.max(riskScore, tp.weight);
-        if (tp.weight >= 80) results.blocks.push({ reason: tp.type, confidence: tp.weight });
-        else results.warnings.push({ reason: tp.type, confidence: tp.weight });
-      }
-    }
-    if (riskScore >= 80) results.safe = false;
-  }
-
-  // Fairness check for platform
-  if (platform) {
-    const site = db.prepare('SELECT * FROM sites WHERE LOWER(domain) = ? AND active = 1').get(platform.toLowerCase());
-    if (site) {
-      const score = calculateNeutralityScore(site);
-      if (score < 40) {
-        results.warnings.push({ reason: 'low_fairness', score, platform });
-      }
-      results.fairness = { platform, score, grade: getGrade(score).grade };
-    }
-  }
-
-  // Transaction safety
-  if (action === 'transaction' && amount) {
-    const numAmount = parseFloat(amount);
-    if (numAmount > 500) {
-      results.warnings.push({ reason: 'high_value_transaction', amount: numAmount, currency: currency || 'USD' });
-    }
-    if (platform && results.warnings.some(w => w.reason === 'low_fairness')) {
-      results.safe = false;
-      results.blocks.push({ reason: 'unfair_platform_transaction', platform, amount: numAmount });
-    }
-  }
-
-  res.json({
-    ...results,
-    action: action || 'navigate',
-    checked_at: new Date().toISOString(),
-    powered_by: 'WAB AI Safety Layer v2.5',
-  });
-});
-
-
-// ═══════════════════════════════════════════════════════════════════════
-// 3. WAB SCORE — Platform Transparency Rating
-// ═══════════════════════════════════════════════════════════════════════
-
-router.get('/score/:domain', (req, res) => {
-  const domain = req.params.domain.toLowerCase().replace(/^www\./, '').replace(/^https?:\/\//, '');
-  if (!domain || domain.length < 3) return res.status(400).json({ error: 'Valid domain required' });
-
-  // Check cache (valid for 24 hours)
-  const cached = db.prepare(`SELECT * FROM wab_scores WHERE domain = ? AND expires_at > datetime('now')`).get(domain);
-  if (cached) {
-    return res.json({
-      domain,
-      score: cached.overall_score,
-      fairness_score: cached.fairness_score,
-      security_score: cached.security_score,
-      grade: cached.grade,
-      grade_label: cached.grade_label,
-      details: jsonParse(cached.details),
-      computed_at: cached.computed_at,
-      cached: true,
-      powered_by: 'WAB Score v2.5',
-    });
-  }
-
-  // Compute score
-  const site = db.prepare(`SELECT * FROM sites WHERE LOWER(REPLACE(domain, 'www.', '')) = ? AND active = 1`).get(domain);
-
-  let fairnessScore = 50; // default for unknown sites
-  let securityScore = 70;
-  const details = { signals: [] };
-
-  if (site) {
-    fairnessScore = calculateNeutralityScore(site);
-    const config = jsonParse(site.config);
-
-    // Security signals
-    if (config.agentPermissions) {
-      details.signals.push({ signal: 'agent_permissions_configured', impact: '+10' });
-      securityScore += 10;
-    }
-    if (config.restrictions && Object.keys(config.restrictions).length) {
-      details.signals.push({ signal: 'restrictions_defined', impact: '+5' });
-      securityScore += 5;
-    }
-    if (config.logging) {
-      details.signals.push({ signal: 'logging_enabled', impact: '+5' });
-      securityScore += 5;
-    }
-    details.signals.push({ signal: 'wab_registered', impact: '+15' });
-    securityScore += 15;
-  } else {
-    // Unknown site — pattern-based estimation
-    if (/\.gov$/.test(domain)) { securityScore = 90; fairnessScore = 85; details.signals.push({ signal: 'government_domain', impact: '+40' }); }
-    else if (/\.edu$/.test(domain)) { securityScore = 85; fairnessScore = 80; details.signals.push({ signal: 'education_domain', impact: '+35' }); }
-    else if (/amazon\.com|google\.com|microsoft\.com|apple\.com/.test(domain)) { securityScore = 88; fairnessScore = 82; details.signals.push({ signal: 'major_platform', impact: '+30' }); }
-    else if (/\.xyz$|\.tk$|\.ml$/.test(domain)) { securityScore = 30; fairnessScore = 25; details.signals.push({ signal: 'suspicious_tld', impact: '-40' }); }
-    else { details.signals.push({ signal: 'unregistered_with_wab', impact: '-20' }); securityScore -= 10; fairnessScore -= 10; }
-  }
-
-  securityScore = Math.max(0, Math.min(100, securityScore));
-  fairnessScore = Math.max(0, Math.min(100, fairnessScore));
-  const overallScore = Math.round(fairnessScore * 0.7 + securityScore * 0.3);
-  const gradeInfo = getGrade(overallScore);
-
-  // Cache result
-  const stmt = db.prepare(`
-    INSERT OR REPLACE INTO wab_scores (domain, overall_score, fairness_score, security_score, grade, grade_label, details, computed_at, expires_at)
-    VALUES (?, ?, ?, ?, ?, ?, ?, datetime('now'), datetime('now', '+1 day'))
-  `);
-  stmt.run(domain, overallScore, fairnessScore, securityScore, gradeInfo.grade, gradeInfo.label, JSON.stringify(details));
-
-  res.json({
-    domain,
-    score: overallScore,
-    fairness_score: fairnessScore,
-    security_score: securityScore,
-    grade: gradeInfo.grade,
-    grade_label: gradeInfo.label,
-    grade_color: gradeInfo.color,
-    details,
-    computed_at: new Date().toISOString(),
-    cached: false,
-    powered_by: 'WAB Score v2.5',
-  });
-});
-
-router.post('/score/batch', (req, res) => {
-  const { domains } = req.body;
-  if (!Array.isArray(domains) || domains.length === 0) return res.status(400).json({ error: 'domains array required' });
-  if (domains.length > 50) return res.status(400).json({ error: 'Maximum 50 domains per batch' });
-
-  const results = [];
-  for (const d of domains) {
-    const domain = d.toLowerCase().replace(/^www\./, '').replace(/^https?:\/\//, '');
-    const cached = db.prepare(`SELECT * FROM wab_scores WHERE domain = ? AND expires_at > datetime('now')`).get(domain);
-    if (cached) {
-      results.push({ domain, score: cached.overall_score, grade: cached.grade, grade_label: cached.grade_label });
-    } else {
-      // Quick compute with defaults
-      let fairness = 50, security = 60;
-      const site = db.prepare(`SELECT * FROM sites WHERE LOWER(REPLACE(domain, 'www.', '')) = ? AND active = 1`).get(domain);
-      if (site) { fairness = calculateNeutralityScore(site); security = 75; }
-      const overall = Math.round(fairness * 0.7 + security * 0.3);
-      const g = getGrade(overall);
-      db.prepare(`INSERT OR REPLACE INTO wab_scores (domain, overall_score, fairness_score, security_score, grade, grade_label, details, computed_at, expires_at) VALUES (?, ?, ?, ?, ?, ?, ?, datetime('now'), datetime('now', '+1 day'))`).run(domain, overall, fairness, security, g.grade, g.label, '{}');
-      results.push({ domain, score: overall, grade: g.grade, grade_label: g.label });
-    }
-  }
-
-  results.sort((a, b) => b.score - a.score);
-  res.json({ results, count: results.length, powered_by: 'WAB Score v2.5' });
-});
-
-
-// ═══════════════════════════════════════════════════════════════════════
-// 4. TRUST LAYER PROTOCOL — Domain Trust Verification
-// ═══════════════════════════════════════════════════════════════════════
-
-router.get('/trust/verify/:domain', async (req, res) => {
-  const domain = req.params.domain.toLowerCase().replace(/^www\./, '');
-
-  // Check cache
-  const cached = db.prepare(`SELECT * FROM trust_manifests WHERE domain = ? AND last_verified_at > datetime('now', '-1 day')`).get(domain);
-  if (cached) {
-    return res.json({
-      domain,
-      verified: !!cached.verified,
-      manifest: jsonParse(cached.manifest),
-      verification: jsonParse(cached.verification_result),
-      cached: true,
-      powered_by: 'WAB Trust Layer Protocol',
-    });
-  }
-
-  // Try to fetch /.well-known/wab.json from domain
-  const warnings = [];
-  let manifest = null;
-  let verified = false;
-
-  try {
-    const controller = new AbortController();
-    const timeout = setTimeout(() => controller.abort(), 5000);
-    const response = await fetch(`https://${domain}/.well-known/wab.json`, { signal: controller.signal });
-    clearTimeout(timeout);
-
-    if (response.ok) {
-      manifest = await response.json();
-
-      // Validate manifest
-      if (manifest.wab_certified !== undefined) verified = true;
-      if (manifest.last_audit) {
-        const auditAge = (Date.now() - new Date(manifest.last_audit).getTime()) / (1000 * 60 * 60 * 24);
-        if (auditAge > 90) warnings.push('Audit older than 90 days');
-      }
-      if (!manifest.contact_email) warnings.push('No contact email specified');
-      if (!manifest.dispute_url) warnings.push('No dispute URL specified');
-    }
-  } catch {
-    warnings.push('Could not fetch /.well-known/wab.json — domain may not support WAB Trust Protocol');
-  }
-
-  const verification = {
-    has_manifest: !!manifest,
-    wab_certified: manifest?.wab_certified || false,
-    fairness_score: manifest?.fairness_score || null,
-    policies: manifest?.policies || {},
-    warnings,
-    checked_at: new Date().toISOString(),
-  };
-
-  // Cache
-  db.prepare(`INSERT OR REPLACE INTO trust_manifests (domain, manifest, verified, verification_result, last_verified_at) VALUES (?, ?, ?, ?, datetime('now'))`).run(domain, JSON.stringify(manifest || {}), verified ? 1 : 0, JSON.stringify(verification));
-
-  res.json({
-    domain,
-    verified,
-    manifest: manifest || {},
-    verification,
-    cached: false,
-    powered_by: 'WAB Trust Layer Protocol',
-  });
-});
-
-router.post('/trust/register', authenticateToken, (req, res) => {
-  const { domain, fairness_score, contact_email, dispute_url, policies } = req.body;
-  if (!domain) return res.status(400).json({ error: 'domain required' });
-
-  const manifest = {
-    wab_version: '2.5',
-    wab_certified: false, // Certification requires manual review
-    fairness_score: fairness_score || 0,
-    last_audit: new Date().toISOString().split('T')[0],
-    transparency_url: `https://${domain}/transparency`,
-    contact_email: contact_email || '',
-    dispute_url: dispute_url || '',
-    policies: {
-      hidden_fees: policies?.hidden_fees || false,
-      fair_reviews: policies?.fair_reviews || false,
-      data_privacy: policies?.data_privacy || false,
-      seller_fairness: policies?.seller_fairness || false,
-    },
-  };
-
-  db.prepare(`INSERT OR REPLACE INTO trust_manifests (domain, manifest, verified, verification_result, last_verified_at, registered_at) VALUES (?, ?, 0, ?, datetime('now'), datetime('now'))`).run(domain, JSON.stringify(manifest), JSON.stringify({ self_registered: true }));
-
-  res.json({
-    domain,
-    manifest,
-    instructions: {
-      step1: 'Host this JSON at https://' + domain + '/.well-known/wab.json',
-      step2: 'Run GET /api/growth/trust/verify/' + domain + ' to verify',
-      step3: 'After review, your site will be WAB Certified',
-    },
-    powered_by: 'WAB Trust Layer Protocol',
-  });
-});
-
-router.get('/trust/badge/:domain', async (req, res) => {
-  const domain = req.params.domain.toLowerCase().replace(/^www\./, '');
-  const cached = db.prepare('SELECT * FROM trust_manifests WHERE domain = ?').get(domain);
-
-  const verified = cached?.verified === 1;
-  const score = cached ? jsonParse(cached.manifest).fairness_score || 0 : 0;
-
-  const svg = `<svg xmlns="http://www.w3.org/2000/svg" width="200" height="32" viewBox="0 0 200 32">
-    <rect width="200" height="32" rx="4" fill="${verified ? '#22c55e' : '#64748b'}"/>
-    <text x="8" y="21" font-family="Arial" font-size="12" fill="white" font-weight="bold">${verified ? '✓ WAB Certified' : '○ WAB Unverified'}</text>
-    <text x="140" y="21" font-family="Arial" font-size="11" fill="white">${score}/100</text>
-  </svg>`;
-
-  res.set('Content-Type', 'image/svg+xml');
-  res.set('Cache-Control', 'public, max-age=3600');
-  res.send(svg);
-});
-
-
-// ═══════════════════════════════════════════════════════════════════════
-// 5. BOUNTY NETWORK — Crowdsourced Threat Reporting
-// ═══════════════════════════════════════════════════════════════════════
-
-// Auto-register reporter from authenticated user
-function getOrCreateReporter(userId) {
-  let reporter = db.prepare('SELECT * FROM bounty_reporters WHERE user_id = ?').get(userId);
-  if (!reporter) {
-    const id = uuid();
-    const token = crypto.randomBytes(24).toString('hex');
-    db.prepare('INSERT INTO bounty_reporters (id, user_id, token, display_name) VALUES (?, ?, ?, ?)').run(id, userId, token, 'Reporter');
-    reporter = db.prepare('SELECT * FROM bounty_reporters WHERE id = ?').get(id);
-  }
-  return reporter;
-}
-
-function getReporterByToken(token) {
-  return db.prepare('SELECT * FROM bounty_reporters WHERE token = ?').get(token);
-}
-
-router.post('/bounty/register', authenticateToken, (req, res) => {
-  const reporter = getOrCreateReporter(req.user.id);
-  res.json({
-    reporter_id: reporter.id,
-    token: reporter.token,
-    credits: reporter.credits,
-    message: 'Use this token in X-WAB-Reporter header for bounty submissions',
-    powered_by: 'WAB Bounty Network v2.5',
-  });
-});
-
-router.post('/bounty/submit', (req, res) => {
-  // Accept auth via header or JWT
-  const token = req.headers['x-wab-reporter'];
-  if (!token) return res.status(401).json({ error: 'X-WAB-Reporter header required. Register at /api/growth/bounty/register' });
-
-  const reporter = getReporterByToken(token);
-  if (!reporter) return res.status(403).json({ error: 'Invalid reporter token' });
-
-  const { url, category, description, evidence } = req.body;
-  if (!url || !/^https?:\/\//i.test(url)) return res.status(400).json({ error: 'Valid URL required (must start with http:// or https://)' });
-
-  const fingerprint = crypto.createHash('sha256').update(url.toLowerCase().trim()).digest('hex').substring(0, 16);
-
-  // Check duplicate
-  const existing = db.prepare('SELECT id FROM bounties WHERE fingerprint = ?').get(fingerprint);
-  if (existing) {
-    db.prepare('UPDATE bounty_reporters SET credits = credits + 1 WHERE id = ?').run(reporter.id);
-    return res.json({
-      bounty_id: existing.id,
-      status: 'DUPLICATE',
-      message: 'This URL is already in our database. Small reward for the effort.',
-      credits_earned: REWARD_TIERS.DUPLICATE.credits,
-      powered_by: 'WAB Bounty Network v2.5',
-    });
-  }
-
-  const bountyId = `BNT-${Date.now()}-${crypto.randomBytes(4).toString('hex').toUpperCase()}`;
-
-  db.prepare(`INSERT INTO bounties (id, reporter_id, url, fingerprint, category, description, evidence) VALUES (?, ?, ?, ?, ?, ?, ?)`).run(bountyId, reporter.id, url, fingerprint, category || 'phishing', description || '', evidence || '');
-  db.prepare('UPDATE bounty_reporters SET total_reports = total_reports + 1 WHERE id = ?').run(reporter.id);
-
-  // Async verification
-  setImmediate(() => verifyBountyInternal(bountyId, url, reporter.id));
-
-  res.json({
-    bounty_id: bountyId,
-    status: 'PENDING',
-    message: 'Report submitted. Automated verification in progress.',
-    powered_by: 'WAB Bounty Network v2.5',
-  });
-});
-
-function verifyBountyInternal(bountyId, url, reporterId) {
-  try {
-    let riskScore = 0;
-    for (const tp of THREAT_PATTERNS) {
-      if (tp.pattern.test(url)) riskScore = Math.max(riskScore, tp.weight);
-    }
-
-    let tier = 'INVALID';
-    if (riskScore >= 80) tier = 'CRITICAL';
-    else if (riskScore >= 60) tier = 'HIGH';
-    else if (riskScore >= 40) tier = 'MEDIUM';
-    else if (riskScore >= 20) tier = 'LOW';
-
-    const reward = REWARD_TIERS[tier];
-
-    db.prepare(`UPDATE bounties SET status = ?, reward_tier = ?, credits_awarded = ?, scan_result = ?, verified_at = datetime('now') WHERE id = ?`).run(tier === 'INVALID' ? 'REJECTED' : 'VERIFIED', tier, reward.credits, JSON.stringify({ risk_score: riskScore }), bountyId);
-
-    if (reward.credits > 0) {
-      db.prepare('UPDATE bounty_reporters SET credits = credits + ?, verified_reports = verified_reports + 1 WHERE id = ?').run(reward.credits, reporterId);
-    }
-  } catch (err) {
-    console.error(`[WAB Bounty] Verification failed for ${bountyId}:`, err.message);
-  }
-}
-
-router.get('/bounty/status/:id', (req, res) => {
-  const bounty = db.prepare('SELECT * FROM bounties WHERE id = ?').get(req.params.id);
-  if (!bounty) return res.status(404).json({ error: 'Bounty not found' });
-  res.json({
-    ...bounty,
-    scan_result: jsonParse(bounty.scan_result),
-    powered_by: 'WAB Bounty Network v2.5',
-  });
-});
-
-router.get('/bounty/balance', (req, res) => {
-  const token = req.headers['x-wab-reporter'];
-  if (!token) return res.status(401).json({ error: 'X-WAB-Reporter header required' });
-  const reporter = getReporterByToken(token);
-  if (!reporter) return res.status(403).json({ error: 'Invalid reporter token' });
-
-  res.json({
-    reporter_id: reporter.id,
-    credits: reporter.credits,
-    total_reports: reporter.total_reports,
-    verified_reports: reporter.verified_reports,
-    accuracy_rate: reporter.total_reports > 0 ? Math.round((reporter.verified_reports / reporter.total_reports) * 100) : 0,
-    powered_by: 'WAB Bounty Network v2.5',
-  });
-});
-
-router.get('/bounty/leaderboard', (req, res) => {
-  const limit = Math.min(parseInt(req.query.limit) || 10, 50);
-  const leaders = db.prepare('SELECT display_name, credits, verified_reports, total_reports FROM bounty_reporters ORDER BY credits DESC LIMIT ?').all(limit);
-  res.json({ leaderboard: leaders, powered_by: 'WAB Bounty Network v2.5' });
-});
-
-
-// ═══════════════════════════════════════════════════════════════════════
-// 6. DATA MARKETPLACE — Threat Intelligence Datasets
-// ═══════════════════════════════════════════════════════════════════════
-
-router.get('/data/datasets', (req, res) => {
-  const category = req.query.category;
-  let datasets;
-  if (category) {
-    datasets = db.prepare('SELECT id, category, title, description, record_count, format, price_base, created_at FROM datasets WHERE active = 1 AND category = ? ORDER BY created_at DESC').all(category);
-  } else {
-    datasets = db.prepare('SELECT id, category, title, description, record_count, format, price_base, created_at FROM datasets WHERE active = 1 ORDER BY created_at DESC').all();
-  }
-  res.json({
-    datasets,
-    total: datasets.length,
-    categories: ['THREAT_INTEL', 'PLATFORM_FAIR', 'PRICE_HISTORY', 'USER_BEHAVIOR', 'AFFILIATE_INTEL', 'EMAIL_THREATS'],
-    powered_by: 'WAB Data Marketplace v2.5',
-  });
-});
-
-router.get('/data/datasets/:id', (req, res) => {
-  const dataset = db.prepare('SELECT * FROM datasets WHERE id = ? AND active = 1').get(req.params.id);
-  if (!dataset) return res.status(404).json({ error: 'Dataset not found' });
-
-  const meta = jsonParse(dataset.metadata);
-  res.json({
-    ...dataset,
-    metadata: meta,
-    sample_data: jsonParse(dataset.sample_data, []),
-    license_types: {
-      RESEARCH:   { multiplier: 1, price: dataset.price_base, use: 'Non-commercial research', redistribution: false },
-      COMMERCIAL: { multiplier: 3, price: dataset.price_base * 3, use: 'Commercial products', redistribution: false },
-      ENTERPRISE: { multiplier: 8, price: dataset.price_base * 8, use: 'Any use', redistribution: true },
-      AI_TRAINING:{ multiplier: 5, price: dataset.price_base * 5, use: 'AI/ML model training', redistribution: false },
-    },
-    powered_by: 'WAB Data Marketplace v2.5',
-  });
-});
-
-router.get('/data/datasets/:id/sample', (req, res) => {
-  const dataset = db.prepare('SELECT sample_data FROM datasets WHERE id = ? AND active = 1').get(req.params.id);
-  if (!dataset) return res.status(404).json({ error: 'Dataset not found' });
-  res.json({
-    sample: jsonParse(dataset.sample_data, []),
-    note: 'This is a free preview. Purchase the full dataset for complete access.',
-    powered_by: 'WAB Data Marketplace v2.5',
-  });
-});
-
-router.post('/data/purchase', authenticateToken, (req, res) => {
-  const { dataset_id, license_type } = req.body;
-  if (!dataset_id) return res.status(400).json({ error: 'dataset_id required' });
-
-  const dataset = db.prepare('SELECT * FROM datasets WHERE id = ? AND active = 1').get(dataset_id);
-  if (!dataset) return res.status(404).json({ error: 'Dataset not found' });
-
-  const multipliers = { RESEARCH: 1, COMMERCIAL: 3, ENTERPRISE: 8, AI_TRAINING: 5 };
-  const mult = multipliers[license_type] || 1;
-  const price = dataset.price_base * mult;
-
-  const purchaseId = uuid();
-  db.prepare('INSERT INTO dataset_purchases (id, user_id, dataset_id, license_type, price_paid) VALUES (?, ?, ?, ?, ?)').run(purchaseId, req.user.id, dataset_id, license_type || 'RESEARCH', price);
-
-  res.json({
-    purchase_id: purchaseId,
-    dataset_id,
-    license_type: license_type || 'RESEARCH',
-    price_paid: price,
-    currency: 'USD',
-    status: 'completed',
-    download_url: `/api/growth/data/download/${purchaseId}`,
-    powered_by: 'WAB Data Marketplace v2.5',
-  });
-});
-
-router.get('/data/download/:purchaseId', authenticateToken, (req, res) => {
-  const purchase = db.prepare('SELECT * FROM dataset_purchases WHERE id = ? AND user_id = ?').get(req.params.purchaseId, req.user.id);
-  if (!purchase) return res.status(404).json({ error: 'Purchase not found' });
-
-  const dataset = db.prepare('SELECT * FROM datasets WHERE id = ?').get(purchase.dataset_id);
-  if (!dataset) return res.status(404).json({ error: 'Dataset no longer available' });
-
-  // Return full sample data as the "download" — in production this would be a signed S3 URL
-  res.json({
-    dataset_id: dataset.id,
-    title: dataset.title,
-    format: dataset.format,
-    record_count: dataset.record_count,
-    data: jsonParse(dataset.sample_data, []),
-    license: purchase.license_type,
-    purchased_at: purchase.purchased_at,
-    powered_by: 'WAB Data Marketplace v2.5',
-  });
-});
-
-
-// ═══════════════════════════════════════════════════════════════════════
-// 7. EMAIL PROTECTION — Email Content Scanning
-// ═══════════════════════════════════════════════════════════════════════
-
-router.post('/email/scan', (req, res) => {
-  const { subject, body, sender, urls } = req.body;
-  if (!subject && !body && !urls) return res.status(400).json({ error: 'subject, body, or urls required' });
-
-  const content = `${subject || ''} ${body || ''}`;
-  const patterns = [];
-  let riskScore = 0;
-
-  // Detect phishing patterns in text
-  for (const pp of PHISHING_EMAIL_PATTERNS) {
-    if (pp.pattern.test(content)) {
-      patterns.push(pp.label);
-      riskScore += 15;
-    }
-  }
-
-  // Extract and scan URLs
-  const urlRegex = /https?:\/\/[^\s<>"')\]]+/gi;
-  const extractedUrls = [...new Set([...(content.match(urlRegex) || []), ...(urls || [])])];
-  const urlResults = [];
-
-  for (const u of extractedUrls.slice(0, 20)) { // limit to 20 URLs
-    let urlRisk = 0;
-    const threats = [];
-    for (const tp of THREAT_PATTERNS) {
-      if (tp.pattern.test(u)) {
-        urlRisk = Math.max(urlRisk, tp.weight);
-        threats.push(tp.type);
-      }
-    }
-    urlResults.push({
-      url: u,
-      risk_score: urlRisk,
-      status: urlRisk >= 80 ? 'CRITICAL' : urlRisk >= 50 ? 'WARNING' : 'SAFE',
-      threats,
-    });
-    riskScore = Math.max(riskScore, urlRisk);
-  }
-
-  // Sender analysis
-  let senderReputation = null;
-  if (sender) {
-    const senderDomain = sender.split('@').pop()?.toLowerCase();
-    if (senderDomain) {
-      let domainRisk = 0;
-      if (/\.xyz$|\.tk$|\.ml$|\.ga$|\.cf$/.test(senderDomain)) domainRisk = 60;
-      if (/gmail\.com|outlook\.com|yahoo\.com|hotmail\.com/.test(senderDomain)) domainRisk = 10;
-      senderReputation = { domain: senderDomain, risk_score: domainRisk, status: domainRisk >= 50 ? 'WARNING' : 'SAFE' };
-    }
-  }
-
-  riskScore = Math.min(100, riskScore);
-  const overallRisk = riskScore >= 80 ? 'CRITICAL' : riskScore >= 50 ? 'WARNING' : 'SAFE';
-
-  // Log scan
-  db.prepare('INSERT INTO email_scans (sender_domain, urls_found, critical_count, warning_count, overall_risk, risk_score) VALUES (?, ?, ?, ?, ?, ?)').run(
-    senderReputation?.domain || null,
-    urlResults.length,
-    urlResults.filter(u => u.status === 'CRITICAL').length,
-    urlResults.filter(u => u.status === 'WARNING').length,
-    overallRisk,
-    riskScore
-  );
-
-  res.json({
-    overall_risk: overallRisk,
-    risk_score: riskScore,
-    urls_found: extractedUrls.length,
-    urls_scanned: urlResults,
-    critical_count: urlResults.filter(u => u.status === 'CRITICAL').length,
-    warning_count: urlResults.filter(u => u.status === 'WARNING').length,
-    sender_reputation: senderReputation,
-    phishing_patterns: patterns,
-    scanned_at: new Date().toISOString(),
-    powered_by: 'WAB Email Protection v2.5',
-  });
-});
-
-router.get('/email/stats', (req, res) => {
-  const total = db.prepare('SELECT COUNT(*) as c FROM email_scans').get().c;
-  const critical = db.prepare('SELECT COUNT(*) as c FROM email_scans WHERE overall_risk = ?').get('CRITICAL').c;
-  const last24h = db.prepare(`SELECT COUNT(*) as c FROM email_scans WHERE scanned_at > datetime('now', '-1 day')`).get().c;
-  res.json({
-    total_scans: total,
-    critical_detected: critical,
-    scans_last_24h: last24h,
-    detection_rate: total > 0 ? Math.round((critical / total) * 100) : 0,
-    powered_by: 'WAB Email Protection v2.5',
-  });
-});
-
-
-// ═══════════════════════════════════════════════════════════════════════
-// 8. AFFILIATE INTELLIGENCE — Network Fraud Detection
-// ═══════════════════════════════════════════════════════════════════════
-
-router.get('/affiliate/networks', (req, res) => {
-  const networks = Object.entries(KNOWN_NETWORKS).map(([id, info]) => ({
-    id,
-    ...info,
-  }));
-  res.json({ networks, powered_by: 'WAB Affiliate Intelligence v2.5' });
-});
-
-router.get('/affiliate/analyze/:networkId', (req, res) => {
-  const networkId = req.params.networkId.toLowerCase();
-  const network = KNOWN_NETWORKS[networkId];
-  if (!network) return res.status(404).json({ error: 'Unknown network', known_networks: Object.keys(KNOWN_NETWORKS) });
-
-  // Check cache
-  const cached = db.prepare(`SELECT * FROM affiliate_reports WHERE network_id = ? AND analyzed_at > datetime('now', '-1 day')`).get(networkId);
-  if (cached) {
-    return res.json({
-      network_id: networkId,
-      network_name: network.name,
-      risk_level: cached.risk_level,
-      trust_score: cached.trust_score,
-      fraud_types: jsonParse(cached.fraud_types, []),
-      details: jsonParse(cached.details),
-      cached: true,
-      powered_by: 'WAB Affiliate Intelligence v2.5',
-    });
-  }
-
-  // Analysis
-  const fraudTypes = [];
-  let trustScore = network.trust_base;
-
-  // Evaluate based on known metrics
-  if (network.avg_payout_days > 40) {
-    fraudTypes.push({ ...FRAUD_PATTERNS.payment_delays, data: { avg_payout_days: network.avg_payout_days, industry_avg: 30 } });
-    trustScore -= 10;
-  }
-  if (network.cookie_days <= 1) {
-    fraudTypes.push({ ...FRAUD_PATTERNS.late_attribution, data: { cookie_days: network.cookie_days, industry_avg: 30 } });
-    trustScore -= 5;
-  }
-  if (networkId === 'clickbank') {
-    fraudTypes.push({ ...FRAUD_PATTERNS.commission_shaving, data: { estimated_shaving: '12%', evidence: 'Community reports of valid sales cancelled' } });
-    trustScore -= 15;
-  }
-
-  const riskLevel = trustScore >= 80 ? 'LOW' : trustScore >= 60 ? 'MEDIUM' : trustScore >= 40 ? 'HIGH' : 'CRITICAL';
-
-  const details = {
-    avg_commission: network.avg_commission + '%',
-    avg_payout_days: network.avg_payout_days,
-    cookie_window: network.cookie_days + ' days',
-    recommendation: riskLevel === 'LOW' ? 'Safe to use' : riskLevel === 'MEDIUM' ? 'Use with caution, monitor closely' : 'Consider alternatives',
-    benchmarks: {
-      industry_avg_commission: '8%',
-      industry_avg_payout: '30 days',
-      industry_avg_cookie: '30 days',
-    },
-  };
-
-  // Cache
-  const reportId = uuid();
-  db.prepare('INSERT OR REPLACE INTO affiliate_reports (id, network_id, risk_level, fraud_types, trust_score, details) VALUES (?, ?, ?, ?, ?, ?)').run(reportId, networkId, riskLevel, JSON.stringify(fraudTypes), trustScore, JSON.stringify(details));
-
-  res.json({
-    network_id: networkId,
-    network_name: network.name,
-    risk_level: riskLevel,
-    trust_score: trustScore,
-    fraud_types: fraudTypes,
-    details,
-    cached: false,
-    powered_by: 'WAB Affiliate Intelligence v2.5',
-  });
-});
-
-router.post('/affiliate/detect-fraud', (req, res) => {
-  const { network_id, data } = req.body;
-  if (!network_id && !data) return res.status(400).json({ error: 'network_id or data required' });
-
-  const network = KNOWN_NETWORKS[network_id];
-  const detected = [];
-
-  if (data) {
-    // Analyze user-provided data
-    if (data.conversion_rate !== undefined) {
-      const expectedCVR = 2.5; // industry baseline
-      if (data.conversion_rate < expectedCVR * 0.3) {
-        detected.push({ ...FRAUD_PATTERNS.low_cvr, data: { actual: data.conversion_rate, expected: expectedCVR, ratio: (data.conversion_rate / expectedCVR * 100).toFixed(0) + '%' } });
-      }
-    }
-    if (data.epc !== undefined && network) {
-      const expectedEPC = network.avg_commission * 0.025; // rough benchmark
-      if (data.epc < expectedEPC * 0.4) {
-        detected.push({ ...FRAUD_PATTERNS.commission_shaving, data: { actual_epc: data.epc, expected_epc: expectedEPC.toFixed(2) } });
-      }
-    }
-    if (data.payment_delay !== undefined) {
-      const expected = network ? network.avg_payout_days : 30;
-      if (data.payment_delay > expected * 1.5) {
-        detected.push({ ...FRAUD_PATTERNS.payment_delays, data: { actual_days: data.payment_delay, expected_days: expected } });
-      }
-    }
-    if (data.cancelled_rate !== undefined && data.cancelled_rate > 10) {
-      detected.push({ ...FRAUD_PATTERNS.commission_shaving, data: { cancelled_rate: data.cancelled_rate + '%', threshold: '10%' } });
-    }
-  }
-
-  const riskLevel = detected.some(d => d.severity === 'CRITICAL') ? 'CRITICAL' :
-                    detected.some(d => d.severity === 'HIGH') ? 'HIGH' :
-                    detected.length > 0 ? 'MEDIUM' : 'LOW';
-
-  res.json({
-    network_id: network_id || 'custom',
-    network_name: network?.name || 'Custom Analysis',
-    risk_level: riskLevel,
-    fraud_detected: detected.length,
-    fraud_types: detected,
-    recommendation: detected.length === 0 ? 'No fraud indicators detected' :
-      riskLevel === 'CRITICAL' ? 'Immediate action required — contact network and document evidence' :
-      riskLevel === 'HIGH' ? 'Monitor closely and diversify to other networks' :
-      'Keep tracking metrics and compare monthly',
-    powered_by: 'WAB Affiliate Intelligence v2.5',
-  });
-});
-
-router.get('/affiliate/benchmarks', (req, res) => {
-  res.json({
-    benchmarks: {
-      avg_commission_rate: '8%',
-      avg_epc: '$0.45',
-      avg_conversion_rate: '2.5%',
-      avg_payout_days: 30,
-      avg_cookie_window: '30 days',
-      avg_reversal_rate: '5%',
-    },
-    by_category: {
-      SaaS: { avg_commission: '20-30%', avg_cookie: '90 days', avg_payout: '15 days' },
-      eCommerce: { avg_commission: '3-8%', avg_cookie: '1-30 days', avg_payout: '30-60 days' },
-      Finance: { avg_commission: '$50-200 per lead', avg_cookie: '30-45 days', avg_payout: '30-45 days' },
-      Travel: { avg_commission: '3-6%', avg_cookie: '7-30 days', avg_payout: '30-60 days' },
-    },
-    powered_by: 'WAB Affiliate Intelligence v2.5',
-  });
-});
-
-
-// ═══════════════════════════════════════════════════════════════════════
-// OVERVIEW — All modules status
-// ═══════════════════════════════════════════════════════════════════════
-
-router.get('/status', (req, res) => {
-  const bountyCount = db.prepare('SELECT COUNT(*) as c FROM bounties').get().c;
-  const reporterCount = db.prepare('SELECT COUNT(*) as c FROM bounty_reporters').get().c;
-  const datasetCount = db.prepare('SELECT COUNT(*) as c FROM datasets WHERE active = 1').get().c;
-  const emailScans = db.prepare('SELECT COUNT(*) as c FROM email_scans').get().c;
-  const scoreCount = db.prepare('SELECT COUNT(*) as c FROM wab_scores').get().c;
-
-  res.json({
-    suite: 'WAB Growth Suite v2.5',
-    modules: {
-      shield:      { status: 'active', endpoint: '/api/growth/scan' },
-      safety:      { status: 'active', endpoint: '/api/growth/safety/check' },
-      score:       { status: 'active', endpoint: '/api/growth/score/:domain', cached_scores: scoreCount },
-      trust:       { status: 'active', endpoint: '/api/growth/trust/verify/:domain' },
-      bounty:      { status: 'active', endpoint: '/api/growth/bounty/*', total_bounties: bountyCount, reporters: reporterCount },
-      marketplace: { status: 'active', endpoint: '/api/growth/data/*', datasets: datasetCount },
-      email:       { status: 'active', endpoint: '/api/growth/email/scan', total_scans: emailScans },
-      affiliate:   { status: 'active', endpoint: '/api/growth/affiliate/*', networks: Object.keys(KNOWN_NETWORKS).length },
-    },
-    powered_by: 'WAB Growth Suite v2.5 | https://www.webagentbridge.com',
-  });
-});
-
-
-module.exports = router;