web-agent-bridge 3.2.0 → 3.4.0

package/server/routes/gateway.js

@@ -1,157 +1,173 @@
-/**
- * WAB API Gateway Routes
- * Single entry point: /api/v1/*
- * All 10 advanced modules behind API key authentication.
- *
- * Powered by WAB — Web Agent Bridge
- * https://www.webagentbridge.com
- */
-
-'use strict';
-
-const express = require('express');
-const router = express.Router();
-const { WABKeyEngine } = require('../services/api-key-engine');
-
-const engine = new WABKeyEngine();
-
-// ─── Module Registry ───────────────────────────────────────────────────────────
-const MODULE_META = {
-  'firewall':     { name: 'Agent Firewall',          plan: 'PRO',      file: '../services/modules/agent-firewall' },
-  'notary':       { name: 'Cryptographic Notary',    plan: 'BUSINESS', file: '../services/modules/notary' },
-  'dark-pattern': { name: 'Dark Pattern Detector',   plan: 'FREE',     file: '../services/modules/dark-pattern' },
-  'bargaining':   { name: 'Collective Bargaining',   plan: 'PRO',      file: '../services/modules/collective-bargaining' },
-  'gov':          { name: 'Gov Intelligence',         plan: 'BUSINESS', file: '../services/modules/gov-intelligence' },
-  'price':        { name: 'Price Time Machine',       plan: 'FREE',     file: '../services/modules/price-time-machine' },
-  'neural':       { name: 'Neural Engine',            plan: 'PRO',      file: '../services/modules/neural' },
-  'protocol':     { name: 'WAB Protocol',             plan: 'FREE',     file: '../services/modules/protocol' },
-  'bounty':       { name: 'Bounty Network',           plan: 'FREE',     file: '../services/modules/bounty' },
-  'affiliate':    { name: 'Affiliate Intelligence',   plan: 'PRO',      file: '../services/modules/affiliate-intelligence' },
-};
-
-// ─── Extract API Key ──────────────────────────────────────────────────────────
-function extractKey(req) {
-  const auth = req.headers['authorization'] || '';
-  if (auth.startsWith('Bearer ')) return auth.slice(7).trim();
-  if (req.headers['x-wab-key']) return req.headers['x-wab-key'].trim();
-  return req.query.api_key || null;
-}
-
-// ─── Auth Middleware ──────────────────────────────────────────────────────────
-function gatewayAuth(moduleName) {
-  return (req, res, next) => {
-    const apiKey = extractKey(req);
-    if (!apiKey) {
-      return res.status(401).json({
-        error: 'Authentication required', code: 'MISSING_KEY',
-        message: 'Include your API key: Authorization: Bearer wab_live_xxx',
-        get_key: 'https://www.webagentbridge.com/workspace',
-      });
-    }
-    const validation = engine.validate(apiKey, moduleName);
-    if (!validation.valid) {
-      const status = validation.code === 'INSUFFICIENT_PLAN' ? 403 : 401;
-      return res.status(status).json(validation);
-    }
-    req.wabAuth = validation;
-    next();
-  };
-}
-
-// ─── WAB response wrapper ────────────────────────────────────────────────────
-function wabWrap(req, res, next) {
-  const originalJson = res.json.bind(res);
-  res.json = (data) => {
-    const enriched = { ...data, _wab: {
-      gateway: 'api.webagentbridge.com', module: req._wabModuleName || 'unknown',
-      plan: req.wabAuth ? req.wabAuth.plan_name : 'unknown',
-      usage: req.wabAuth ? req.wabAuth.usage : null,
-      timestamp: new Date().toISOString(), powered_by: 'WAB — Web Agent Bridge',
-    }};
-    return originalJson(enriched);
-  };
-  next();
-}
-
-// ─── Public routes (no auth) ──────────────────────────────────────────────────
-router.get('/health', (req, res) => {
-  res.json({ status: 'operational', service: 'WAB API Gateway', version: '1.0.0',
-    timestamp: new Date().toISOString(), modules: Object.keys(MODULE_META).length,
-    docs: 'https://www.webagentbridge.com/api' });
-});
-
-router.get('/plans', (req, res) => {
-  res.json({ plans: engine.getPlans() });
-});
-
-router.get('/modules', (req, res) => {
-  res.json({ modules: Object.entries(MODULE_META).map(([id, m]) => ({
-    id, name: m.name, min_plan: m.plan,
-    endpoints: `https://api.webagentbridge.com/v1/${id}/`,
-  }))});
-});
-
-// ─── Key Management ─────────────────────────────────────────────────────────
-router.post('/keys/generate', (req, res) => {
-  try {
-    const result = engine.generateKey(req.body);
-    res.status(201).json(result);
-  } catch (err) { res.status(400).json({ error: err.message }); }
-});
-
-router.post('/keys/validate', (req, res) => {
-  const apiKey = extractKey(req);
-  const result = engine.validate(apiKey, req.body.module);
-  res.status(result.valid ? 200 : 401).json(result);
-});
-
-router.get('/keys/usage', (req, res) => {
-  const apiKey = extractKey(req);
-  if (!apiKey) return res.status(401).json({ error: 'API key required' });
-  res.json(engine.getUsage(apiKey));
-});
-
-router.post('/keys/revoke', (req, res) => {
-  const apiKey = extractKey(req);
-  if (!apiKey) return res.status(401).json({ error: 'API key required' });
-  res.json(engine.revoke(apiKey, req.body.reason));
-});
-
-router.post('/keys/rotate', (req, res) => {
-  const apiKey = extractKey(req);
-  if (!apiKey) return res.status(401).json({ error: 'API key required' });
-  res.json(engine.rotate(apiKey));
-});
-
-router.get('/admin/keys', (req, res) => {
-  const apiKey = extractKey(req);
-  res.json(engine.listKeys(apiKey));
-});
-
-// ─── Mount module routers ───────────────────────────────────────────────────
-for (const [moduleId, meta] of Object.entries(MODULE_META)) {
-  try {
-    const mod = require(meta.file);
-    const moduleRouter = mod.createRouter(express);
-    router.use(`/${moduleId}`, gatewayAuth(moduleId), (req, res, next) => { req._wabModuleName = meta.name; next(); }, wabWrap, moduleRouter);
-  } catch (err) {
-    // Module not available — create a stub
-    router.use(`/${moduleId}`, gatewayAuth(moduleId), (req, res) => {
-      res.status(503).json({ error: `Module '${meta.name}' is temporarily unavailable`, code: 'MODULE_UNAVAILABLE' });
-    });
-  }
-}
-
-// ─── Module listing for admin ── ────────────────────────────────────────────
-router.get('/admin/modules', (req, res) => {
-  const apiKey = extractKey(req);
-  const validation = engine.validate(apiKey);
-  if (!validation.valid) return res.status(401).json(validation);
-
-  const modules = Object.entries(MODULE_META).map(([id, m]) => ({
-    id, name: m.name, min_plan: m.plan, status: 'active',
-  }));
-  res.json({ modules });
-});
-
-module.exports = router;
+/**
+ * WAB API Gateway Routes
+ * Single entry point: /api/v1/*
+ * All 10 advanced modules behind API key authentication.
+ *
+ * Powered by WAB — Web Agent Bridge
+ * https://www.webagentbridge.com
+ */
+
+'use strict';
+
+const express = require('express');
+const router = express.Router();
+const { WABKeyEngine } = require('../services/api-key-engine');
+
+const engine = new WABKeyEngine();
+
+// ─── Module Registry ───────────────────────────────────────────────────────────
+const MODULE_META = {
+  'firewall':     { name: 'Agent Firewall',          plan: 'PRO',      file: '../services/modules/agent-firewall' },
+  'notary':       { name: 'Cryptographic Notary',    plan: 'BUSINESS', file: '../services/modules/notary' },
+  'dark-pattern': { name: 'Dark Pattern Detector',   plan: 'FREE',     file: '../services/modules/dark-pattern' },
+  'bargaining':   { name: 'Collective Bargaining',   plan: 'PRO',      file: '../services/modules/collective-bargaining' },
+  'gov':          { name: 'Gov Intelligence',         plan: 'BUSINESS', file: '../services/modules/gov-intelligence' },
+  'price':        { name: 'Price Time Machine',       plan: 'FREE',     file: '../services/modules/price-time-machine' },
+  'neural':       { name: 'Neural Engine',            plan: 'PRO',      file: '../services/modules/neural' },
+  'protocol':     { name: 'WAB Protocol',             plan: 'FREE',     file: '../services/modules/protocol' },
+  'bounty':       { name: 'Bounty Network',           plan: 'FREE',     file: '../services/modules/bounty' },
+  'affiliate':    { name: 'Affiliate Intelligence',   plan: 'PRO',      file: '../services/modules/affiliate-intelligence' },
+};
+
+// ─── Extract API Key ──────────────────────────────────────────────────────────
+function extractKey(req) {
+  const auth = req.headers['authorization'] || '';
+  if (auth.startsWith('Bearer ')) return auth.slice(7).trim();
+  if (req.headers['x-wab-key']) return req.headers['x-wab-key'].trim();
+  return req.query.api_key || null;
+}
+
+// ─── Auth Middleware (with HTTP-method → scope mapping) ──────────────────────
+function methodToScope(method) {
+  const m = (method || 'GET').toUpperCase();
+  if (m === 'GET' || m === 'HEAD' || m === 'OPTIONS') return 'read';
+  if (m === 'DELETE') return 'admin';
+  return 'write'; // POST/PUT/PATCH
+}
+
+function gatewayAuth(moduleName, requiredScope = null) {
+  return (req, res, next) => {
+    const apiKey = extractKey(req);
+    if (!apiKey) {
+      return res.status(401).json({
+        error: 'Authentication required', code: 'MISSING_KEY',
+        message: 'Include your API key: Authorization: Bearer wab_live_xxx',
+        get_key: 'https://www.webagentbridge.com/workspace',
+      });
+    }
+    const scope = requiredScope || methodToScope(req.method);
+    const validation = engine.validate(apiKey, moduleName, scope);
+    if (!validation.valid) {
+      const status = validation.code === 'INSUFFICIENT_PLAN' ? 403
+                   : validation.code === 'INSUFFICIENT_SCOPE' ? 403
+                   : validation.code === 'RATE_LIMIT_EXCEEDED' ? 429
+                   : validation.code === 'QUOTA_EXCEEDED' ? 429
+                   : 401;
+      return res.status(status).json(validation);
+    }
+    if (validation.rotation && validation.rotation.warning) {
+      res.setHeader('X-WAB-Key-Rotation-Due', validation.rotation.rotation_due_at);
+      res.setHeader('X-WAB-Key-Rotation-Days', String(validation.rotation.days_until_due));
+    }
+    req.wabAuth = validation;
+    next();
+  };
+}
+
+// ─── WAB response wrapper ────────────────────────────────────────────────────
+function wabWrap(req, res, next) {
+  const originalJson = res.json.bind(res);
+  res.json = (data) => {
+    const enriched = { ...data, _wab: {
+      gateway: 'api.webagentbridge.com', module: req._wabModuleName || 'unknown',
+      plan: req.wabAuth ? req.wabAuth.plan_name : 'unknown',
+      usage: req.wabAuth ? req.wabAuth.usage : null,
+      timestamp: new Date().toISOString(), powered_by: 'WAB — Web Agent Bridge',
+    }};
+    return originalJson(enriched);
+  };
+  next();
+}
+
+// ─── Public routes (no auth) ──────────────────────────────────────────────────
+router.get('/health', (req, res) => {
+  res.json({ status: 'operational', service: 'WAB API Gateway', version: '1.0.0',
+    timestamp: new Date().toISOString(), modules: Object.keys(MODULE_META).length,
+    docs: 'https://www.webagentbridge.com/api' });
+});
+
+router.get('/plans', (req, res) => {
+  res.json({ plans: engine.getPlans() });
+});
+
+router.get('/modules', (req, res) => {
+  res.json({ modules: Object.entries(MODULE_META).map(([id, m]) => ({
+    id, name: m.name, min_plan: m.plan,
+    endpoints: `https://api.webagentbridge.com/v1/${id}/`,
+  }))});
+});
+
+// ─── Key Management ─────────────────────────────────────────────────────────
+router.post('/keys/generate', (req, res) => {
+  try {
+    const result = engine.generateKey(req.body);
+    res.status(201).json(result);
+  } catch (err) { res.status(400).json({ error: err.message }); }
+});
+
+router.post('/keys/validate', (req, res) => {
+  const apiKey = extractKey(req);
+  const result = engine.validate(apiKey, req.body.module);
+  res.status(result.valid ? 200 : 401).json(result);
+});
+
+router.get('/keys/usage', (req, res) => {
+  const apiKey = extractKey(req);
+  if (!apiKey) return res.status(401).json({ error: 'API key required' });
+  res.json(engine.getUsage(apiKey));
+});
+
+router.post('/keys/revoke', (req, res) => {
+  const apiKey = extractKey(req);
+  if (!apiKey) return res.status(401).json({ error: 'API key required' });
+  res.json(engine.revoke(apiKey, req.body.reason));
+});
+
+router.post('/keys/rotate', (req, res) => {
+  const apiKey = extractKey(req);
+  if (!apiKey) return res.status(401).json({ error: 'API key required' });
+  res.json(engine.rotate(apiKey));
+});
+
+router.get('/admin/keys', (req, res) => {
+  const apiKey = extractKey(req);
+  res.json(engine.listKeys(apiKey));
+});
+
+// ─── Mount module routers ───────────────────────────────────────────────────
+for (const [moduleId, meta] of Object.entries(MODULE_META)) {
+  try {
+    const mod = require(meta.file);
+    const moduleRouter = mod.createRouter(express);
+    router.use(`/${moduleId}`, gatewayAuth(moduleId), (req, res, next) => { req._wabModuleName = meta.name; next(); }, wabWrap, moduleRouter);
+  } catch (err) {
+    // Module not available — create a stub
+    router.use(`/${moduleId}`, gatewayAuth(moduleId), (req, res) => {
+      res.status(503).json({ error: `Module '${meta.name}' is temporarily unavailable`, code: 'MODULE_UNAVAILABLE' });
+    });
+  }
+}
+
+// ─── Module listing for admin ── ────────────────────────────────────────────
+router.get('/admin/modules', (req, res) => {
+  const apiKey = extractKey(req);
+  const validation = engine.validate(apiKey);
+  if (!validation.valid) return res.status(401).json(validation);
+
+  const modules = Object.entries(MODULE_META).map(([id, m]) => ({
+    id, name: m.name, min_plan: m.plan, status: 'active',
+  }));
+  res.json({ modules });
+});
+
+module.exports = router;

package/server/routes/governance.js

@@ -0,0 +1,208 @@
+/**
+ * WAB Agent Governance Routes
+ * Mounted at /api/governance
+ *
+ * Auth model:
+ *   - Agent endpoints: Bearer <agent_token> in Authorization header
+ *     OR ?agent_id=...&agent_token=... query params (for SDKs without headers)
+ *   - Owner/human endpoints (kill, decide approval): same agent token works
+ *     for the owner of that agent. (Future: owner-level user auth.)
+ */
+
+'use strict';
+
+const express = require('express');
+const gov = require('../services/governance');
+
+const router = express.Router();
+
+// ───────────────────────── auth middleware ────
+function requireAgent(req, res, next) {
+  const auth = req.headers.authorization || '';
+  const headerToken = auth.startsWith('Bearer ') ? auth.slice(7).trim() : null;
+  const agentId = req.params.agentId || req.body?.agent_id || req.query?.agent_id;
+  const token   = headerToken || req.body?.agent_token || req.query?.agent_token;
+  const a = gov.authAgent(agentId, token);
+  if (!a) return res.status(401).json({ error: 'invalid_agent_credentials' });
+  req.agent = a;
+  next();
+}
+
+// ───────────────────────── lifecycle ────
+// Register a new agent. Returns the one-time token. Public — anyone can create
+// an agent identity for themselves; rate-limited by the parent app.
+router.post('/agents', (req, res) => {
+  try {
+    const { agent_id, owner_id, display_name, metadata } = req.body || {};
+    const out = gov.registerAgent({
+      agentId: agent_id, ownerId: owner_id,
+      displayName: display_name, metadata,
+    });
+    res.status(201).json({
+      agent_id: out.agentId,
+      agent_token: out.agentToken,   // shown ONCE — caller must store it
+      message: 'Save the agent_token now; it cannot be retrieved later.',
+    });
+  } catch (e) {
+    if (String(e.message).includes('UNIQUE')) {
+      return res.status(409).json({ error: 'agent_id_exists' });
+    }
+    res.status(500).json({ error: 'register_failed', detail: e.message });
+  }
+});
+
+router.get('/agents/:agentId/status', requireAgent, (req, res) => {
+  const s = gov.getStatus(req.agent.agent_id);
+  res.json(s);
+});
+
+// Kill switch — agent self-kill or external trigger with valid token.
+router.post('/agents/:agentId/kill', requireAgent, (req, res) => {
+  const reason = req.body?.reason || 'manual';
+  const ok = gov.killAgent(req.agent.agent_id, reason);
+  res.json({ ok, status: 'killed', reason });
+});
+
+router.post('/agents/:agentId/revive', requireAgent, (req, res) => {
+  const reason = req.body?.reason || 'manual_revive';
+  const ok = gov.reviveAgent(req.agent.agent_id, reason);
+  res.json({ ok, status: 'alive', reason });
+});
+
+// ───────────────────────── policies ────
+router.get('/agents/:agentId/policies', requireAgent, (req, res) => {
+  res.json({ policies: gov.listPolicies(req.agent.agent_id) });
+});
+
+router.post('/agents/:agentId/policies', requireAgent, (req, res) => {
+  const b = req.body || {};
+  if (!b.resource || !b.action) {
+    return res.status(400).json({ error: 'missing_fields', need: ['resource', 'action'] });
+  }
+  const r = gov.definePolicy({
+    agentId:        req.agent.agent_id,
+    resource:       String(b.resource),
+    action:         String(b.action),
+    scope:          b.scope || null,
+    maxAmount:      b.max_amount,
+    currency:       b.currency,
+    dailyCap:       b.daily_cap,
+    perCallRate:    b.per_call_rate,
+    requiresApproval: !!b.requires_approval,
+    effect:         b.effect === 'deny' ? 'deny' : 'allow',
+    expiresAt:      b.expires_at || null,
+  });
+  res.status(201).json({ ok: true, id: r.id });
+});
+
+router.delete('/agents/:agentId/policies/:id', requireAgent, (req, res) => {
+  const ok = gov.deletePolicy(req.agent.agent_id, Number(req.params.id));
+  res.json({ ok });
+});
+
+// ───────────────────────── core check ────
+// Pre-action authorisation. Agent calls this BEFORE executing.
+router.post('/agents/:agentId/check', requireAgent, (req, res) => {
+  const { resource, action, scope, amount, currency } = req.body || {};
+  if (!resource || !action) {
+    return res.status(400).json({ error: 'missing_fields', need: ['resource', 'action'] });
+  }
+  const r = gov.check({
+    agentId: req.agent.agent_id, resource, action, scope, amount, currency,
+  });
+  // Audit the check itself (no params persisted by default).
+  gov.appendAudit({
+    agentId: req.agent.agent_id, eventType: 'check',
+    resource, action, scope, amount, currency,
+    decision: r.decision, reason: r.reason,
+  });
+  res.json({
+    decision: r.decision,
+    reason:   r.reason,
+    policy_id: r.policy?.id || null,
+    extra: r.extra || null,
+  });
+});
+
+// Agent reports an executed action (for audit + spend tracking).
+router.post('/agents/:agentId/execute', requireAgent, (req, res) => {
+  const b = req.body || {};
+  if (!b.resource || !b.action) {
+    return res.status(400).json({ error: 'missing_fields', need: ['resource', 'action'] });
+  }
+  const audit = gov.appendAudit({
+    agentId: req.agent.agent_id, eventType: 'execute',
+    resource: b.resource, action: b.action, scope: b.scope,
+    amount: b.amount, currency: b.currency,
+    decision: b.decision || 'allow', reason: b.reason || null,
+    paramsJson: b.params ? JSON.stringify(gov._internals.redact(b.params)) : null,
+    resultJson: b.result ? JSON.stringify(gov._internals.redact(b.result)) : null,
+  });
+  if (b.amount && Number(b.amount) > 0) {
+    gov.recordSpend(req.agent.agent_id, b.resource, Number(b.amount),
+      b.currency || 'USD', String(audit.id));
+  }
+  res.json({ ok: true, audit_id: audit.id, hash: audit.hash });
+});
+
+// ───────────────────────── approvals ────
+router.post('/agents/:agentId/approvals', requireAgent, (req, res) => {
+  const b = req.body || {};
+  if (!b.resource || !b.action) {
+    return res.status(400).json({ error: 'missing_fields', need: ['resource', 'action'] });
+  }
+  const r = gov.requestApproval({
+    agentId: req.agent.agent_id,
+    resource: b.resource, action: b.action, scope: b.scope,
+    amount: b.amount, currency: b.currency,
+    params: b.params, reason: b.reason, ttlMs: b.ttl_ms,
+  });
+  res.status(201).json(r);
+});
+
+router.get('/agents/:agentId/approvals/pending', requireAgent, (req, res) => {
+  const limit = Math.min(500, Number(req.query.limit) || 100);
+  res.json({ pending: gov.listPendingApprovals(req.agent.agent_id, limit) });
+});
+
+router.get('/approvals/:requestId', (req, res) => {
+  const r = gov.getApproval(req.params.requestId);
+  if (!r) return res.status(404).json({ error: 'not_found' });
+  res.json(r);
+});
+
+// Human decision endpoint. Requires the agent's token (treated as owner-grade).
+// Future hardening: separate owner-level user auth.
+router.post('/approvals/:requestId/decide', (req, res) => {
+  const r = gov.getApproval(req.params.requestId);
+  if (!r) return res.status(404).json({ error: 'not_found' });
+  // Authenticate as the owner-of-the-agent.
+  const auth = req.headers.authorization || '';
+  const headerToken = auth.startsWith('Bearer ') ? auth.slice(7).trim() : null;
+  const token = headerToken || req.body?.agent_token || req.query?.agent_token;
+  const a = gov.authAgent(r.agent_id, token);
+  if (!a) return res.status(401).json({ error: 'invalid_credentials' });
+  const decision = req.body?.decision === 'approved' ? 'approved' : 'rejected';
+  const out = gov.decideApproval(req.params.requestId, {
+    decision, decidedBy: req.body?.decided_by || a.owner_id || null,
+    note: req.body?.note || null,
+  });
+  if (!out.ok) return res.status(409).json(out);
+  res.json(out);
+});
+
+// ───────────────────────── audit ────
+router.get('/agents/:agentId/audit', requireAgent, (req, res) => {
+  const limit = Math.min(1000, Number(req.query.limit) || 200);
+  const since = req.query.since || null;
+  const eventType = req.query.event || null;
+  res.json({
+    audit: gov.getAudit(req.agent.agent_id, { limit, since, eventType }),
+  });
+});
+
+router.get('/agents/:agentId/audit/verify', requireAgent, (req, res) => {
+  res.json(gov.verifyAuditChain(req.agent.agent_id));
+});
+
+module.exports = router;