web-agent-bridge 3.3.0 → 3.4.0

package/public/shieldqr.html

@@ -0,0 +1,231 @@
+<!DOCTYPE html>
+<html lang="en">
+<head>
+  <meta charset="UTF-8">
+  <meta name="viewport" content="width=device-width, initial-scale=1.0">
+  <title>WAB ShieldQR — Scan QR codes safely</title>
+  <meta name="description" content="Scan any QR code in your browser and instantly verify the destination with WAB ShieldQR — DNS trust, Ed25519 signatures, SSL inspection.">
+  <link href="https://fonts.googleapis.com/css2?family=Inter:wght@400;500;600;700;800&display=swap" rel="stylesheet">
+  <link rel="stylesheet" href="/css/styles.css">
+  <style>
+    body { font-family: 'Inter', system-ui, sans-serif; margin:0; background:#0f172a; color:#e2e8f0; min-height:100vh; }
+    .wrap { max-width: 720px; margin: 0 auto; padding: 28px 18px 60px; }
+    h1 { font-size: 1.8rem; margin: 0 0 6px; display:flex; align-items:center; gap:10px; }
+    .sub { color:#94a3b8; margin: 0 0 22px; }
+    .card { background:#1e293b; border:1px solid #334155; border-radius:14px; padding:18px; margin-bottom:16px; }
+    #reader { width:100%; border-radius:10px; overflow:hidden; background:#000; }
+    #reader video { width:100%; max-height:60vh; }
+    .controls { display:flex; gap:8px; flex-wrap:wrap; margin-top:10px; }
+    .btn { padding:10px 16px; border-radius:8px; border:none; font-weight:600; cursor:pointer; font-size:.95rem; }
+    .btn-primary { background:#6366f1; color:#fff; }
+    .btn-primary:hover { background:#4f46e5; }
+    .btn-secondary { background:#334155; color:#e2e8f0; }
+    .btn-danger { background:#dc2626; color:#fff; }
+    .btn-success { background:#16a34a; color:#fff; }
+    input[type=text] { flex:1; min-width:200px; padding:10px 12px; border-radius:8px; border:1px solid #475569; background:#0f172a; color:#e2e8f0; font-size:.95rem; }
+    .verdict { padding:18px; border-radius:14px; border:2px solid; }
+    .verdict.green  { border-color:#16a34a; background:rgba(22,163,74,.08); }
+    .verdict.yellow { border-color:#ca8a04; background:rgba(202,138,4,.08); }
+    .verdict.red    { border-color:#dc2626; background:rgba(220,38,38,.08); }
+    .verdict h2 { margin:0 0 6px; font-size:1.4rem; }
+    .verdict .score { font-size:2.4rem; font-weight:800; }
+    .verdict .url { font-family: ui-monospace, Menlo, monospace; font-size:.85rem; word-break: break-all; color:#cbd5e1; margin: 6px 0 12px; }
+    .signals { margin-top:10px; }
+    .signal { padding:8px 10px; border-radius:8px; background:#0f172a; margin-bottom:6px; font-size:.85rem; display:flex; gap:8px; align-items:flex-start; }
+    .signal .sev { font-size:.7rem; font-weight:700; padding:1px 6px; border-radius:4px; text-transform:uppercase; flex-shrink:0; }
+    .sev-low    { background:#0ea5e9; color:#fff; }
+    .sev-medium { background:#ca8a04; color:#fff; }
+    .sev-high   { background:#dc2626; color:#fff; }
+    .meta { display:grid; grid-template-columns:repeat(auto-fit, minmax(140px,1fr)); gap:8px; margin-top:10px; font-size:.85rem; }
+    .meta div { background:#0f172a; padding:8px 10px; border-radius:8px; }
+    .meta .lbl { color:#94a3b8; font-size:.7rem; text-transform:uppercase; letter-spacing:.04em; }
+    .hidden { display:none !important; }
+    .footer-note { color:#64748b; font-size:.8rem; text-align:center; margin-top:30px; }
+    a { color:#a5b4fc; }
+  </style>
+  <!-- html5-qrcode loader (CSP-allowed origin) -->
+  <script src="https://unpkg.com/html5-qrcode@2.3.8/html5-qrcode.min.js"></script>
+</head>
+<body>
+<div class="wrap">
+  <h1>🛡️ WAB ShieldQR</h1>
+  <p class="sub">Scan any QR code in your browser. We verify the destination with DNS trust records, Ed25519 signatures, and live SSL inspection — <strong>before</strong> you ever open the link.</p>
+
+  <div class="card">
+    <div id="reader"></div>
+    <div class="controls">
+      <button id="startCam" class="btn btn-primary">📷 Start camera</button>
+      <button id="stopCam"  class="btn btn-secondary hidden">⏹ Stop</button>
+    </div>
+  </div>
+
+  <div class="card">
+    <strong>Or paste a URL manually:</strong>
+    <div class="controls" style="margin-top:8px;">
+      <input id="manualUrl" type="text" placeholder="https://example.com/...">
+      <button id="manualScan" class="btn btn-primary">Verify</button>
+    </div>
+  </div>
+
+  <div id="result" class="card hidden"></div>
+
+  <p class="footer-note">
+    Powered by <a href="/">Web Agent Bridge</a> · ShieldQR is open and free for everyone ·
+    <a href="/api/shieldqr/recent" target="_blank">Recent scans</a>
+  </p>
+</div>
+
+<script>
+(function () {
+  const el = (id) => document.getElementById(id);
+  const H = (s) => String(s == null ? '' : s).replace(/[&<>"']/g, (c) =>
+    ({'&':'&amp;','<':'&lt;','>':'&gt;','"':'&quot;',"'":'&#39;'}[c]));
+
+  let scanner = null; let lastResult = null;
+
+  function startCamera() {
+    if (typeof Html5Qrcode === 'undefined') {
+      alert('QR library failed to load. Check your network or use the manual URL field.');
+      return;
+    }
+    el('startCam').classList.add('hidden');
+    el('stopCam').classList.remove('hidden');
+    scanner = new Html5Qrcode('reader');
+    scanner.start(
+      { facingMode: 'environment' },
+      { fps: 10, qrbox: { width: 260, height: 260 } },
+      (decodedText) => {
+        scanner.stop().catch(() => {});
+        el('startCam').classList.remove('hidden');
+        el('stopCam').classList.add('hidden');
+        verify(decodedText);
+      },
+      () => {} // ignore per-frame errors
+    ).catch((err) => {
+      alert('Camera error: ' + err);
+      el('startCam').classList.remove('hidden');
+      el('stopCam').classList.add('hidden');
+    });
+  }
+
+  function stopCamera() {
+    if (!scanner) return;
+    scanner.stop().catch(() => {}).finally(() => {
+      el('startCam').classList.remove('hidden');
+      el('stopCam').classList.add('hidden');
+      scanner = null;
+    });
+  }
+
+  async function verify(url) {
+    const result = el('result');
+    result.classList.remove('hidden');
+    result.innerHTML = '<div style="text-align:center;padding:20px;">⏳ Verifying <strong>' + H(url) + '</strong>…</div>';
+    try {
+      const r = await fetch('/api/shieldqr/scan', {
+        method: 'POST',
+        headers: { 'Content-Type': 'application/json' },
+        body: JSON.stringify({ url }),
+      });
+      const data = await r.json();
+      if (!r.ok) throw new Error(data.error || 'scan failed');
+      lastResult = data;
+      renderVerdict(data, url);
+    } catch (err) {
+      result.innerHTML = '<div style="color:#fca5a5;text-align:center;padding:20px;">❌ ' + H(err.message) + '</div>';
+    }
+  }
+
+  function renderVerdict(d, url) {
+    const lvl = d.level || 'yellow';
+    const icon = { green: '✅', yellow: '⚠️', red: '🛑' }[lvl] || '⚠️';
+    const headline = { green: 'Safe — verified', yellow: 'Caution — incomplete trust', red: 'Dangerous — do not open' }[lvl];
+    const sslDays = d.ssl && d.ssl.days_until_expiry != null ? d.ssl.days_until_expiry : '—';
+    const trustOk = d.trust && d.trust.ok ? '✅ Signed' : '—';
+    const dnsOk   = d.dns && Array.isArray(d.dns.discovery) && d.dns.discovery.length ? '✅ Present' : '—';
+    const signals = (d.signals || []).map((s) => `
+      <div class="signal">
+        <span class="sev sev-${H(s.severity || 'low')}">${H(s.severity || 'low')}</span>
+        <div><strong>${H(s.id || '')}</strong> — ${H(s.message || '')}</div>
+      </div>
+    `).join('') || '<div class="signal"><span class="sev sev-low">ok</span><div>No signals raised.</div></div>';
+
+    const openBtn = lvl === 'green'
+      ? `<a class="btn btn-success" href="${H(url)}" target="_blank" rel="noopener noreferrer">Open destination →</a>`
+      : `<button class="btn btn-danger" data-action="forceOpen">Open anyway (risky)</button>`;
+
+    el('result').innerHTML = `
+      <div class="verdict ${H(lvl)}">
+        <div style="display:flex;justify-content:space-between;align-items:flex-start;gap:14px;flex-wrap:wrap;">
+          <div>
+            <h2>${icon} ${H(headline)}</h2>
+            <div class="url">${H(url)}</div>
+          </div>
+          <div style="text-align:right;">
+            <div class="score">${d.score ?? '—'}</div>
+            <div style="font-size:.7rem;color:#94a3b8;text-transform:uppercase;letter-spacing:.05em;">score / 100</div>
+          </div>
+        </div>
+
+        <div class="meta">
+          <div><div class="lbl">Host</div>${H(d.host || '—')}</div>
+          <div><div class="lbl">DNS _wab</div>${dnsOk}</div>
+          <div><div class="lbl">Signed wab.json</div>${trustOk}</div>
+          <div><div class="lbl">SSL valid for</div>${sslDays} days</div>
+        </div>
+
+        <div class="signals">${signals}</div>
+
+        <div class="controls" style="margin-top:14px;">
+          ${openBtn}
+          <button class="btn btn-secondary" data-action="rescan">Scan another</button>
+          <button class="btn btn-danger" data-action="report">Report this URL</button>
+        </div>
+      </div>
+    `;
+
+    el('result').querySelector('[data-action="rescan"]').addEventListener('click', () => {
+      el('result').classList.add('hidden');
+      el('manualUrl').value = '';
+    });
+    const forceBtn = el('result').querySelector('[data-action="forceOpen"]');
+    if (forceBtn) {
+      forceBtn.addEventListener('click', () => {
+        if (confirm('This site has not been verified as safe. Open anyway?')) {
+          window.open(url, '_blank', 'noopener,noreferrer');
+        }
+      });
+    }
+    el('result').querySelector('[data-action="report"]').addEventListener('click', () => reportUrl(url));
+  }
+
+  async function reportUrl(url) {
+    const reason = prompt('Why are you reporting this URL? (e.g. phishing, malware, scam)');
+    if (!reason || reason.trim().length < 4) return;
+    try {
+      const r = await fetch('/api/shieldqr/report', {
+        method: 'POST',
+        headers: { 'Content-Type': 'application/json' },
+        body: JSON.stringify({ url, reason: reason.trim(), scan_id: lastResult && lastResult.scan_id }),
+      });
+      const data = await r.json();
+      if (!r.ok) throw new Error(data.error || 'report failed');
+      alert('Thank you — your report has been submitted.');
+    } catch (err) {
+      alert('Report failed: ' + err.message);
+    }
+  }
+
+  el('startCam').addEventListener('click', startCamera);
+  el('stopCam').addEventListener('click', stopCamera);
+  el('manualScan').addEventListener('click', () => {
+    const u = el('manualUrl').value.trim();
+    if (u) verify(u);
+  });
+  el('manualUrl').addEventListener('keydown', (e) => {
+    if (e.key === 'Enter') { e.preventDefault(); el('manualScan').click(); }
+  });
+})();
+</script>
+</body>
+</html>

package/public/sitemap.xml

@@ -12,6 +12,12 @@
     <changefreq>weekly</changefreq>
     <priority>0.9</priority>
   </url>
+  <url>
+    <loc>https://webagentbridge.com/whitepaper</loc>
+    <lastmod>2026-05-03</lastmod>
+    <changefreq>yearly</changefreq>
+    <priority>0.95</priority>
+  </url>
   <url>
     <loc>https://webagentbridge.com/premium</loc>
     <lastmod>2026-03-28</lastmod>

package/public/wab-trust.html

@@ -0,0 +1,200 @@
+<!DOCTYPE html>
+<html lang="en" dir="ltr">
+<head>
+  <meta charset="UTF-8">
+  <meta name="viewport" content="width=device-width, initial-scale=1.0">
+  <title>WAB Trust — Cryptographic Verification (v1.3)</title>
+  <meta name="description" content="WAB DNS Discovery v1.3 trust layer: DNSSEC + Ed25519 signed manifests anchored in domain ownership. Verify any domain's cryptographic trust score live.">
+  <link rel="stylesheet" href="/css/styles.css?v=3.3.0">
+  <style>
+    body { background:#081123; color:#e8efff; }
+    .hero { padding:100px 20px 26px; text-align:center; }
+    .hero .badge { display:inline-block; background:linear-gradient(135deg,#10b981,#059669); padding:4px 12px; border-radius:999px; font-size:.78rem; font-weight:700; letter-spacing:.5px; margin-bottom:12px; }
+    .hero h1 { font-size:clamp(1.9rem,4vw,2.8rem); margin:6px 0 8px; }
+    .hero p { color:#9eb1d8; max-width:840px; margin:0 auto; font-size:1rem; }
+    .wrap { max-width:1180px; margin:0 auto; padding:0 18px 70px; }
+    .panel { background:linear-gradient(180deg,rgba(17,24,39,.92),rgba(10,16,30,.96)); border:1px solid rgba(148,163,184,.2); border-radius:14px; padding:18px; margin-bottom:16px; }
+    .panel h3 { margin:0 0 10px; color:#fcd34d; font-size:1rem; }
+    .grid2 { display:grid; grid-template-columns:1.2fr 1fr; gap:14px; }
+    @media (max-width:880px) { .grid2 { grid-template-columns:1fr; } }
+    label { display:block; font-size:.78rem; color:#a8b7d7; margin-bottom:5px; }
+    input, textarea, select { width:100%; background:#0b162a; border:1px solid rgba(148,163,184,.28); color:#e8efff; border-radius:10px; padding:10px; font-family:Consolas,monospace; font-size:.85rem; }
+    button { background:linear-gradient(135deg,#10b981,#047857); color:#fff; border:none; border-radius:10px; padding:10px 14px; cursor:pointer; font-weight:700; font-size:.85rem; }
+    button.alt { background:linear-gradient(135deg,#334155,#1f2937); }
+    button.warn { background:linear-gradient(135deg,#f59e0b,#b45309); }
+    .actions { display:flex; gap:8px; flex-wrap:wrap; margin-top:8px; }
+    pre { background:#020617; border:1px solid rgba(148,163,184,.26); border-radius:10px; padding:12px; color:#c4b5fd; overflow:auto; font-size:.78rem; }
+    .score-card { text-align:center; padding:20px; border-radius:14px; }
+    .score-num { font-size:3.4rem; font-weight:800; line-height:1; }
+    .score-label { font-size:.86rem; text-transform:uppercase; letter-spacing:1.4px; margin-top:6px; }
+    .platinum { background:linear-gradient(135deg,#a855f7,#6366f1); color:#fff; }
+    .gold     { background:linear-gradient(135deg,#fbbf24,#d97706); color:#1f2937; }
+    .silver   { background:linear-gradient(135deg,#cbd5e1,#94a3b8); color:#1f2937; }
+    .bronze   { background:linear-gradient(135deg,#f97316,#c2410c); color:#fff; }
+    .basic    { background:linear-gradient(135deg,#475569,#1f2937); color:#fff; }
+    .unverified { background:#1f2937; color:#a8b7d7; border:1px solid rgba(148,163,184,.26); }
+    .check-row { display:flex; align-items:center; gap:10px; padding:8px 0; border-bottom:1px solid rgba(148,163,184,.12); font-size:.9rem; }
+    .check-row:last-child { border-bottom:0; }
+    .check-icon { width:22px; height:22px; border-radius:50%; display:flex; align-items:center; justify-content:center; font-weight:800; font-size:.78rem; }
+    .check-icon.ok { background:#064e3b; color:#a7f3d0; }
+    .check-icon.no { background:#7f1d1d; color:#fecaca; }
+    .findings { background:#0b162a; border-left:3px solid #f59e0b; padding:10px 14px; border-radius:6px; font-size:.84rem; color:#fde68a; margin-top:10px; }
+    .findings ul { margin:6px 0 0 18px; padding:0; }
+    table { width:100%; border-collapse:collapse; font-size:.84rem; }
+    th, td { padding:8px 10px; text-align:left; border-bottom:1px solid rgba(148,163,184,.14); }
+    th { color:#a8b7d7; font-weight:600; font-size:.74rem; text-transform:uppercase; letter-spacing:.5px; }
+    .pill { display:inline-block; padding:2px 8px; border-radius:999px; font-size:.7rem; font-weight:700; }
+    .pill.ok { background:#064e3b; color:#a7f3d0; }
+    .pill.no { background:#7f1d1d; color:#fecaca; }
+    .keyout { display:none; }
+    a { color:#fcd34d; }
+    .small { font-size:.8rem; color:#9eb1d8; }
+  </style>
+</head>
+<body>
+  <section class="hero">
+    <span class="badge">WAB v1.3 · Trust Layer</span>
+    <h1>Cryptographic Trust for Agent Discovery</h1>
+    <p>WAB v1.3 binds every domain's discovery manifest to an <strong>Ed25519 signature</strong>, with the public key published in DNS and protected by <strong>DNSSEC</strong>. No CA. No central registry. Trust is rooted exactly where it should be — in domain ownership.</p>
+  </section>
+
+  <div class="wrap">
+
+    <div class="grid2">
+      <!-- LIVE VERIFIER -->
+      <div class="panel">
+        <h3>Verify any domain</h3>
+        <p class="small">Runs the full 5-check trust report: DNS · DNSSEC · public key · HTTPS manifest · signature.</p>
+        <label>Domain</label>
+        <input id="vDomain" placeholder="example.com" value="webagentbridge.com" />
+        <div class="actions">
+          <button onclick="runVerify()">Run Trust Check</button>
+          <button class="alt" onclick="loadLeaderboard()">View Leaderboard</button>
+        </div>
+        <div id="vResult" style="margin-top:14px;"></div>
+      </div>
+
+      <!-- KEY GENERATOR -->
+      <div class="panel">
+        <h3>Generate Ed25519 keypair</h3>
+        <p class="small">Stateless. The server never stores your private key — save it offline and use it to sign your <code>wab.json</code>.</p>
+        <div class="actions">
+          <button class="warn" onclick="genKeys()">Generate New Keypair</button>
+          <button class="alt" onclick="document.getElementById('keyout').style.display='none'">Hide</button>
+        </div>
+        <div id="keyout" class="keyout" style="margin-top:14px;">
+          <label>TXT record (publish in DNS)</label>
+          <pre id="kTxt"></pre>
+          <label>Public key (base64)</label>
+          <pre id="kPub"></pre>
+          <label>Private key (base64) — save offline NOW</label>
+          <pre id="kPriv" style="border-color:#7f1d1d;color:#fecaca;"></pre>
+          <p class="small" style="color:#fde68a;">⚠ This is the only time the private key is shown. Copy it now.</p>
+        </div>
+      </div>
+    </div>
+
+    <!-- LEADERBOARD -->
+    <div class="panel" id="leaderboardPanel" style="display:none;">
+      <h3>Trust Leaderboard</h3>
+      <div id="leaderboard">Loading…</div>
+    </div>
+
+    <!-- HOW IT WORKS -->
+    <div class="panel">
+      <h3>How WAB v1.3 trust works</h3>
+      <ol style="color:#cbd5e1;font-size:.9rem;line-height:1.7;padding-left:20px;">
+        <li><strong>Generate keypair</strong> (Ed25519, 32 bytes each) — offline or via the button above.</li>
+        <li><strong>Publish public key in DNS</strong>: <code>_wab IN TXT "v=wab1; endpoint=https://example.com/.well-known/wab.json; pk=ed25519:&lt;BASE64&gt;"</code>.</li>
+        <li><strong>Enable DNSSEC</strong> on your zone (most registrars: 1-click). DNSSEC chain protects the key from spoofing.</li>
+        <li><strong>Sign your manifest</strong> with the private key: <code>node wab-sign.js sign wab.json key.priv</code> → <code>wab.signed.json</code>.</li>
+        <li><strong>Upload signed manifest</strong> to <code>https://example.com/.well-known/wab.json</code>.</li>
+        <li>Agents fetch the TXT (verify DNSSEC) → fetch the manifest (verify signature with DNS-published key) → trust established.</li>
+      </ol>
+      <p class="small" style="margin-top:10px;">Compare to ANS, sitemap.xml, llms.txt, ai.txt:
+        <a href="/wab-vs-protocols">WAB vs other protocols →</a></p>
+      <p class="small">Offline tools: <a href="/examples/wab-sign.js" target="_blank">wab-sign.js</a> · <a href="/examples/wab-verify.js" target="_blank">wab-verify.js</a></p>
+    </div>
+
+  </div>
+
+  <script>
+    const tick = (b) => b ? '<div class="check-icon ok">✓</div>' : '<div class="check-icon no">✗</div>';
+
+    async function runVerify() {
+      const d = document.getElementById('vDomain').value.trim();
+      if (!d) return;
+      const out = document.getElementById('vResult');
+      out.innerHTML = '<p class="small">Running trust check…</p>';
+      try {
+        const r = await fetch(`/api/discovery/trust/${encodeURIComponent(d)}`);
+        const data = await r.json();
+        if (!r.ok) { out.innerHTML = `<p style="color:#fecaca;">Error: ${data.error || r.status}</p>`; return; }
+        const c = data.checks || {};
+        const cls = data.trust_label || 'unverified';
+        out.innerHTML = `
+          <div class="score-card ${cls}">
+            <div class="score-num">${data.trust_score}<span style="font-size:1.2rem;opacity:.7">/100</span></div>
+            <div class="score-label">${cls}</div>
+          </div>
+          <div style="margin-top:10px;">
+            <div class="check-row">${tick(c.dns_resolved)}<span>DNS <code>_wab</code> record present</span></div>
+            <div class="check-row">${tick(c.dnssec_verified)}<span>DNSSEC verified (AD flag set)</span></div>
+            <div class="check-row">${tick(c.has_public_key)}<span>Public key in DNS (<code>pk=${c.pk_algorithm || '—'}</code>)</span></div>
+            <div class="check-row">${tick(c.https_endpoint && c.manifest_fetched)}<span>HTTPS manifest reachable</span></div>
+            <div class="check-row">${tick(c.signature_valid)}<span>Manifest signature valid (Ed25519)</span></div>
+          </div>
+          ${data.public_key ? `<p class="small" style="margin-top:10px;">Key fingerprint: <code>${data.public_key.fingerprint}</code></p>` : ''}
+          ${data.findings && data.findings.length ? `<div class="findings"><strong>Findings:</strong><ul>${data.findings.map(f=>`<li>${f}</li>`).join('')}</ul></div>` : ''}
+        `;
+      } catch (err) {
+        out.innerHTML = `<p style="color:#fecaca;">Error: ${err.message}</p>`;
+      }
+    }
+
+    async function genKeys() {
+      try {
+        const r = await fetch('/api/discovery/keys/generate', { method:'POST' });
+        const k = await r.json();
+        document.getElementById('keyout').style.display = 'block';
+        document.getElementById('kTxt').textContent = k.txt_record_snippet;
+        document.getElementById('kPub').textContent = k.public_key;
+        document.getElementById('kPriv').textContent = k.private_key;
+      } catch (err) {
+        alert('Key generation failed: ' + err.message);
+      }
+    }
+
+    async function loadLeaderboard() {
+      const panel = document.getElementById('leaderboardPanel');
+      panel.style.display = 'block';
+      const out = document.getElementById('leaderboard');
+      try {
+        const r = await fetch('/api/discovery/trust-leaderboard');
+        const data = await r.json();
+        if (!data.domains || !data.domains.length) {
+          out.innerHTML = '<p class="small">No trust runs recorded yet. Run a verify to populate.</p>';
+          return;
+        }
+        out.innerHTML = `<table>
+          <thead><tr><th>#</th><th>Domain</th><th>Score</th><th>DNSSEC</th><th>pk</th><th>Signed</th><th>Sig OK</th><th>Last check</th></tr></thead>
+          <tbody>${data.domains.map((d,i)=>`
+            <tr>
+              <td>${i+1}</td>
+              <td>${d.domain}</td>
+              <td><strong>${d.score}</strong></td>
+              <td>${d.dnssec === 'verified' ? '<span class="pill ok">✓</span>' : '<span class="pill no">'+d.dnssec+'</span>'}</td>
+              <td>${d.has_pk ? '<span class="pill ok">✓</span>' : '<span class="pill no">—</span>'}</td>
+              <td>${d.signed_manifest ? '<span class="pill ok">✓</span>' : '<span class="pill no">—</span>'}</td>
+              <td>${d.signature_valid ? '<span class="pill ok">✓</span>' : '<span class="pill no">—</span>'}</td>
+              <td class="small">${(d.last_checked||'').replace('T',' ').slice(0,16)}</td>
+            </tr>
+          `).join('')}</tbody>
+        </table>`;
+      } catch (err) {
+        out.innerHTML = `<p style="color:#fecaca;">Error: ${err.message}</p>`;
+      }
+    }
+  </script>
+</body>
+</html>