web-agent-bridge 3.3.0 → 3.4.0

package/sdk/safe-mode.js

@@ -0,0 +1,221 @@
+/**
+ * WAB Safe Mode — Agent-side trust gate.
+ *
+ * Splits the web into Trusted (WAB + valid signature) vs Untrusted, and
+ * gives the agent a single function to ask before any action:
+ *     await safeMode.evaluate(domain) → { level, verdict, allow_execute,
+ *                                          allow_read, reason }
+ *
+ * Trust levels:
+ *   3 — DNS + Ed25519 signature valid + telemetry score ≥ 60   (full execute)
+ *   2 — DNS + valid wab.json (no signature OR no telemetry)    (limited execute)
+ *   1 — Resolves but no _wab record / score below threshold    (read-only)
+ *   0 — Compliance verdict = deny / suspicious                 (block)
+ *
+ * Usage (Node):
+ *   const { WABSafeMode } = require('web-agent-bridge/sdk');
+ *   const safe = new WABSafeMode({ apiBase: 'https://webagentbridge.com' });
+ *   const v = await safe.evaluate('example.com');
+ *   if (v.allow_execute) await agent.execute(...);
+ *   else if (v.allow_read) await agent.readOnly(...);
+ *   else throw new Error('Blocked by Safe Mode: ' + v.reason);
+ */
+
+'use strict';
+
+const DEFAULT_API = 'https://webagentbridge.com';
+
+const POLICIES = {
+  strict:     { require_dnssec: true,  require_signature: true,  min_score: 75 },
+  standard:   { require_dnssec: false, require_signature: true,  min_score: 60 },
+  permissive: { require_dnssec: false, require_signature: false, min_score: 40 },
+};
+
+class WABSafeMode {
+  /**
+   * @param {object} [opts]
+   * @param {string} [opts.apiBase='https://webagentbridge.com']
+   * @param {'strict'|'standard'|'permissive'} [opts.policy='standard']
+   * @param {number} [opts.cacheTtlMs=60000]   — verdicts cached this long
+   * @param {number} [opts.timeoutMs=8000]
+   * @param {function} [opts.fetch]            — fetch impl (defaults to global fetch)
+   */
+  constructor(opts = {}) {
+    this.apiBase   = (opts.apiBase || DEFAULT_API).replace(/\/+$/, '');
+    this.policy    = POLICIES[opts.policy] ? opts.policy : 'standard';
+    this.cacheTtl  = Number.isFinite(opts.cacheTtlMs) ? opts.cacheTtlMs : 60_000;
+    this.timeoutMs = Number.isFinite(opts.timeoutMs)  ? opts.timeoutMs  : 8_000;
+    this._fetch    = opts.fetch || (typeof fetch !== 'undefined' ? fetch : null);
+    this._cache    = new Map(); // domain → { at, value }
+    if (!this._fetch) {
+      // Node ≤ 17 fallback
+      try { this._fetch = require('node-fetch'); } catch { /* user must supply */ }
+    }
+  }
+
+  /** Normalises a domain or URL to bare hostname. */
+  static normalizeDomain(input) {
+    if (!input || typeof input !== 'string') return null;
+    let s = input.trim().toLowerCase();
+    s = s.replace(/^https?:\/\//, '').replace(/\/.*$/, '').replace(/^www\./, '');
+    return /^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?(\.[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?)+$/.test(s) ? s : null;
+  }
+
+  async _get(path) {
+    if (!this._fetch) throw new Error('Safe Mode requires fetch (Node 18+ or pass opts.fetch)');
+    const ctl = (typeof AbortController !== 'undefined') ? new AbortController() : null;
+    const timer = ctl ? setTimeout(() => ctl.abort(), this.timeoutMs) : null;
+    try {
+      const r = await this._fetch(this.apiBase + path, ctl ? { signal: ctl.signal } : {});
+      if (!r.ok) return null;
+      return await r.json();
+    } catch { return null; }
+    finally { if (timer) clearTimeout(timer); }
+  }
+
+  /**
+   * Evaluate a domain and produce a verdict the agent can act on.
+   * @param {string} domain
+   * @param {object} [opts]
+   * @param {boolean} [opts.live=false] — force a live trust check (skip cache).
+   * @returns {Promise<{
+   *   domain: string, level: 0|1|2|3,
+   *   verdict: 'allow'|'restrict'|'deny',
+   *   allow_execute: boolean, allow_read: boolean,
+   *   score: number, score_label: string,
+   *   reason: string, reasons: Array,
+   *   trust: object|null, score_detail: object|null,
+   *   compliance: object|null,
+   *   evaluated_at: string,
+   * }>}
+   */
+  async evaluate(domain, opts = {}) {
+    const d = WABSafeMode.normalizeDomain(domain);
+    if (!d) {
+      return this._verdict(domain, 0, 'deny', 0, 'unrated',
+        'invalid_domain', [{ code: 'invalid_domain', severity: 'deny' }],
+        null, null, null);
+    }
+
+    const cached = this._cache.get(d);
+    if (!opts.live && cached && (Date.now() - cached.at) < this.cacheTtl) return cached.value;
+
+    // Optionally trigger a live trust check first so compliance has fresh data.
+    let trust = null;
+    if (opts.live) {
+      trust = await this._get(`/api/discovery/trust/${encodeURIComponent(d)}`);
+    }
+
+    const [score, compliance] = await Promise.all([
+      this._get(`/api/discovery/score/${encodeURIComponent(d)}`),
+      this._get(`/api/discovery/compliance/${encodeURIComponent(d)}?policy=${this.policy}`),
+    ]);
+
+    // Derive trust level
+    let level = 1;
+    let reasonCode = 'no_signal';
+    if (compliance) {
+      if (compliance.verdict === 'deny') { level = 0; reasonCode = 'compliance_deny'; }
+      else if (compliance.verdict === 'restrict') { level = 1; reasonCode = 'compliance_restrict'; }
+      else { // allow
+        const sigRate = score?.signature_valid_rate ?? compliance.signature_valid_rate ?? 0;
+        const sc = compliance.score ?? score?.score ?? 0;
+        if (sigRate > 0.5 && sc >= 60) { level = 3; reasonCode = 'trusted_full'; }
+        else { level = 2; reasonCode = 'trusted_limited'; }
+      }
+    } else {
+      level = 1;
+      reasonCode = 'no_compliance_record';
+    }
+
+    const verdict = compliance?.verdict || (level === 0 ? 'deny' : level >= 2 ? 'allow' : 'restrict');
+    const value = this._verdict(
+      d, level, verdict,
+      compliance?.score ?? score?.score ?? 0,
+      compliance?.score_label ?? score?.label ?? 'unrated',
+      reasonCode,
+      compliance?.reasons || [],
+      trust, score, compliance,
+    );
+
+    this._cache.set(d, { at: Date.now(), value });
+    return value;
+  }
+
+  _verdict(domain, level, verdict, score, label, reason, reasons, trust, scoreDetail, compliance) {
+    const allow_execute = level >= 2 && verdict === 'allow';
+    const allow_read    = level >= 1 && verdict !== 'deny';
+    return {
+      domain,
+      level,
+      verdict,
+      allow_execute,
+      allow_read,
+      score,
+      score_label: label,
+      reason,
+      reasons,
+      trust,
+      score_detail: scoreDetail,
+      compliance,
+      policy: this.policy,
+      evaluated_at: new Date().toISOString(),
+    };
+  }
+
+  /**
+   * Wrap an async action so it only runs if Safe Mode allows execute on the
+   * given domain. Throws WABSafeModeError otherwise.
+   */
+  async guardExecute(domain, action) {
+    const v = await this.evaluate(domain);
+    if (!v.allow_execute) {
+      const err = new WABSafeModeError(
+        `Safe Mode blocked execute on ${v.domain} (level ${v.level}, verdict ${v.verdict}, ${v.reason})`,
+        v,
+      );
+      throw err;
+    }
+    return await action(v);
+  }
+
+  /** Read-only variant: throws only if level === 0. */
+  async guardRead(domain, action) {
+    const v = await this.evaluate(domain);
+    if (!v.allow_read) {
+      throw new WABSafeModeError(
+        `Safe Mode blocked read on ${v.domain} (level ${v.level}, verdict ${v.verdict})`,
+        v,
+      );
+    }
+    return await action(v);
+  }
+
+  /** Picks the highest-trust domain from a candidate list. */
+  async pickBest(domains) {
+    const evals = await Promise.all(
+      (domains || []).map((d) => this.evaluate(d).catch(() => null)),
+    );
+    const sorted = evals.filter(Boolean).sort((a, b) => {
+      if (b.level !== a.level) return b.level - a.level;
+      return (b.score || 0) - (a.score || 0);
+    });
+    return sorted[0] || null;
+  }
+
+  clearCache(domain) {
+    if (domain) this._cache.delete(WABSafeMode.normalizeDomain(domain));
+    else this._cache.clear();
+  }
+}
+
+class WABSafeModeError extends Error {
+  constructor(message, verdict) {
+    super(message);
+    this.name = 'WABSafeModeError';
+    this.code = 'WAB_SAFE_MODE_BLOCKED';
+    this.verdict = verdict;
+  }
+}
+
+module.exports = { WABSafeMode, WABSafeModeError, POLICIES };

package/server/index.js

@@ -29,6 +29,8 @@ const adsRoutes = require('./routes/ads');
 const wabApiRoutes = require('./routes/wab-api');
 const noscriptRoutes = require('./routes/noscript');
 const discoveryRoutes = require('./routes/discovery');
+const providerRoutes = require('./routes/providers');
+const governanceRoutes = require('./routes/governance');
 const premiumRoutes = require('./routes/premium');
 const adminPremiumRoutes = require('./routes/admin-premium');
 const workspaceRoutes = require('./routes/agent-workspace');
@@ -68,8 +70,8 @@ app.use(
 );
 
 const scriptSrc = process.env.CSP_ALLOW_UNSAFE_INLINE === 'false'
-  ? ["'self'"]
-  : ["'self'", "'unsafe-inline'"];
+  ? ["'self'", 'https://unpkg.com', 'https://cdn.jsdelivr.net']
+  : ["'self'", "'unsafe-inline'", 'https://unpkg.com', 'https://cdn.jsdelivr.net'];
 const styleSrc = process.env.CSP_ALLOW_UNSAFE_INLINE === 'false'
   ? ["'self'"]
   : ["'self'", "'unsafe-inline'"];
@@ -87,8 +89,12 @@ app.use(
     contentSecurityPolicy: {
       directives: {
         defaultSrc: ["'self'"],
-        scriptSrc: [...scriptSrc, (req, res) => `'nonce-${res.locals.cspNonce}'`],
-        scriptSrcAttr: scriptSrc,
+        // NOTE: Adding a nonce alongside 'unsafe-inline' makes browsers ignore
+        // 'unsafe-inline' (CSP3 spec). All existing public/admin pages still
+        // rely on inline <script> blocks, so we keep 'unsafe-inline' enforced
+        // here and use the Report-Only policy below to track nonce migration.
+        scriptSrc: scriptSrc,
+        scriptSrcAttr: [...scriptSrc, "'unsafe-hashes'"],
         styleSrc: [...styleSrc, 'https://fonts.googleapis.com'],
         imgSrc: ["'self'", 'data:', 'https:'],
         connectSrc: ["'self'", 'https:', 'ws:', 'wss:'],
@@ -186,6 +192,27 @@ app.post('/api/billing/webhook', express.raw({ type: 'application/json' }), asyn
 
 app.use(express.json());
 
+// Global JSON parse error handler (catches malformed JSON from bots/scanners)
+app.use((err, req, res, next) => {
+  if (err.type === 'entity.parse.failed' || err instanceof SyntaxError) {
+    return res.status(400).json({ error: 'Invalid JSON', details: err.message });
+  }
+  next(err);
+});
+
+// Global error handler — catches all unhandled route errors
+// global-error-handler
+app.use((err, req, res, next) => {
+  const status = err.status || err.statusCode || 500;
+  const message = err.message || 'Internal Server Error';
+  if (status >= 500) {
+    console.error('[server] Unhandled error:', err.message, err.stack?.split('\n')[1] || '');
+  }
+  if (!res.headersSent) {
+    res.status(status).json({ error: message });
+  }
+});
+
 const apiLimiter = rateLimit({
   windowMs: 15 * 60 * 1000,
   max: 200,
@@ -205,6 +232,31 @@ const licenseLimiter = rateLimit({
   }
 });
 
+// Whitepaper guard — must run BEFORE express.static so we can apply strict headers
+// and intercept both /whitepaper and /whitepaper.html with the same protections.
+const whitepaperHandler = (req, res) => {
+  res.set('Cache-Control', 'no-store, no-cache, must-revalidate, max-age=0');
+  res.set('Pragma', 'no-cache');
+  res.set('Expires', '0');
+  res.set('X-Frame-Options', 'DENY');
+  res.set('X-Content-Type-Options', 'nosniff');
+  res.set('Referrer-Policy', 'strict-origin-when-cross-origin');
+  res.set('X-Robots-Tag', 'index, follow, noarchive, nosnippet, noimageindex');
+  res.set('Content-Security-Policy', "default-src 'self'; img-src 'self' data:; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline'; frame-ancestors 'none'; base-uri 'self'; form-action 'self'");
+  res.set('X-Copyright', 'All Rights Reserved (c) 2026 Web Agent Bridge - Reproduction Prohibited');
+  res.sendFile(path.join(__dirname, '..', 'public', 'whitepaper.html'));
+};
+app.get(['/whitepaper', '/whitepaper.html'], whitepaperHandler);
+
+// WAB Trust artifact (signed Ed25519 wab.json) — served explicitly because
+// express.static skips dotfile directories like /.well-known by default.
+app.get('/.well-known/wab.json', (req, res) => {
+  res.set('Cache-Control', 'public, max-age=300');
+  res.set('Access-Control-Allow-Origin', '*');
+  res.type('application/json');
+  res.sendFile(path.join(__dirname, '..', 'public', '.well-known', 'wab.json'));
+});
+
 app.use(express.static(path.join(__dirname, '..', 'public'), {
   setHeaders(res, filePath) {
     if (filePath.endsWith('.html')) {
@@ -226,8 +278,62 @@ app.use('/api/ads', apiLimiter, adsRoutes);
 app.use('/api/wab', wabApiRoutes);
 app.use('/api/noscript', apiLimiter, noscriptRoutes);
 app.use('/api/discovery', apiLimiter, discoveryRoutes);
+app.use('/api/providers', apiLimiter, providerRoutes);
+app.use('/api/governance', apiLimiter, governanceRoutes);
+app.use('/api/plans', apiLimiter, require('./routes/plans'));
+app.use('/api/admin/plans', apiLimiter, require('./routes/admin-plans'));
+app.use('/api/admin/shieldqr', apiLimiter, require('./routes/admin-shieldqr'));
+app.use('/api/admin/trust-monitor', apiLimiter, require('./routes/admin-trust-monitor'));
+app.use('/api/shieldqr', apiLimiter, require('./routes/shieldqr'));
 // Also expose well-known discovery endpoints at the canonical root paths so
 // agents can find them without the /api/discovery prefix (RFC 8615).
+
+// /activate — WAB DNS Discovery activation guide (bilingual)
+app.get('/activate', noCache, (req, res) => {
+  res.sendFile(path.join(__dirname, '..', 'public', 'activate.html'));
+});
+app.get('/shieldqr', noCache, (req, res) => {
+  res.sendFile(path.join(__dirname, '..', 'public', 'shieldqr.html'));
+});
+app.get('/activate-dns', noCache, (req, res) => {
+  res.sendFile(path.join(__dirname, '..', 'public', 'activate.html'));
+});
+app.get('/provider-onboarding', noCache, (req, res) => {
+  res.sendFile(path.join(__dirname, '..', 'public', 'provider-onboarding.html'));
+});
+app.get('/provider-sandbox', noCache, (req, res) => {
+  res.sendFile(path.join(__dirname, '..', 'public', 'provider-sandbox.html'));
+});
+app.get('/cloudflare-integration', noCache, (req, res) => {
+  res.sendFile(path.join(__dirname, '..', 'public', 'cloudflare-integration.html'));
+});
+app.get('/cpanel-integration', noCache, (req, res) => {
+  res.sendFile(path.join(__dirname, '..', 'public', 'cpanel-integration.html'));
+});
+app.get('/route53-integration', noCache, (req, res) => {
+  res.sendFile(path.join(__dirname, '..', 'public', 'route53-integration.html'));
+});
+app.get('/plesk-integration', noCache, (req, res) => {
+  res.sendFile(path.join(__dirname, '..', 'public', 'plesk-integration.html'));
+});
+app.get('/gcp-dns-integration', noCache, (req, res) => {
+  res.sendFile(path.join(__dirname, '..', 'public', 'gcp-dns-integration.html'));
+});
+app.get('/azure-dns-integration', noCache, (req, res) => {
+  res.sendFile(path.join(__dirname, '..', 'public', 'azure-dns-integration.html'));
+});
+app.get('/registrar-integrations', noCache, (req, res) => {
+  res.sendFile(path.join(__dirname, '..', 'public', 'registrar-integrations.html'));
+});
+app.get('/adoption-metrics', noCache, (req, res) => {
+  res.sendFile(path.join(__dirname, '..', 'public', 'adoption-metrics.html'));
+});
+app.get('/wab-trust', noCache, (req, res) => {
+  res.sendFile(path.join(__dirname, '..', 'public', 'wab-trust.html'));
+});
+app.get('/wab-vs-protocols', noCache, (req, res) => {
+  res.sendFile(path.join(__dirname, '..', 'public', 'wab-vs-protocols.html'));
+});
 app.use('/', apiLimiter, discoveryRoutes);
 app.use('/api/premium', apiLimiter, premiumRoutes);
 app.use('/api/admin/premium', apiLimiter, adminPremiumRoutes);
@@ -304,6 +410,9 @@ function noCache(req, res, next) {
 app.get('/dashboard', noCache, (req, res) => {
   res.sendFile(path.join(__dirname, '..', 'public', 'dashboard.html'));
 });
+app.get('/providers', noCache, (req, res) => {
+  res.sendFile(path.join(__dirname, '..', 'public', 'providers.html'));
+});
 app.get('/mesh-dashboard', noCache, (req, res) => {
   res.sendFile(path.join(__dirname, '..', 'public', 'mesh-dashboard.html'));
 });
@@ -328,6 +437,13 @@ app.get('/admin', noCache, (req, res) => {
 app.get('/admin/snapshots', noCache, (req, res) => {
   res.sendFile(path.join(__dirname, '..', 'public', 'admin', 'snapshots.html'));
 });
+
+// ─── Admin sub-pages (each backed by real API endpoints in /api/admin/*) ──
+['users','sites','analytics','grants','payments','stripe','smtp','notifications','governance','discovery','trust','providers','plans','shieldqr','trust-monitor'].forEach((page) => {
+  app.get('/admin/' + page, noCache, (req, res) => {
+    res.sendFile(path.join(__dirname, '..', 'public', 'admin', page + '.html'));
+  });
+});
 app.get('/privacy', noCache, (req, res) => {
   res.sendFile(path.join(__dirname, '..', 'public', 'privacy.html'));
 });
@@ -376,10 +492,21 @@ app.use('/demo', demoStoreRoutes);
 app.use('/downloads', express.static(path.join(__dirname, '..', 'downloads'), {
   maxAge: '1d',
   setHeaders: (res, filePath) => {
-    res.set('Content-Disposition', 'attachment');
+    // Shell scripts served as plain text for curl | bash usage
+    if (filePath.endsWith('.sh')) {
+      res.set('Content-Type', 'text/plain; charset=utf-8');
+    } else {
+      res.set('Content-Disposition', 'attachment');
+    }
   }
 }));
 
+// WAB Discovery install shortcut: curl -fsSL https://webagentbridge.com/install | bash
+app.get('/install', (req, res) => {
+  res.set('Content-Type', 'text/plain; charset=utf-8');
+  res.sendFile(path.join(__dirname, '..', 'downloads', 'quick-wab.sh'));
+});
+
 // Agent chat endpoint for WAB Browser — Real AI Agent
 const chatLimiter = rateLimit({
   windowMs: 60 * 1000,
@@ -501,6 +628,15 @@ app.get('*', (req, res) => {
   }
 });
 
+
+// Prevent PM2 restarts from uncaught errors — log and continue
+process.on('uncaughtException', (err) => {
+  console.error('[process] uncaughtException:', err.message);
+});
+process.on('unhandledRejection', (reason) => {
+  console.error('[process] unhandledRejection:', reason?.message || reason);
+});
+
 if (process.env.NODE_ENV !== 'test') {
   console.log('Running database migrations...');
   runMigrations();
@@ -519,6 +655,9 @@ if (process.env.NODE_ENV !== 'test') {
   // Start Cluster Orchestrator
   cluster.start();
 
+  // Start the SSL Health Monitor cron (Extended Trust Layer).
+  try { require('./services/ssl-monitor').start(); } catch (e) { console.warn('[ssl-monitor] start failed:', e.message); }
+
   server.listen(PORT, () => {
     console.log(`\n  ╔══════════════════════════════════════════╗`);
     console.log(`  ║   Web Agent Bridge v${pkg.version}                ║`);

package/server/migrations/007_governance.sql

@@ -0,0 +1,106 @@
+-- ═══════════════════════════════════════════════════════════════════
+-- WAB Agent Governance Layer
+-- Permission Boundaries · Approval Gates · Tamper-Evident Audit Log
+-- Kill Switch · Spend Limits
+-- ═══════════════════════════════════════════════════════════════════
+
+-- Agents registered for governance (one row per agent identity).
+CREATE TABLE IF NOT EXISTS gov_agents (
+  agent_id      TEXT PRIMARY KEY,
+  owner_id      TEXT,                       -- user_id of owner (nullable for unauthed)
+  display_name  TEXT,
+  token_hash    TEXT NOT NULL,              -- sha256(agent_token); used to authenticate the agent
+  status        TEXT NOT NULL DEFAULT 'alive' CHECK(status IN ('alive','killed','suspended')),
+  killed_at     TEXT,
+  killed_reason TEXT,
+  metadata      TEXT,                       -- JSON
+  created_at    TEXT NOT NULL DEFAULT (datetime('now')),
+  updated_at    TEXT NOT NULL DEFAULT (datetime('now'))
+);
+
+-- Permission policies. One row = one rule. Evaluated allow-list style.
+CREATE TABLE IF NOT EXISTS gov_policies (
+  id            INTEGER PRIMARY KEY AUTOINCREMENT,
+  agent_id      TEXT NOT NULL,
+  resource      TEXT NOT NULL,              -- e.g. "stripe", "gmail", "clickup", "domain:example.com"
+  action        TEXT NOT NULL,              -- "read" | "write" | "execute" | "*"
+  scope         TEXT,                       -- optional: e.g. "refunds", "inbox", "tasks/123"
+  max_amount    REAL,                       -- monetary cap per single action
+  currency      TEXT DEFAULT 'USD',
+  daily_cap     REAL,                       -- monetary cap per 24h rolling
+  per_call_rate INTEGER,                    -- max calls per minute
+  requires_approval INTEGER NOT NULL DEFAULT 0,  -- 1 = always send to human gate
+  effect        TEXT NOT NULL DEFAULT 'allow' CHECK(effect IN ('allow','deny')),
+  expires_at    TEXT,
+  created_at    TEXT NOT NULL DEFAULT (datetime('now')),
+  FOREIGN KEY (agent_id) REFERENCES gov_agents(agent_id) ON DELETE CASCADE
+);
+CREATE INDEX IF NOT EXISTS idx_gov_policies_agent ON gov_policies(agent_id);
+CREATE INDEX IF NOT EXISTS idx_gov_policies_lookup ON gov_policies(agent_id, resource, action);
+
+-- Append-only audit log with HMAC hash chain (tamper-evident).
+-- prev_hash → hash chain links every entry; breaking the chain detects tampering.
+CREATE TABLE IF NOT EXISTS gov_audit (
+  id           INTEGER PRIMARY KEY AUTOINCREMENT,
+  agent_id     TEXT NOT NULL,
+  ts           TEXT NOT NULL DEFAULT (datetime('now')),
+  event_type   TEXT NOT NULL,               -- 'check' | 'execute' | 'deny' | 'approval_request' | 'approval_decision' | 'kill' | 'policy_change' | 'note'
+  resource     TEXT,
+  action       TEXT,
+  scope        TEXT,
+  amount       REAL,
+  currency     TEXT,
+  decision     TEXT,                        -- 'allow' | 'deny' | 'pending' | 'approved' | 'rejected'
+  reason       TEXT,
+  params_json  TEXT,                        -- redacted parameter snapshot
+  result_json  TEXT,
+  prev_hash    TEXT,                        -- prior entry's hash
+  hash         TEXT NOT NULL,               -- HMAC(secret, prev_hash || row_payload)
+  FOREIGN KEY (agent_id) REFERENCES gov_agents(agent_id) ON DELETE CASCADE
+);
+CREATE INDEX IF NOT EXISTS idx_gov_audit_agent_ts ON gov_audit(agent_id, ts);
+CREATE INDEX IF NOT EXISTS idx_gov_audit_event ON gov_audit(agent_id, event_type);
+
+-- Approval requests. Async — agent requests, human resolves later.
+CREATE TABLE IF NOT EXISTS gov_approvals (
+  request_id    TEXT PRIMARY KEY,
+  agent_id      TEXT NOT NULL,
+  resource      TEXT NOT NULL,
+  action        TEXT NOT NULL,
+  scope         TEXT,
+  amount        REAL,
+  currency      TEXT,
+  params_json   TEXT,
+  reason        TEXT,                       -- why approval is required
+  status        TEXT NOT NULL DEFAULT 'pending' CHECK(status IN ('pending','approved','rejected','expired','cancelled')),
+  decided_by    TEXT,                       -- user_id of approver
+  decided_at    TEXT,
+  decided_note  TEXT,
+  expires_at    TEXT,                       -- auto-expire pending requests
+  created_at    TEXT NOT NULL DEFAULT (datetime('now')),
+  FOREIGN KEY (agent_id) REFERENCES gov_agents(agent_id) ON DELETE CASCADE
+);
+CREATE INDEX IF NOT EXISTS idx_gov_approvals_pending ON gov_approvals(agent_id, status);
+
+-- Spend tracker (per agent, per resource, sliding window).
+-- Rebuilt rolling-style; we just append on every monetary action.
+CREATE TABLE IF NOT EXISTS gov_spend (
+  id           INTEGER PRIMARY KEY AUTOINCREMENT,
+  agent_id     TEXT NOT NULL,
+  resource     TEXT NOT NULL,
+  amount       REAL NOT NULL,
+  currency     TEXT NOT NULL DEFAULT 'USD',
+  ts           TEXT NOT NULL DEFAULT (datetime('now')),
+  ref          TEXT,                        -- audit_id or external ref
+  FOREIGN KEY (agent_id) REFERENCES gov_agents(agent_id) ON DELETE CASCADE
+);
+CREATE INDEX IF NOT EXISTS idx_gov_spend_window ON gov_spend(agent_id, resource, ts);
+
+-- Rate-limit token buckets (lightweight; we keep counters).
+CREATE TABLE IF NOT EXISTS gov_rate (
+  agent_id     TEXT NOT NULL,
+  resource     TEXT NOT NULL,
+  window_start TEXT NOT NULL,               -- ISO timestamp (minute-resolution)
+  count        INTEGER NOT NULL DEFAULT 0,
+  PRIMARY KEY (agent_id, resource, window_start)
+);