web-agent-bridge 3.3.0 → 3.4.0

package/server/services/shieldqr.js

@@ -0,0 +1,322 @@
+/**
+ * WAB ShieldQR — verification service
+ * --------------------------------------------------------------
+ * Given a URL extracted from a QR code (or any short link), verify whether
+ * it's safe to open.  Layered checks:
+ *
+ *   1. Heuristic risk score (shorteners, brand-new TLDs, IP literals, etc.)
+ *   2. DNS Discovery — TXT lookup on  _wab.{domain}  and  _wab-trust.{domain}
+ *   3. Cryptographic Trust  — fetch /.well-known/wab.json and verify
+ *      Ed25519 signature against the public key advertised in the TXT record.
+ *   4. SSL/TLS health — fetch the cert, compare thumbprint, check expiry.
+ *
+ * The result is a *level* (green / yellow / red) plus a structured
+ * `signals[]` array so a UI can show a human-readable explanation.
+ *
+ * No third-party deps — only Node built-ins (`dns/promises`, `tls`,
+ * `crypto`, `https`).
+ */
+'use strict';
+
+const dns = require('node:dns').promises;
+const tls = require('node:tls');
+const crypto = require('node:crypto');
+const https = require('node:https');
+const http = require('node:http');
+
+const SHORTENER_HOSTS = new Set([
+  'bit.ly', 't.co', 'tinyurl.com', 'goo.gl', 'ow.ly', 'is.gd', 'buff.ly',
+  'cutt.ly', 'rebrand.ly', 'shorturl.at', 'tiny.cc', 'rb.gy', 'lnkd.in',
+]);
+
+const FETCH_TIMEOUT_MS = 4000;
+const MAX_BODY_BYTES = 64 * 1024;
+
+// ─── Public API ───────────────────────────────────────────────────────
+
+/**
+ * Inspect a single URL.  Always resolves; never throws.
+ * @param {string} input  raw URL or string from a QR scan
+ * @returns {Promise<{level:'green'|'yellow'|'red', score:number, url:string|null,
+ *   host:string|null, signals:Array, dns:any, trust:any, ssl:any, generated_at:string}>}
+ */
+async function scan(input) {
+  const t0 = Date.now();
+  const out = {
+    level: 'yellow',
+    score: 50,
+    url: null,
+    host: null,
+    signals: [],
+    dns: null,
+    trust: null,
+    ssl: null,
+    generated_at: new Date().toISOString(),
+    elapsed_ms: 0,
+  };
+
+  const parsed = parseUrl(input);
+  if (!parsed) {
+    out.level = 'red';
+    out.score = 0;
+    out.signals.push({ id: 'invalid_url', severity: 'high', message: 'Cannot parse a URL from input' });
+    out.elapsed_ms = Date.now() - t0;
+    return out;
+  }
+  out.url = parsed.href;
+  out.host = parsed.hostname;
+
+  // 1. Static heuristics
+  applyHeuristics(parsed, out);
+
+  // 2. DNS Discovery (parallel TXT lookups)
+  const [discovery, trust] = await Promise.all([
+    safeTxt(`_wab.${parsed.hostname}`),
+    safeTxt(`_wab-trust.${parsed.hostname}`),
+  ]);
+  out.dns = { discovery, trust };
+  if (discovery.records.length) {
+    out.signals.push({ id: 'wab_dns', severity: 'good', message: `_wab TXT record found at ${parsed.hostname}` });
+  }
+  if (trust.records.length) {
+    out.signals.push({ id: 'wab_trust_dns', severity: 'good', message: `_wab-trust TXT record found` });
+  }
+
+  // 3. Cryptographic trust  (only if DNS announced a key)
+  const wabFields = parseWabTxt(discovery.records.concat(trust.records));
+  if (wabFields.pk || wabFields.endpoint) {
+    out.trust = await verifyTrust(parsed, wabFields).catch((e) => ({ ok: false, error: String(e?.message || e) }));
+    if (out.trust.ok) {
+      out.signals.push({ id: 'signature_ok', severity: 'good', message: 'Ed25519 signature verified against DNS public key' });
+    } else if (out.trust && out.trust.error) {
+      out.signals.push({ id: 'signature_fail', severity: 'high', message: `Trust check failed: ${out.trust.error}` });
+    }
+  }
+
+  // 4. SSL/TLS — only over HTTPS hosts
+  if (parsed.protocol === 'https:') {
+    out.ssl = await inspectSsl(parsed.hostname, parsed.port ? Number(parsed.port) : 443).catch((e) => ({ ok: false, error: String(e?.message || e) }));
+    if (out.ssl.ok) {
+      const daysLeft = out.ssl.days_until_expiry;
+      if (daysLeft != null && daysLeft < 0) {
+        out.signals.push({ id: 'ssl_expired', severity: 'high', message: `SSL certificate expired ${-daysLeft}d ago` });
+      } else if (daysLeft != null && daysLeft < 7) {
+        out.signals.push({ id: 'ssl_expiring', severity: 'medium', message: `SSL certificate expires in ${daysLeft} days` });
+      }
+      if (wabFields.ssl_thumbprint && out.ssl.fingerprint_sha256 &&
+          wabFields.ssl_thumbprint.toLowerCase() !== out.ssl.fingerprint_sha256.toLowerCase()) {
+        out.signals.push({ id: 'ssl_thumbprint_mismatch', severity: 'high',
+          message: 'SSL fingerprint does not match the value advertised via _wab DNS' });
+      }
+    }
+  }
+
+  // 4b. Extended Trust — Fallback mode.
+  // If SSL is degraded (expired / expiring / mismatch) BUT we have a
+  // cryptographically verified Ed25519 signature, surface a "partial trust"
+  // signal so the verdict stays yellow instead of crashing to red.
+  const sslDegraded = out.signals.some((s) =>
+    ['ssl_expired', 'ssl_expiring', 'ssl_thumbprint_mismatch'].includes(s.id));
+  if (sslDegraded && out.trust && out.trust.ok) {
+    out.signals.push({ id: 'fallback_trust', severity: 'good',
+      message: 'Partial trust — SSL is degraded but the WAB Ed25519 signature is valid' });
+    out.fallback_trust = true;
+  }
+
+  // 5. Final level — combine signals
+  const verdict = computeLevel(out.signals, !!out.trust?.ok);
+  out.level = verdict.level;
+  out.score = verdict.score;
+  out.elapsed_ms = Date.now() - t0;
+  return out;
+}
+
+// ─── Helpers ──────────────────────────────────────────────────────────
+
+function parseUrl(input) {
+  if (!input || typeof input !== 'string') { return null; }
+  let s = input.trim();
+  if (!/^[a-z][a-z0-9+.-]*:\/\//i.test(s)) { s = 'https://' + s; }
+  try { return new URL(s); } catch { return null; }
+}
+
+function applyHeuristics(parsed, out) {
+  const host = parsed.hostname.toLowerCase();
+  // IP-literal hosts are suspicious
+  if (/^\d+\.\d+\.\d+\.\d+$/.test(host) || host.includes(':')) {
+    out.signals.push({ id: 'ip_literal_host', severity: 'high', message: 'URL points to a raw IP address' });
+  }
+  if (SHORTENER_HOSTS.has(host)) {
+    out.signals.push({ id: 'shortener', severity: 'medium', message: `URL uses a shortener domain (${host})` });
+  }
+  if (parsed.protocol === 'http:') {
+    out.signals.push({ id: 'plain_http', severity: 'medium', message: 'URL uses plain HTTP (no TLS)' });
+  }
+  // Punycode / homoglyph hint
+  if (host.includes('xn--')) {
+    out.signals.push({ id: 'punycode', severity: 'medium', message: 'Hostname uses Punycode (possible homoglyph attack)' });
+  }
+  // Excessive subdomains
+  if (host.split('.').length > 5) {
+    out.signals.push({ id: 'deep_subdomain', severity: 'low', message: 'Hostname has unusually many subdomain levels' });
+  }
+}
+
+async function safeTxt(name) {
+  try {
+    const records = await dns.resolveTxt(name);
+    return { name, records: records.map((parts) => parts.join('')), error: null };
+  } catch (err) {
+    return { name, records: [], error: err.code || String(err.message || err) };
+  }
+}
+
+/**
+ * Parse `key=value;` style fields out of TXT records that begin with `v=wab1`.
+ * Returns merged object with at least:
+ *   v, endpoint, pk, ssl_thumbprint, ssl_expires, shieldqr
+ */
+function parseWabTxt(rawRecords) {
+  const out = {};
+  for (const rec of rawRecords) {
+    if (!/v\s*=\s*wab1/i.test(rec)) { continue; }
+    const parts = rec.split(';').map((p) => p.trim()).filter(Boolean);
+    for (const p of parts) {
+      const eq = p.indexOf('=');
+      if (eq < 0) { continue; }
+      const k = p.slice(0, eq).trim().toLowerCase();
+      const v = p.slice(eq + 1).trim();
+      if (k && v && !out[k]) { out[k] = v; }
+    }
+  }
+  return out;
+}
+
+async function verifyTrust(parsed, wabFields) {
+  const base = wabFields.endpoint && /^https?:\/\//i.test(wabFields.endpoint)
+    ? wabFields.endpoint
+    : `${parsed.origin}/.well-known/wab.json`;
+  const wabJsonUrl = wabFields.endpoint && wabFields.endpoint.endsWith('.json')
+    ? wabFields.endpoint
+    : (base.endsWith('/') ? base + '.well-known/wab.json' : base + '/.well-known/wab.json');
+
+  const fetched = await fetchSmall(wabJsonUrl);
+  if (!fetched.ok) { return { ok: false, error: `cannot fetch wab.json (${fetched.error || fetched.status})` }; }
+
+  let doc;
+  try { doc = JSON.parse(fetched.body); } catch { return { ok: false, error: 'wab.json is not valid JSON' }; }
+
+  // signature is over the canonical JSON of `doc.payload`
+  const sig = doc.signature;
+  const pkRaw = wabFields.pk || (doc.trust && doc.trust.pk);
+  if (!sig || !pkRaw || !doc.payload) {
+    return { ok: false, error: 'wab.json missing payload/signature/pk' };
+  }
+  const pk = pkRaw.replace(/^ed25519:/i, '');
+
+  let pkBytes;
+  try { pkBytes = Buffer.from(pk, 'base64'); } catch { return { ok: false, error: 'invalid base64 pk' }; }
+  if (pkBytes.length !== 32) { return { ok: false, error: `pk has wrong length (${pkBytes.length} bytes, want 32)` }; }
+  let sigBytes;
+  try { sigBytes = Buffer.from(sig.replace(/^ed25519:/i, ''), 'base64'); } catch { return { ok: false, error: 'invalid base64 signature' }; }
+
+  // Wrap raw 32-byte Ed25519 public key in DER (SubjectPublicKeyInfo)
+  const der = Buffer.concat([
+    Buffer.from('302a300506032b6570032100', 'hex'),
+    pkBytes,
+  ]);
+  let pubKey;
+  try { pubKey = crypto.createPublicKey({ key: der, format: 'der', type: 'spki' }); }
+  catch (e) { return { ok: false, error: 'cannot import Ed25519 pk: ' + e.message }; }
+
+  const message = Buffer.from(canonicalJson(doc.payload), 'utf8');
+  const ok = crypto.verify(null, message, pubKey, sigBytes);
+
+  return { ok, payload: doc.payload, signed_with: pk };
+}
+
+function canonicalJson(obj) {
+  if (obj === null || typeof obj !== 'object') { return JSON.stringify(obj); }
+  if (Array.isArray(obj)) { return '[' + obj.map(canonicalJson).join(',') + ']'; }
+  const keys = Object.keys(obj).sort();
+  return '{' + keys.map((k) => JSON.stringify(k) + ':' + canonicalJson(obj[k])).join(',') + '}';
+}
+
+function fetchSmall(url) {
+  return new Promise((resolve) => {
+    let mod;
+    try { mod = url.startsWith('https:') ? https : http; } catch { return resolve({ ok: false, error: 'bad url' }); }
+    const req = mod.get(url, { timeout: FETCH_TIMEOUT_MS, headers: { 'User-Agent': 'WAB-ShieldQR/1.0' } }, (res) => {
+      if (res.statusCode && res.statusCode >= 300 && res.statusCode < 400 && res.headers.location) {
+        res.resume();
+        return resolve({ ok: false, status: res.statusCode, error: 'redirect_not_followed' });
+      }
+      let bytes = 0;
+      const chunks = [];
+      res.on('data', (c) => {
+        bytes += c.length;
+        if (bytes > MAX_BODY_BYTES) { req.destroy(); return; }
+        chunks.push(c);
+      });
+      res.on('end', () => resolve({
+        ok: (res.statusCode || 0) >= 200 && (res.statusCode || 0) < 300,
+        status: res.statusCode,
+        body: Buffer.concat(chunks).toString('utf8'),
+      }));
+    });
+    req.on('timeout', () => { req.destroy(); resolve({ ok: false, error: 'timeout' }); });
+    req.on('error', (e) => resolve({ ok: false, error: e.message }));
+  });
+}
+
+function inspectSsl(host, port) {
+  return new Promise((resolve) => {
+    const socket = tls.connect({ host, port, servername: host, timeout: FETCH_TIMEOUT_MS, rejectUnauthorized: false }, () => {
+      const cert = socket.getPeerCertificate(true);
+      socket.end();
+      if (!cert || !cert.valid_to) { return resolve({ ok: false, error: 'no certificate returned' }); }
+      const expiry = new Date(cert.valid_to);
+      const days = Math.floor((expiry.getTime() - Date.now()) / 86400000);
+      const fp = (cert.fingerprint256 || '').replace(/:/g, '').toLowerCase();
+      resolve({
+        ok: true,
+        issuer: cert.issuer && (cert.issuer.O || cert.issuer.CN) || null,
+        subject: cert.subject && cert.subject.CN || null,
+        valid_to: cert.valid_to,
+        valid_from: cert.valid_from,
+        days_until_expiry: days,
+        fingerprint_sha256: fp,
+        authorized: socket.authorized,
+        protocol: socket.getProtocol && socket.getProtocol(),
+      });
+    });
+    socket.on('error', (e) => resolve({ ok: false, error: e.message }));
+    socket.on('timeout', () => { socket.destroy(); resolve({ ok: false, error: 'timeout' }); });
+  });
+}
+
+function computeLevel(signals, signedOk) {
+  let score = 60; // neutral start
+  for (const s of signals) {
+    if (s.severity === 'good')   { score += 20; }
+    else if (s.severity === 'low')    { score -= 5; }
+    else if (s.severity === 'medium') { score -= 18; }
+    else if (s.severity === 'high')   { score -= 40; }
+  }
+  if (signedOk) { score = Math.max(score, 90); }
+  score = Math.max(0, Math.min(100, score));
+  const fallback = signals.some((s) => s.id === 'fallback_trust');
+  let level = 'yellow';
+  if (score >= 75 && signedOk && !fallback) { level = 'green'; }
+  else if (score >= 65)        { level = 'yellow'; }
+  else if (score < 35)         { level = 'red'; }
+  else                          { level = 'yellow'; }
+  // Hard-fail on any high-severity signal unless we have a verified signature
+  // (Extended Trust Layer: signature acts as fallback authority when SSL fails).
+  if (signals.some((s) => s.severity === 'high') && !signedOk) { level = 'red'; }
+  // With signed fallback, never drop below yellow.
+  if (fallback && level === 'red') { level = 'yellow'; }
+  return { level, score };
+}
+
+module.exports = { scan, parseWabTxt, canonicalJson };

package/server/services/ssl-inspector.js

@@ -0,0 +1,42 @@
+/**
+ * server/services/ssl-inspector.js
+ * Live TLS certificate inspector — used by sign-wab-domain.js, cron monitor,
+ * and shieldqr verifier. Returns { ok, fingerprint_sha256, valid_to,
+ * days_until_expiry, issuer, subject, fingerprint_b64 }.
+ */
+'use strict';
+
+const tls = require('node:tls');
+
+function inspect(host, port = 443, timeoutMs = 8000) {
+  return new Promise((resolve) => {
+    const socket = tls.connect({
+      host, port, servername: host, rejectUnauthorized: false, timeout: timeoutMs,
+    }, () => {
+      try {
+        const cert = socket.getPeerCertificate(false);
+        if (!cert || !cert.valid_to) { socket.end(); return resolve({ ok: false, error: 'no_cert' }); }
+        const validTo = new Date(cert.valid_to);
+        const daysLeft = Math.floor((validTo.getTime() - Date.now()) / (24 * 3600 * 1000));
+        const fpHex = (cert.fingerprint256 || '').replace(/:/g, '').toLowerCase();
+        const fpB64 = fpHex ? Buffer.from(fpHex, 'hex').toString('base64') : null;
+        socket.end();
+        resolve({
+          ok: true,
+          fingerprint_sha256: fpHex,
+          fingerprint_b64: fpB64,
+          valid_to: validTo.toISOString(),
+          valid_from: cert.valid_from ? new Date(cert.valid_from).toISOString() : null,
+          days_until_expiry: daysLeft,
+          issuer: cert.issuer && (cert.issuer.O || cert.issuer.CN) || null,
+          subject: cert.subject && cert.subject.CN || null,
+          serial: cert.serialNumber || null,
+        });
+      } catch (e) { try { socket.end(); } catch (_) {} resolve({ ok: false, error: e.message }); }
+    });
+    socket.on('error', (err) => resolve({ ok: false, error: err.message }));
+    socket.on('timeout', () => { try { socket.destroy(); } catch (_) {} resolve({ ok: false, error: 'timeout' }); });
+  });
+}
+
+module.exports = { inspect };

package/server/services/ssl-monitor.js

@@ -0,0 +1,167 @@
+/**
+ * server/services/ssl-monitor.js
+ * Extended Trust Layer — Certificate Companion & SSL Health Monitoring.
+ *
+ * Periodically inspects SSL certificates for every active site, persists state
+ * in `ssl_monitor`, appends new certs to `cert_history` (CT log), and emails
+ * the site owner when the certificate is within 7 days of expiry. The cron
+ * runs once per day inside the main process; can be disabled via env
+ * `WAB_SSL_MONITOR=off`.
+ */
+'use strict';
+
+const path = require('node:path');
+const Database = require('better-sqlite3');
+const ssl = require('./ssl-inspector');
+
+const DATA_DIR = process.env.NODE_ENV === 'test'
+  ? path.join(__dirname, '..', '..', 'data-test')
+  : (process.env.DATA_DIR || path.join(__dirname, '..', '..', 'data'));
+const DB_FILE = process.env.NODE_ENV === 'test' ? 'wab-test.db' : 'wab.db';
+
+let _db = null;
+function db() {
+  if (!_db) { _db = new Database(path.join(DATA_DIR, DB_FILE)); }
+  return _db;
+}
+
+const ALERT_DAYS = Number(process.env.WAB_SSL_ALERT_DAYS || 7);
+const ALERT_REPEAT_HOURS = Number(process.env.WAB_SSL_ALERT_REPEAT_HOURS || 24);
+
+function classify(daysLeft) {
+  if (daysLeft == null) return 'error';
+  if (daysLeft < 0) return 'expired';
+  if (daysLeft <= ALERT_DAYS) return 'expiring';
+  return 'active';
+}
+
+/**
+ * Inspect one host, persist state + CT log entry + alert if needed.
+ * Returns { host, status, days_until_expiry, alerted }.
+ */
+async function checkHost(host, opts = {}) {
+  const info = await ssl.inspect(host, 443);
+  const now = new Date().toISOString();
+
+  if (!info.ok) {
+    db().prepare(`
+      INSERT INTO ssl_monitor (host, status, error, last_checked_at, enabled, owner_user_id)
+      VALUES (?, 'error', ?, ?, 1, ?)
+      ON CONFLICT(host) DO UPDATE SET
+        status='error', error=excluded.error, last_checked_at=excluded.last_checked_at
+    `).run(host, info.error || 'unknown', now, opts.userId || null);
+    return { host, status: 'error', error: info.error };
+  }
+
+  const status = classify(info.days_until_expiry);
+
+  db().prepare(`
+    INSERT INTO ssl_monitor (host, fingerprint_sha256, issuer, valid_to, days_until_expiry,
+                             status, error, last_checked_at, enabled, owner_user_id)
+    VALUES (?, ?, ?, ?, ?, ?, NULL, ?, 1, ?)
+    ON CONFLICT(host) DO UPDATE SET
+      fingerprint_sha256=excluded.fingerprint_sha256,
+      issuer=excluded.issuer,
+      valid_to=excluded.valid_to,
+      days_until_expiry=excluded.days_until_expiry,
+      status=excluded.status,
+      error=NULL,
+      last_checked_at=excluded.last_checked_at
+  `).run(host, info.fingerprint_sha256, info.issuer, info.valid_to,
+         info.days_until_expiry, status, now, opts.userId || null);
+
+  // Append to CT log if fingerprint not seen for this host yet.
+  try {
+    db().prepare(`
+      INSERT OR IGNORE INTO cert_history
+        (host, fingerprint_sha256, issuer, subject, serial, valid_from, valid_to, source)
+      VALUES (?, ?, ?, ?, ?, ?, ?, ?)
+    `).run(host, info.fingerprint_sha256, info.issuer, info.subject, info.serial,
+           info.valid_from, info.valid_to, opts.source || 'monitor');
+  } catch (_) { /* table may not exist yet */ }
+
+  let alerted = false;
+  if (status === 'expiring' || status === 'expired') {
+    alerted = await maybeSendAlert(host, info, status, opts);
+  }
+
+  return { host, status, days_until_expiry: info.days_until_expiry, alerted };
+}
+
+async function maybeSendAlert(host, info, status, opts) {
+  const row = db().prepare(`SELECT last_alert_at, owner_user_id FROM ssl_monitor WHERE host = ?`).get(host);
+  if (row && row.last_alert_at) {
+    const last = new Date(row.last_alert_at).getTime();
+    if (Date.now() - last < ALERT_REPEAT_HOURS * 3600 * 1000) return false;
+  }
+
+  let to = opts.alertEmail || process.env.WAB_SSL_ALERT_EMAIL;
+  try {
+    if (!to && row && row.owner_user_id) {
+      const u = db().prepare('SELECT email FROM users WHERE id = ?').get(row.owner_user_id);
+      if (u && u.email) to = u.email;
+    }
+  } catch (_) { /* users table may not exist in tests */ }
+
+  if (!to) return false;
+
+  try {
+    const { sendEmail } = require('./email');
+    await sendEmail({
+      to, template: 'sslExpiringAlert',
+      data: {
+        host,
+        daysLeft: Math.max(0, info.days_until_expiry),
+        validTo: info.valid_to,
+        issuer: info.issuer,
+        fingerprint: info.fingerprint_sha256,
+      },
+    });
+    db().prepare(`UPDATE ssl_monitor SET last_alert_at = ? WHERE host = ?`)
+      .run(new Date().toISOString(), host);
+    return true;
+  } catch (_) { return false; }
+}
+
+/** Run a sweep across every active site domain (and optional extra hosts). */
+async function runSweep({ extraHosts = [] } = {}) {
+  let hosts = [...extraHosts];
+  try {
+    const rows = db().prepare(
+      "SELECT DISTINCT LOWER(REPLACE(domain, 'http://', '')) AS host, user_id FROM sites WHERE active = 1"
+    ).all();
+    for (const r of rows) {
+      const h = (r.host || '').replace(/^https?:\/\//, '').replace(/\/.*$/, '').replace(/^www\./, 'www.');
+      if (!h) continue;
+      hosts.push({ host: h, userId: r.user_id });
+    }
+  } catch (_) { /* sites table may not exist */ }
+
+  const results = [];
+  for (const item of hosts) {
+    const host = typeof item === 'string' ? item : item.host;
+    const userId = typeof item === 'string' ? null : item.userId;
+    try {
+      results.push(await checkHost(host, { userId }));
+    } catch (e) {
+      results.push({ host, status: 'error', error: e.message });
+    }
+  }
+  return results;
+}
+
+let _interval = null;
+function start() {
+  if (_interval || process.env.WAB_SSL_MONITOR === 'off') return;
+  if (process.env.NODE_ENV === 'test' || process.env.JEST_WORKER_ID) return;
+  // Run immediately, then once per day.
+  setTimeout(() => runSweep().catch(() => {}), 30_000);
+  _interval = setInterval(() => runSweep().catch(() => {}), 24 * 3600 * 1000);
+  if (_interval.unref) _interval.unref();
+}
+
+function stop() {
+  if (_interval) { clearInterval(_interval); _interval = null; }
+}
+
+module.exports = { checkHost, runSweep, classify, start, stop };

package/server/services/stripe.js

@@ -32,7 +32,20 @@ function getStripePrices() {
   };
 }
 
-async function createCheckoutSession({ userId, userEmail, siteId, tier }) {
+// Resolve a Stripe price id from either a plan id (DB) or a legacy tier name.
+// Order: DB plan.stripe_price_id → env STRIPE_PRICE_<UPPER> → platform_settings → null.
+function resolvePriceId(planOrTier) {
+  if (!planOrTier) return null;
+  try {
+    const plans = require('./plans');
+    const p = plans.getPlan(planOrTier);
+    if (p && p.stripe_price_id) return p.stripe_price_id;
+  } catch { /* DB layer not ready (tests) — fall through to legacy lookup */ }
+  const envKey = `STRIPE_PRICE_${String(planOrTier).toUpperCase()}`;
+  return process.env[envKey] || getPlatformSetting(`stripe_price_${planOrTier}`) || null;
+}
+
+async function createCheckoutSession({ userId, userEmail, siteId, tier, planId }) {
   const site = findSiteById.get(siteId);
   if (!site || site.user_id !== userId) {
     throw new Error('Site not found or access denied');
@@ -41,9 +54,9 @@ async function createCheckoutSession({ userId, userEmail, siteId, tier }) {
   const s = getStripe();
   if (!s) throw new Error('Stripe not configured');
 
-  const prices = getStripePrices();
-  const priceId = prices[tier];
-  if (!priceId) throw new Error(`No price configured for tier: ${tier}`);
+  const planRef = planId || tier;
+  const priceId = resolvePriceId(planRef);
+  if (!priceId) throw new Error(`No price configured for plan: ${planRef}`);
 
   // Get or create Stripe customer
   let customer = getStripeCustomer(userId);
@@ -60,7 +73,7 @@ async function createCheckoutSession({ userId, userEmail, siteId, tier }) {
     mode: 'subscription',
     payment_method_types: ['card'],
     line_items: [{ price: priceId, quantity: 1 }],
-    metadata: { wab_user_id: userId, wab_site_id: siteId, tier },
+    metadata: { wab_user_id: userId, wab_site_id: siteId, tier: planRef, plan_id: planRef },
     success_url: `${baseUrl}/dashboard?payment=success&session_id={CHECKOUT_SESSION_ID}`,
     cancel_url: `${baseUrl}/dashboard?payment=cancelled`
   });

package/server/services/vision.js

@@ -1,5 +1,5 @@
 const { db } = require('../models/db');
-const { v4: uuidv4 } = require('uuid');
+const { randomUUID: uuidv4 } = require('crypto');
 const crypto = require('crypto');
 
 // ═══════════════════════════════════════════════════════════════════════