web-agent-bridge 3.3.0 → 3.4.0

package/examples/dns-discovery-agent.js

@@ -0,0 +1,166 @@
+#!/usr/bin/env node
+'use strict';
+
+/**
+ * Official WAB DNS Discovery consumer (multi-site).
+ *
+ * Proves the full value chain per domain:
+ *   1) discover via _wab TXT
+ *   2) fetch wab.json endpoint
+ *   3) call agent endpoints (/api/wab/discover, /api/wab/ping)
+ *
+ * Usage:
+ *   node examples/dns-discovery-agent.js webagentbridge.com example.com
+ */
+
+const { verify } = require('../packages/dns-verify/src');
+const { safeFetch } = require('../server/utils/safe-fetch');
+
+function sanitizeDomain(raw) {
+  return String(raw || '')
+    .trim()
+    .toLowerCase()
+    .replace(/^https?:\/\//, '')
+    .replace(/\/.*$/, '')
+    .replace(/:\d+$/, '')
+    .replace(/^www\./, '');
+}
+
+function parseEndpoint(record) {
+  if (!record || !record.parsed) return null;
+  return record.parsed.endpoint || null;
+}
+
+function logStep(ok, label, detail) {
+  const icon = ok ? 'OK' : 'NO';
+  const extra = detail ? ` - ${detail}` : '';
+  console.log(`[${icon}] ${label}${extra}`);
+}
+
+async function runDomain(domain) {
+  console.log('\n=== ' + domain + ' ===');
+
+  const result = {
+    domain,
+    dns: null,
+    endpoint: null,
+    wabJson: null,
+    discover: null,
+    ping: null,
+    ok: false,
+  };
+
+  const proof = await verify(domain, { timeoutMs: 6000 }).catch((err) => ({
+    ok: false,
+    records: [{ type: '_wab', error: err.message }],
+  }));
+
+  const wabRecord = (proof.records || []).find((r) => r.type === '_wab') || null;
+  result.dns = wabRecord;
+  logStep(!!(wabRecord && wabRecord.ok), 'DNS discovery', wabRecord && (wabRecord.error || wabRecord.fqdn));
+
+  const endpoint = parseEndpoint(wabRecord);
+  result.endpoint = endpoint;
+  if (!endpoint) {
+    logStep(false, 'wab.json endpoint', 'missing endpoint= in _wab record');
+    return result;
+  }
+  logStep(true, 'wab.json endpoint', endpoint);
+
+  const endpointUrl = new URL(endpoint);
+  const allowList = [domain, '*.' + domain, endpointUrl.hostname, '*.' + endpointUrl.hostname]
+    .filter((v, i, a) => a.indexOf(v) === i);
+
+  try {
+    const wabRes = await safeFetch(endpointUrl.toString(), { headers: { accept: 'application/json' } }, {
+      requireHttps: true,
+      allowList,
+      timeoutMs: 8000,
+      maxBytes: 1024 * 1024,
+      allowedContentTypes: ['application/json', 'application/ld+json', 'text/plain'],
+    });
+    const wabJson = await wabRes.json();
+    result.wabJson = wabJson;
+    logStep(wabRes.ok, 'Fetch wab.json', wabRes.status + ' ' + (wabJson.provider && wabJson.provider.name || 'unknown provider'));
+  } catch (err) {
+    logStep(false, 'Fetch wab.json', err.message);
+    return result;
+  }
+
+  const origin = endpointUrl.origin;
+  const discoverUrl = origin + '/api/wab/discover';
+  const fallbackDiscoverUrl = origin + '/agent-bridge.json';
+
+  try {
+    const discoverRes = await safeFetch(discoverUrl, { headers: { accept: 'application/json' } }, {
+      requireHttps: true,
+      allowList,
+      timeoutMs: 8000,
+      maxBytes: 1024 * 1024,
+      allowedContentTypes: ['application/json'],
+    });
+    if (discoverRes.ok) {
+      const discoverJson = await discoverRes.json();
+      result.discover = discoverJson;
+      logStep(true, 'Agent discover', 'GET /api/wab/discover');
+    } else {
+      const fallbackRes = await safeFetch(fallbackDiscoverUrl, { headers: { accept: 'application/json' } }, {
+        requireHttps: true,
+        allowList,
+        timeoutMs: 8000,
+        maxBytes: 1024 * 1024,
+        allowedContentTypes: ['application/json'],
+      });
+      const fallbackJson = await fallbackRes.json().catch(() => ({}));
+      if (fallbackRes.ok) {
+        result.discover = fallbackJson;
+        logStep(true, 'Agent discover', `fallback /agent-bridge.json (discover HTTP ${discoverRes.status})`);
+      } else {
+        logStep(false, 'Agent discover', `discover HTTP ${discoverRes.status}; fallback HTTP ${fallbackRes.status}`);
+      }
+    }
+  } catch (err) {
+    logStep(false, 'Agent discover', err.message);
+  }
+
+  try {
+    const pingRes = await safeFetch(origin + '/api/wab/ping', { headers: { accept: 'application/json' } }, {
+      requireHttps: true,
+      allowList,
+      timeoutMs: 8000,
+      maxBytes: 512 * 1024,
+      allowedContentTypes: ['application/json'],
+    });
+    const pingJson = await pingRes.json();
+    result.ping = pingJson;
+    logStep(pingRes.ok, 'Agent execute', 'GET /api/wab/ping => pong=' + !!(pingJson.result && pingJson.result.pong));
+  } catch (err) {
+    logStep(false, 'Agent execute', err.message);
+  }
+
+  result.ok = !!(result.dns && result.dns.ok && result.wabJson && result.ping);
+  return result;
+}
+
+async function main() {
+  const domains = process.argv.slice(2).map(sanitizeDomain).filter(Boolean);
+  if (domains.length === 0) {
+    console.error('Usage: node examples/dns-discovery-agent.js <domain1> [domain2] [...]');
+    process.exit(1);
+  }
+
+  const outputs = [];
+  for (const domain of domains) {
+    outputs.push(await runDomain(domain));
+  }
+
+  const passed = outputs.filter((o) => o.ok).length;
+  console.log('\nSummary: ' + passed + '/' + outputs.length + ' domains passed full flow');
+
+  if (passed !== outputs.length) process.exitCode = 2;
+}
+
+main().catch((err) => {
+  console.error('Fatal:', err && err.stack || err);
+  process.exit(1);
+});

package/examples/gcp-dns-wab.js

@@ -0,0 +1,76 @@
+#!/usr/bin/env node
+/**
+ * gcp-dns-wab.js — enable/disable WAB DNS Discovery TXT record on Google Cloud DNS.
+ *
+ * Usage:
+ *   node gcp-dns-wab.js enable  example.com my-project example-com
+ *   node gcp-dns-wab.js disable example.com my-project example-com
+ *   node gcp-dns-wab.js status  example.com
+ *
+ * Auth: uses Application Default Credentials (run `gcloud auth application-default login`)
+ *       or set GOOGLE_APPLICATION_CREDENTIALS=/path/to/service-account.json
+ *
+ * Required: @google-cloud/dns
+ *   npm install @google-cloud/dns
+ */
+
+'use strict';
+
+const fetch = (() => { try { return require('node-fetch'); } catch { return globalThis.fetch; } })();
+const { DNS } = require('@google-cloud/dns');
+
+const [,, action, domain, projectId, zoneName] = process.argv;
+const WAB_BASE = process.env.WAB_BASE_URL  || 'https://www.webagentbridge.com';
+const ENDPOINT = process.env.WAB_ENDPOINT  || `https://${domain}/.well-known/wab.json`;
+
+if (!action || !domain) { console.error('Usage: node gcp-dns-wab.js <enable|disable|status> <domain> [projectId] [zoneName]'); process.exit(1); }
+if (!['enable','disable','status'].includes(action)) { console.error('Action must be: enable | disable | status'); process.exit(1); }
+if (action !== 'status' && (!projectId || !zoneName)) { console.error('projectId and zoneName required for enable/disable'); process.exit(1); }
+
+async function getRecordTemplate() {
+  const j = await (await fetch(`${WAB_BASE}/api/discovery/provider/record-template?domain=${encodeURIComponent(domain)}&endpoint=${encodeURIComponent(ENDPOINT)}`)).json();
+  if (!j.record || !j.record.value) throw new Error('Could not fetch WAB record template');
+  const v = j.record.value;
+  return v.startsWith('"') ? v : `"${v}"`;
+}
+
+async function main() {
+  console.log(`[WAB] Action: ${action} | Domain: ${domain}`);
+
+  if (action === 'status') {
+    const j = await (await fetch(`${WAB_BASE}/api/discovery/provider/status?domain=${encodeURIComponent(domain)}`)).json();
+    console.log(`[WAB] Status: ${j.status}`);
+    console.log(JSON.stringify(j, null, 2));
+    return;
+  }
+
+  const dns  = new DNS({ projectId });
+  const zone = dns.zone(zoneName);
+  const fqdn = `_wab.${domain}.`;
+
+  const [existing] = await zone.getRecords({ type: 'TXT', name: fqdn });
+  console.log(`[GCP] Existing _wab TXT records: ${existing.length}`);
+
+  if (action === 'enable') {
+    const txtVal = await getRecordTemplate();
+    console.log(`[WAB] TXT value: ${txtVal}`);
+    const newRecord = zone.record('txt', { name: fqdn, ttl: 3600, data: txtVal });
+    if (existing.length) {
+      const [change] = await zone.createChange({ delete: existing, add: newRecord });
+      console.log(`[GCP] Replaced (change id=${change.id}, status=${change.metadata.status})`);
+    } else {
+      const [change] = await zone.createChange({ add: newRecord });
+      console.log(`[GCP] Created (change id=${change.id}, status=${change.metadata.status})`);
+    }
+    console.log('[WAB] WAB Discovery ENABLED.');
+  }
+
+  if (action === 'disable') {
+    if (!existing.length) { console.log('[GCP] No _wab record found — already disabled.'); return; }
+    const [change] = await zone.createChange({ delete: existing });
+    console.log(`[GCP] Deleted (change id=${change.id}, status=${change.metadata.status})`);
+    console.log('[WAB] WAB Discovery DISABLED.');
+  }
+}
+
+main().catch(err => { console.error('[ERROR]', err.message); process.exit(1); });

package/examples/governance-agent.js

@@ -0,0 +1,169 @@
+#!/usr/bin/env node
+/**
+ * WAB Governance Demo
+ * ───────────────────
+ * Walks through the full Layer-3 governance pipeline:
+ *
+ *   1) register agent → get one-time token
+ *   2) define permission boundaries (Stripe read-only + refund <$50 + ClickUp write)
+ *   3) try a forbidden action  → DENIED
+ *   4) try an allowed action   → ALLOWED + audited
+ *   5) try a high-value refund → APPROVAL_REQUIRED → human approves → executed
+ *   6) verify audit chain      → tamper-evident
+ *   7) kill switch             → all subsequent actions DENIED
+ *
+ * Run:
+ *   node examples/governance-agent.js
+ *   WAB_API=http://localhost:3000 node examples/governance-agent.js
+ */
+
+'use strict';
+
+const { WABGovernance } = require('../sdk');
+
+const API = process.env.WAB_API || 'http://localhost:3000';
+
+const c = {
+  reset: '\x1b[0m', dim: '\x1b[2m', bold: '\x1b[1m',
+  green: '\x1b[32m', red: '\x1b[31m', yellow: '\x1b[33m',
+  blue: '\x1b[34m', cyan: '\x1b[36m', magenta: '\x1b[35m',
+};
+const log  = (msg) => console.log(msg);
+const head = (n, msg) => log(`\n${c.bold}${c.cyan}── ${n}. ${msg} ──${c.reset}`);
+const ok   = (m) => log(`  ${c.green}✓${c.reset} ${m}`);
+const no   = (m) => log(`  ${c.red}✗${c.reset} ${m}`);
+const info = (m) => log(`  ${c.dim}${m}${c.reset}`);
+
+async function main() {
+  log(`${c.bold}${c.magenta}WAB Agent Governance Demo${c.reset}  ${c.dim}(API: ${API})${c.reset}`);
+
+  // ── 1) Register a fresh agent identity
+  head(1, 'Register agent');
+  const reg = await WABGovernance.register({
+    apiBase: API,
+    displayName: 'Demo Agent — Stripe + ClickUp',
+    metadata: { demo: true, created: Date.now() },
+  });
+  ok(`agent_id   = ${reg.agent_id}`);
+  ok(`agent_token (shown ONCE) = ${reg.agent_token.slice(0, 12)}…`);
+
+  const gov = new WABGovernance({
+    apiBase:    API,
+    agentId:    reg.agent_id,
+    agentToken: reg.agent_token,
+    // Auto-approve in this demo (a real app would post to Slack/email).
+    onApprovalRequired: async (req) => {
+      info(`[human approval] resource=${req.resource} action=${req.action} amount=${req.amount}`);
+      info('[human approval] auto-approving in demo (3s think...)');
+      await sleep(3000);
+      return 'approved';
+    },
+    approvalTimeoutMs: 30_000,
+  });
+
+  // ── 2) Define policies
+  head(2, 'Define permission boundaries');
+  await gov.definePolicy({ resource: 'stripe', action: 'read',  scope: 'customers' });
+  ok('stripe:read on customers');
+  await gov.definePolicy({
+    resource: 'stripe', action: 'write', scope: 'refunds',
+    max_amount: 50, currency: 'USD', daily_cap: 200,
+  });
+  ok('stripe:write on refunds  (max $50/call, $200/day)');
+  await gov.definePolicy({
+    resource: 'stripe', action: 'write', scope: 'refunds-large',
+    max_amount: 5000, currency: 'USD', requires_approval: true,
+  });
+  ok('stripe:write on refunds-large  (≤$5000, REQUIRES HUMAN APPROVAL)');
+  await gov.definePolicy({
+    resource: 'clickup', action: 'write', scope: 'tasks', per_call_rate: 30,
+  });
+  ok('clickup:write on tasks  (rate-limited 30/min)');
+
+  // ── 3) Forbidden action
+  head(3, 'Attempt forbidden action: gmail:write');
+  try {
+    await gov.guard({ resource: 'gmail', action: 'write', scope: 'inbox' },
+      async () => { throw new Error('should not run'); });
+    no('UNEXPECTED: action ran (governance failed)');
+  } catch (e) {
+    ok(`correctly blocked: ${e.message}`);
+  }
+
+  // ── 4) Allowed read
+  head(4, 'Allowed action: stripe:read on customers');
+  const r = await gov.guard(
+    { resource: 'stripe', action: 'read', scope: 'customers' },
+    async () => ({ count: 12, sample: [{ id: 'cus_abc', email: 'demo@x' }] }),
+  );
+  ok(`executed in ${r.elapsed_ms}ms — result keys: ${Object.keys(r.result).join(', ')}`);
+
+  // ── 5) Small refund: under cap, no approval
+  head(5, 'Small refund: $9.99 (under cap)');
+  const r2 = await gov.guard(
+    { resource: 'stripe', action: 'write', scope: 'refunds',
+      amount: 9.99, currency: 'USD',
+      params: { charge: 'ch_xyz', reason: 'duplicate' } },
+    async () => ({ refund_id: 're_demo_' + Date.now(), status: 'succeeded' }),
+  );
+  ok(`refund posted: ${r2.result.refund_id}`);
+
+  // ── 6) Refund OVER per-call cap → DENIED instantly
+  head(6, 'Refund $9999 with cap=$50 → DENY');
+  try {
+    await gov.guard(
+      { resource: 'stripe', action: 'write', scope: 'refunds',
+        amount: 9999, currency: 'USD' },
+      async () => 'should not run',
+    );
+    no('UNEXPECTED: action ran');
+  } catch (e) {
+    ok(`correctly blocked: ${e.message}`);
+  }
+
+  // ── 7) Large refund routed through approval gate
+  head(7, 'Large refund $499.99 → APPROVAL GATE');
+  const r3 = await gov.guard(
+    { resource: 'stripe', action: 'write', scope: 'refunds-large',
+      amount: 499.99, currency: 'USD',
+      params: { charge: 'ch_big', reason: 'fraud_dispute' },
+      reason: 'high_value_refund_requires_review' },
+    async () => ({ refund_id: 're_big_' + Date.now(), status: 'succeeded' }),
+  );
+  ok(`approved + executed: ${r3.result.refund_id}`);
+
+  // ── 8) Audit log + chain verification
+  head(8, 'Audit log + tamper check');
+  const audit = await gov.getAudit({ limit: 20 });
+  info(`last ${audit.audit.length} events:`);
+  for (const ev of audit.audit.slice(0, 8)) {
+    const tag = ev.decision === 'deny' ? c.red : ev.decision === 'pending' ? c.yellow : c.green;
+    log(`    ${tag}${(ev.decision || '·').padEnd(8)}${c.reset}` +
+        ` ${(ev.event_type || '').padEnd(18)} ${ev.resource || ''}/${ev.action || ''}` +
+        ` ${ev.scope ? '['+ev.scope+'] ' : ''}${ev.amount ? '$'+ev.amount : ''}`);
+  }
+  const v = await gov.verifyAudit();
+  if (v.ok) ok(`chain verified: ${v.count} entries, head=${(v.head || '').slice(0, 12)}…`);
+  else      no(`chain BROKEN at id=${v.broken_at}`);
+
+  // ── 9) Kill switch
+  head(9, 'Kill switch');
+  await gov.kill('demo_complete');
+  ok('agent killed');
+  try {
+    await gov.guard({ resource: 'stripe', action: 'read', scope: 'customers' },
+      async () => 'should not run');
+    no('UNEXPECTED: action ran after kill');
+  } catch (e) {
+    ok(`post-kill action blocked: ${e.message}`);
+  }
+
+  log(`\n${c.bold}${c.green}✓ Demo complete${c.reset}\n`);
+}
+
+function sleep(ms) { return new Promise((r) => setTimeout(r, ms)); }
+
+main().catch((e) => {
+  console.error(`\n${c.red}Demo failed:${c.reset}`, e.message);
+  process.exit(1);
+});

package/examples/plesk-wab-dns.js

@@ -0,0 +1,103 @@
+#!/usr/bin/env node
+/**
+ * plesk-wab-dns.js — enable/disable WAB DNS Discovery TXT record via Plesk REST API.
+ *
+ * Usage:
+ *   PLESK_API_KEY=… node plesk-wab-dns.js enable  example.com plesk.host.com
+ *   PLESK_API_KEY=… node plesk-wab-dns.js disable example.com plesk.host.com
+ *   node plesk-wab-dns.js status example.com
+ *
+ * Optional env vars:
+ *   PLESK_PORT=8443
+ *   PLESK_USER + PLESK_PASS (basic auth instead of API key)
+ *   WAB_BASE_URL (default: https://www.webagentbridge.com)
+ *   NODE_TLS_REJECT_UNAUTHORIZED=0 (for self-signed cert)
+ */
+
+'use strict';
+
+const fetch = (() => { try { return require('node-fetch'); } catch { return globalThis.fetch; } })();
+
+const [,, action, domain, host] = process.argv;
+const PORT     = process.env.PLESK_PORT    || '8443';
+const APIKEY   = process.env.PLESK_API_KEY;
+const USER     = process.env.PLESK_USER;
+const PASS     = process.env.PLESK_PASS;
+const WAB_BASE = process.env.WAB_BASE_URL  || 'https://www.webagentbridge.com';
+const ENDPOINT = process.env.WAB_ENDPOINT  || `https://${domain}/.well-known/wab.json`;
+
+if (!action || !domain) { console.error('Usage: node plesk-wab-dns.js <enable|disable|status> <domain> [plesk-host]'); process.exit(1); }
+if (!['enable','disable','status'].includes(action)) { console.error('Action must be: enable | disable | status'); process.exit(1); }
+if (action !== 'status' && !host) { console.error('plesk-host required for enable/disable'); process.exit(1); }
+if (action !== 'status' && !APIKEY && !(USER && PASS)) { console.error('Set PLESK_API_KEY or PLESK_USER + PLESK_PASS'); process.exit(1); }
+
+function headers() {
+  const h = { 'Content-Type': 'application/json' };
+  if (APIKEY) h['X-API-Key'] = APIKEY;
+  else h['Authorization'] = 'Basic ' + Buffer.from(`${USER}:${PASS}`).toString('base64');
+  return h;
+}
+
+const base = () => `https://${host}:${PORT}/api/v2`;
+
+async function pkReq(method, path, body) {
+  const opts = { method, headers: headers() };
+  if (body) opts.body = JSON.stringify(body);
+  const r = await fetch(`${base()}${path}`, opts);
+  const t = await r.text();
+  if (!r.ok) throw new Error(`Plesk ${r.status}: ${t.slice(0, 300)}`);
+  try { return JSON.parse(t); } catch { return t; }
+}
+
+async function getRecordTemplate() {
+  const j = await (await fetch(`${WAB_BASE}/api/discovery/provider/record-template?domain=${encodeURIComponent(domain)}&endpoint=${encodeURIComponent(ENDPOINT)}`)).json();
+  if (!j.record || !j.record.value) throw new Error('Could not fetch WAB record template');
+  return j.record.value;
+}
+
+async function listWab() {
+  const all = await pkReq('GET', `/dns/records?domain=${encodeURIComponent(domain)}&type=TXT`);
+  return (all || []).filter(r => {
+    const h = (r.host || '').replace(/\.$/, '');
+    return h === `_wab.${domain}` || h === '_wab';
+  });
+}
+
+async function main() {
+  console.log(`[WAB] Action: ${action} | Domain: ${domain}`);
+
+  if (action === 'status') {
+    const j = await (await fetch(`${WAB_BASE}/api/discovery/provider/status?domain=${encodeURIComponent(domain)}`)).json();
+    console.log(`[WAB] Status: ${j.status}`);
+    console.log(JSON.stringify(j, null, 2));
+    return;
+  }
+
+  if (action === 'enable') {
+    const txtVal = await getRecordTemplate();
+    console.log(`[WAB] TXT value: ${txtVal}`);
+    const existing = await listWab();
+    for (const rec of existing) {
+      console.log(`[Plesk] Deleting old record id=${rec.id}`);
+      await pkReq('DELETE', `/dns/records/${rec.id}`);
+    }
+    const out = await pkReq('POST', '/dns/records', {
+      domain, type: 'TXT', host: `_wab.${domain}`, value: txtVal,
+    });
+    console.log('[Plesk] Created TXT record');
+    console.log(JSON.stringify(out, null, 2));
+    console.log('[WAB] WAB Discovery ENABLED.');
+  }
+
+  if (action === 'disable') {
+    const existing = await listWab();
+    if (!existing.length) { console.log('[Plesk] No _wab record found — already disabled.'); return; }
+    for (const rec of existing) {
+      console.log(`[Plesk] Deleting record id=${rec.id}`);
+      await pkReq('DELETE', `/dns/records/${rec.id}`);
+    }
+    console.log('[WAB] WAB Discovery DISABLED.');
+  }
+}
+
+main().catch(err => { console.error('[ERROR]', err.message); process.exit(1); });

package/examples/route53-wab-dns.js

@@ -0,0 +1,144 @@
+#!/usr/bin/env node
+/**
+ * route53-wab-dns.js
+ * -------------------
+ * CLI tool: enable or disable WAB DNS Discovery TXT record on AWS Route 53.
+ *
+ * Usage:
+ *   AWS_ACCESS_KEY_ID=… AWS_SECRET_ACCESS_KEY=… \
+ *     node route53-wab-dns.js enable  example.com [HOSTED_ZONE_ID]
+ *
+ *   AWS_ACCESS_KEY_ID=… AWS_SECRET_ACCESS_KEY=… \
+ *     node route53-wab-dns.js disable example.com [HOSTED_ZONE_ID]
+ *
+ *   node route53-wab-dns.js status example.com
+ *
+ * Optional env vars:
+ *   AWS_REGION          (default: us-east-1)
+ *   WAB_BASE_URL        (default: https://www.webagentbridge.com)
+ *   WAB_ENDPOINT        (override the wab.json URL in the TXT record)
+ *
+ * Required: @aws-sdk/client-route-53
+ *   npm install @aws-sdk/client-route-53
+ */
+
+'use strict';
+
+const {
+  Route53Client,
+  ChangeResourceRecordSetsCommand,
+  ListHostedZonesByNameCommand,
+  ListResourceRecordSetsCommand,
+} = require('@aws-sdk/client-route-53');
+
+const fetch = (() => {
+  try { return require('node-fetch'); }
+  catch { return globalThis.fetch; }
+})();
+
+const [,, action, domain, zoneIdArg] = process.argv;
+
+const REGION   = process.env.AWS_REGION    || 'us-east-1';
+const WAB_BASE = process.env.WAB_BASE_URL  || 'https://www.webagentbridge.com';
+const ENDPOINT = process.env.WAB_ENDPOINT  || `https://${domain}/.well-known/wab.json`;
+
+if (!action || !domain) {
+  console.error('Usage: node route53-wab-dns.js <enable|disable|status> <domain> [zone-id]');
+  process.exit(1);
+}
+if (!['enable','disable','status'].includes(action)) {
+  console.error('Action must be: enable | disable | status');
+  process.exit(1);
+}
+if (action !== 'status' && (!process.env.AWS_ACCESS_KEY_ID || !process.env.AWS_SECRET_ACCESS_KEY)) {
+  console.error('Set AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY env variables');
+  process.exit(1);
+}
+
+const client = new Route53Client({ region: REGION });
+
+async function getRecordTemplate() {
+  const url = `${WAB_BASE}/api/discovery/provider/record-template?domain=${encodeURIComponent(domain)}&endpoint=${encodeURIComponent(ENDPOINT)}`;
+  const j   = await (await fetch(url)).json();
+  if (!j.record || !j.record.value) throw new Error('Could not fetch WAB record template');
+  // Route 53 requires double-quoted TXT value
+  const v = j.record.value;
+  return v.startsWith('"') ? v : `"${v}"`;
+}
+
+async function resolveZoneId() {
+  if (zoneIdArg) return zoneIdArg;
+  console.log(`[R53] Resolving hosted zone for ${domain}…`);
+  const r = await client.send(new ListHostedZonesByNameCommand({ DNSName: domain, MaxItems: '1' }));
+  const zone = (r.HostedZones || []).find(z => z.Name === `${domain}.`);
+  if (!zone) throw new Error(`No hosted zone found for "${domain}"`);
+  return zone.Id.replace('/hostedzone/', '');
+}
+
+async function getCurrentRecord(zoneId) {
+  const r = await client.send(new ListResourceRecordSetsCommand({
+    HostedZoneId: zoneId,
+    StartRecordName: `_wab.${domain}`,
+    StartRecordType: 'TXT',
+    MaxItems: '1',
+  }));
+  return (r.ResourceRecordSets || []).find(
+    rr => rr.Name === `_wab.${domain}.` && rr.Type === 'TXT'
+  ) || null;
+}
+
+async function main() {
+  console.log(`[WAB] Action: ${action} | Domain: ${domain}`);
+
+  if (action === 'status') {
+    const j = await (await fetch(`${WAB_BASE}/api/discovery/provider/status?domain=${encodeURIComponent(domain)}`)).json();
+    console.log(`[WAB] Status: ${j.status}`);
+    console.log(JSON.stringify(j, null, 2));
+    return;
+  }
+
+  const zoneId  = await resolveZoneId();
+  console.log(`[R53] Zone ID: ${zoneId}`);
+
+  if (action === 'enable') {
+    const txtVal = await getRecordTemplate();
+    console.log(`[WAB] TXT value: ${txtVal}`);
+
+    await client.send(new ChangeResourceRecordSetsCommand({
+      HostedZoneId: zoneId,
+      ChangeBatch: {
+        Comment: 'WAB DNS Discovery enable',
+        Changes: [{
+          Action: 'UPSERT',
+          ResourceRecordSet: {
+            Name: `_wab.${domain}`,
+            Type: 'TXT',
+            TTL:  3600,
+            ResourceRecords: [{ Value: txtVal }],
+          },
+        }],
+      },
+    }));
+    console.log('[R53] UPSERT applied');
+    console.log('[WAB] WAB Discovery ENABLED. Propagation may take up to 60 s.');
+  }
+
+  if (action === 'disable') {
+    const existing = await getCurrentRecord(zoneId);
+    if (!existing) {
+      console.log('[R53] No _wab TXT record found — already disabled.');
+      return;
+    }
+    await client.send(new ChangeResourceRecordSetsCommand({
+      HostedZoneId: zoneId,
+      ChangeBatch: {
+        Comment: 'WAB DNS Discovery disable',
+        Changes: [{ Action: 'DELETE', ResourceRecordSet: existing }],
+      },
+    }));
+    console.log('[R53] Record deleted');
+    console.log('[WAB] WAB Discovery DISABLED.');
+  }
+}
+
+main().catch(err => { console.error('[ERROR]', err.message); process.exit(1); });