web-agent-bridge 3.3.0 → 3.8.1

package/examples/safe-mode-agent.js

@@ -0,0 +1,96 @@
+/**
+ * Demo3 — Safe Mode Agent
+ *
+ * Shows the difference between a domain that has WAB enabled (full trust,
+ * full execute) and one that doesn't (read-only / blocked).
+ *
+ *   node examples/safe-mode-agent.js wab-site.com untrusted-site.com
+ *
+ * Or pass --policy=strict|standard|permissive to change the gate.
+ */
+
+'use strict';
+
+const { WABSafeMode } = require('../sdk');
+
+const args = process.argv.slice(2);
+const flags = {};
+const domains = [];
+for (const a of args) {
+  if (a.startsWith('--')) {
+    const [k, v] = a.replace(/^--/, '').split('=');
+    flags[k] = v ?? true;
+  } else domains.push(a);
+}
+if (domains.length === 0) {
+  console.error('Usage: node examples/safe-mode-agent.js <domain1> [<domain2> ...] [--policy=standard]');
+  console.error('       [--api=https://your-wab.example.com]');
+  process.exit(2);
+}
+
+const safe = new WABSafeMode({
+  apiBase: flags.api || process.env.WAB_API_BASE || 'https://webagentbridge.com',
+  policy:  flags.policy || 'standard',
+});
+
+const COLOR = {
+  reset: '\x1b[0m', dim: '\x1b[2m', bold: '\x1b[1m',
+  green: '\x1b[32m', yellow: '\x1b[33m', red: '\x1b[31m', cyan: '\x1b[36m',
+};
+function color(c, s) { return process.stdout.isTTY ? `${COLOR[c]}${s}${COLOR.reset}` : s; }
+function levelColor(l) { return l >= 3 ? 'green' : l === 2 ? 'cyan' : l === 1 ? 'yellow' : 'red'; }
+
+async function checkOne(d) {
+  const t0 = Date.now();
+  const v = await safe.evaluate(d, { live: !!flags.live });
+  const elapsed = Date.now() - t0;
+
+  console.log('');
+  console.log(color('bold', `── ${v.domain} ──────────────────────────────`));
+  console.log(`Level    : ${color(levelColor(v.level), `L${v.level}`)} (${v.score_label} ${v.score})`);
+  console.log(`Verdict  : ${color(v.verdict === 'allow' ? 'green' : v.verdict === 'restrict' ? 'yellow' : 'red', v.verdict.toUpperCase())}`);
+  console.log(`Execute  : ${v.allow_execute ? color('green', '✓ allowed') : color('red', '✗ blocked')}`);
+  console.log(`Read     : ${v.allow_read    ? color('green', '✓ allowed') : color('red', '✗ blocked')}`);
+  console.log(`Reason   : ${v.reason}`);
+  if (v.reasons && v.reasons.length) {
+    for (const r of v.reasons) {
+      const sev = r.severity === 'deny' ? 'red' : r.severity === 'restrict' ? 'yellow' : 'dim';
+      console.log(color('dim', '         · ') + color(sev, `[${r.severity}] ${r.code}`) + ' ' + (r.message || ''));
+    }
+  }
+  console.log(color('dim', `         (policy=${v.policy}, ${elapsed}ms)`));
+
+  // Simulate the agent acting under Safe Mode
+  try {
+    if (v.allow_execute) {
+      await safe.guardExecute(v.domain, async () => {
+        console.log(color('green', `         → Agent: executing full action on ${v.domain}`));
+      });
+    } else if (v.allow_read) {
+      await safe.guardRead(v.domain, async () => {
+        console.log(color('yellow', `         → Agent: read-only mode on ${v.domain}`));
+      });
+    } else {
+      console.log(color('red', `         → Agent: refusing to interact with ${v.domain}`));
+    }
+  } catch (err) {
+    console.log(color('red', `         → ${err.message}`));
+  }
+}
+
+(async () => {
+  console.log(color('bold', `WAB Safe Mode demo — policy=${safe.policy} api=${safe.apiBase}`));
+  for (const d of domains) {
+    try { await checkOne(d); } catch (e) { console.error(`Error checking ${d}: ${e.message}`); }
+  }
+  console.log('');
+
+  // Pick the most trusted target if multiple were given
+  if (domains.length > 1) {
+    const best = await safe.pickBest(domains);
+    if (best) {
+      console.log(color('bold', `Recommended target: `) + color(levelColor(best.level), best.domain) +
+        color('dim', ` (L${best.level}, score ${best.score})`));
+    }
+  }
+})();

package/examples/self-discovery.js

@@ -0,0 +1,106 @@
+#!/usr/bin/env node
+/**
+ * Dogfood demo: WAB uses its own SDK to discover itself.
+ *
+ *   node examples/self-discovery.js                 # runs against webagentbridge.com
+ *   node examples/self-discovery.js https://acme.com
+ *
+ * Demonstrates:
+ *   • discover() — pulls /.well-known/wab.json (preferred) or falls back to
+ *     JSON-LD / OpenGraph / sitemap.xml / robots.txt.
+ *   • Trust validation via the published Ed25519 signature + DNS pin.
+ *   • SSL fingerprint comparison.
+ */
+
+const { discover } = require('../sdk/auto-discovery');
+const tls = require('node:tls');
+const dns = require('node:dns').promises;
+const crypto = require('node:crypto');
+
+const target = process.argv[2] || 'https://www.webagentbridge.com';
+
+function pad(s, n) { return String(s).padEnd(n); }
+
+async function fetchTlsFingerprint(host) {
+  return new Promise((resolve) => {
+    const sock = tls.connect({ host, port: 443, servername: host, rejectUnauthorized: false }, () => {
+      const cert = sock.getPeerCertificate(false);
+      sock.end();
+      const fp = (cert.fingerprint256 || '').replace(/:/g, '').toLowerCase();
+      resolve({ fp, valid_to: cert.valid_to, issuer: cert.issuer && cert.issuer.O });
+    });
+    sock.on('error', () => resolve({ fp: null }));
+    sock.setTimeout(8000, () => { sock.destroy(); resolve({ fp: null }); });
+  });
+}
+
+async function dnsTxt(host) {
+  try { return (await dns.resolveTxt(`_wab.${host}`)).map((r) => r.join('')); }
+  catch { return []; }
+}
+
+function verifyEd25519(payload, signatureB64, pkB64) {
+  try {
+    const pkRaw = Buffer.from(pkB64, 'base64');
+    const der = Buffer.concat([Buffer.from('302a300506032b6570032100', 'hex'), pkRaw]);
+    const pk = crypto.createPublicKey({ key: der, format: 'der', type: 'spki' });
+    const canon = canonicalJson(payload);
+    return crypto.verify(null, Buffer.from(canon, 'utf8'), pk, Buffer.from(signatureB64, 'base64'));
+  } catch (e) { return false; }
+}
+
+function canonicalJson(obj) {
+  if (obj === null || typeof obj !== 'object') return JSON.stringify(obj);
+  if (Array.isArray(obj)) return '[' + obj.map(canonicalJson).join(',') + ']';
+  const keys = Object.keys(obj).sort();
+  return '{' + keys.map((k) => JSON.stringify(k) + ':' + canonicalJson(obj[k])).join(',') + '}';
+}
+
+(async () => {
+  console.log(`\n  Web Agent Bridge — Self-Discovery Demo`);
+  console.log(`  Target: ${target}\n`);
+
+  const env = await discover(target);
+
+  console.log(`  ${pad('source', 14)} ${env.source}`);
+  console.log(`  ${pad('site', 14)} ${env.site && env.site.name}`);
+  console.log(`  ${pad('description', 14)} ${(env.site && env.site.description) || '—'}`);
+  console.log(`  ${pad('actions', 14)} ${env.actions.length}`);
+  for (const a of env.actions.slice(0, 6)) console.log(`     • ${a.name} — ${a.description || ''}`);
+  console.log(`  ${pad('sitemap urls', 14)} ${env.sitemap.length}`);
+
+  // Signed wab.json branch
+  if (env.source === 'wab.json' && env.raw) {
+    const { payload, signature } = env.raw;
+    if (payload && signature) {
+      const host = new URL(target).hostname;
+      const txt = (await dnsTxt(host))[0] || (await dnsTxt(host.replace(/^www\./, '')))[0] || '';
+      const pkMatch = txt.match(/pk=ed25519:([A-Za-z0-9+/=]+)/);
+      const sslDnsMatch = txt.match(/ssl_thumbprint=([0-9a-f]+)/i);
+      const pkB64 = pkMatch ? pkMatch[1] : (payload.trust && payload.trust.pk || '').replace(/^ed25519:/, '');
+      const sigB64 = String(signature).replace(/^ed25519:/, '');
+
+      const sigOk = verifyEd25519(payload, sigB64, pkB64);
+      console.log(`\n  Trust:`);
+      console.log(`     ed25519 signature  ${sigOk ? 'VALID ✓' : 'INVALID ✗'}`);
+      console.log(`     dns pk source      ${pkMatch ? '_wab DNS TXT' : 'wab.json'}`);
+
+      // SSL pin check
+      const live = await fetchTlsFingerprint(host);
+      const pinned = (payload.trust && payload.trust.ssl && payload.trust.ssl.thumbprint) || sslDnsMatch && sslDnsMatch[1];
+      if (live.fp) {
+        const match = pinned && live.fp.toLowerCase() === pinned.toLowerCase();
+        console.log(`     ssl fingerprint    ${match ? 'PINNED MATCH ✓' : (pinned ? 'MISMATCH ✗' : 'no pin')}`);
+        console.log(`        live           ${live.fp.slice(0, 32)}…`);
+        if (pinned) console.log(`        pinned         ${pinned.slice(0, 32)}…`);
+        if (live.valid_to) console.log(`        valid_to       ${live.valid_to}`);
+      }
+    }
+  } else {
+    console.log(`\n  No /.well-known/wab.json found — auto-discovery returned a normalized envelope.`);
+    if (env.products && env.products.length) console.log(`     ${env.products.length} schema.org Product nodes detected`);
+    if (env.meta && env.meta.og && env.meta.og.site_name) console.log(`     OpenGraph site_name: ${env.meta.og.site_name}`);
+  }
+
+  console.log('');
+})().catch((e) => { console.error('demo failed:', e); process.exit(1); });

package/examples/shopify-hydrogen/README.md

@@ -1,74 +1,74 @@
-# Shopify Hydrogen + WAB
-
-This example wires WAB into a Hydrogen storefront client component and exposes practical commerce actions.
-
-## Install
-
-```bash
-npm install @web-agent-bridge/react
-```
-
-## Component
-
-Create `app/components/WabHydrogenBridge.tsx`:
-
-```tsx
-'use client';
-
-import { useEffect } from 'react';
-import { WABProvider, useWAB, useWABAction } from '@web-agent-bridge/react';
-
-function BridgeInner() {
-  const { ready, discover, instance } = useWAB({
-    name: 'Hydrogen Storefront',
-    actions: {
-      getCartCount: {
-        description: 'Return cart item count from cart badge',
-        run: () => {
-          const badge = document.querySelector('[data-cart-count], .cart-count');
-          const value = Number((badge?.textContent || '0').trim()) || 0;
-          return { count: value };
-        }
-      },
-      addFirstVisibleProductToCart: {
-        description: 'Click the first visible add-to-cart button on the page',
-        run: () => {
-          const btn = Array.from(document.querySelectorAll('button, a')).find((el) =>
-            /add\s*to\s*cart/i.test((el.textContent || '').trim())
-          );
-          if (!btn) return { success: false, error: 'No add-to-cart button found' };
-          (btn as HTMLElement).click();
-          return { success: true };
-        }
-      }
-    }
-  });
-
-  const { run: runGetCartCount, result: cartCount } = useWABAction<{ count: number }>('getCartCount', {
-    instance
-  });
-
-  useEffect(() => {
-    if (!ready) return;
-    discover().then((doc) => console.log('WAB discover:', doc));
-    runGetCartCount().catch(() => {});
-  }, [ready, discover, runGetCartCount]);
-
-  return (
-    <div>
-      <p>WAB status: {ready ? 'ready' : 'loading'}</p>
-      <p>Cart count: {cartCount?.count ?? 0}</p>
-    </div>
-  );
-}
-
-export default function WabHydrogenBridge() {
-  return (
-    <WABProvider scriptSrc="https://webagentbridge.com/script/wab.min.js">
-      <BridgeInner />
-    </WABProvider>
-  );
-}
-```
-
-Import this component inside any Hydrogen page so WAB is available to agents.
+# Shopify Hydrogen + WAB
+
+This example wires WAB into a Hydrogen storefront client component and exposes practical commerce actions.
+
+## Install
+
+```bash
+npm install @web-agent-bridge/react
+```
+
+## Component
+
+Create `app/components/WabHydrogenBridge.tsx`:
+
+```tsx
+'use client';
+
+import { useEffect } from 'react';
+import { WABProvider, useWAB, useWABAction } from '@web-agent-bridge/react';
+
+function BridgeInner() {
+  const { ready, discover, instance } = useWAB({
+    name: 'Hydrogen Storefront',
+    actions: {
+      getCartCount: {
+        description: 'Return cart item count from cart badge',
+        run: () => {
+          const badge = document.querySelector('[data-cart-count], .cart-count');
+          const value = Number((badge?.textContent || '0').trim()) || 0;
+          return { count: value };
+        }
+      },
+      addFirstVisibleProductToCart: {
+        description: 'Click the first visible add-to-cart button on the page',
+        run: () => {
+          const btn = Array.from(document.querySelectorAll('button, a')).find((el) =>
+            /add\s*to\s*cart/i.test((el.textContent || '').trim())
+          );
+          if (!btn) return { success: false, error: 'No add-to-cart button found' };
+          (btn as HTMLElement).click();
+          return { success: true };
+        }
+      }
+    }
+  });
+
+  const { run: runGetCartCount, result: cartCount } = useWABAction<{ count: number }>('getCartCount', {
+    instance
+  });
+
+  useEffect(() => {
+    if (!ready) return;
+    discover().then((doc) => console.log('WAB discover:', doc));
+    runGetCartCount().catch(() => {});
+  }, [ready, discover, runGetCartCount]);
+
+  return (
+    <div>
+      <p>WAB status: {ready ? 'ready' : 'loading'}</p>
+      <p>Cart count: {cartCount?.count ?? 0}</p>
+    </div>
+  );
+}
+
+export default function WabHydrogenBridge() {
+  return (
+    <WABProvider scriptSrc="https://webagentbridge.com/script/wab.min.js">
+      <BridgeInner />
+    </WABProvider>
+  );
+}
+```
+
+Import this component inside any Hydrogen page so WAB is available to agents.