npm - web-agent-bridge - Versions diffs - 3.3.0 → 3.8.1 - Mend

web-agent-bridge 3.3.0 → 3.8.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (312) hide show

package/LICENSE +84 -72
package/README.ar.md +1563 -1286
package/README.md +137 -1764
package/bin/agent-runner.js +474 -474
package/bin/cli.js +237 -237
package/bin/wab-init.js +244 -0
package/bin/wab.js +80 -80
package/examples/azure-dns-wab.js +83 -0
package/examples/bidi-agent.js +119 -119
package/examples/cloudflare-wab-dns.js +121 -0
package/examples/cpanel-wab-dns.js +114 -0
package/examples/cross-site-agent.js +91 -91
package/examples/dns-discovery-agent.js +166 -0
package/examples/gcp-dns-wab.js +76 -0
package/examples/governance-agent.js +169 -0
package/examples/mcp-agent.js +94 -94
package/examples/next-app-router/README.md +44 -44
package/examples/plesk-wab-dns.js +103 -0
package/examples/puppeteer-agent.js +108 -108
package/examples/route53-wab-dns.js +144 -0
package/examples/saas-dashboard/README.md +55 -55
package/examples/safe-mode-agent.js +96 -0
package/examples/self-discovery.js +106 -0
package/examples/shopify-hydrogen/README.md +74 -74
package/examples/vision-agent.js +171 -171
package/examples/wab-sign.js +74 -0
package/examples/wab-verify.js +60 -0
package/examples/wordpress-elementor/README.md +77 -77
package/package.json +93 -93
package/public/.well-known/agent-tools.json +180 -180
package/public/.well-known/ai-assets.json +59 -59
package/public/.well-known/security.txt +8 -8
package/public/.well-known/wab.json +28 -0
package/public/activate.html +448 -0
package/public/adopt.html +236 -0
package/public/adoption-metrics.html +188 -0
package/public/agent-workspace.html +359 -349
package/public/ai.html +198 -198
package/public/api.html +397 -413
package/public/azure-dns-integration.html +289 -0
package/public/browser.html +486 -486
package/public/cloudflare-integration.html +380 -0
package/public/commander-dashboard.html +243 -243
package/public/cookies.html +210 -210
package/public/cpanel-integration.html +398 -0
package/public/css/agent-workspace.css +1713 -1713
package/public/css/premium.css +317 -317
package/public/css/styles.css +1401 -1235
package/public/dashboard-shieldlink.html +295 -0
package/public/dashboard.html +711 -706
package/public/dns.html +436 -507
package/public/docs.html +588 -587
package/public/enterprise-mesh.ar.html +80 -0
package/public/enterprise-mesh.html +81 -0
package/public/feed.xml +89 -89
package/public/gcp-dns-integration.html +318 -0
package/public/governance.ar.html +70 -0
package/public/governance.html +69 -0
package/public/growth.html +465 -463
package/public/index.html +1372 -1070
package/public/integrations.html +556 -556
package/public/js/activate.js +449 -0
package/public/js/agent-workspace.js +1740 -1740
package/public/js/auth-nav.js +117 -31
package/public/js/auth-redirect.js +12 -12
package/public/js/cookie-consent.js +56 -56
package/public/js/dns.js +438 -0
package/public/js/wab-demo-page.js +721 -721
package/public/js/ws-client.js +74 -74
package/public/l-preview.html +242 -0
package/public/llms-full.txt +360 -360
package/public/llms.txt +125 -125
package/public/login.html +85 -85
package/public/mesh-dashboard.html +328 -328
package/public/milestones.html +346 -0
package/public/one-click.html +779 -0
package/public/openapi.json +669 -580
package/public/partners.ar.html +145 -0
package/public/partners.html +143 -0
package/public/phone-shield.html +281 -281
package/public/plesk-integration.html +375 -0
package/public/premium-dashboard.html +2489 -2489
package/public/premium.html +793 -793
package/public/privacy.html +297 -297
package/public/provider-onboarding.html +172 -0
package/public/provider-sandbox.html +134 -0
package/public/providers.html +359 -0
package/public/refusals.html +172 -0
package/public/register.html +105 -105
package/public/registrar-integrations.html +141 -0
package/public/ring4.html +292 -0
package/public/robots.txt +99 -87
package/public/route53-integration.html +531 -0
package/public/score.html +263 -0
package/public/script/wab-consent.d.ts +36 -36
package/public/script/wab-consent.js +104 -104
package/public/script/wab-schema.js +131 -131
package/public/script/wab.d.ts +108 -108
package/public/script/wab.min.js +580 -580
package/public/security.txt +8 -8
package/public/shieldlink.html +244 -0
package/public/shieldqr.html +231 -0
package/public/sitemap.xml +19 -1
package/public/terms.html +256 -256
package/public/trust-graph-api.ar.html +92 -0
package/public/trust-graph-api.html +91 -0
package/public/wab-features.html +560 -0
package/public/wab-trust.html +200 -0
package/public/wab-truth.html +375 -0
package/public/wab-vs-protocols.html +210 -0
package/public/whitepaper.html +449 -0
package/script/ai-agent-bridge.js +1754 -1754
package/sdk/README.md +99 -99
package/sdk/agent-mesh.js +449 -449
package/sdk/auto-discovery.js +301 -0
package/sdk/commander.js +262 -262
package/sdk/governance.js +262 -0
package/sdk/index.d.ts +464 -464
package/sdk/index.js +649 -636
package/sdk/multi-agent.js +318 -318
package/sdk/package.json +2 -2
package/sdk/safe-mode.js +221 -0
package/sdk/safety-shield.js +219 -219
package/sdk/schema-discovery.js +83 -83
package/server/adapters/index.js +520 -520
package/server/config/plans.js +412 -367
package/server/config/secrets.js +102 -102
package/server/control-plane/index.js +301 -301
package/server/data-plane/index.js +354 -354
package/server/index.js +790 -531
package/server/llm/index.js +404 -404
package/server/middleware/adminAuth.js +35 -35
package/server/middleware/api-tier.js +170 -0
package/server/middleware/auth.js +50 -50
package/server/middleware/featureGate.js +88 -88
package/server/middleware/rateLimits.js +100 -100
package/server/middleware/sensitiveAction.js +157 -157
package/server/middleware/wab-trust.js +141 -0
package/server/migrations/001_add_analytics_indexes.sql +7 -7
package/server/migrations/002_premium_features.sql +418 -418
package/server/migrations/003_ads_integer_cents.sql +33 -33
package/server/migrations/004_agent_os.sql +158 -158
package/server/migrations/005_marketplace_metering.sql +126 -126
package/server/migrations/006_growth_suite.sql +138 -0
package/server/migrations/007_governance.sql +106 -0
package/server/migrations/008_plans.sql +144 -0
package/server/migrations/009_shieldqr.sql +30 -0
package/server/migrations/010_extended_trust.sql +33 -0
package/server/migrations/011_outreach.sql +47 -0
package/server/migrations/012_shieldlink.sql +116 -0
package/server/migrations/013_ct_monitor.sql +13 -0
package/server/migrations/014_wab_advanced_features.sql +128 -0
package/server/migrations/015_wab_truth_layer.sql +101 -0
package/server/migrations/016_ring4_external_trust.sql +84 -0
package/server/migrations/017_ring4_extensions.sql +69 -0
package/server/migrations/018_commercial_foundations.sql +167 -0
package/server/migrations/019_unify_tier_constraints.sql +133 -0
package/server/models/adapters/index.js +33 -33
package/server/models/adapters/mysql.js +183 -183
package/server/models/adapters/postgresql.js +172 -172
package/server/models/adapters/sqlite.js +7 -7
package/server/models/db.js +740 -681
package/server/observability/failure-analysis.js +337 -337
package/server/observability/index.js +394 -394
package/server/protocol/capabilities.js +223 -223
package/server/protocol/index.js +243 -243
package/server/protocol/schema.js +584 -584
package/server/registry/certification.js +271 -271
package/server/registry/index.js +326 -326
package/server/routes/activate.js +478 -0
package/server/routes/admin-outreach.js +239 -0
package/server/routes/admin-plans.js +76 -0
package/server/routes/admin-premium.js +674 -671
package/server/routes/admin-shieldlink.js +137 -0
package/server/routes/admin-shieldqr.js +90 -0
package/server/routes/admin-trust-monitor.js +139 -0
package/server/routes/admin.js +550 -261
package/server/routes/adopt.js +61 -0
package/server/routes/ads.js +130 -130
package/server/routes/agent-workspace.js +540 -540
package/server/routes/api-keys.js +127 -0
package/server/routes/api.js +150 -150
package/server/routes/auth.js +71 -71
package/server/routes/billing.js +57 -45
package/server/routes/commander.js +316 -316
package/server/routes/customer-shieldlink.js +133 -0
package/server/routes/demo-showcase.js +332 -332
package/server/routes/demo-store.js +154 -154
package/server/routes/diagnose.js +373 -0
package/server/routes/discovery.js +2348 -417
package/server/routes/enterprise-mesh.js +170 -0
package/server/routes/gateway.js +173 -173
package/server/routes/governance-saas.js +203 -0
package/server/routes/governance.js +208 -0
package/server/routes/growth.js +1048 -0
package/server/routes/intent.js +328 -0
package/server/routes/license.js +251 -251
package/server/routes/mesh.js +469 -469
package/server/routes/noscript.js +543 -543
package/server/routes/partners.js +201 -0
package/server/routes/plans.js +33 -0
package/server/routes/premium-v2.js +686 -686
package/server/routes/premium.js +724 -724
package/server/routes/providers.js +650 -0
package/server/routes/reputation.js +411 -0
package/server/routes/ring4.js +885 -0
package/server/routes/runtime.js +2148 -2148
package/server/routes/shieldlink.js +70 -0
package/server/routes/shieldqr.js +88 -0
package/server/routes/sovereign.js +465 -465
package/server/routes/truth-layer.js +670 -0
package/server/routes/universal.js +200 -200
package/server/routes/unsubscribe.js +51 -0
package/server/routes/wab-api.js +850 -850
package/server/routes/wab-cache.js +282 -0
package/server/runtime/container-worker.js +111 -111
package/server/runtime/container.js +448 -448
package/server/runtime/distributed-worker.js +362 -362
package/server/runtime/event-bus.js +210 -210
package/server/runtime/index.js +253 -253
package/server/runtime/queue.js +599 -599
package/server/runtime/replay.js +666 -666
package/server/runtime/sandbox.js +266 -266
package/server/runtime/scheduler.js +534 -534
package/server/runtime/session-engine.js +293 -293
package/server/runtime/state-manager.js +188 -188
package/server/secrets/wab-signing-key.pem +3 -0
package/server/secrets/wab-signing-pub.pem +3 -0
package/server/security/cross-site-redactor.js +196 -196
package/server/security/dry-run.js +180 -180
package/server/security/human-gate-rate-limit.js +147 -147
package/server/security/human-gate-transports.js +178 -178
package/server/security/human-gate.js +281 -281
package/server/security/index.js +368 -368
package/server/security/intent-engine.js +245 -245
package/server/security/reward-guard.js +171 -171
package/server/security/rollback-store.js +239 -239
package/server/security/token-scope.js +404 -404
package/server/security/url-policy.js +139 -139
package/server/services/adoption-agent.js +182 -0
package/server/services/agent-chat.js +506 -506
package/server/services/agent-learning.js +601 -601
package/server/services/agent-memory.js +625 -625
package/server/services/agent-mesh.js +555 -555
package/server/services/agent-symphony.js +717 -717
package/server/services/agent-tasks.js +1807 -1807
package/server/services/api-key-engine.js +292 -292
package/server/services/cluster.js +894 -894
package/server/services/commander.js +738 -738
package/server/services/edge-compute.js +440 -440
package/server/services/email.js +233 -204
package/server/services/fairness-engine.js +409 -0
package/server/services/fairness.js +420 -0
package/server/services/governance.js +466 -0
package/server/services/hosted-runtime.js +205 -205
package/server/services/lfd.js +635 -635
package/server/services/local-ai.js +389 -389
package/server/services/marketplace.js +270 -270
package/server/services/metering.js +182 -182
package/server/services/modules/affiliate-intelligence.js +93 -93
package/server/services/modules/agent-firewall.js +90 -90
package/server/services/modules/bounty.js +89 -89
package/server/services/modules/collective-bargaining.js +92 -92
package/server/services/modules/dark-pattern.js +66 -66
package/server/services/modules/gov-intelligence.js +45 -45
package/server/services/modules/neural.js +55 -55
package/server/services/modules/notary.js +49 -49
package/server/services/modules/price-time-machine.js +86 -86
package/server/services/modules/protocol.js +104 -104
package/server/services/negotiation.js +439 -439
package/server/services/outreach-agent.js +312 -0
package/server/services/plans.js +214 -0
package/server/services/plugins.js +771 -771
package/server/services/premium.js +1 -1
package/server/services/price-intelligence.js +566 -566
package/server/services/price-shield.js +1137 -1137
package/server/services/provider-clients.js +740 -0
package/server/services/reputation.js +465 -465
package/server/services/search-engine.js +357 -357
package/server/services/security.js +513 -513
package/server/services/self-healing.js +843 -843
package/server/services/shieldlink.js +492 -0
package/server/services/shieldqr.js +322 -0
package/server/services/sovereign-shield.js +542 -542
package/server/services/ssl-ct-monitor.js +224 -0
package/server/services/ssl-inspector.js +42 -0
package/server/services/ssl-monitor.js +167 -0
package/server/services/stripe.js +206 -192
package/server/services/swarm.js +788 -788
package/server/services/universal-scraper.js +662 -662
package/server/services/verification.js +481 -481
package/server/services/vision.js +1163 -1163
package/server/services/wab-crypto.js +178 -0
package/server/utils/cache.js +125 -125
package/server/utils/migrate.js +81 -81
package/server/utils/safe-fetch.js +228 -228
package/server/utils/secureFields.js +50 -50
package/server/ws.js +161 -161
package/templates/artisan-marketplace.yaml +104 -104
package/templates/book-price-scout.yaml +98 -98
package/templates/electronics-price-tracker.yaml +108 -108
package/templates/flight-deal-hunter.yaml +113 -113
package/templates/freelancer-direct.yaml +116 -116
package/templates/grocery-price-compare.yaml +93 -93
package/templates/hotel-direct-booking.yaml +113 -113
package/templates/local-services.yaml +98 -98
package/templates/olive-oil-tunisia.yaml +88 -88
package/templates/organic-farm-fresh.yaml +101 -101
package/templates/restaurant-direct.yaml +97 -97
package/templates/ring4/banking-sovereign.yaml +55 -0
package/templates/ring4/ecommerce-sovereign.yaml +58 -0
package/templates/ring4/healthcare-sovereign.yaml +60 -0

package/server/services/ssl-ct-monitor.js ADDED Viewed

@@ -0,0 +1,224 @@
+/**
+ * server/services/ssl-ct-monitor.js
+ *
+ * Certificate Transparency monitor for the WAB Extended Trust Layer.
+ *
+ * Polls public CT logs (crt.sh) every WAB_CT_INTERVAL_HOURS (default 6h)
+ * for every host in `ssl_monitor` with `ct_monitor_enabled = 1`. When a
+ * new certificate fingerprint is observed, the row is appended to
+ * `cert_history` (source='ct_log'), `ct_pending_resign` is flagged, and
+ * the site owner is emailed. If `WAB_AUTO_RESIGN=true`, the wab.json is
+ * re-signed automatically by spawning `scripts/sign-wab-domain.js`.
+ *
+ * Disabled unless WAB_CT_MONITOR=true (off by default for safety).
+ */
+'use strict';
+const path = require('node:path');
+const { spawn } = require('node:child_process');
+const Database = require('better-sqlite3');
+const DATA_DIR = process.env.NODE_ENV === 'test'
+  ? path.join(__dirname, '..', '..', 'data-test')
+  : (process.env.DATA_DIR || path.join(__dirname, '..', '..', 'data'));
+const DB_FILE = process.env.NODE_ENV === 'test' ? 'wab-test.db' : 'wab.db';
+let _db = null;
+function db() {
+  if (!_db) _db = new Database(path.join(DATA_DIR, DB_FILE));
+  return _db;
+}
+const CT_API = process.env.WAB_CT_API_BASE || 'https://crt.sh';
+const REQUEST_TIMEOUT_MS = Number(process.env.WAB_CT_TIMEOUT_MS || 15000);
+const PER_HOST_DELAY_MS = Number(process.env.WAB_CT_DELAY_MS || 1500);
+// ---------- crt.sh fetch ---------------------------------------------------
+async function fetchLatestCert(host) {
+  const url = `${CT_API}/?q=${encodeURIComponent(host)}&output=json`;
+  const ctrl = new AbortController();
+  const timer = setTimeout(() => ctrl.abort(), REQUEST_TIMEOUT_MS);
+  let res;
+  try {
+    res = await fetch(url, {
+      signal: ctrl.signal,
+      headers: { 'user-agent': 'WAB-CT-Monitor/1.0 (+https://www.webagentbridge.com)' },
+    });
+  } finally {
+    clearTimeout(timer);
+  }
+  if (!res.ok) throw new Error(`crt.sh HTTP ${res.status}`);
+  const data = await res.json();
+  if (!Array.isArray(data) || data.length === 0) return null;
+  // crt.sh returns one row per identity in a cert; dedupe by serial+issuer and pick newest by not_before.
+  const sorted = data
+    .filter((c) => c && c.not_before)
+    .sort((a, b) => new Date(b.not_before) - new Date(a.not_before));
+  return sorted[0] || null;
+}
+// crt.sh does NOT return a SHA-256 fingerprint directly; we use a stable
+// composite identifier (serial + issuer + not_before) as the "thumbprint"
+// for change detection. ssl-inspector remains the source of truth for the
+// real fingerprint when re-signing locally.
+function ctThumbprint(cert) {
+  if (!cert) return null;
+  return [cert.serial_number || '', cert.issuer_name || '', cert.not_before || '']
+    .join('|')
+    .toLowerCase();
+}
+// ---------- per-host check -------------------------------------------------
+async function checkDomain(host) {
+  const row = db().prepare(
+    `SELECT host, ct_last_thumbprint, owner_user_id, fingerprint_sha256
+       FROM ssl_monitor WHERE host = ? AND ct_monitor_enabled = 1`
+  ).get(host);
+  if (!row) return { host, skipped: true };
+  const cert = await fetchLatestCert(host);
+  const now = new Date().toISOString();
+  if (!cert) {
+    db().prepare(`UPDATE ssl_monitor SET ct_last_checked = ? WHERE host = ?`).run(now, host);
+    return { host, found: false };
+  }
+  const tp = ctThumbprint(cert);
+  if (row.ct_last_thumbprint && row.ct_last_thumbprint === tp) {
+    db().prepare(`UPDATE ssl_monitor SET ct_last_checked = ? WHERE host = ?`).run(now, host);
+    return { host, changed: false };
+  }
+  // New certificate observed in CT logs.
+  try {
+    db().prepare(`
+      INSERT OR IGNORE INTO cert_history
+        (host, fingerprint_sha256, issuer, subject, serial, valid_from, valid_to, source)
+      VALUES (?, ?, ?, ?, ?, ?, ?, 'ct_log')
+    `).run(
+      host,
+      tp,
+      cert.issuer_name || null,
+      cert.common_name || cert.name_value || null,
+      cert.serial_number || null,
+      cert.not_before || null,
+      cert.not_after || null,
+    );
+  } catch (_) { /* table may not exist in tests */ }
+  db().prepare(`
+    UPDATE ssl_monitor
+       SET ct_pending_resign = 1,
+           ct_last_checked   = ?,
+           ct_last_thumbprint = ?
+     WHERE host = ?
+  `).run(now, tp, host);
+  // Notify owner (best-effort).
+  await notifyOwner(host, row.owner_user_id, cert).catch(() => {});
+  // Optional auto re-sign.
+  if (String(process.env.WAB_AUTO_RESIGN).toLowerCase() === 'true') {
+    const ok = await runResign(host).catch(() => false);
+    if (ok) {
+      db().prepare(`UPDATE ssl_monitor SET ct_pending_resign = 0 WHERE host = ?`).run(host);
+    }
+  }
+  return { host, changed: true, thumbprint: tp };
+}
+// ---------- helpers --------------------------------------------------------
+async function notifyOwner(host, userId, cert) {
+  let to = process.env.WAB_SSL_ALERT_EMAIL;
+  try {
+    if (!to && userId) {
+      const u = db().prepare('SELECT email FROM users WHERE id = ?').get(userId);
+      if (u && u.email) to = u.email;
+    }
+  } catch (_) { /* no users table */ }
+  if (!to) return false;
+  try {
+    const { sendEmail } = require('./email');
+    await sendEmail({
+      to,
+      template: 'sslExpiringAlert', // re-use existing template; subject reflects re-sign
+      data: {
+        host,
+        daysLeft: cert.not_after
+          ? Math.max(0, Math.ceil((new Date(cert.not_after) - Date.now()) / 86400000))
+          : null,
+        validTo: cert.not_after,
+        issuer: cert.issuer_name,
+        fingerprint: cert.serial_number,
+        ctEvent: true,
+      },
+    });
+    return true;
+  } catch (_) {
+    return false;
+  }
+}
+function runResign(host) {
+  return new Promise((resolve) => {
+    const script = path.join(__dirname, '..', '..', 'scripts', 'sign-wab-domain.js');
+    const child = spawn(process.execPath, [script, host], { stdio: 'pipe' });
+    let killed = false;
+    const timer = setTimeout(() => { killed = true; child.kill('SIGKILL'); }, 60_000);
+    child.on('exit', (code) => {
+      clearTimeout(timer);
+      resolve(!killed && code === 0);
+    });
+    child.on('error', () => { clearTimeout(timer); resolve(false); });
+  });
+}
+// ---------- sweep ----------------------------------------------------------
+async function runCTMonitor() {
+  let hosts = [];
+  try {
+    hosts = db().prepare(
+      `SELECT host FROM ssl_monitor WHERE ct_monitor_enabled = 1 AND enabled = 1`
+    ).all();
+  } catch (_) {
+    return { error: 'ssl_monitor table missing' };
+  }
+  const results = [];
+  for (const { host } of hosts) {
+    try {
+      results.push(await checkDomain(host));
+    } catch (err) {
+      results.push({ host, error: err.message });
+    }
+    await new Promise((r) => setTimeout(r, PER_HOST_DELAY_MS));
+  }
+  return { count: results.length, results };
+}
+// ---------- cron -----------------------------------------------------------
+let _interval = null;
+function start() {
+  if (_interval) return;
+  if (process.env.NODE_ENV === 'test' || process.env.JEST_WORKER_ID) return;
+  if (String(process.env.WAB_CT_MONITOR).toLowerCase() !== 'true') return;
+  const hours = Number(process.env.WAB_CT_INTERVAL_HOURS || 6);
+  console.log(`[ct-monitor] enabled, sweeping every ${hours}h`);
+  // Initial run after 60s so the server boot is unaffected.
+  setTimeout(() => runCTMonitor().catch(() => {}), 60_000);
+  _interval = setInterval(() => runCTMonitor().catch(() => {}), hours * 3600 * 1000);
+  if (_interval.unref) _interval.unref();
+}
+function stop() {
+  if (_interval) { clearInterval(_interval); _interval = null; }
+}
+module.exports = { runCTMonitor, checkDomain, fetchLatestCert, ctThumbprint, start, stop };

package/server/services/ssl-inspector.js ADDED Viewed

@@ -0,0 +1,42 @@
+/**
+ * server/services/ssl-inspector.js
+ * Live TLS certificate inspector — used by sign-wab-domain.js, cron monitor,
+ * and shieldqr verifier. Returns { ok, fingerprint_sha256, valid_to,
+ * days_until_expiry, issuer, subject, fingerprint_b64 }.
+ */
+'use strict';
+const tls = require('node:tls');
+function inspect(host, port = 443, timeoutMs = 8000) {
+  return new Promise((resolve) => {
+    const socket = tls.connect({
+      host, port, servername: host, rejectUnauthorized: false, timeout: timeoutMs,
+    }, () => {
+      try {
+        const cert = socket.getPeerCertificate(false);
+        if (!cert || !cert.valid_to) { socket.end(); return resolve({ ok: false, error: 'no_cert' }); }
+        const validTo = new Date(cert.valid_to);
+        const daysLeft = Math.floor((validTo.getTime() - Date.now()) / (24 * 3600 * 1000));
+        const fpHex = (cert.fingerprint256 || '').replace(/:/g, '').toLowerCase();
+        const fpB64 = fpHex ? Buffer.from(fpHex, 'hex').toString('base64') : null;
+        socket.end();
+        resolve({
+          ok: true,
+          fingerprint_sha256: fpHex,
+          fingerprint_b64: fpB64,
+          valid_to: validTo.toISOString(),
+          valid_from: cert.valid_from ? new Date(cert.valid_from).toISOString() : null,
+          days_until_expiry: daysLeft,
+          issuer: cert.issuer && (cert.issuer.O || cert.issuer.CN) || null,
+          subject: cert.subject && cert.subject.CN || null,
+          serial: cert.serialNumber || null,
+        });
+      } catch (e) { try { socket.end(); } catch (_) {} resolve({ ok: false, error: e.message }); }
+    });
+    socket.on('error', (err) => resolve({ ok: false, error: err.message }));
+    socket.on('timeout', () => { try { socket.destroy(); } catch (_) {} resolve({ ok: false, error: 'timeout' }); });
+  });
+}
+module.exports = { inspect };

package/server/services/ssl-monitor.js ADDED Viewed

@@ -0,0 +1,167 @@
+/**
+ * server/services/ssl-monitor.js
+ * Extended Trust Layer — Certificate Companion & SSL Health Monitoring.
+ *
+ * Periodically inspects SSL certificates for every active site, persists state
+ * in `ssl_monitor`, appends new certs to `cert_history` (CT log), and emails
+ * the site owner when the certificate is within 7 days of expiry. The cron
+ * runs once per day inside the main process; can be disabled via env
+ * `WAB_SSL_MONITOR=off`.
+ */
+'use strict';
+const path = require('node:path');
+const Database = require('better-sqlite3');
+const ssl = require('./ssl-inspector');
+const DATA_DIR = process.env.NODE_ENV === 'test'
+  ? path.join(__dirname, '..', '..', 'data-test')
+  : (process.env.DATA_DIR || path.join(__dirname, '..', '..', 'data'));
+const DB_FILE = process.env.NODE_ENV === 'test' ? 'wab-test.db' : 'wab.db';
+let _db = null;
+function db() {
+  if (!_db) { _db = new Database(path.join(DATA_DIR, DB_FILE)); }
+  return _db;
+}
+const ALERT_DAYS = Number(process.env.WAB_SSL_ALERT_DAYS || 7);
+const ALERT_REPEAT_HOURS = Number(process.env.WAB_SSL_ALERT_REPEAT_HOURS || 24);
+function classify(daysLeft) {
+  if (daysLeft == null) return 'error';
+  if (daysLeft < 0) return 'expired';
+  if (daysLeft <= ALERT_DAYS) return 'expiring';
+  return 'active';
+}
+/**
+ * Inspect one host, persist state + CT log entry + alert if needed.
+ * Returns { host, status, days_until_expiry, alerted }.
+ */
+async function checkHost(host, opts = {}) {
+  const info = await ssl.inspect(host, 443);
+  const now = new Date().toISOString();
+  if (!info.ok) {
+    db().prepare(`
+      INSERT INTO ssl_monitor (host, status, error, last_checked_at, enabled, owner_user_id)
+      VALUES (?, 'error', ?, ?, 1, ?)
+      ON CONFLICT(host) DO UPDATE SET
+        status='error', error=excluded.error, last_checked_at=excluded.last_checked_at
+    `).run(host, info.error || 'unknown', now, opts.userId || null);
+    return { host, status: 'error', error: info.error };
+  }
+  const status = classify(info.days_until_expiry);
+  db().prepare(`
+    INSERT INTO ssl_monitor (host, fingerprint_sha256, issuer, valid_to, days_until_expiry,
+                             status, error, last_checked_at, enabled, owner_user_id)
+    VALUES (?, ?, ?, ?, ?, ?, NULL, ?, 1, ?)
+    ON CONFLICT(host) DO UPDATE SET
+      fingerprint_sha256=excluded.fingerprint_sha256,
+      issuer=excluded.issuer,
+      valid_to=excluded.valid_to,
+      days_until_expiry=excluded.days_until_expiry,
+      status=excluded.status,
+      error=NULL,
+      last_checked_at=excluded.last_checked_at
+  `).run(host, info.fingerprint_sha256, info.issuer, info.valid_to,
+         info.days_until_expiry, status, now, opts.userId || null);
+  // Append to CT log if fingerprint not seen for this host yet.
+  try {
+    db().prepare(`
+      INSERT OR IGNORE INTO cert_history
+        (host, fingerprint_sha256, issuer, subject, serial, valid_from, valid_to, source)
+      VALUES (?, ?, ?, ?, ?, ?, ?, ?)
+    `).run(host, info.fingerprint_sha256, info.issuer, info.subject, info.serial,
+           info.valid_from, info.valid_to, opts.source || 'monitor');
+  } catch (_) { /* table may not exist yet */ }
+  let alerted = false;
+  if (status === 'expiring' || status === 'expired') {
+    alerted = await maybeSendAlert(host, info, status, opts);
+  }
+  return { host, status, days_until_expiry: info.days_until_expiry, alerted };
+}
+async function maybeSendAlert(host, info, status, opts) {
+  const row = db().prepare(`SELECT last_alert_at, owner_user_id FROM ssl_monitor WHERE host = ?`).get(host);
+  if (row && row.last_alert_at) {
+    const last = new Date(row.last_alert_at).getTime();
+    if (Date.now() - last < ALERT_REPEAT_HOURS * 3600 * 1000) return false;
+  }
+  let to = opts.alertEmail || process.env.WAB_SSL_ALERT_EMAIL;
+  try {
+    if (!to && row && row.owner_user_id) {
+      const u = db().prepare('SELECT email FROM users WHERE id = ?').get(row.owner_user_id);
+      if (u && u.email) to = u.email;
+    }
+  } catch (_) { /* users table may not exist in tests */ }
+  if (!to) return false;
+  try {
+    const { sendEmail } = require('./email');
+    await sendEmail({
+      to, template: 'sslExpiringAlert',
+      data: {
+        host,
+        daysLeft: Math.max(0, info.days_until_expiry),
+        validTo: info.valid_to,
+        issuer: info.issuer,
+        fingerprint: info.fingerprint_sha256,
+      },
+    });
+    db().prepare(`UPDATE ssl_monitor SET last_alert_at = ? WHERE host = ?`)
+      .run(new Date().toISOString(), host);
+    return true;
+  } catch (_) { return false; }
+}
+/** Run a sweep across every active site domain (and optional extra hosts). */
+async function runSweep({ extraHosts = [] } = {}) {
+  let hosts = [...extraHosts];
+  try {
+    const rows = db().prepare(
+      "SELECT DISTINCT LOWER(REPLACE(domain, 'http://', '')) AS host, user_id FROM sites WHERE active = 1"
+    ).all();
+    for (const r of rows) {
+      const h = (r.host || '').replace(/^https?:\/\//, '').replace(/\/.*$/, '').replace(/^www\./, 'www.');
+      if (!h) continue;
+      hosts.push({ host: h, userId: r.user_id });
+    }
+  } catch (_) { /* sites table may not exist */ }
+  const results = [];
+  for (const item of hosts) {
+    const host = typeof item === 'string' ? item : item.host;
+    const userId = typeof item === 'string' ? null : item.userId;
+    try {
+      results.push(await checkHost(host, { userId }));
+    } catch (e) {
+      results.push({ host, status: 'error', error: e.message });
+    }
+  }
+  return results;
+}
+let _interval = null;
+function start() {
+  if (_interval || process.env.WAB_SSL_MONITOR === 'off') return;
+  if (process.env.NODE_ENV === 'test' || process.env.JEST_WORKER_ID) return;
+  // Run immediately, then once per day.
+  setTimeout(() => runSweep().catch(() => {}), 30_000);
+  _interval = setInterval(() => runSweep().catch(() => {}), 24 * 3600 * 1000);
+  if (_interval.unref) _interval.unref();
+}
+function stop() {
+  if (_interval) { clearInterval(_interval); _interval = null; }
+}
+module.exports = { checkHost, runSweep, classify, start, stop };