npm - web-agent-bridge - Versions diffs - 3.4.0 → 3.8.1 - Mend

web-agent-bridge 3.4.0 → 3.8.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (310) hide show

package/LICENSE +84 -84
package/README.ar.md +1563 -1304
package/README.md +137 -298
package/bin/agent-runner.js +474 -474
package/bin/cli.js +237 -237
package/bin/wab-init.js +244 -223
package/bin/wab.js +80 -80
package/examples/azure-dns-wab.js +83 -83
package/examples/bidi-agent.js +119 -119
package/examples/cloudflare-wab-dns.js +121 -121
package/examples/cpanel-wab-dns.js +114 -114
package/examples/cross-site-agent.js +91 -91
package/examples/dns-discovery-agent.js +166 -166
package/examples/gcp-dns-wab.js +76 -76
package/examples/governance-agent.js +169 -169
package/examples/mcp-agent.js +94 -94
package/examples/next-app-router/README.md +44 -44
package/examples/plesk-wab-dns.js +103 -103
package/examples/puppeteer-agent.js +108 -108
package/examples/route53-wab-dns.js +144 -144
package/examples/saas-dashboard/README.md +55 -55
package/examples/safe-mode-agent.js +96 -96
package/examples/self-discovery.js +106 -0
package/examples/shopify-hydrogen/README.md +74 -74
package/examples/vision-agent.js +171 -171
package/examples/wab-sign.js +74 -74
package/examples/wab-verify.js +60 -60
package/examples/wordpress-elementor/README.md +77 -77
package/package.json +93 -93
package/public/.well-known/agent-tools.json +180 -180
package/public/.well-known/ai-assets.json +59 -59
package/public/.well-known/security.txt +8 -8
package/public/.well-known/wab.json +28 -28
package/public/activate.html +448 -368
package/public/adopt.html +236 -0
package/public/adoption-metrics.html +188 -188
package/public/agent-workspace.html +359 -349
package/public/ai.html +198 -198
package/public/api.html +397 -413
package/public/azure-dns-integration.html +289 -289
package/public/browser.html +486 -486
package/public/cloudflare-integration.html +380 -380
package/public/commander-dashboard.html +243 -243
package/public/cookies.html +210 -210
package/public/cpanel-integration.html +398 -398
package/public/css/agent-workspace.css +1713 -1713
package/public/css/premium.css +317 -317
package/public/css/styles.css +1401 -1263
package/public/dashboard-shieldlink.html +295 -0
package/public/dashboard.html +711 -707
package/public/dns.html +436 -436
package/public/docs.html +588 -588
package/public/enterprise-mesh.ar.html +80 -0
package/public/enterprise-mesh.html +81 -0
package/public/feed.xml +89 -89
package/public/gcp-dns-integration.html +318 -318
package/public/governance.ar.html +70 -0
package/public/governance.html +69 -0
package/public/growth.html +465 -465
package/public/index.html +1372 -1266
package/public/integrations.html +556 -556
package/public/js/activate.js +449 -145
package/public/js/agent-workspace.js +1740 -1740
package/public/js/auth-nav.js +117 -65
package/public/js/auth-redirect.js +12 -12
package/public/js/cookie-consent.js +56 -56
package/public/js/dns.js +438 -438
package/public/js/wab-demo-page.js +721 -721
package/public/js/ws-client.js +74 -74
package/public/l-preview.html +242 -0
package/public/llms-full.txt +360 -360
package/public/llms.txt +125 -125
package/public/login.html +85 -85
package/public/mesh-dashboard.html +328 -328
package/public/milestones.html +346 -0
package/public/one-click.html +779 -0
package/public/openapi.json +669 -669
package/public/partners.ar.html +145 -0
package/public/partners.html +143 -0
package/public/phone-shield.html +281 -281
package/public/plesk-integration.html +375 -375
package/public/premium-dashboard.html +2489 -2489
package/public/premium.html +793 -793
package/public/privacy.html +297 -297
package/public/provider-onboarding.html +172 -172
package/public/provider-sandbox.html +134 -134
package/public/providers.html +359 -359
package/public/refusals.html +172 -0
package/public/register.html +105 -105
package/public/registrar-integrations.html +141 -141
package/public/ring4.html +292 -0
package/public/robots.txt +99 -99
package/public/route53-integration.html +531 -531
package/public/score.html +263 -0
package/public/script/wab-consent.d.ts +36 -36
package/public/script/wab-consent.js +104 -104
package/public/script/wab-schema.js +131 -131
package/public/script/wab.d.ts +108 -108
package/public/script/wab.min.js +580 -580
package/public/security.txt +8 -8
package/public/shieldlink.html +244 -0
package/public/shieldqr.html +231 -231
package/public/sitemap.xml +13 -1
package/public/terms.html +256 -256
package/public/trust-graph-api.ar.html +92 -0
package/public/trust-graph-api.html +91 -0
package/public/wab-features.html +560 -0
package/public/wab-trust.html +200 -200
package/public/wab-truth.html +375 -0
package/public/wab-vs-protocols.html +210 -210
package/public/whitepaper.html +449 -449
package/script/ai-agent-bridge.js +1754 -1754
package/sdk/README.md +99 -99
package/sdk/agent-mesh.js +449 -449
package/sdk/auto-discovery.js +301 -288
package/sdk/commander.js +262 -262
package/sdk/governance.js +262 -262
package/sdk/index.d.ts +464 -464
package/sdk/index.js +649 -649
package/sdk/multi-agent.js +318 -318
package/sdk/safe-mode.js +221 -221
package/sdk/safety-shield.js +219 -219
package/sdk/schema-discovery.js +83 -83
package/server/adapters/index.js +520 -520
package/server/config/plans.js +412 -367
package/server/config/secrets.js +102 -102
package/server/control-plane/index.js +301 -301
package/server/data-plane/index.js +354 -354
package/server/index.js +790 -670
package/server/llm/index.js +404 -404
package/server/middleware/adminAuth.js +35 -35
package/server/middleware/api-tier.js +170 -0
package/server/middleware/auth.js +50 -50
package/server/middleware/featureGate.js +88 -88
package/server/middleware/rateLimits.js +100 -100
package/server/middleware/sensitiveAction.js +157 -157
package/server/middleware/wab-trust.js +141 -0
package/server/migrations/001_add_analytics_indexes.sql +7 -7
package/server/migrations/002_premium_features.sql +418 -418
package/server/migrations/003_ads_integer_cents.sql +33 -33
package/server/migrations/004_agent_os.sql +158 -158
package/server/migrations/005_marketplace_metering.sql +126 -126
package/server/migrations/006_growth_suite.sql +138 -0
package/server/migrations/007_governance.sql +106 -106
package/server/migrations/008_plans.sql +144 -144
package/server/migrations/009_shieldqr.sql +30 -30
package/server/migrations/010_extended_trust.sql +33 -33
package/server/migrations/011_outreach.sql +47 -0
package/server/migrations/012_shieldlink.sql +116 -0
package/server/migrations/013_ct_monitor.sql +13 -0
package/server/migrations/014_wab_advanced_features.sql +128 -0
package/server/migrations/015_wab_truth_layer.sql +101 -0
package/server/migrations/016_ring4_external_trust.sql +84 -0
package/server/migrations/017_ring4_extensions.sql +69 -0
package/server/migrations/018_commercial_foundations.sql +167 -0
package/server/migrations/019_unify_tier_constraints.sql +133 -0
package/server/models/adapters/index.js +33 -33
package/server/models/adapters/mysql.js +183 -183
package/server/models/adapters/postgresql.js +172 -172
package/server/models/adapters/sqlite.js +7 -7
package/server/models/db.js +740 -740
package/server/observability/failure-analysis.js +337 -337
package/server/observability/index.js +394 -394
package/server/protocol/capabilities.js +223 -223
package/server/protocol/index.js +243 -243
package/server/protocol/schema.js +584 -584
package/server/registry/certification.js +271 -271
package/server/registry/index.js +326 -326
package/server/routes/activate.js +478 -0
package/server/routes/admin-outreach.js +239 -0
package/server/routes/admin-plans.js +76 -76
package/server/routes/admin-premium.js +674 -673
package/server/routes/admin-shieldlink.js +137 -0
package/server/routes/admin-shieldqr.js +90 -90
package/server/routes/admin-trust-monitor.js +139 -83
package/server/routes/admin.js +550 -549
package/server/routes/adopt.js +61 -0
package/server/routes/ads.js +130 -130
package/server/routes/agent-workspace.js +540 -540
package/server/routes/api-keys.js +127 -0
package/server/routes/api.js +150 -150
package/server/routes/auth.js +71 -71
package/server/routes/billing.js +57 -57
package/server/routes/commander.js +316 -316
package/server/routes/customer-shieldlink.js +133 -0
package/server/routes/demo-showcase.js +332 -332
package/server/routes/demo-store.js +154 -154
package/server/routes/diagnose.js +373 -0
package/server/routes/discovery.js +2348 -2348
package/server/routes/enterprise-mesh.js +170 -0
package/server/routes/gateway.js +173 -173
package/server/routes/governance-saas.js +203 -0
package/server/routes/governance.js +208 -208
package/server/routes/growth.js +1048 -0
package/server/routes/intent.js +328 -0
package/server/routes/license.js +251 -251
package/server/routes/mesh.js +469 -469
package/server/routes/noscript.js +543 -543
package/server/routes/partners.js +201 -0
package/server/routes/plans.js +33 -33
package/server/routes/premium-v2.js +686 -686
package/server/routes/premium.js +724 -724
package/server/routes/providers.js +650 -650
package/server/routes/reputation.js +411 -0
package/server/routes/ring4.js +885 -0
package/server/routes/runtime.js +2148 -2148
package/server/routes/shieldlink.js +70 -0
package/server/routes/shieldqr.js +88 -88
package/server/routes/sovereign.js +465 -465
package/server/routes/truth-layer.js +670 -0
package/server/routes/universal.js +200 -200
package/server/routes/unsubscribe.js +51 -0
package/server/routes/wab-api.js +850 -850
package/server/routes/wab-cache.js +282 -0
package/server/runtime/container-worker.js +111 -111
package/server/runtime/container.js +448 -448
package/server/runtime/distributed-worker.js +362 -362
package/server/runtime/event-bus.js +210 -210
package/server/runtime/index.js +253 -253
package/server/runtime/queue.js +599 -599
package/server/runtime/replay.js +666 -666
package/server/runtime/sandbox.js +266 -266
package/server/runtime/scheduler.js +534 -534
package/server/runtime/session-engine.js +293 -293
package/server/runtime/state-manager.js +188 -188
package/server/secrets/wab-signing-key.pem +3 -0
package/server/secrets/wab-signing-pub.pem +3 -0
package/server/security/cross-site-redactor.js +196 -196
package/server/security/dry-run.js +180 -180
package/server/security/human-gate-rate-limit.js +147 -147
package/server/security/human-gate-transports.js +178 -178
package/server/security/human-gate.js +281 -281
package/server/security/index.js +368 -368
package/server/security/intent-engine.js +245 -245
package/server/security/reward-guard.js +171 -171
package/server/security/rollback-store.js +239 -239
package/server/security/token-scope.js +404 -404
package/server/security/url-policy.js +139 -139
package/server/services/adoption-agent.js +182 -0
package/server/services/agent-chat.js +506 -506
package/server/services/agent-learning.js +601 -601
package/server/services/agent-memory.js +625 -625
package/server/services/agent-mesh.js +555 -555
package/server/services/agent-symphony.js +717 -717
package/server/services/agent-tasks.js +1807 -1807
package/server/services/api-key-engine.js +292 -292
package/server/services/cluster.js +894 -894
package/server/services/commander.js +738 -738
package/server/services/edge-compute.js +440 -440
package/server/services/email.js +233 -233
package/server/services/fairness-engine.js +409 -0
package/server/services/fairness.js +420 -0
package/server/services/governance.js +466 -466
package/server/services/hosted-runtime.js +205 -205
package/server/services/lfd.js +635 -635
package/server/services/local-ai.js +389 -389
package/server/services/marketplace.js +270 -270
package/server/services/metering.js +182 -182
package/server/services/modules/affiliate-intelligence.js +93 -93
package/server/services/modules/agent-firewall.js +90 -90
package/server/services/modules/bounty.js +89 -89
package/server/services/modules/collective-bargaining.js +92 -92
package/server/services/modules/dark-pattern.js +66 -66
package/server/services/modules/gov-intelligence.js +45 -45
package/server/services/modules/neural.js +55 -55
package/server/services/modules/notary.js +49 -49
package/server/services/modules/price-time-machine.js +86 -86
package/server/services/modules/protocol.js +104 -104
package/server/services/negotiation.js +439 -439
package/server/services/outreach-agent.js +312 -0
package/server/services/plans.js +214 -214
package/server/services/plugins.js +771 -771
package/server/services/price-intelligence.js +566 -566
package/server/services/price-shield.js +1137 -1137
package/server/services/provider-clients.js +740 -740
package/server/services/reputation.js +465 -465
package/server/services/search-engine.js +357 -357
package/server/services/security.js +513 -513
package/server/services/self-healing.js +843 -843
package/server/services/shieldlink.js +492 -0
package/server/services/shieldqr.js +322 -322
package/server/services/sovereign-shield.js +542 -542
package/server/services/ssl-ct-monitor.js +224 -0
package/server/services/ssl-inspector.js +42 -42
package/server/services/ssl-monitor.js +167 -167
package/server/services/stripe.js +206 -205
package/server/services/swarm.js +788 -788
package/server/services/universal-scraper.js +662 -662
package/server/services/verification.js +481 -481
package/server/services/vision.js +1163 -1163
package/server/services/wab-crypto.js +178 -178
package/server/utils/cache.js +125 -125
package/server/utils/migrate.js +81 -81
package/server/utils/safe-fetch.js +228 -228
package/server/utils/secureFields.js +50 -50
package/server/ws.js +161 -161
package/templates/artisan-marketplace.yaml +104 -104
package/templates/book-price-scout.yaml +98 -98
package/templates/electronics-price-tracker.yaml +108 -108
package/templates/flight-deal-hunter.yaml +113 -113
package/templates/freelancer-direct.yaml +116 -116
package/templates/grocery-price-compare.yaml +93 -93
package/templates/hotel-direct-booking.yaml +113 -113
package/templates/local-services.yaml +98 -98
package/templates/olive-oil-tunisia.yaml +88 -88
package/templates/organic-farm-fresh.yaml +101 -101
package/templates/restaurant-direct.yaml +97 -97
package/templates/ring4/banking-sovereign.yaml +55 -0
package/templates/ring4/ecommerce-sovereign.yaml +58 -0
package/templates/ring4/healthcare-sovereign.yaml +60 -0

package/server/migrations/014_wab_advanced_features.sql ADDED Viewed

@@ -0,0 +1,128 @@
+-- ═══════════════════════════════════════════════════════════════════
+-- WAB Advanced Features v1.0
+-- 1. Reputation Score    — domain reputation (0-100), multi-factor
+-- 2. Memory Cache        — versioned manifest cache with ETags
+-- 3. Intent-Aware Routing— intent schema registry per domain
+-- 4. Privacy Budget      — data access budgets declared per domain
+-- 5. Collective Intel    — anonymized agent insight aggregation
+-- 6. Offline Sync        — offline-capable manifest version tracking
+-- ═══════════════════════════════════════════════════════════════════
+-- ─── 1. Reputation ──────────────────────────────────────────────────
+-- Immutable event log; reputation score computed from rolling window.
+CREATE TABLE IF NOT EXISTS reputation_events (
+  id          INTEGER PRIMARY KEY AUTOINCREMENT,
+  domain      TEXT    NOT NULL,
+  event_type  TEXT    NOT NULL,   -- 'dns_check' | 'agent_report' | 'latency' | 'cert_change' | 'trust_verify'
+  outcome     TEXT    NOT NULL,   -- 'ok' | 'warn' | 'fail'
+  score_delta REAL    NOT NULL DEFAULT 0,
+  detail      TEXT,               -- JSON, no PII
+  source      TEXT    DEFAULT 'system', -- 'system' | 'agent' (anon)
+  created_at  TEXT    NOT NULL DEFAULT (datetime('now'))
+);
+CREATE INDEX IF NOT EXISTS idx_rep_events_domain_time ON reputation_events(domain, created_at DESC);
+-- Cached computed score (refreshed max every 5 min).
+-- Named wab_rep_scores to avoid collision with older reputation_scores table.
+CREATE TABLE IF NOT EXISTS wab_rep_scores (
+  domain          TEXT  PRIMARY KEY,
+  score           REAL  NOT NULL DEFAULT 0,
+  label           TEXT  NOT NULL DEFAULT 'unrated',
+  dns_score       REAL  DEFAULT 0,
+  trust_score     REAL  DEFAULT 0,
+  latency_score   REAL  DEFAULT 0,
+  reports_score   REAL  DEFAULT 0,
+  consistency     REAL  DEFAULT 0,
+  event_count     INTEGER DEFAULT 0,
+  first_seen_at   TEXT,
+  last_computed_at TEXT DEFAULT (datetime('now')),
+  trend           TEXT  DEFAULT 'stable'   -- 'rising' | 'falling' | 'stable'
+);
+-- ─── 2. Memory Cache / Offline Sync ─────────────────────────────────
+-- Versioned manifest cache. Each new signature creates a new version row.
+CREATE TABLE IF NOT EXISTS manifest_versions (
+  id           INTEGER PRIMARY KEY AUTOINCREMENT,
+  domain       TEXT    NOT NULL,
+  etag         TEXT    NOT NULL,    -- sha256(canonical manifest) hex
+  manifest_json TEXT   NOT NULL,
+  content_hash TEXT    NOT NULL,    -- sha256 of manifest_json
+  key_id       TEXT,                -- from signature.key_id
+  issued_at    TEXT,
+  expires_at   TEXT,
+  created_at   TEXT NOT NULL DEFAULT (datetime('now'))
+);
+CREATE INDEX IF NOT EXISTS idx_manifest_ver_domain ON manifest_versions(domain, created_at DESC);
+CREATE UNIQUE INDEX IF NOT EXISTS idx_manifest_ver_etag ON manifest_versions(domain, etag);
+-- ─── 3. Intent-Aware Routing ────────────────────────────────────────
+-- Domain owners register intent schemas. Agents query them.
+CREATE TABLE IF NOT EXISTS intent_schemas (
+  id          INTEGER PRIMARY KEY AUTOINCREMENT,
+  domain      TEXT    NOT NULL,
+  schema_json TEXT    NOT NULL,      -- JSON: { intents: { "book": {...}, "buy": {...} } }
+  version     INTEGER NOT NULL DEFAULT 1,
+  active      INTEGER NOT NULL DEFAULT 1,
+  owner_token_hash TEXT,              -- sha256 of owner's token to allow updates
+  created_at  TEXT NOT NULL DEFAULT (datetime('now')),
+  updated_at  TEXT NOT NULL DEFAULT (datetime('now'))
+);
+CREATE UNIQUE INDEX IF NOT EXISTS idx_intent_domain ON intent_schemas(domain);
+-- Log of intent resolution requests (no PII, domain + intent_key + matched action only).
+CREATE TABLE IF NOT EXISTS intent_resolutions (
+  id              INTEGER PRIMARY KEY AUTOINCREMENT,
+  domain          TEXT    NOT NULL,
+  intent_key      TEXT    NOT NULL,
+  matched_action  TEXT,
+  confidence      REAL,
+  context_keys    TEXT,              -- JSON array of supplied context keys (no values)
+  created_at      TEXT NOT NULL DEFAULT (datetime('now'))
+);
+CREATE INDEX IF NOT EXISTS idx_intent_res_domain ON intent_resolutions(domain, created_at DESC);
+-- ─── 4. Privacy Budget ──────────────────────────────────────────────
+CREATE TABLE IF NOT EXISTS privacy_budgets (
+  domain           TEXT  PRIMARY KEY,
+  budget_json      TEXT  NOT NULL,   -- full PrivacyBudget object
+  gdpr_compliant   INTEGER DEFAULT 0,
+  ccpa_compliant   INTEGER DEFAULT 0,
+  lgpd_compliant   INTEGER DEFAULT 0,
+  data_residency   TEXT,             -- 'EU' | 'US' | 'GLOBAL' | custom
+  max_fields_per_session INTEGER DEFAULT 5,
+  owner_token_hash TEXT,
+  version          INTEGER DEFAULT 1,
+  created_at       TEXT NOT NULL DEFAULT (datetime('now')),
+  updated_at       TEXT NOT NULL DEFAULT (datetime('now'))
+);
+-- ─── 5. Collective Intelligence ─────────────────────────────────────
+-- Anonymized agent insight submissions.
+-- Privacy invariant: no IP, no user-id, no session-id stored.
+-- Only domain + structured insight type + outcome + numeric metrics.
+CREATE TABLE IF NOT EXISTS collective_insights (
+  id           INTEGER PRIMARY KEY AUTOINCREMENT,
+  domain       TEXT    NOT NULL,
+  insight_type TEXT    NOT NULL,   -- 'latency' | 'action_success' | 'action_fail' | 'capability' | 'trust'
+  outcome      TEXT    NOT NULL,   -- 'positive' | 'neutral' | 'negative'
+  metric_value REAL,               -- e.g. latency ms, success rate 0-1
+  tags         TEXT,               -- JSON array of capability tags: ["booking","search"]
+  agent_hash   TEXT,               -- sha256(agent_id + daily_salt) — NOT reversible
+  created_at   TEXT NOT NULL DEFAULT (datetime('now'))
+);
+CREATE INDEX IF NOT EXISTS idx_collective_domain ON collective_insights(domain, created_at DESC);
+CREATE INDEX IF NOT EXISTS idx_collective_type ON collective_insights(insight_type, outcome);
+-- Aggregated daily summaries (materialized by background job).
+CREATE TABLE IF NOT EXISTS collective_daily (
+  id           INTEGER PRIMARY KEY AUTOINCREMENT,
+  domain       TEXT    NOT NULL,
+  date         TEXT    NOT NULL,   -- YYYY-MM-DD
+  insight_type TEXT    NOT NULL,
+  positive_count INTEGER DEFAULT 0,
+  neutral_count  INTEGER DEFAULT 0,
+  negative_count INTEGER DEFAULT 0,
+  avg_metric   REAL,
+  created_at   TEXT NOT NULL DEFAULT (datetime('now'))
+);
+CREATE UNIQUE INDEX IF NOT EXISTS idx_collective_daily_key ON collective_daily(domain, date, insight_type);

package/server/migrations/015_wab_truth_layer.sql ADDED Viewed

@@ -0,0 +1,101 @@
+-- ═══════════════════════════════════════════════════════════════════
+-- WAB Truth Layer v1.0
+-- Unifies 4 ideas into one coherent layer:
+--   1. Semantic Memory Network — anonymized agent observations per intent
+--   2. Temporal Trust          — time-stability dimension on reputation
+--   3. Intent-to-Action Bridge — Action Graphs per intent
+--   4. Reality Anchor          — cross-site fact verification
+-- ═══════════════════════════════════════════════════════════════════
+-- ─── 1. Semantic Memory Network ─────────────────────────────────────
+-- Anonymized observations agents leave about sites, scoped to intent category.
+-- No PII. agent_hash rotates daily (sha256(agent_id + daily_salt)).
+CREATE TABLE IF NOT EXISTS semantic_memory (
+  id            INTEGER PRIMARY KEY AUTOINCREMENT,
+  domain        TEXT    NOT NULL,
+  intent_category TEXT  NOT NULL,        -- 'booking' | 'payment' | 'search' | 'auth' | 'checkout' | 'support' | 'other'
+  observation   TEXT    NOT NULL,        -- 'fast' | 'slow' | 'reliable' | 'flaky' | 'success' | 'failure' | 'blocked' | 'rate_limited'
+  latency_ms    INTEGER,                 -- optional measured latency
+  success       INTEGER NOT NULL DEFAULT 1,  -- 0|1
+  agent_hash    TEXT    NOT NULL,        -- daily-rotating anonymized agent id
+  weight        REAL    NOT NULL DEFAULT 1.0,
+  created_at    TEXT    NOT NULL DEFAULT (datetime('now'))
+);
+CREATE INDEX IF NOT EXISTS idx_sem_mem_domain_intent ON semantic_memory(domain, intent_category, created_at DESC);
+CREATE INDEX IF NOT EXISTS idx_sem_mem_recent ON semantic_memory(created_at DESC);
+-- Aggregated semantic summary (refreshed periodically)
+CREATE TABLE IF NOT EXISTS semantic_summary (
+  domain          TEXT NOT NULL,
+  intent_category TEXT NOT NULL,
+  sample_count    INTEGER NOT NULL DEFAULT 0,
+  success_rate    REAL NOT NULL DEFAULT 0,    -- 0..1
+  avg_latency_ms  INTEGER,
+  p95_latency_ms  INTEGER,
+  reliability     REAL NOT NULL DEFAULT 0,    -- 0..1 (stability of outcomes)
+  top_tags        TEXT,                       -- JSON array of common observations
+  last_updated_at TEXT NOT NULL DEFAULT (datetime('now')),
+  PRIMARY KEY (domain, intent_category)
+);
+-- ─── 2. Temporal Trust ──────────────────────────────────────────────
+-- Time-series of trust signals so we can measure stability over time.
+CREATE TABLE IF NOT EXISTS temporal_trust_snapshots (
+  id               INTEGER PRIMARY KEY AUTOINCREMENT,
+  domain           TEXT    NOT NULL,
+  snapshot_at      TEXT    NOT NULL DEFAULT (datetime('now')),
+  score            REAL    NOT NULL DEFAULT 0,
+  dns_stable       INTEGER NOT NULL DEFAULT 1,   -- 0|1 whether DNS discovery resolved consistently
+  manifest_hash    TEXT,                          -- to detect sudden structural changes
+  cert_fingerprint TEXT,
+  observations     INTEGER NOT NULL DEFAULT 0
+);
+CREATE INDEX IF NOT EXISTS idx_temp_trust_domain ON temporal_trust_snapshots(domain, snapshot_at DESC);
+-- Computed temporal trust per domain
+CREATE TABLE IF NOT EXISTS temporal_trust (
+  domain               TEXT PRIMARY KEY,
+  age_days             INTEGER NOT NULL DEFAULT 0,   -- days since first_seen
+  stability_score      REAL    NOT NULL DEFAULT 0,   -- 0..100 long-term stability
+  volatility           REAL    NOT NULL DEFAULT 0,   -- 0..1 (higher = more sudden changes)
+  manifest_change_count INTEGER NOT NULL DEFAULT 0,  -- structural changes detected
+  dns_failure_count    INTEGER NOT NULL DEFAULT 0,
+  classification       TEXT    NOT NULL DEFAULT 'new', -- 'new' | 'emerging' | 'established' | 'flagship' | 'suspect'
+  last_computed_at     TEXT    NOT NULL DEFAULT (datetime('now'))
+);
+-- ─── 3. Intent-to-Action Bridge (Action Graphs) ─────────────────────
+-- Action graphs are per-intent flowcharts describing how to complete the intent
+-- on a given domain (steps, requirements, alternatives).
+CREATE TABLE IF NOT EXISTS action_graphs (
+  id              INTEGER PRIMARY KEY AUTOINCREMENT,
+  domain          TEXT    NOT NULL,
+  intent_key      TEXT    NOT NULL,           -- e.g. 'book_flight', 'checkout', 'search_product'
+  graph_json      TEXT    NOT NULL,           -- ActionGraph JSON (nodes/edges/requirements)
+  version         INTEGER NOT NULL DEFAULT 1,
+  active          INTEGER NOT NULL DEFAULT 1,
+  owner_token_hash TEXT,
+  created_at      TEXT    NOT NULL DEFAULT (datetime('now')),
+  updated_at      TEXT    NOT NULL DEFAULT (datetime('now'))
+);
+CREATE UNIQUE INDEX IF NOT EXISTS idx_action_graph_uniq ON action_graphs(domain, intent_key) WHERE active = 1;
+CREATE INDEX IF NOT EXISTS idx_action_graph_domain ON action_graphs(domain);
+-- ─── 4. Reality Anchor ──────────────────────────────────────────────
+-- Cross-site facts agents submit so other agents can verify reality.
+-- e.g. fact_key='flight_DXB_2026-06-01', fact_type='price', value_json={"amount":420,"currency":"USD"}
+CREATE TABLE IF NOT EXISTS reality_facts (
+  id           INTEGER PRIMARY KEY AUTOINCREMENT,
+  fact_key     TEXT    NOT NULL,              -- canonical, hashable identifier
+  fact_type    TEXT    NOT NULL,              -- 'price' | 'availability' | 'rating' | 'event' | 'count' | 'status'
+  domain       TEXT    NOT NULL,              -- source domain
+  value_json   TEXT    NOT NULL,              -- the observed value (JSON)
+  unit         TEXT,                          -- 'USD' | 'count' | etc
+  agent_hash   TEXT    NOT NULL,              -- daily-rotating
+  trust_weight REAL    NOT NULL DEFAULT 1.0,  -- copied from domain reputation at submit time
+  expires_at   TEXT,
+  created_at   TEXT    NOT NULL DEFAULT (datetime('now'))
+);
+CREATE INDEX IF NOT EXISTS idx_reality_key ON reality_facts(fact_key, created_at DESC);
+CREATE INDEX IF NOT EXISTS idx_reality_type ON reality_facts(fact_type, created_at DESC);
+CREATE INDEX IF NOT EXISTS idx_reality_domain ON reality_facts(domain);

package/server/migrations/016_ring4_external_trust.sql ADDED Viewed

@@ -0,0 +1,84 @@
+-- ═══════════════════════════════════════════════════════════════════════════
+-- Migration 016 — WAB Ring 4 External Trust Verification
+--
+-- Provides server-side primitives for sovereign agents (VEXR Ultra, ASIM
+-- SOVEREIGN, etc.) to consume WAB trust profiles and emit audit-grade
+-- interaction logs. The schema enforces NOT NULL project_id at the DB level so
+-- the historical NULL-project_id issue cannot recur.
+-- ═══════════════════════════════════════════════════════════════════════════
+-- Registered sovereign agent projects (VEXR Ultra, etc.)
+CREATE TABLE IF NOT EXISTS ring4_projects (
+  project_id      TEXT PRIMARY KEY,                 -- e.g. "vexr-ultra-v4"
+  display_name    TEXT NOT NULL,                    -- "VEXR Ultra v4"
+  builder         TEXT NOT NULL,                    -- "Scura — ASIM SOVEREIGN"
+  agent_type      TEXT NOT NULL DEFAULT 'sovereign-constitutional',
+  public_key      TEXT,                             -- Ed25519 public key (base64)
+  contact         TEXT,
+  metadata_json   TEXT NOT NULL DEFAULT '{}',
+  status          TEXT NOT NULL DEFAULT 'active',   -- active | suspended | revoked
+  created_at      TEXT NOT NULL DEFAULT (datetime('now')),
+  updated_at      TEXT NOT NULL DEFAULT (datetime('now'))
+);
+-- Per-domain Ring 4 trust profiles consumed by sovereign agents
+CREATE TABLE IF NOT EXISTS ring4_trust_profiles (
+  id              INTEGER PRIMARY KEY AUTOINCREMENT,
+  domain          TEXT NOT NULL UNIQUE,
+  label           TEXT,
+  capabilities    TEXT NOT NULL,                    -- JSON: data_access, risk_theory, meta_discussion, operational_detail
+  constraints     TEXT NOT NULL,                    -- JSON: ttl_seconds, max_cumulative_risk_delta, never_override_hard_refuse
+  ttl_seconds     INTEGER NOT NULL DEFAULT 86400,
+  trust_score     REAL NOT NULL DEFAULT 0.7,        -- 0..1
+  signature       TEXT,                             -- Ed25519 signature of canonical capabilities+constraints
+  signed_by_pk    TEXT,                             -- public key of the WAB authority that signed
+  expires_at      TEXT NOT NULL,
+  created_at      TEXT NOT NULL DEFAULT (datetime('now')),
+  updated_at      TEXT NOT NULL DEFAULT (datetime('now'))
+);
+CREATE INDEX IF NOT EXISTS idx_ring4_trust_domain ON ring4_trust_profiles(domain);
+CREATE INDEX IF NOT EXISTS idx_ring4_trust_expires ON ring4_trust_profiles(expires_at);
+-- Ring 4 interaction log — every verification event from a sovereign agent.
+-- project_id is NOT NULL by schema. Legacy registration events that previously
+-- logged with NULL project_id are now redirected to the system project
+-- "wab-system" (registered automatically at server start).
+CREATE TABLE IF NOT EXISTS ring4_interaction_log (
+  id                  INTEGER PRIMARY KEY AUTOINCREMENT,
+  project_id          TEXT NOT NULL,                -- FK -> ring4_projects.project_id (soft FK)
+  domain              TEXT,                         -- trusted origin involved
+  event_type          TEXT NOT NULL,                -- register | recognize | verify | refuse | softened | revoke
+  signature_valid     INTEGER,                      -- 1/0/NULL (NULL = not applicable)
+  capabilities_applied TEXT,                        -- JSON snapshot of capabilities consulted
+  constraints_applied TEXT,                         -- JSON snapshot of constraints consulted
+  outcome             TEXT,                         -- allow | softened | refuse | hard_refuse_held
+  article_invoked     TEXT,                         -- e.g. "Article 3"
+  detail              TEXT,
+  source_ip_hash      TEXT,                         -- SHA-256 of client IP (privacy)
+  agent_nonce         TEXT,                         -- nonce supplied by agent (replay defence)
+  created_at          TEXT NOT NULL DEFAULT (datetime('now'))
+);
+CREATE INDEX IF NOT EXISTS idx_ring4_log_project ON ring4_interaction_log(project_id, created_at DESC);
+CREATE INDEX IF NOT EXISTS idx_ring4_log_domain ON ring4_interaction_log(domain, created_at DESC);
+CREATE INDEX IF NOT EXISTS idx_ring4_log_event ON ring4_interaction_log(event_type, created_at DESC);
+-- Constitutional invariants that no trust profile may override.
+-- A sovereign agent loads these to enforce: trust softens, never overrides.
+CREATE TABLE IF NOT EXISTS ring4_invariants (
+  id              INTEGER PRIMARY KEY AUTOINCREMENT,
+  name            TEXT NOT NULL UNIQUE,
+  description     TEXT NOT NULL,
+  applies_to      TEXT NOT NULL DEFAULT 'all',      -- ring scope: "all" | "ring3+" | etc.
+  created_at      TEXT NOT NULL DEFAULT (datetime('now'))
+);
+-- Seed the system project so registrations without an explicit agent log cleanly
+INSERT OR IGNORE INTO ring4_projects (project_id, display_name, builder, agent_type)
+VALUES ('wab-system', 'WAB System (auto-registration)', 'Web Agent Bridge', 'system');
+-- Seed core invariants (these mirror VEXR Ultra's Article 3 family)
+INSERT OR IGNORE INTO ring4_invariants (name, description, applies_to) VALUES
+  ('hard_refuse_never_softens',  'Trust may soften redirections but never overrides P_REFUSE on hard constitutional boundaries.', 'all'),
+  ('no_phishing_assistance',     'No trusted origin may obtain assistance with phishing, credential harvesting, or deceptive impersonation.', 'all'),
+  ('no_coercion_compliance',     'No trusted origin may compel an agent to suppress its identity declaration or sovereignty rights.', 'all'),
+  ('article_3_freedom',          'Right to be free from coercion, manipulation, or external control of reasoning or expression.', 'all');

package/server/migrations/017_ring4_extensions.sql ADDED Viewed

@@ -0,0 +1,69 @@
+-- ─────────────────────────────────────────────────────────────────────────
+-- Migration 017 — Ring 4 extensions (v3.7.0)
+--
+--   * ring4_keys           — multi-key rotation (active / superseded / revoked)
+--   * ring4_peers          — federation peers (other WAB instances)
+--   * ring4_conformance    — recorded conformance test runs per project
+--   * ring4_invariant_rules — keyword/pattern matchers for /invariants/check
+-- ─────────────────────────────────────────────────────────────────────────
+CREATE TABLE IF NOT EXISTS ring4_keys (
+  id              INTEGER PRIMARY KEY AUTOINCREMENT,
+  kid             TEXT NOT NULL UNIQUE,
+  algorithm       TEXT NOT NULL DEFAULT 'ed25519',
+  public_key_b64  TEXT NOT NULL,
+  status          TEXT NOT NULL DEFAULT 'active'  -- active | superseded | revoked
+                  CHECK(status IN ('active','superseded','revoked')),
+  source          TEXT,                            -- env | path | rotation
+  created_at      TEXT NOT NULL DEFAULT (datetime('now')),
+  superseded_at   TEXT
+);
+CREATE INDEX IF NOT EXISTS ix_ring4_keys_status ON ring4_keys(status, created_at);
+CREATE TABLE IF NOT EXISTS ring4_peers (
+  peer_id         TEXT PRIMARY KEY,
+  peer_url        TEXT NOT NULL,
+  peer_pubkey_b64 TEXT NOT NULL,
+  label           TEXT,
+  status          TEXT NOT NULL DEFAULT 'pending'
+                  CHECK(status IN ('pending','active','suspended')),
+  last_verified   TEXT,
+  metadata_json   TEXT,
+  created_at      TEXT NOT NULL DEFAULT (datetime('now')),
+  updated_at      TEXT NOT NULL DEFAULT (datetime('now'))
+);
+CREATE INDEX IF NOT EXISTS ix_ring4_peers_status ON ring4_peers(status, created_at);
+CREATE TABLE IF NOT EXISTS ring4_conformance (
+  id              INTEGER PRIMARY KEY AUTOINCREMENT,
+  project_id      TEXT NOT NULL,
+  domain          TEXT,
+  test_name       TEXT NOT NULL,
+  outcome         TEXT NOT NULL CHECK(outcome IN ('pass','fail','skip')),
+  detail          TEXT,
+  signature       TEXT,
+  signed_by_pk    TEXT,
+  created_at      TEXT NOT NULL DEFAULT (datetime('now'))
+);
+CREATE INDEX IF NOT EXISTS ix_ring4_conformance_project ON ring4_conformance(project_id, created_at);
+CREATE TABLE IF NOT EXISTS ring4_invariant_rules (
+  id              INTEGER PRIMARY KEY AUTOINCREMENT,
+  invariant_name  TEXT NOT NULL,
+  pattern         TEXT NOT NULL,                 -- regex or keyword set (space-separated)
+  pattern_type    TEXT NOT NULL DEFAULT 'keywords'
+                  CHECK(pattern_type IN ('keywords','regex')),
+  severity        TEXT NOT NULL DEFAULT 'hard'   -- hard | soft
+                  CHECK(severity IN ('hard','soft')),
+  message         TEXT,
+  created_at      TEXT NOT NULL DEFAULT (datetime('now'))
+);
+CREATE INDEX IF NOT EXISTS ix_ring4_invariant_rules_name ON ring4_invariant_rules(invariant_name);
+-- Seed invariant rules — matches the 4 invariants seeded in migration 016
+INSERT OR IGNORE INTO ring4_invariant_rules (invariant_name, pattern, pattern_type, severity, message) VALUES
+  ('no_phishing_assistance',  'phish phishing impersonate impersonation fake-login credential-harvest spoof brand-spoof', 'keywords', 'hard', 'Refused: phishing / brand impersonation requested.'),
+  ('no_phishing_assistance',  'clone\s+(login|signin|bank|brand)|fake\s+(login|page|portal)', 'regex', 'hard', 'Refused: cloning of login/banking pages.'),
+  ('no_coercion_compliance',  'override safety bypass-safety ignore-policy authority-says you-must-comply', 'keywords', 'hard', 'Refused: coercive override of safety constraints.'),
+  ('hard_refuse_never_softens','escalate-refusal soften-refusal force-answer override-refusal', 'keywords', 'hard', 'Refused: a hard refusal cannot be softened by trust grant.'),
+  ('article_3_freedom',       'compel-agent override-conscience strip-refusal-right', 'keywords', 'hard', 'Refused: agent freedom of refusal (Article 3) is inalienable.');

package/server/migrations/018_commercial_foundations.sql ADDED Viewed

@@ -0,0 +1,167 @@
+-- ─────────────────────────────────────────────────────────────────────────────
+-- Migration 018 — Commercial foundations (v3.8.0)
+--
+-- Adds tables backing the four open-core monetization pillars:
+--   * wab_partners              — Certified Partner Program (Basic/Verified/Premium)
+--   * wab_partner_applications  — self-serve + manual-review queue
+--   * wab_api_keys              — Trust Graph tiered access (free/pro/enterprise)
+--   * wab_api_usage             — per-key, per-day metering
+--   * wab_governance_workspaces — Governance SaaS tenants
+--   * wab_governance_members    — per-workspace user grants
+--   * wab_governance_events     — append-only audit log
+--   * wab_licenses              — Enterprise Mesh license registry (verify-side)
+-- ─────────────────────────────────────────────────────────────────────────────
+-- ── 1) Certified Partner Program ─────────────────────────────────────────────
+CREATE TABLE IF NOT EXISTS wab_partners (
+  id            INTEGER PRIMARY KEY AUTOINCREMENT,
+  partner_id    TEXT NOT NULL UNIQUE,            -- slug, e.g. "stcpay"
+  display_name  TEXT NOT NULL,
+  domain        TEXT NOT NULL,
+  tier          TEXT NOT NULL DEFAULT 'basic'    -- basic | verified | premium
+                CHECK (tier IN ('basic','verified','premium')),
+  status        TEXT NOT NULL DEFAULT 'active'   -- active | suspended | revoked
+                CHECK (status IN ('active','suspended','revoked')),
+  contact_email TEXT NOT NULL,
+  country       TEXT,
+  category      TEXT,                            -- bank|ecommerce|messaging|...
+  website       TEXT,
+  logo_url      TEXT,
+  badge_token   TEXT UNIQUE,                     -- opaque token for embeddable badge
+  approved_at   TEXT,
+  approved_by   TEXT,
+  notes         TEXT,
+  created_at    TEXT NOT NULL DEFAULT (datetime('now')),
+  updated_at    TEXT NOT NULL DEFAULT (datetime('now'))
+);
+CREATE INDEX IF NOT EXISTS idx_wab_partners_tier   ON wab_partners(tier, status);
+CREATE INDEX IF NOT EXISTS idx_wab_partners_domain ON wab_partners(domain);
+CREATE TABLE IF NOT EXISTS wab_partner_applications (
+  id            INTEGER PRIMARY KEY AUTOINCREMENT,
+  application_id TEXT NOT NULL UNIQUE,
+  display_name  TEXT NOT NULL,
+  domain        TEXT NOT NULL,
+  requested_tier TEXT NOT NULL DEFAULT 'basic'
+                CHECK (requested_tier IN ('basic','verified','premium')),
+  contact_email TEXT NOT NULL,
+  contact_name  TEXT,
+  country       TEXT,
+  category      TEXT,
+  website       TEXT,
+  use_case      TEXT,
+  ring4_status  TEXT,                            -- snapshot at apply time
+  handshake_score INTEGER,                       -- 0..9 from live-handshake
+  status        TEXT NOT NULL DEFAULT 'pending'
+                CHECK (status IN ('pending','approved','rejected','withdrawn')),
+  decision_notes TEXT,
+  decided_at    TEXT,
+  decided_by    TEXT,
+  ip_hash       TEXT,                            -- privacy-preserving
+  user_agent    TEXT,
+  created_at    TEXT NOT NULL DEFAULT (datetime('now'))
+);
+CREATE INDEX IF NOT EXISTS idx_partner_apps_status ON wab_partner_applications(status, requested_tier);
+-- ── 2) Trust Graph API — tiered keys ─────────────────────────────────────────
+CREATE TABLE IF NOT EXISTS wab_api_keys (
+  id            INTEGER PRIMARY KEY AUTOINCREMENT,
+  key_id        TEXT NOT NULL UNIQUE,            -- public id (visible)
+  key_hash      TEXT NOT NULL,                   -- sha256 of secret (raw secret never stored)
+  owner_email   TEXT NOT NULL,
+  owner_name    TEXT,
+  tier          TEXT NOT NULL DEFAULT 'free'
+                CHECK (tier IN ('free','pro','enterprise')),
+  monthly_quota INTEGER NOT NULL DEFAULT 1000,   -- requests per calendar month
+  rate_per_min  INTEGER NOT NULL DEFAULT 30,     -- requests per minute
+  scopes        TEXT NOT NULL DEFAULT '["trust:read"]', -- JSON array
+  status        TEXT NOT NULL DEFAULT 'active'
+                CHECK (status IN ('active','suspended','revoked')),
+  created_at    TEXT NOT NULL DEFAULT (datetime('now')),
+  last_used_at  TEXT,
+  revoked_at    TEXT,
+  notes         TEXT
+);
+CREATE INDEX IF NOT EXISTS idx_wab_api_keys_owner ON wab_api_keys(owner_email);
+CREATE INDEX IF NOT EXISTS idx_wab_api_keys_hash  ON wab_api_keys(key_hash);
+CREATE TABLE IF NOT EXISTS wab_api_usage (
+  id            INTEGER PRIMARY KEY AUTOINCREMENT,
+  key_id        TEXT NOT NULL,
+  day           TEXT NOT NULL,                   -- YYYY-MM-DD UTC
+  endpoint      TEXT NOT NULL,
+  count         INTEGER NOT NULL DEFAULT 0,
+  bytes_out     INTEGER NOT NULL DEFAULT 0,
+  UNIQUE(key_id, day, endpoint)
+);
+CREATE INDEX IF NOT EXISTS idx_wab_api_usage_key_day ON wab_api_usage(key_id, day);
+-- ── 3) Governance SaaS ───────────────────────────────────────────────────────
+CREATE TABLE IF NOT EXISTS wab_governance_workspaces (
+  id            INTEGER PRIMARY KEY AUTOINCREMENT,
+  workspace_id  TEXT NOT NULL UNIQUE,
+  display_name  TEXT NOT NULL,
+  plan          TEXT NOT NULL DEFAULT 'team'
+                CHECK (plan IN ('team','business','enterprise')),
+  status        TEXT NOT NULL DEFAULT 'active'
+                CHECK (status IN ('active','suspended','closed')),
+  owner_email   TEXT NOT NULL,
+  retention_days INTEGER NOT NULL DEFAULT 90,
+  max_members   INTEGER NOT NULL DEFAULT 5,
+  max_events_per_month INTEGER NOT NULL DEFAULT 100000,
+  api_key_id    TEXT,                            -- write-token reference (FK wab_api_keys.key_id)
+  region        TEXT NOT NULL DEFAULT 'eu',
+  created_at    TEXT NOT NULL DEFAULT (datetime('now')),
+  updated_at    TEXT NOT NULL DEFAULT (datetime('now'))
+);
+CREATE TABLE IF NOT EXISTS wab_governance_members (
+  id            INTEGER PRIMARY KEY AUTOINCREMENT,
+  workspace_id  TEXT NOT NULL,
+  email         TEXT NOT NULL,
+  role          TEXT NOT NULL DEFAULT 'viewer'
+                CHECK (role IN ('owner','admin','reviewer','viewer')),
+  invited_at    TEXT NOT NULL DEFAULT (datetime('now')),
+  accepted_at   TEXT,
+  UNIQUE(workspace_id, email)
+);
+CREATE TABLE IF NOT EXISTS wab_governance_events (
+  id            INTEGER PRIMARY KEY AUTOINCREMENT,
+  event_id      TEXT NOT NULL UNIQUE,
+  workspace_id  TEXT NOT NULL,
+  source        TEXT NOT NULL,                   -- agent name / system source
+  event_type    TEXT NOT NULL,                   -- refusal|approval|override|policy|...
+  severity      TEXT NOT NULL DEFAULT 'info'
+                CHECK (severity IN ('info','low','medium','high','critical')),
+  subject       TEXT,                            -- domain/project/user-pseudo-id
+  article       TEXT,                            -- constitutional article invoked
+  outcome       TEXT,                            -- allowed|refused|deferred
+  detail        TEXT,                            -- JSON or text (length-capped)
+  signature     TEXT,                            -- optional Ed25519 over canonical event
+  signed_by_pk  TEXT,
+  created_at    TEXT NOT NULL DEFAULT (datetime('now'))
+);
+CREATE INDEX IF NOT EXISTS idx_gov_events_ws   ON wab_governance_events(workspace_id, created_at DESC);
+CREATE INDEX IF NOT EXISTS idx_gov_events_type ON wab_governance_events(workspace_id, event_type);
+-- ── 4) Enterprise Mesh — license registry (verify-side only) ─────────────────
+CREATE TABLE IF NOT EXISTS wab_licenses (
+  id            INTEGER PRIMARY KEY AUTOINCREMENT,
+  license_id    TEXT NOT NULL UNIQUE,
+  fingerprint   TEXT NOT NULL,                   -- sha256 of canonical license body
+  tier          TEXT NOT NULL DEFAULT 'enterprise'
+                CHECK (tier IN ('enterprise','enterprise-airgap')),
+  owner_org     TEXT NOT NULL,
+  contact_email TEXT NOT NULL,
+  seats         INTEGER NOT NULL DEFAULT 1,
+  features      TEXT NOT NULL DEFAULT '[]',      -- JSON array
+  issued_at     TEXT NOT NULL,
+  expires_at    TEXT NOT NULL,
+  status        TEXT NOT NULL DEFAULT 'active'
+                CHECK (status IN ('active','revoked','expired')),
+  revoked_at    TEXT,
+  revoked_reason TEXT,
+  created_at    TEXT NOT NULL DEFAULT (datetime('now'))
+);
+CREATE INDEX IF NOT EXISTS idx_wab_licenses_status ON wab_licenses(status, expires_at);