web-agent-bridge 3.4.0 → 3.8.1

package/public/whitepaper.html

@@ -1,449 +1,449 @@
-<!DOCTYPE html>
-<html lang="en" dir="ltr">
-<head>
-  <meta charset="UTF-8" />
-  <meta name="viewport" content="width=device-width, initial-scale=1.0" />
-  <title>WAB DNS Discovery Whitepaper — Web Agent Bridge</title>
-  <meta name="description" content="Web Agent Bridge (WAB) DNS Discovery Protocol — A Zero-Probe, Cryptographically Verified Infrastructure Layer for AI Agents. Whitepaper v1.3.0." />
-  <meta name="robots" content="index, follow, noarchive, nosnippet, noimageindex" />
-  <link rel="canonical" href="https://webagentbridge.com/whitepaper" />
-  <meta property="og:title" content="WAB DNS Discovery Whitepaper" />
-  <meta property="og:description" content="Zero-probe, cryptographically verified discovery protocol for AI agents." />
-  <meta property="og:url" content="https://webagentbridge.com/whitepaper" />
-  <meta property="og:type" content="article" />
-
-  <!-- Anti-embedding / clickjacking defense -->
-  <meta http-equiv="X-Content-Type-Options" content="nosniff" />
-  <meta http-equiv="Referrer-Policy" content="strict-origin-when-cross-origin" />
-  <meta name="copyright" content="© 2026 Web Agent Bridge — All Rights Reserved" />
-  <meta name="rights" content="All Rights Reserved. Reproduction prohibited without written consent." />
-
-  <link rel="icon" type="image/svg+xml" href="/assets/logo.svg" />
-  <style>
-    /* === RESET / BASE === */
-    *, *::before, *::after { box-sizing: border-box; margin: 0; padding: 0; }
-    html, body {
-      background: #0b1020;
-      color: #e7ecf5;
-      font-family: -apple-system, BlinkMacSystemFont, "Segoe UI", Roboto, Helvetica, Arial, sans-serif;
-      line-height: 1.7;
-      min-height: 100vh;
-      overflow-x: hidden;
-    }
-
-    /* === ANTI-COPY DEFENSE LAYER === */
-    /* Disable text selection across the document (best-effort browser deterrent) */
-    .wp-protect, .wp-protect * {
-      -webkit-user-select: none !important;
-      -moz-user-select: none !important;
-      -ms-user-select: none !important;
-      user-select: none !important;
-      -webkit-touch-callout: none !important;
-      -webkit-tap-highlight-color: transparent;
-    }
-    /* Block image dragging */
-    .wp-protect img { -webkit-user-drag: none; user-drag: none; pointer-events: none; }
-
-    /* === LAYOUT === */
-    .topbar {
-      position: sticky; top: 0; z-index: 50;
-      background: rgba(11, 16, 32, 0.92);
-      backdrop-filter: blur(10px);
-      border-bottom: 1px solid rgba(255,255,255,0.08);
-      padding: 14px 24px;
-      display: flex; align-items: center; justify-content: space-between;
-    }
-    .topbar a.brand { color: #4ea3ff; text-decoration: none; font-weight: 600; font-size: 1rem; }
-    .topbar .meta { font-size: 0.8rem; color: #8b96ad; }
-    .topbar .badge {
-      display: inline-block;
-      background: linear-gradient(135deg, #f97316, #ef4444);
-      color: white;
-      padding: 3px 10px;
-      border-radius: 999px;
-      font-size: 0.72rem;
-      font-weight: 600;
-      letter-spacing: 0.5px;
-      margin-left: 8px;
-      vertical-align: middle;
-    }
-
-    .container {
-      max-width: 820px;
-      margin: 0 auto;
-      padding: 48px 28px 96px;
-      position: relative;
-    }
-
-    /* === DIAGONAL WATERMARK === */
-    .watermark {
-      position: fixed;
-      top: 0; left: 0; right: 0; bottom: 0;
-      pointer-events: none;
-      z-index: 1;
-      opacity: 0.06;
-      background-image:
-        repeating-linear-gradient(
-          -45deg,
-          transparent 0,
-          transparent 180px,
-          rgba(78, 163, 255, 0.0) 180px,
-          rgba(78, 163, 255, 0.0) 200px
-        );
-      overflow: hidden;
-    }
-    .watermark::before {
-      content: "WEBAGENTBRIDGE.COM • © 2026 • CONFIDENTIAL READ-ONLY • WEBAGENTBRIDGE.COM • © 2026 • CONFIDENTIAL READ-ONLY • WEBAGENTBRIDGE.COM • © 2026";
-      position: absolute;
-      top: -50%; left: -50%; right: -50%; bottom: -50%;
-      transform: rotate(-30deg);
-      font-size: 28px;
-      font-weight: 700;
-      color: #4ea3ff;
-      white-space: pre-wrap;
-      word-spacing: 18px;
-      line-height: 220px;
-      letter-spacing: 4px;
-      text-align: center;
-      opacity: 0.65;
-    }
-
-    /* === CONTENT === */
-    .doc { position: relative; z-index: 2; }
-    h1 {
-      font-size: 2.1rem;
-      line-height: 1.3;
-      margin-bottom: 8px;
-      background: linear-gradient(135deg, #4ea3ff, #8b5cf6);
-      -webkit-background-clip: text;
-      background-clip: text;
-      -webkit-text-fill-color: transparent;
-      letter-spacing: -0.5px;
-    }
-    h2 {
-      font-size: 1.5rem;
-      margin: 36px 0 14px;
-      color: #ffffff;
-      border-left: 3px solid #4ea3ff;
-      padding-left: 12px;
-    }
-    h3 {
-      font-size: 1.15rem;
-      margin: 26px 0 10px;
-      color: #cdd6e3;
-    }
-    p { margin: 0 0 14px; color: #cdd6e3; }
-    ul, ol { margin: 0 0 16px 22px; color: #cdd6e3; }
-    li { margin-bottom: 6px; }
-    code, pre {
-      font-family: "JetBrains Mono", "SF Mono", Menlo, Consolas, monospace;
-      font-size: 0.88rem;
-    }
-    code {
-      background: rgba(78, 163, 255, 0.12);
-      color: #b8d4ff;
-      padding: 2px 6px;
-      border-radius: 4px;
-    }
-    pre {
-      background: #060914;
-      border: 1px solid rgba(255,255,255,0.08);
-      border-radius: 8px;
-      padding: 16px 18px;
-      overflow-x: auto;
-      margin: 12px 0 18px;
-    }
-    pre code { background: transparent; padding: 0; color: #b8d4ff; }
-    blockquote {
-      border-left: 3px solid #f97316;
-      background: rgba(249, 115, 22, 0.08);
-      padding: 14px 18px;
-      margin: 18px 0;
-      border-radius: 0 6px 6px 0;
-      font-size: 0.95rem;
-    }
-    table {
-      width: 100%; border-collapse: collapse;
-      margin: 14px 0;
-      background: rgba(255,255,255,0.02);
-      border-radius: 6px;
-      overflow: hidden;
-    }
-    th, td {
-      padding: 10px 14px;
-      text-align: left;
-      border-bottom: 1px solid rgba(255,255,255,0.06);
-      font-size: 0.92rem;
-    }
-    th { background: rgba(78,163,255,0.08); color: #ffffff; font-weight: 600; }
-    hr {
-      border: none;
-      height: 1px;
-      background: linear-gradient(90deg, transparent, rgba(255,255,255,0.15), transparent);
-      margin: 32px 0;
-    }
-    .lead-card {
-      background: linear-gradient(135deg, rgba(78,163,255,0.08), rgba(139,92,246,0.06));
-      border: 1px solid rgba(78,163,255,0.2);
-      border-radius: 12px;
-      padding: 22px 26px;
-      margin: 24px 0;
-    }
-    .lead-card .meta-grid {
-      display: grid; grid-template-columns: repeat(auto-fit, minmax(160px, 1fr));
-      gap: 12px;
-      margin-top: 12px;
-      font-size: 0.86rem;
-    }
-    .lead-card .meta-grid div { color: #8b96ad; }
-    .lead-card .meta-grid b { color: #ffffff; }
-    .footnote {
-      margin-top: 48px;
-      padding-top: 24px;
-      border-top: 1px solid rgba(255,255,255,0.08);
-      font-size: 0.82rem;
-      color: #8b96ad;
-      text-align: center;
-    }
-    .footnote a { color: #4ea3ff; text-decoration: none; }
-
-    /* Print suppression */
-    @media print {
-      html, body { display: none !important; visibility: hidden !important; }
-      body::after {
-        content: "Printing of this document is not authorized. Visit https://webagentbridge.com/whitepaper to view.";
-        display: block !important;
-        visibility: visible !important;
-        position: fixed; top: 50%; left: 50%; transform: translate(-50%, -50%);
-        font-size: 18px; color: #000;
-      }
-    }
-  </style>
-</head>
-<body class="wp-protect" oncontextmenu="return false;" oncopy="return false;" oncut="return false;" onpaste="return false;" ondragstart="return false;" onselectstart="return false;">
-
-  <div class="watermark" aria-hidden="true"></div>
-
-  <header class="topbar">
-    <a href="/" class="brand">← Web Agent Bridge</a>
-    <div class="meta">
-      Whitepaper v1.3.0 <span class="badge">READ-ONLY</span>
-    </div>
-  </header>
-
-  <main class="container">
-    <article class="doc" id="whitepaper">
-
-      <h1>Web Agent Bridge (WAB) DNS Discovery Protocol</h1>
-      <p style="font-size: 1.1rem; color: #cdd6e3; margin-top: 6px;">
-        A Zero-Probe, Cryptographically Verified Infrastructure Layer for AI Agents
-      </p>
-
-      <div class="lead-card">
-        <div><b>© 2026 Web Agent Bridge.</b> All Rights Reserved.</div>
-        <p style="margin: 8px 0 0; font-size: 0.9rem;">
-          This whitepaper is the intellectual property of the Web Agent Bridge project.
-          Reproduction, redistribution, or modification — in whole or in part — is <b>prohibited</b>
-          without prior written permission. The canonical, authoritative version is published at
-          <code>webagentbridge.com/whitepaper</code>.
-        </p>
-        <div class="meta-grid">
-          <div><b>Version</b><br>1.3.0</div>
-          <div><b>Status</b><br>Published</div>
-          <div><b>Date</b><br>May 2026</div>
-          <div><b>License</b><br>All Rights Reserved</div>
-        </div>
-      </div>
-
-      <h2>Abstract</h2>
-      <p>As artificial intelligence agents transition from isolated chatbots to autonomous web navigators, the absence of a standardized, machine-readable discovery mechanism creates significant friction. Agents currently rely on heuristic DOM scraping, trial-and-error HTTP probing, and reverse-engineered APIs, leading to excessive server load, brittle integrations, and privacy risks. This paper introduces the <b>Web Agent Bridge (WAB) DNS Discovery Protocol</b>, a lightweight, infrastructure-first mechanism that allows AI agents to instantly discover a domain's AI capabilities and cryptographic trust attestations without prior HTTP interaction. Modeled after email authentication standards like SPF, DKIM, and DMARC, the WAB DNS Discovery Protocol utilizes DNS TXT records resolved over DNS over HTTPS (DoH) to advertise protocol support and endpoint locations. Furthermore, we detail the <b>WAB Cryptographic Trust Layer (v1.3)</b>, which employs Ed25519 signatures to ensure the integrity and authenticity of the discovery document, mitigating man-in-the-middle attacks and establishing a robust foundation for autonomous agent-web interactions.</p>
-
-      <h2>1. Introduction</h2>
-      <p>The proliferation of Large Language Models (LLMs) and autonomous AI agents has fundamentally altered how digital information is accessed and processed. Unlike human users who rely on visual interfaces and HTML/CSS rendering, AI agents require structured, deterministic access to web capabilities. However, the current web architecture lacks a native discovery layer for machine-to-machine interactions.</p>
-      <p>Currently, agents attempting to interact with a website face a "blind fetch" problem. They must either parse complex HTML structures, guess API endpoints, or probe for well-known files (e.g., <code>/.well-known/ai-plugin.json</code>), often resulting in HTTP 404 errors, increased latency, and unnecessary server overhead. Furthermore, the rise of "cookie-wall taxes" and aggressive bot mitigation strategies disproportionately penalize legitimate, beneficial AI traffic.</p>
-      <p>To address these challenges, we propose the <b>Web Agent Bridge (WAB) DNS Discovery Protocol</b>. By shifting the discovery phase to the Domain Name System (DNS) infrastructure, WAB enables <b>zero-probe discovery</b>. Agents can resolve a single DNS record to ascertain AI readiness, locate the capabilities document (<code>wab.json</code>), and verify the cryptographic signature of the provider, all before initiating an HTTP connection.</p>
-
-      <h2>2. The WAB DNS Discovery Protocol (DDP)</h2>
-      <p>The DNS Discovery Protocol (DDP) is an infrastructure-layer mechanism that allows domains to advertise their WAB endpoint and trust parameters. It is designed to be highly cacheable, universally supported, and easily verifiable.</p>
-
-      <h3>2.1 Protocol Mechanics</h3>
-      <p>The core of the DDP is a DNS TXT record placed at the <code>_wab</code> subdomain of the apex domain (e.g., <code>_wab.example.com</code>). This approach mirrors established email authentication protocols such as the Sender Policy Framework (SPF) [1] and DomainKeys Identified Mail (DKIM) [2].</p>
-      <p>When an AI agent intends to interact with a domain, it MUST first query the <code>_wab.{apex}</code> TXT record. If the DNS query returns <code>NXDOMAIN</code>, the agent concludes that the domain does not explicitly support the WAB protocol and falls back to traditional, heuristic methods. If the record exists, the agent parses the key-value pairs to locate the discovery document.</p>
-
-      <h3>2.2 Record Format and Syntax</h3>
-      <p>The WAB TXT record utilizes a semicolon-separated key-value format. The primary fields are defined as follows:</p>
-      <table>
-        <thead>
-          <tr><th>Field</th><th>Value Type</th><th>Requirement</th><th>Description</th></tr>
-        </thead>
-        <tbody>
-          <tr><td><code>v</code></td><td>string</td><td>REQUIRED</td><td>Protocol version identifier. Current standard is <code>wab1</code>.</td></tr>
-          <tr><td><code>endpoint</code></td><td>URL</td><td>REQUIRED</td><td>The absolute HTTPS URL of the <code>wab.json</code> discovery document.</td></tr>
-          <tr><td><code>pk</code></td><td>string</td><td>OPTIONAL</td><td>The public key for cryptographic verification, prefixed with the algorithm (e.g., <code>ed25519:&lt;base64&gt;</code>).</td></tr>
-        </tbody>
-      </table>
-      <p><b>Example TXT Record:</b></p>
-      <pre><code>_wab.example.com. 3600 IN TXT "v=wab1; endpoint=https://example.com/.well-known/wab.json; pk=ed25519:PkQ7aq1E3jvMI2oL0rvYtTgOplWd+USw26Y/D4JzPxo="</code></pre>
-
-      <h3>2.3 DNS over HTTPS (DoH) Requirement</h3>
-      <p>To prevent ISP-level interception, manipulation, and tracking of discovery queries, WAB-aware agents SHOULD resolve the <code>_wab</code> records using DNS over HTTPS (DoH) [3]. DoH encrypts the DNS query, shifting the trust boundary from the local network to a trusted DoH resolver (e.g., Cloudflare 1.1.1.1 or Google 8.8.8.8).</p>
-
-      <h2>3. The Discovery Document (<code>wab.json</code>)</h2>
-      <p>The discovery document, typically hosted at <code>/.well-known/wab.json</code>, is a structured JSON file that defines the domain's capabilities, permitted actions, and transport mechanisms.</p>
-
-      <h3>3.1 Schema Overview (v1.3)</h3>
-      <p>The <code>wab.json</code> schema is designed for extensibility and strict typing. Key components include:</p>
-      <ul>
-        <li><code>wab_version</code> — Specifies the schema version (e.g., <code>"1.3.0"</code>).</li>
-        <li><code>provider</code> — Metadata regarding the domain owner, including name, category, and URL.</li>
-        <li><code>capabilities</code> — Defines the permitted actions (<code>commands</code>) and granular access rights (<code>permissions</code>).</li>
-        <li><code>endpoints</code> — Specifies the API endpoints for agent interaction (e.g., <code>/api/wab/discover</code>, <code>/api/wab/ping</code>).</li>
-        <li><code>signature</code> — The cryptographic signature block (detailed in Section 4).</li>
-      </ul>
-
-      <h3>3.2 Action Definitions</h3>
-      <p>Actions (or commands) are explicitly defined within the <code>capabilities.commands</code> array. This eliminates the need for agents to infer functionality. Each command specifies its trigger mechanism (e.g., <code>api</code>, <code>navigate</code>), required parameters, and authentication prerequisites, providing a deterministic execution path.</p>
-
-      <h2>4. Cryptographic Trust Layer (v1.3)</h2>
-      <p>While DNS discovery provides routing, it does not inherently guarantee the integrity of the fetched <code>wab.json</code> document, especially if the HTTPS connection is compromised or misconfigured. To establish a robust chain of trust, WAB v1.3 introduces a <b>Cryptographic Trust Layer</b> based on Ed25519 signatures.</p>
-
-      <h3>4.1 Ed25519 Signatures</h3>
-      <p>Ed25519 [4] is a public-key signature system utilizing the Edwards-curve Digital Signature Algorithm (EdDSA). It was selected for WAB due to its high performance, small key size (32 bytes), and resilience against side-channel attacks.</p>
-
-      <h3>4.2 Signature Generation and Verification</h3>
-      <p>The trust layer operates through a deterministic canonicalization and signing process:</p>
-      <ol>
-        <li><b>Key Generation</b> — The domain owner generates an Ed25519 keypair. The private key is securely stored offline or within a secure enclave.</li>
-        <li><b>DNS Publication</b> — The public key is published in the <code>_wab</code> DNS TXT record using the <code>pk=</code> parameter (e.g., <code>pk=ed25519:&lt;base64_public_key&gt;</code>).</li>
-        <li><b>Canonicalization</b> — Before signing, the <code>wab.json</code> document undergoes RFC 8785-style JSON canonicalization [5]. This process sorts object keys lexicographically, removes insignificant whitespace, and excludes the top-level <code>signature</code> field to ensure a consistent byte representation.</li>
-        <li><b>Signing</b> — The canonicalized JSON string is signed using the Ed25519 private key.</li>
-        <li><b>Manifest Embedding</b> — The resulting signature is embedded back into the <code>wab.json</code> document under the <code>signature</code> object.</li>
-      </ol>
-      <p><b>Signature Block Example:</b></p>
-      <pre><code>"signature": {
-  "algorithm": "ed25519",
-  "value": "base64_encoded_signature_string...",
-  "key_id": "pYu7X5PF/HoE2yDx",
-  "signed_at": "2026-05-02T10:00:00Z"
-}</code></pre>
-
-      <h3>4.3 Agent Verification Flow</h3>
-      <p>Upon fetching the <code>wab.json</code> document, a WAB-compliant agent performs the following verification steps:</p>
-      <ol>
-        <li>Extracts the <code>pk</code> value from the previously resolved <code>_wab</code> DNS TXT record.</li>
-        <li>Extracts the <code>signature</code> object from the <code>wab.json</code> document.</li>
-        <li>Verifies that <code>signature.algorithm</code> is <code>ed25519</code>.</li>
-        <li>Canonicalizes the <code>wab.json</code> document (excluding the <code>signature</code> field).</li>
-        <li>Verifies the canonicalized string against the <code>signature.value</code> using the extracted public key.</li>
-      </ol>
-      <p>If the verification succeeds, the agent possesses cryptographic proof that the capabilities document was authorized by the entity controlling the domain's DNS records, effectively neutralizing unauthorized modifications.</p>
-
-      <h2>5. Implementation and Adoption</h2>
-      <p>The WAB protocol is designed for frictionless adoption by both site owners and agent developers.</p>
-
-      <h3>5.1 Zero-Code Infrastructure Onboarding</h3>
-      <p>Site owners can enable WAB discovery without deploying new code. By simply adding the <code>_wab</code> TXT record and hosting a static <code>wab.json</code> file, a domain becomes "Agent-Ready." This infrastructure-first approach lowers the barrier to entry compared to complex API integrations.</p>
-
-      <h3>5.2 The Proof Lab and Live Verification</h3>
-      <p>To facilitate adoption and ensure compliance, the Web Agent Bridge provides a <b>"Proof Lab."</b> This tool performs a live, end-to-end verification of the integration:</p>
-      <ol>
-        <li><b>DNS Resolution</b> — Verifies the presence and syntax of the <code>_wab</code> TXT record via DoH.</li>
-        <li><b>Document Fetch</b> — Retrieves and parses the <code>wab.json</code> file.</li>
-        <li><b>Agent Execution</b> — Simulates an agent flow by calling the defined endpoints (e.g., <code>/api/wab/discover</code>, <code>/api/wab/ping</code>) to confirm execution readiness (<code>execution_ok=true</code>).</li>
-      </ol>
-
-      <h2>6. Conclusion</h2>
-      <p>The Web Agent Bridge (WAB) DNS Discovery Protocol and its Cryptographic Trust Layer provide a critical missing piece in the architecture of the autonomous web. By leveraging proven DNS infrastructure and Ed25519 cryptography, WAB enables zero-probe, secure, and deterministic discovery of AI capabilities. This protocol reduces server overhead, enhances privacy through DoH, and establishes a verifiable chain of trust, paving the way for scalable and secure machine-to-machine interactions on the internet.</p>
-
-      <h2>References</h2>
-      <ol>
-        <li>S. Kitterman, <i>"Sender Policy Framework (SPF) for Authorizing Use of Domains in Email, Version 1,"</i> RFC 7208, April 2014.</li>
-        <li>D. Crocker, T. Hansen, and M. Kucherawy, <i>"DomainKeys Identified Mail (DKIM) Signatures,"</i> RFC 6376, September 2011.</li>
-        <li>P. Hoffman and P. McManus, <i>"DNS Queries over HTTPS (DoH),"</i> RFC 8484, October 2018.</li>
-        <li>S. Josefsson and I. Liusvaara, <i>"Edwards-Curve Digital Signature Algorithm (EdDSA),"</i> RFC 8032, January 2017.</li>
-        <li>A. Rundgren, B. Jordan, and S. Erdtman, <i>"JSON Canonicalization Scheme (JCS),"</i> RFC 8785, June 2020.</li>
-      </ol>
-
-      <hr />
-
-      <div class="footnote">
-        <p>This document is read-only reference material.<br>
-        The canonical version lives at <a href="https://webagentbridge.com/whitepaper">webagentbridge.com/whitepaper</a>.<br>
-        <b>All rights reserved © 2026 Web Agent Bridge.</b> Reproduction, redistribution, or modification — in whole or in part — is prohibited without prior written permission.</p>
-      </div>
-
-    </article>
-  </main>
-
-  <script>
-    /* === Anti-copy / anti-extraction defense ===
-       Browser-side defenses are deterrents; they cannot defeat a determined attacker.
-       Combined with server-side rights notice, this discourages casual copying. */
-    (function () {
-      var doc = document;
-
-      // Block context menu
-      doc.addEventListener('contextmenu', function (e) { e.preventDefault(); return false; }, { capture: true });
-
-      // Block copy / cut / paste / select-all
-      ['copy', 'cut', 'paste'].forEach(function (evt) {
-        doc.addEventListener(evt, function (e) {
-          e.preventDefault();
-          if (e.clipboardData) {
-            try { e.clipboardData.setData('text/plain', '© Web Agent Bridge — copying this whitepaper is not permitted. See https://webagentbridge.com/whitepaper'); } catch (_) {}
-          }
-          return false;
-        }, { capture: true });
-      });
-
-      // Block drag and selection
-      doc.addEventListener('dragstart', function (e) { e.preventDefault(); return false; }, { capture: true });
-      doc.addEventListener('selectstart', function (e) { e.preventDefault(); return false; }, { capture: true });
-
-      // Block common keyboard shortcuts: Ctrl+C/X/A/S/P/U, F12, Ctrl+Shift+I/J/C, Cmd equivalents
-      doc.addEventListener('keydown', function (e) {
-        var k = (e.key || '').toLowerCase();
-        var meta = e.ctrlKey || e.metaKey;
-        if (e.key === 'F12') { e.preventDefault(); return false; }
-        if (meta && e.shiftKey && (k === 'i' || k === 'j' || k === 'c')) { e.preventDefault(); return false; }
-        if (meta && (k === 'c' || k === 'x' || k === 'a' || k === 's' || k === 'p' || k === 'u')) {
-          e.preventDefault();
-          return false;
-        }
-      }, { capture: true });
-
-      // Detect and discourage devtools (best effort — shows a notice; cannot truly block)
-      var devtoolsOpen = false;
-      var threshold = 160;
-      setInterval(function () {
-        var widthDelta = window.outerWidth - window.innerWidth;
-        var heightDelta = window.outerHeight - window.innerHeight;
-        if (widthDelta > threshold || heightDelta > threshold) {
-          if (!devtoolsOpen) {
-            devtoolsOpen = true;
-            console.clear && console.clear();
-            console.log('%c⚠ Web Agent Bridge — Read-Only Whitepaper',
-              'color:#f97316;font-size:18px;font-weight:bold;');
-            console.log('%cThis document is © 2026 Web Agent Bridge. Reproduction prohibited.\nSee https://webagentbridge.com/whitepaper for the canonical version.',
-              'color:#cdd6e3;font-size:12px;');
-          }
-        } else {
-          devtoolsOpen = false;
-        }
-      }, 1000);
-
-      // Block iframe embedding (frame-busting)
-      try {
-        if (window.top !== window.self) {
-          window.top.location = window.self.location;
-        }
-      } catch (_) {
-        document.body.innerHTML = '<p style="padding:40px;text-align:center;color:#fff;background:#0b1020;">This whitepaper cannot be embedded. Visit <a style="color:#4ea3ff" href="https://webagentbridge.com/whitepaper">webagentbridge.com/whitepaper</a>.</p>';
-      }
-
-      // Sign-of-life log
-      console.log('%cWAB Whitepaper v1.3.0 — Read-Only', 'color:#4ea3ff;font-weight:bold;');
-    })();
-  </script>
-</body>
-</html>
+<!DOCTYPE html>
+<html lang="en" dir="ltr">
+<head>
+  <meta charset="UTF-8" />
+  <meta name="viewport" content="width=device-width, initial-scale=1.0" />
+  <title>WAB DNS Discovery Whitepaper — Web Agent Bridge</title>
+  <meta name="description" content="Web Agent Bridge (WAB) DNS Discovery Protocol — A Zero-Probe, Cryptographically Verified Infrastructure Layer for AI Agents. Whitepaper v1.3.0." />
+  <meta name="robots" content="index, follow, noarchive, nosnippet, noimageindex" />
+  <link rel="canonical" href="https://webagentbridge.com/whitepaper" />
+  <meta property="og:title" content="WAB DNS Discovery Whitepaper" />
+  <meta property="og:description" content="Zero-probe, cryptographically verified discovery protocol for AI agents." />
+  <meta property="og:url" content="https://webagentbridge.com/whitepaper" />
+  <meta property="og:type" content="article" />
+
+  <!-- Anti-embedding / clickjacking defense -->
+  <meta http-equiv="X-Content-Type-Options" content="nosniff" />
+  <meta http-equiv="Referrer-Policy" content="strict-origin-when-cross-origin" />
+  <meta name="copyright" content="© 2026 Web Agent Bridge — All Rights Reserved" />
+  <meta name="rights" content="All Rights Reserved. Reproduction prohibited without written consent." />
+
+  <link rel="icon" type="image/svg+xml" href="/assets/logo.svg" />
+  <style>
+    /* === RESET / BASE === */
+    *, *::before, *::after { box-sizing: border-box; margin: 0; padding: 0; }
+    html, body {
+      background: #0b1020;
+      color: #e7ecf5;
+      font-family: -apple-system, BlinkMacSystemFont, "Segoe UI", Roboto, Helvetica, Arial, sans-serif;
+      line-height: 1.7;
+      min-height: 100vh;
+      overflow-x: hidden;
+    }
+
+    /* === ANTI-COPY DEFENSE LAYER === */
+    /* Disable text selection across the document (best-effort browser deterrent) */
+    .wp-protect, .wp-protect * {
+      -webkit-user-select: none !important;
+      -moz-user-select: none !important;
+      -ms-user-select: none !important;
+      user-select: none !important;
+      -webkit-touch-callout: none !important;
+      -webkit-tap-highlight-color: transparent;
+    }
+    /* Block image dragging */
+    .wp-protect img { -webkit-user-drag: none; user-drag: none; pointer-events: none; }
+
+    /* === LAYOUT === */
+    .topbar {
+      position: sticky; top: 0; z-index: 50;
+      background: rgba(11, 16, 32, 0.92);
+      backdrop-filter: blur(10px);
+      border-bottom: 1px solid rgba(255,255,255,0.08);
+      padding: 14px 24px;
+      display: flex; align-items: center; justify-content: space-between;
+    }
+    .topbar a.brand { color: #4ea3ff; text-decoration: none; font-weight: 600; font-size: 1rem; }
+    .topbar .meta { font-size: 0.8rem; color: #8b96ad; }
+    .topbar .badge {
+      display: inline-block;
+      background: linear-gradient(135deg, #f97316, #ef4444);
+      color: white;
+      padding: 3px 10px;
+      border-radius: 999px;
+      font-size: 0.72rem;
+      font-weight: 600;
+      letter-spacing: 0.5px;
+      margin-left: 8px;
+      vertical-align: middle;
+    }
+
+    .container {
+      max-width: 820px;
+      margin: 0 auto;
+      padding: 48px 28px 96px;
+      position: relative;
+    }
+
+    /* === DIAGONAL WATERMARK === */
+    .watermark {
+      position: fixed;
+      top: 0; left: 0; right: 0; bottom: 0;
+      pointer-events: none;
+      z-index: 1;
+      opacity: 0.06;
+      background-image:
+        repeating-linear-gradient(
+          -45deg,
+          transparent 0,
+          transparent 180px,
+          rgba(78, 163, 255, 0.0) 180px,
+          rgba(78, 163, 255, 0.0) 200px
+        );
+      overflow: hidden;
+    }
+    .watermark::before {
+      content: "WEBAGENTBRIDGE.COM • © 2026 • CONFIDENTIAL READ-ONLY • WEBAGENTBRIDGE.COM • © 2026 • CONFIDENTIAL READ-ONLY • WEBAGENTBRIDGE.COM • © 2026";
+      position: absolute;
+      top: -50%; left: -50%; right: -50%; bottom: -50%;
+      transform: rotate(-30deg);
+      font-size: 28px;
+      font-weight: 700;
+      color: #4ea3ff;
+      white-space: pre-wrap;
+      word-spacing: 18px;
+      line-height: 220px;
+      letter-spacing: 4px;
+      text-align: center;
+      opacity: 0.65;
+    }
+
+    /* === CONTENT === */
+    .doc { position: relative; z-index: 2; }
+    h1 {
+      font-size: 2.1rem;
+      line-height: 1.3;
+      margin-bottom: 8px;
+      background: linear-gradient(135deg, #4ea3ff, #8b5cf6);
+      -webkit-background-clip: text;
+      background-clip: text;
+      -webkit-text-fill-color: transparent;
+      letter-spacing: -0.5px;
+    }
+    h2 {
+      font-size: 1.5rem;
+      margin: 36px 0 14px;
+      color: #ffffff;
+      border-left: 3px solid #4ea3ff;
+      padding-left: 12px;
+    }
+    h3 {
+      font-size: 1.15rem;
+      margin: 26px 0 10px;
+      color: #cdd6e3;
+    }
+    p { margin: 0 0 14px; color: #cdd6e3; }
+    ul, ol { margin: 0 0 16px 22px; color: #cdd6e3; }
+    li { margin-bottom: 6px; }
+    code, pre {
+      font-family: "JetBrains Mono", "SF Mono", Menlo, Consolas, monospace;
+      font-size: 0.88rem;
+    }
+    code {
+      background: rgba(78, 163, 255, 0.12);
+      color: #b8d4ff;
+      padding: 2px 6px;
+      border-radius: 4px;
+    }
+    pre {
+      background: #060914;
+      border: 1px solid rgba(255,255,255,0.08);
+      border-radius: 8px;
+      padding: 16px 18px;
+      overflow-x: auto;
+      margin: 12px 0 18px;
+    }
+    pre code { background: transparent; padding: 0; color: #b8d4ff; }
+    blockquote {
+      border-left: 3px solid #f97316;
+      background: rgba(249, 115, 22, 0.08);
+      padding: 14px 18px;
+      margin: 18px 0;
+      border-radius: 0 6px 6px 0;
+      font-size: 0.95rem;
+    }
+    table {
+      width: 100%; border-collapse: collapse;
+      margin: 14px 0;
+      background: rgba(255,255,255,0.02);
+      border-radius: 6px;
+      overflow: hidden;
+    }
+    th, td {
+      padding: 10px 14px;
+      text-align: left;
+      border-bottom: 1px solid rgba(255,255,255,0.06);
+      font-size: 0.92rem;
+    }
+    th { background: rgba(78,163,255,0.08); color: #ffffff; font-weight: 600; }
+    hr {
+      border: none;
+      height: 1px;
+      background: linear-gradient(90deg, transparent, rgba(255,255,255,0.15), transparent);
+      margin: 32px 0;
+    }
+    .lead-card {
+      background: linear-gradient(135deg, rgba(78,163,255,0.08), rgba(139,92,246,0.06));
+      border: 1px solid rgba(78,163,255,0.2);
+      border-radius: 12px;
+      padding: 22px 26px;
+      margin: 24px 0;
+    }
+    .lead-card .meta-grid {
+      display: grid; grid-template-columns: repeat(auto-fit, minmax(160px, 1fr));
+      gap: 12px;
+      margin-top: 12px;
+      font-size: 0.86rem;
+    }
+    .lead-card .meta-grid div { color: #8b96ad; }
+    .lead-card .meta-grid b { color: #ffffff; }
+    .footnote {
+      margin-top: 48px;
+      padding-top: 24px;
+      border-top: 1px solid rgba(255,255,255,0.08);
+      font-size: 0.82rem;
+      color: #8b96ad;
+      text-align: center;
+    }
+    .footnote a { color: #4ea3ff; text-decoration: none; }
+
+    /* Print suppression */
+    @media print {
+      html, body { display: none !important; visibility: hidden !important; }
+      body::after {
+        content: "Printing of this document is not authorized. Visit https://webagentbridge.com/whitepaper to view.";
+        display: block !important;
+        visibility: visible !important;
+        position: fixed; top: 50%; left: 50%; transform: translate(-50%, -50%);
+        font-size: 18px; color: #000;
+      }
+    }
+  </style>
+</head>
+<body class="wp-protect" oncontextmenu="return false;" oncopy="return false;" oncut="return false;" onpaste="return false;" ondragstart="return false;" onselectstart="return false;">
+
+  <div class="watermark" aria-hidden="true"></div>
+
+  <header class="topbar">
+    <a href="/" class="brand">← Web Agent Bridge</a>
+    <div class="meta">
+      Whitepaper v1.3.0 <span class="badge">READ-ONLY</span>
+    </div>
+  </header>
+
+  <main class="container">
+    <article class="doc" id="whitepaper">
+
+      <h1>Web Agent Bridge (WAB) DNS Discovery Protocol</h1>
+      <p style="font-size: 1.1rem; color: #cdd6e3; margin-top: 6px;">
+        A Zero-Probe, Cryptographically Verified Infrastructure Layer for AI Agents
+      </p>
+
+      <div class="lead-card">
+        <div><b>© 2026 Web Agent Bridge.</b> All Rights Reserved.</div>
+        <p style="margin: 8px 0 0; font-size: 0.9rem;">
+          This whitepaper is the intellectual property of the Web Agent Bridge project.
+          Reproduction, redistribution, or modification — in whole or in part — is <b>prohibited</b>
+          without prior written permission. The canonical, authoritative version is published at
+          <code>webagentbridge.com/whitepaper</code>.
+        </p>
+        <div class="meta-grid">
+          <div><b>Version</b><br>1.3.0</div>
+          <div><b>Status</b><br>Published</div>
+          <div><b>Date</b><br>May 2026</div>
+          <div><b>License</b><br>All Rights Reserved</div>
+        </div>
+      </div>
+
+      <h2>Abstract</h2>
+      <p>As artificial intelligence agents transition from isolated chatbots to autonomous web navigators, the absence of a standardized, machine-readable discovery mechanism creates significant friction. Agents currently rely on heuristic DOM scraping, trial-and-error HTTP probing, and reverse-engineered APIs, leading to excessive server load, brittle integrations, and privacy risks. This paper introduces the <b>Web Agent Bridge (WAB) DNS Discovery Protocol</b>, a lightweight, infrastructure-first mechanism that allows AI agents to instantly discover a domain's AI capabilities and cryptographic trust attestations without prior HTTP interaction. Modeled after email authentication standards like SPF, DKIM, and DMARC, the WAB DNS Discovery Protocol utilizes DNS TXT records resolved over DNS over HTTPS (DoH) to advertise protocol support and endpoint locations. Furthermore, we detail the <b>WAB Cryptographic Trust Layer (v1.3)</b>, which employs Ed25519 signatures to ensure the integrity and authenticity of the discovery document, mitigating man-in-the-middle attacks and establishing a robust foundation for autonomous agent-web interactions.</p>
+
+      <h2>1. Introduction</h2>
+      <p>The proliferation of Large Language Models (LLMs) and autonomous AI agents has fundamentally altered how digital information is accessed and processed. Unlike human users who rely on visual interfaces and HTML/CSS rendering, AI agents require structured, deterministic access to web capabilities. However, the current web architecture lacks a native discovery layer for machine-to-machine interactions.</p>
+      <p>Currently, agents attempting to interact with a website face a "blind fetch" problem. They must either parse complex HTML structures, guess API endpoints, or probe for well-known files (e.g., <code>/.well-known/ai-plugin.json</code>), often resulting in HTTP 404 errors, increased latency, and unnecessary server overhead. Furthermore, the rise of "cookie-wall taxes" and aggressive bot mitigation strategies disproportionately penalize legitimate, beneficial AI traffic.</p>
+      <p>To address these challenges, we propose the <b>Web Agent Bridge (WAB) DNS Discovery Protocol</b>. By shifting the discovery phase to the Domain Name System (DNS) infrastructure, WAB enables <b>zero-probe discovery</b>. Agents can resolve a single DNS record to ascertain AI readiness, locate the capabilities document (<code>wab.json</code>), and verify the cryptographic signature of the provider, all before initiating an HTTP connection.</p>
+
+      <h2>2. The WAB DNS Discovery Protocol (DDP)</h2>
+      <p>The DNS Discovery Protocol (DDP) is an infrastructure-layer mechanism that allows domains to advertise their WAB endpoint and trust parameters. It is designed to be highly cacheable, universally supported, and easily verifiable.</p>
+
+      <h3>2.1 Protocol Mechanics</h3>
+      <p>The core of the DDP is a DNS TXT record placed at the <code>_wab</code> subdomain of the apex domain (e.g., <code>_wab.example.com</code>). This approach mirrors established email authentication protocols such as the Sender Policy Framework (SPF) [1] and DomainKeys Identified Mail (DKIM) [2].</p>
+      <p>When an AI agent intends to interact with a domain, it MUST first query the <code>_wab.{apex}</code> TXT record. If the DNS query returns <code>NXDOMAIN</code>, the agent concludes that the domain does not explicitly support the WAB protocol and falls back to traditional, heuristic methods. If the record exists, the agent parses the key-value pairs to locate the discovery document.</p>
+
+      <h3>2.2 Record Format and Syntax</h3>
+      <p>The WAB TXT record utilizes a semicolon-separated key-value format. The primary fields are defined as follows:</p>
+      <table>
+        <thead>
+          <tr><th>Field</th><th>Value Type</th><th>Requirement</th><th>Description</th></tr>
+        </thead>
+        <tbody>
+          <tr><td><code>v</code></td><td>string</td><td>REQUIRED</td><td>Protocol version identifier. Current standard is <code>wab1</code>.</td></tr>
+          <tr><td><code>endpoint</code></td><td>URL</td><td>REQUIRED</td><td>The absolute HTTPS URL of the <code>wab.json</code> discovery document.</td></tr>
+          <tr><td><code>pk</code></td><td>string</td><td>OPTIONAL</td><td>The public key for cryptographic verification, prefixed with the algorithm (e.g., <code>ed25519:&lt;base64&gt;</code>).</td></tr>
+        </tbody>
+      </table>
+      <p><b>Example TXT Record:</b></p>
+      <pre><code>_wab.example.com. 3600 IN TXT "v=wab1; endpoint=https://example.com/.well-known/wab.json; pk=ed25519:PkQ7aq1E3jvMI2oL0rvYtTgOplWd+USw26Y/D4JzPxo="</code></pre>
+
+      <h3>2.3 DNS over HTTPS (DoH) Requirement</h3>
+      <p>To prevent ISP-level interception, manipulation, and tracking of discovery queries, WAB-aware agents SHOULD resolve the <code>_wab</code> records using DNS over HTTPS (DoH) [3]. DoH encrypts the DNS query, shifting the trust boundary from the local network to a trusted DoH resolver (e.g., Cloudflare 1.1.1.1 or Google 8.8.8.8).</p>
+
+      <h2>3. The Discovery Document (<code>wab.json</code>)</h2>
+      <p>The discovery document, typically hosted at <code>/.well-known/wab.json</code>, is a structured JSON file that defines the domain's capabilities, permitted actions, and transport mechanisms.</p>
+
+      <h3>3.1 Schema Overview (v1.3)</h3>
+      <p>The <code>wab.json</code> schema is designed for extensibility and strict typing. Key components include:</p>
+      <ul>
+        <li><code>wab_version</code> — Specifies the schema version (e.g., <code>"1.3.0"</code>).</li>
+        <li><code>provider</code> — Metadata regarding the domain owner, including name, category, and URL.</li>
+        <li><code>capabilities</code> — Defines the permitted actions (<code>commands</code>) and granular access rights (<code>permissions</code>).</li>
+        <li><code>endpoints</code> — Specifies the API endpoints for agent interaction (e.g., <code>/api/wab/discover</code>, <code>/api/wab/ping</code>).</li>
+        <li><code>signature</code> — The cryptographic signature block (detailed in Section 4).</li>
+      </ul>
+
+      <h3>3.2 Action Definitions</h3>
+      <p>Actions (or commands) are explicitly defined within the <code>capabilities.commands</code> array. This eliminates the need for agents to infer functionality. Each command specifies its trigger mechanism (e.g., <code>api</code>, <code>navigate</code>), required parameters, and authentication prerequisites, providing a deterministic execution path.</p>
+
+      <h2>4. Cryptographic Trust Layer (v1.3)</h2>
+      <p>While DNS discovery provides routing, it does not inherently guarantee the integrity of the fetched <code>wab.json</code> document, especially if the HTTPS connection is compromised or misconfigured. To establish a robust chain of trust, WAB v1.3 introduces a <b>Cryptographic Trust Layer</b> based on Ed25519 signatures.</p>
+
+      <h3>4.1 Ed25519 Signatures</h3>
+      <p>Ed25519 [4] is a public-key signature system utilizing the Edwards-curve Digital Signature Algorithm (EdDSA). It was selected for WAB due to its high performance, small key size (32 bytes), and resilience against side-channel attacks.</p>
+
+      <h3>4.2 Signature Generation and Verification</h3>
+      <p>The trust layer operates through a deterministic canonicalization and signing process:</p>
+      <ol>
+        <li><b>Key Generation</b> — The domain owner generates an Ed25519 keypair. The private key is securely stored offline or within a secure enclave.</li>
+        <li><b>DNS Publication</b> — The public key is published in the <code>_wab</code> DNS TXT record using the <code>pk=</code> parameter (e.g., <code>pk=ed25519:&lt;base64_public_key&gt;</code>).</li>
+        <li><b>Canonicalization</b> — Before signing, the <code>wab.json</code> document undergoes RFC 8785-style JSON canonicalization [5]. This process sorts object keys lexicographically, removes insignificant whitespace, and excludes the top-level <code>signature</code> field to ensure a consistent byte representation.</li>
+        <li><b>Signing</b> — The canonicalized JSON string is signed using the Ed25519 private key.</li>
+        <li><b>Manifest Embedding</b> — The resulting signature is embedded back into the <code>wab.json</code> document under the <code>signature</code> object.</li>
+      </ol>
+      <p><b>Signature Block Example:</b></p>
+      <pre><code>"signature": {
+  "algorithm": "ed25519",
+  "value": "base64_encoded_signature_string...",
+  "key_id": "pYu7X5PF/HoE2yDx",
+  "signed_at": "2026-05-02T10:00:00Z"
+}</code></pre>
+
+      <h3>4.3 Agent Verification Flow</h3>
+      <p>Upon fetching the <code>wab.json</code> document, a WAB-compliant agent performs the following verification steps:</p>
+      <ol>
+        <li>Extracts the <code>pk</code> value from the previously resolved <code>_wab</code> DNS TXT record.</li>
+        <li>Extracts the <code>signature</code> object from the <code>wab.json</code> document.</li>
+        <li>Verifies that <code>signature.algorithm</code> is <code>ed25519</code>.</li>
+        <li>Canonicalizes the <code>wab.json</code> document (excluding the <code>signature</code> field).</li>
+        <li>Verifies the canonicalized string against the <code>signature.value</code> using the extracted public key.</li>
+      </ol>
+      <p>If the verification succeeds, the agent possesses cryptographic proof that the capabilities document was authorized by the entity controlling the domain's DNS records, effectively neutralizing unauthorized modifications.</p>
+
+      <h2>5. Implementation and Adoption</h2>
+      <p>The WAB protocol is designed for frictionless adoption by both site owners and agent developers.</p>
+
+      <h3>5.1 Zero-Code Infrastructure Onboarding</h3>
+      <p>Site owners can enable WAB discovery without deploying new code. By simply adding the <code>_wab</code> TXT record and hosting a static <code>wab.json</code> file, a domain becomes "Agent-Ready." This infrastructure-first approach lowers the barrier to entry compared to complex API integrations.</p>
+
+      <h3>5.2 The Proof Lab and Live Verification</h3>
+      <p>To facilitate adoption and ensure compliance, the Web Agent Bridge provides a <b>"Proof Lab."</b> This tool performs a live, end-to-end verification of the integration:</p>
+      <ol>
+        <li><b>DNS Resolution</b> — Verifies the presence and syntax of the <code>_wab</code> TXT record via DoH.</li>
+        <li><b>Document Fetch</b> — Retrieves and parses the <code>wab.json</code> file.</li>
+        <li><b>Agent Execution</b> — Simulates an agent flow by calling the defined endpoints (e.g., <code>/api/wab/discover</code>, <code>/api/wab/ping</code>) to confirm execution readiness (<code>execution_ok=true</code>).</li>
+      </ol>
+
+      <h2>6. Conclusion</h2>
+      <p>The Web Agent Bridge (WAB) DNS Discovery Protocol and its Cryptographic Trust Layer provide a critical missing piece in the architecture of the autonomous web. By leveraging proven DNS infrastructure and Ed25519 cryptography, WAB enables zero-probe, secure, and deterministic discovery of AI capabilities. This protocol reduces server overhead, enhances privacy through DoH, and establishes a verifiable chain of trust, paving the way for scalable and secure machine-to-machine interactions on the internet.</p>
+
+      <h2>References</h2>
+      <ol>
+        <li>S. Kitterman, <i>"Sender Policy Framework (SPF) for Authorizing Use of Domains in Email, Version 1,"</i> RFC 7208, April 2014.</li>
+        <li>D. Crocker, T. Hansen, and M. Kucherawy, <i>"DomainKeys Identified Mail (DKIM) Signatures,"</i> RFC 6376, September 2011.</li>
+        <li>P. Hoffman and P. McManus, <i>"DNS Queries over HTTPS (DoH),"</i> RFC 8484, October 2018.</li>
+        <li>S. Josefsson and I. Liusvaara, <i>"Edwards-Curve Digital Signature Algorithm (EdDSA),"</i> RFC 8032, January 2017.</li>
+        <li>A. Rundgren, B. Jordan, and S. Erdtman, <i>"JSON Canonicalization Scheme (JCS),"</i> RFC 8785, June 2020.</li>
+      </ol>
+
+      <hr />
+
+      <div class="footnote">
+        <p>This document is read-only reference material.<br>
+        The canonical version lives at <a href="https://webagentbridge.com/whitepaper">webagentbridge.com/whitepaper</a>.<br>
+        <b>All rights reserved © 2026 Web Agent Bridge.</b> Reproduction, redistribution, or modification — in whole or in part — is prohibited without prior written permission.</p>
+      </div>
+
+    </article>
+  </main>
+
+  <script>
+    /* === Anti-copy / anti-extraction defense ===
+       Browser-side defenses are deterrents; they cannot defeat a determined attacker.
+       Combined with server-side rights notice, this discourages casual copying. */
+    (function () {
+      var doc = document;
+
+      // Block context menu
+      doc.addEventListener('contextmenu', function (e) { e.preventDefault(); return false; }, { capture: true });
+
+      // Block copy / cut / paste / select-all
+      ['copy', 'cut', 'paste'].forEach(function (evt) {
+        doc.addEventListener(evt, function (e) {
+          e.preventDefault();
+          if (e.clipboardData) {
+            try { e.clipboardData.setData('text/plain', '© Web Agent Bridge — copying this whitepaper is not permitted. See https://webagentbridge.com/whitepaper'); } catch (_) {}
+          }
+          return false;
+        }, { capture: true });
+      });
+
+      // Block drag and selection
+      doc.addEventListener('dragstart', function (e) { e.preventDefault(); return false; }, { capture: true });
+      doc.addEventListener('selectstart', function (e) { e.preventDefault(); return false; }, { capture: true });
+
+      // Block common keyboard shortcuts: Ctrl+C/X/A/S/P/U, F12, Ctrl+Shift+I/J/C, Cmd equivalents
+      doc.addEventListener('keydown', function (e) {
+        var k = (e.key || '').toLowerCase();
+        var meta = e.ctrlKey || e.metaKey;
+        if (e.key === 'F12') { e.preventDefault(); return false; }
+        if (meta && e.shiftKey && (k === 'i' || k === 'j' || k === 'c')) { e.preventDefault(); return false; }
+        if (meta && (k === 'c' || k === 'x' || k === 'a' || k === 's' || k === 'p' || k === 'u')) {
+          e.preventDefault();
+          return false;
+        }
+      }, { capture: true });
+
+      // Detect and discourage devtools (best effort — shows a notice; cannot truly block)
+      var devtoolsOpen = false;
+      var threshold = 160;
+      setInterval(function () {
+        var widthDelta = window.outerWidth - window.innerWidth;
+        var heightDelta = window.outerHeight - window.innerHeight;
+        if (widthDelta > threshold || heightDelta > threshold) {
+          if (!devtoolsOpen) {
+            devtoolsOpen = true;
+            console.clear && console.clear();
+            console.log('%c⚠ Web Agent Bridge — Read-Only Whitepaper',
+              'color:#f97316;font-size:18px;font-weight:bold;');
+            console.log('%cThis document is © 2026 Web Agent Bridge. Reproduction prohibited.\nSee https://webagentbridge.com/whitepaper for the canonical version.',
+              'color:#cdd6e3;font-size:12px;');
+          }
+        } else {
+          devtoolsOpen = false;
+        }
+      }, 1000);
+
+      // Block iframe embedding (frame-busting)
+      try {
+        if (window.top !== window.self) {
+          window.top.location = window.self.location;
+        }
+      } catch (_) {
+        document.body.innerHTML = '<p style="padding:40px;text-align:center;color:#fff;background:#0b1020;">This whitepaper cannot be embedded. Visit <a style="color:#4ea3ff" href="https://webagentbridge.com/whitepaper">webagentbridge.com/whitepaper</a>.</p>';
+      }
+
+      // Sign-of-life log
+      console.log('%cWAB Whitepaper v1.3.0 — Read-Only', 'color:#4ea3ff;font-weight:bold;');
+    })();
+  </script>
+</body>
+</html>