web-agent-bridge 3.4.0 → 3.9.0

package/server/routes/admin-shieldlink.js

@@ -0,0 +1,137 @@
+/**
+ * Admin ShieldLink — review brand requests, monitor reports, suspend abuse.
+ *   GET  /api/admin/shieldlink/brands?status=pending
+ *   PUT  /api/admin/shieldlink/brands/:id        { decision, notes, badge_level }
+ *   GET  /api/admin/shieldlink/links?status=&domain=
+ *   POST /api/admin/shieldlink/links/:id/suspend
+ *   GET  /api/admin/shieldlink/reports?status=open
+ *   PUT  /api/admin/shieldlink/reports/:id       { status }
+ *   GET  /api/admin/shieldlink/stats
+ *   POST /api/admin/shieldlink/holds              { pattern, reason }
+ *   DELETE /api/admin/shieldlink/holds/:id
+ */
+'use strict';
+
+const express = require('express');
+const Database = require('better-sqlite3');
+const path = require('path');
+const { authenticateAdmin } = require('../middleware/adminAuth');
+const { auditLog } = require('../services/security');
+const sl = require('../services/shieldlink');
+
+const router = express.Router();
+router.use(authenticateAdmin);
+
+const DATA_DIR = process.env.NODE_ENV === 'test'
+  ? path.join(__dirname, '..', '..', 'data-test')
+  : (process.env.DATA_DIR || path.join(__dirname, '..', '..', 'data'));
+const DB_FILE = process.env.NODE_ENV === 'test' ? 'wab-test.db' : 'wab.db';
+let _db = null;
+function db() { if (!_db) _db = new Database(path.join(DATA_DIR, DB_FILE)); return _db; }
+
+const VALID_BRAND_STATUSES = new Set(['pending', 'verified', 'rejected', 'suspended']);
+const VALID_REPORT_STATUSES = new Set(['open', 'reviewing', 'resolved', 'rejected']);
+
+router.get('/brands', (req, res) => {
+  const status = VALID_BRAND_STATUSES.has(req.query.status) ? req.query.status : null;
+  res.json({ brands: sl.listBrands({ status, limit: req.query.limit }) });
+});
+
+router.put('/brands/:id', express.json({ limit: '8kb' }), (req, res) => {
+  const id = parseInt(req.params.id, 10);
+  const body = req.body || {};
+  if (!Number.isFinite(id) || !VALID_BRAND_STATUSES.has(body.decision)) {
+    return res.status(400).json({ error: 'invalid_id_or_decision' });
+  }
+  const r = sl.reviewBrand({
+    id,
+    decision: body.decision,
+    reviewerId: String(req.admin.id),
+    notes: body.notes || null,
+    badgeLevel: body.badge_level || null,
+  });
+  if (!r.ok) return res.status(400).json(r);
+  auditLog({
+    actorType: 'admin', actorId: String(req.admin.id),
+    action: 'shieldlink_brand_review',
+    details: { id, decision: body.decision }, ip: req.ip,
+  });
+  res.json({ ok: true });
+});
+
+router.get('/links', (req, res) => {
+  const D = db();
+  const where = []; const params = [];
+  if (req.query.status) { where.push('l.status = ?'); params.push(req.query.status); }
+  if (req.query.domain) { where.push('b.domain = ?'); params.push(String(req.query.domain).toLowerCase()); }
+  const limit = Math.min(parseInt(req.query.limit, 10) || 100, 500);
+  const sql = `SELECT l.id, l.token, l.purpose, l.target_url, l.amount_cents, l.currency, l.payee_name,
+                      l.status, l.expires_at, l.created_at, b.domain, b.display_name, b.status AS brand_status
+                 FROM shieldlink_links l
+                 JOIN shieldlink_brands b ON b.id = l.brand_id
+                 ${where.length ? 'WHERE ' + where.join(' AND ') : ''}
+                 ORDER BY l.created_at DESC LIMIT ?`;
+  res.json({ links: D.prepare(sql).all(...params, limit) });
+});
+
+router.post('/links/:id/suspend', express.json({ limit: '4kb' }), (req, res) => {
+  const id = parseInt(req.params.id, 10);
+  if (!Number.isFinite(id)) return res.status(400).json({ error: 'bad_id' });
+  sl.revokeLink(id, (req.body && req.body.reason) || 'admin_suspended');
+  auditLog({
+    actorType: 'admin', actorId: String(req.admin.id),
+    action: 'shieldlink_link_suspend',
+    details: { id, reason: (req.body && req.body.reason) || null }, ip: req.ip,
+  });
+  res.json({ ok: true });
+});
+
+router.get('/reports', (req, res) => {
+  const status = VALID_REPORT_STATUSES.has(req.query.status) ? req.query.status : null;
+  res.json({ reports: sl.listReports({ status, limit: req.query.limit }) });
+});
+
+router.put('/reports/:id', express.json({ limit: '4kb' }), (req, res) => {
+  const id = parseInt(req.params.id, 10);
+  const status = req.body && req.body.status;
+  if (!Number.isFinite(id) || !VALID_REPORT_STATUSES.has(status)) {
+    return res.status(400).json({ error: 'invalid_id_or_status' });
+  }
+  const resolvedAt = (status === 'resolved' || status === 'rejected') ? `datetime('now')` : 'NULL';
+  db().prepare(`UPDATE shieldlink_reports SET status = ?, resolved_at = ${resolvedAt} WHERE id = ?`).run(status, id);
+  auditLog({
+    actorType: 'admin', actorId: String(req.admin.id),
+    action: 'shieldlink_report_update',
+    details: { id, status }, ip: req.ip,
+  });
+  res.json({ ok: true });
+});
+
+router.get('/stats', (req, res) => res.json(sl.getStats()));
+
+router.post('/holds', express.json({ limit: '4kb' }), (req, res) => {
+  const body = req.body || {};
+  const pattern = String(body.pattern || '').trim();
+  if (!pattern) return res.status(400).json({ error: 'pattern_required' });
+  try {
+    const info = db().prepare(
+      `INSERT OR IGNORE INTO shieldlink_name_holds (pattern, pattern_kind, reason, created_by) VALUES (?, ?, ?, ?)`
+    ).run(pattern, body.pattern_kind === 'regex' ? 'regex' : 'literal', body.reason || null, String(req.admin.id));
+    auditLog({ actorType: 'admin', actorId: String(req.admin.id), action: 'shieldlink_hold_add', details: { pattern }, ip: req.ip });
+    res.json({ ok: true, id: info.lastInsertRowid });
+  } catch (e) { res.status(500).json({ error: e.message }); }
+});
+
+router.delete('/holds/:id', (req, res) => {
+  const id = parseInt(req.params.id, 10);
+  if (!Number.isFinite(id)) return res.status(400).json({ error: 'bad_id' });
+  db().prepare(`DELETE FROM shieldlink_name_holds WHERE id = ?`).run(id);
+  auditLog({ actorType: 'admin', actorId: String(req.admin.id), action: 'shieldlink_hold_remove', details: { id }, ip: req.ip });
+  res.json({ ok: true });
+});
+
+router.get('/holds', (req, res) => {
+  res.json({ holds: db().prepare(`SELECT * FROM shieldlink_name_holds ORDER BY created_at DESC`).all() });
+});
+
+module.exports = router;

package/server/routes/admin-shieldqr.js

@@ -1,90 +1,90 @@
-/**
- * Admin ShieldQR — moderate user-submitted reports + browse recent scans.
- *   GET  /api/admin/shieldqr/reports?status=open
- *   PUT  /api/admin/shieldqr/reports/:id   { status }
- *   GET  /api/admin/shieldqr/scans?host=&level=&limit=
- *   GET  /api/admin/shieldqr/stats
- */
-'use strict';
-
-const express = require('express');
-const Database = require('better-sqlite3');
-const path = require('path');
-const { authenticateAdmin } = require('../middleware/adminAuth');
-const { auditLog } = require('../services/security');
-
-const router = express.Router();
-router.use(authenticateAdmin);
-
-const DATA_DIR = process.env.NODE_ENV === 'test'
-  ? path.join(__dirname, '..', '..', 'data-test')
-  : (process.env.DATA_DIR || path.join(__dirname, '..', '..', 'data'));
-const DB_FILE = process.env.NODE_ENV === 'test' ? 'wab-test.db' : 'wab.db';
-
-let _db = null;
-function db() {
-  if (!_db) { _db = new Database(path.join(DATA_DIR, DB_FILE)); }
-  return _db;
-}
-
-const VALID_STATUSES = new Set(['open', 'reviewing', 'resolved', 'rejected']);
-const VALID_LEVELS = new Set(['green', 'yellow', 'red']);
-
-router.get('/reports', (req, res) => {
-  const status = req.query.status && VALID_STATUSES.has(req.query.status) ? req.query.status : null;
-  const limit = Math.min(parseInt(req.query.limit, 10) || 100, 500);
-  const sql = status
-    ? `SELECT r.*, s.level, s.score, s.host
-         FROM shieldqr_reports r
-         LEFT JOIN shieldqr_scans s ON s.id = r.scan_id
-        WHERE r.status = ? ORDER BY r.created_at DESC LIMIT ?`
-    : `SELECT r.*, s.level, s.score, s.host
-         FROM shieldqr_reports r
-         LEFT JOIN shieldqr_scans s ON s.id = r.scan_id
-        ORDER BY r.created_at DESC LIMIT ?`;
-  const rows = status ? db().prepare(sql).all(status, limit) : db().prepare(sql).all(limit);
-  res.json({ reports: rows, count: rows.length });
-});
-
-router.put('/reports/:id', (req, res) => {
-  const id = parseInt(req.params.id, 10);
-  const status = req.body && req.body.status;
-  if (!Number.isFinite(id) || !VALID_STATUSES.has(status)) {
-    return res.status(400).json({ error: 'invalid id or status' });
-  }
-  const info = db().prepare('UPDATE shieldqr_reports SET status = ? WHERE id = ?').run(status, id);
-  if (info.changes === 0) { return res.status(404).json({ error: 'report not found' }); }
-  auditLog({
-    actorType: 'admin', actorId: String(req.admin.id),
-    action: 'shieldqr_report_update',
-    details: { id, status }, ip: req.ip,
-  });
-  res.json({ ok: true, id, status });
-});
-
-router.get('/scans', (req, res) => {
-  const limit = Math.min(parseInt(req.query.limit, 10) || 100, 500);
-  const where = []; const params = [];
-  if (req.query.host) { where.push('host = ?'); params.push(String(req.query.host).toLowerCase()); }
-  if (req.query.level && VALID_LEVELS.has(req.query.level)) {
-    where.push('level = ?'); params.push(req.query.level);
-  }
-  const sql = `SELECT id, url, host, level, score, trust_ok, ssl_ok, created_at
-                 FROM shieldqr_scans
-                 ${where.length ? 'WHERE ' + where.join(' AND ') : ''}
-                 ORDER BY created_at DESC LIMIT ?`;
-  const rows = db().prepare(sql).all(...params, limit);
-  res.json({ scans: rows, count: rows.length });
-});
-
-router.get('/stats', (req, res) => {
-  const totalScans = db().prepare('SELECT COUNT(*) AS n FROM shieldqr_scans').get().n;
-  const byLevel = db().prepare('SELECT level, COUNT(*) AS n FROM shieldqr_scans GROUP BY level').all();
-  const reportsByStatus = db().prepare('SELECT status, COUNT(*) AS n FROM shieldqr_reports GROUP BY status').all();
-  const recent24h = db().prepare(
-    "SELECT COUNT(*) AS n FROM shieldqr_scans WHERE created_at >= datetime('now','-1 day')"
-  ).get().n;
-  res.json({ totalScans, recent24h, byLevel, reportsByStatus });
-});
-
-module.exports = router;
+/**
+ * Admin ShieldQR — moderate user-submitted reports + browse recent scans.
+ *   GET  /api/admin/shieldqr/reports?status=open
+ *   PUT  /api/admin/shieldqr/reports/:id   { status }
+ *   GET  /api/admin/shieldqr/scans?host=&level=&limit=
+ *   GET  /api/admin/shieldqr/stats
+ */
+'use strict';
+
+const express = require('express');
+const Database = require('better-sqlite3');
+const path = require('path');
+const { authenticateAdmin } = require('../middleware/adminAuth');
+const { auditLog } = require('../services/security');
+
+const router = express.Router();
+router.use(authenticateAdmin);
+
+const DATA_DIR = process.env.NODE_ENV === 'test'
+  ? path.join(__dirname, '..', '..', 'data-test')
+  : (process.env.DATA_DIR || path.join(__dirname, '..', '..', 'data'));
+const DB_FILE = process.env.NODE_ENV === 'test' ? 'wab-test.db' : 'wab.db';
+
+let _db = null;
+function db() {
+  if (!_db) { _db = new Database(path.join(DATA_DIR, DB_FILE)); }
+  return _db;
+}
+
+const VALID_STATUSES = new Set(['open', 'reviewing', 'resolved', 'rejected']);
+const VALID_LEVELS = new Set(['green', 'yellow', 'red']);
+
+router.get('/reports', (req, res) => {
+  const status = req.query.status && VALID_STATUSES.has(req.query.status) ? req.query.status : null;
+  const limit = Math.min(parseInt(req.query.limit, 10) || 100, 500);
+  const sql = status
+    ? `SELECT r.*, s.level, s.score, s.host
+         FROM shieldqr_reports r
+         LEFT JOIN shieldqr_scans s ON s.id = r.scan_id
+        WHERE r.status = ? ORDER BY r.created_at DESC LIMIT ?`
+    : `SELECT r.*, s.level, s.score, s.host
+         FROM shieldqr_reports r
+         LEFT JOIN shieldqr_scans s ON s.id = r.scan_id
+        ORDER BY r.created_at DESC LIMIT ?`;
+  const rows = status ? db().prepare(sql).all(status, limit) : db().prepare(sql).all(limit);
+  res.json({ reports: rows, count: rows.length });
+});
+
+router.put('/reports/:id', (req, res) => {
+  const id = parseInt(req.params.id, 10);
+  const status = req.body && req.body.status;
+  if (!Number.isFinite(id) || !VALID_STATUSES.has(status)) {
+    return res.status(400).json({ error: 'invalid id or status' });
+  }
+  const info = db().prepare('UPDATE shieldqr_reports SET status = ? WHERE id = ?').run(status, id);
+  if (info.changes === 0) { return res.status(404).json({ error: 'report not found' }); }
+  auditLog({
+    actorType: 'admin', actorId: String(req.admin.id),
+    action: 'shieldqr_report_update',
+    details: { id, status }, ip: req.ip,
+  });
+  res.json({ ok: true, id, status });
+});
+
+router.get('/scans', (req, res) => {
+  const limit = Math.min(parseInt(req.query.limit, 10) || 100, 500);
+  const where = []; const params = [];
+  if (req.query.host) { where.push('host = ?'); params.push(String(req.query.host).toLowerCase()); }
+  if (req.query.level && VALID_LEVELS.has(req.query.level)) {
+    where.push('level = ?'); params.push(req.query.level);
+  }
+  const sql = `SELECT id, url, host, level, score, trust_ok, ssl_ok, created_at
+                 FROM shieldqr_scans
+                 ${where.length ? 'WHERE ' + where.join(' AND ') : ''}
+                 ORDER BY created_at DESC LIMIT ?`;
+  const rows = db().prepare(sql).all(...params, limit);
+  res.json({ scans: rows, count: rows.length });
+});
+
+router.get('/stats', (req, res) => {
+  const totalScans = db().prepare('SELECT COUNT(*) AS n FROM shieldqr_scans').get().n;
+  const byLevel = db().prepare('SELECT level, COUNT(*) AS n FROM shieldqr_scans GROUP BY level').all();
+  const reportsByStatus = db().prepare('SELECT status, COUNT(*) AS n FROM shieldqr_reports GROUP BY status').all();
+  const recent24h = db().prepare(
+    "SELECT COUNT(*) AS n FROM shieldqr_scans WHERE created_at >= datetime('now','-1 day')"
+  ).get().n;
+  res.json({ totalScans, recent24h, byLevel, reportsByStatus });
+});
+
+module.exports = router;

package/server/routes/admin-trust-monitor.js

@@ -1,83 +1,139 @@
-/**
- * Admin Trust Monitor — SSL health + cert history (Extended Trust Layer).
- *   GET  /api/admin/trust-monitor/sites      — list ssl_monitor rows
- *   POST /api/admin/trust-monitor/check      { host } — re-check one host
- *   POST /api/admin/trust-monitor/sweep      — re-check every site
- *   GET  /api/admin/trust-monitor/history    ?host= — cert_history rows
- *   GET  /api/admin/trust-monitor/stats
- */
-'use strict';
-
-const express = require('express');
-const Database = require('better-sqlite3');
-const path = require('path');
-const { authenticateAdmin } = require('../middleware/adminAuth');
-const { auditLog } = require('../services/security');
-const monitor = require('../services/ssl-monitor');
-
-const router = express.Router();
-router.use(authenticateAdmin);
-
-const DATA_DIR = process.env.NODE_ENV === 'test'
-  ? path.join(__dirname, '..', '..', 'data-test')
-  : (process.env.DATA_DIR || path.join(__dirname, '..', '..', 'data'));
-const DB_FILE = process.env.NODE_ENV === 'test' ? 'wab-test.db' : 'wab.db';
-
-let _db = null;
-function db() { if (!_db) { _db = new Database(path.join(DATA_DIR, DB_FILE)); } return _db; }
-
-router.get('/sites', (req, res) => {
-  const rows = db().prepare(`
-    SELECT host, fingerprint_sha256, issuer, valid_to, days_until_expiry,
-           status, error, last_checked_at, last_alert_at
-      FROM ssl_monitor ORDER BY
-      CASE status WHEN 'expired' THEN 0 WHEN 'error' THEN 1 WHEN 'expiring' THEN 2 ELSE 3 END,
-      days_until_expiry ASC
-  `).all();
-  res.json({ sites: rows, count: rows.length });
-});
-
-router.post('/check', async (req, res) => {
-  const host = (req.body && req.body.host || '').trim().toLowerCase();
-  if (!host) return res.status(400).json({ error: 'host required' });
-  try {
-    const r = await monitor.checkHost(host, { source: 'admin' });
-    auditLog({ actorType: 'admin', actorId: String(req.admin.id),
-      action: 'trust_check', details: { host, status: r.status }, ip: req.ip });
-    res.json(r);
-  } catch (e) { res.status(500).json({ error: e.message }); }
-});
-
-router.post('/sweep', async (req, res) => {
-  try {
-    const rs = await monitor.runSweep();
-    auditLog({ actorType: 'admin', actorId: String(req.admin.id),
-      action: 'trust_sweep', details: { count: rs.length }, ip: req.ip });
-    res.json({ count: rs.length, results: rs });
-  } catch (e) { res.status(500).json({ error: e.message }); }
-});
-
-router.get('/history', (req, res) => {
-  const host = (req.query.host || '').toLowerCase();
-  const limit = Math.min(parseInt(req.query.limit, 10) || 100, 500);
-  const sql = host
-    ? `SELECT * FROM cert_history WHERE host = ? ORDER BY observed_at DESC LIMIT ?`
-    : `SELECT * FROM cert_history ORDER BY observed_at DESC LIMIT ?`;
-  const rows = host ? db().prepare(sql).all(host, limit) : db().prepare(sql).all(limit);
-  res.json({ history: rows, count: rows.length });
-});
-
-router.get('/stats', (req, res) => {
-  const total = db().prepare('SELECT COUNT(*) AS n FROM ssl_monitor').get().n;
-  const byStatus = db().prepare('SELECT status, COUNT(*) AS n FROM ssl_monitor GROUP BY status').all();
-  const expiringSoon = db().prepare(
-    "SELECT COUNT(*) AS n FROM ssl_monitor WHERE status = 'expiring'"
-  ).get().n;
-  const expired = db().prepare(
-    "SELECT COUNT(*) AS n FROM ssl_monitor WHERE status = 'expired'"
-  ).get().n;
-  const certHistory = db().prepare('SELECT COUNT(*) AS n FROM cert_history').get().n;
-  res.json({ total, byStatus, expiringSoon, expired, certHistory });
-});
-
-module.exports = router;
+/**
+ * Admin Trust Monitor — SSL health + cert history (Extended Trust Layer).
+ *   GET  /api/admin/trust-monitor/sites      — list ssl_monitor rows
+ *   POST /api/admin/trust-monitor/check      { host } — re-check one host
+ *   POST /api/admin/trust-monitor/sweep      — re-check every site
+ *   GET  /api/admin/trust-monitor/history    ?host= — cert_history rows
+ *   GET  /api/admin/trust-monitor/stats
+ */
+'use strict';
+
+const express = require('express');
+const Database = require('better-sqlite3');
+const path = require('path');
+const { authenticateAdmin } = require('../middleware/adminAuth');
+const { auditLog } = require('../services/security');
+const monitor = require('../services/ssl-monitor');
+const ctMonitor = require('../services/ssl-ct-monitor');
+
+const router = express.Router();
+router.use(authenticateAdmin);
+
+const DATA_DIR = process.env.NODE_ENV === 'test'
+  ? path.join(__dirname, '..', '..', 'data-test')
+  : (process.env.DATA_DIR || path.join(__dirname, '..', '..', 'data'));
+const DB_FILE = process.env.NODE_ENV === 'test' ? 'wab-test.db' : 'wab.db';
+
+let _db = null;
+function db() { if (!_db) { _db = new Database(path.join(DATA_DIR, DB_FILE)); } return _db; }
+
+router.get('/sites', (req, res) => {
+  const rows = db().prepare(`
+    SELECT host, fingerprint_sha256, issuer, valid_to, days_until_expiry,
+           status, error, last_checked_at, last_alert_at,
+           ct_monitor_enabled, ct_last_checked, ct_pending_resign, ct_last_thumbprint
+      FROM ssl_monitor ORDER BY
+      CASE status WHEN 'expired' THEN 0 WHEN 'error' THEN 1 WHEN 'expiring' THEN 2 ELSE 3 END,
+      ct_pending_resign DESC,
+      days_until_expiry ASC
+  `).all();
+  res.json({ sites: rows, count: rows.length });
+});
+
+router.post('/check', async (req, res) => {
+  const host = (req.body && req.body.host || '').trim().toLowerCase();
+  if (!host) return res.status(400).json({ error: 'host required' });
+  try {
+    const r = await monitor.checkHost(host, { source: 'admin' });
+    auditLog({ actorType: 'admin', actorId: String(req.admin.id),
+      action: 'trust_check', details: { host, status: r.status }, ip: req.ip });
+    res.json(r);
+  } catch (e) { res.status(500).json({ error: e.message }); }
+});
+
+router.post('/sweep', async (req, res) => {
+  try {
+    const rs = await monitor.runSweep();
+    auditLog({ actorType: 'admin', actorId: String(req.admin.id),
+      action: 'trust_sweep', details: { count: rs.length }, ip: req.ip });
+    res.json({ count: rs.length, results: rs });
+  } catch (e) { res.status(500).json({ error: e.message }); }
+});
+
+router.get('/history', (req, res) => {
+  const host = (req.query.host || '').toLowerCase();
+  const limit = Math.min(parseInt(req.query.limit, 10) || 100, 500);
+  const sql = host
+    ? `SELECT * FROM cert_history WHERE host = ? ORDER BY observed_at DESC LIMIT ?`
+    : `SELECT * FROM cert_history ORDER BY observed_at DESC LIMIT ?`;
+  const rows = host ? db().prepare(sql).all(host, limit) : db().prepare(sql).all(limit);
+  res.json({ history: rows, count: rows.length });
+});
+
+router.get('/stats', (req, res) => {
+  const total = db().prepare('SELECT COUNT(*) AS n FROM ssl_monitor').get().n;
+  const byStatus = db().prepare('SELECT status, COUNT(*) AS n FROM ssl_monitor GROUP BY status').all();
+  const expiringSoon = db().prepare(
+    "SELECT COUNT(*) AS n FROM ssl_monitor WHERE status = 'expiring'"
+  ).get().n;
+  const expired = db().prepare(
+    "SELECT COUNT(*) AS n FROM ssl_monitor WHERE status = 'expired'"
+  ).get().n;
+  const certHistory = db().prepare('SELECT COUNT(*) AS n FROM cert_history').get().n;
+  let pendingResign = 0, ctEvents = 0, ctEnabled = 0;
+  try {
+    pendingResign = db().prepare('SELECT COUNT(*) AS n FROM ssl_monitor WHERE ct_pending_resign = 1').get().n;
+    ctEnabled     = db().prepare('SELECT COUNT(*) AS n FROM ssl_monitor WHERE ct_monitor_enabled = 1').get().n;
+    ctEvents      = db().prepare("SELECT COUNT(*) AS n FROM cert_history WHERE source = 'ct_log'").get().n;
+  } catch (_) { /* migration not applied yet */ }
+  res.json({ total, byStatus, expiringSoon, expired, certHistory, pendingResign, ctEvents, ctEnabled,
+             ctMonitorEnv: String(process.env.WAB_CT_MONITOR).toLowerCase() === 'true',
+             autoResignEnv: String(process.env.WAB_AUTO_RESIGN).toLowerCase() === 'true' });
+});
+
+// ---- Certificate Transparency endpoints ----
+
+router.post('/ct-sweep', async (req, res) => {
+  try {
+    const r = await ctMonitor.runCTMonitor();
+    auditLog({ actorType: 'admin', actorId: String(req.admin.id),
+      action: 'trust_ct_sweep', details: { count: r.count }, ip: req.ip });
+    res.json(r);
+  } catch (e) { res.status(500).json({ error: e.message }); }
+});
+
+router.post('/ct-check', async (req, res) => {
+  const host = (req.body && req.body.host || '').trim().toLowerCase();
+  if (!host) return res.status(400).json({ error: 'host required' });
+  try {
+    const r = await ctMonitor.checkDomain(host);
+    auditLog({ actorType: 'admin', actorId: String(req.admin.id),
+      action: 'trust_ct_check', details: { host, changed: !!r.changed }, ip: req.ip });
+    res.json(r);
+  } catch (e) { res.status(500).json({ error: e.message }); }
+});
+
+router.post('/ct-clear', (req, res) => {
+  const host = (req.body && req.body.host || '').trim().toLowerCase();
+  if (!host) return res.status(400).json({ error: 'host required' });
+  try {
+    const info = db().prepare('UPDATE ssl_monitor SET ct_pending_resign = 0 WHERE host = ?').run(host);
+    auditLog({ actorType: 'admin', actorId: String(req.admin.id),
+      action: 'trust_ct_clear', details: { host, changes: info.changes }, ip: req.ip });
+    res.json({ ok: true, changes: info.changes });
+  } catch (e) { res.status(500).json({ error: e.message }); }
+});
+
+router.post('/ct-toggle', (req, res) => {
+  const host = (req.body && req.body.host || '').trim().toLowerCase();
+  const enabled = req.body && req.body.enabled ? 1 : 0;
+  if (!host) return res.status(400).json({ error: 'host required' });
+  try {
+    db().prepare('UPDATE ssl_monitor SET ct_monitor_enabled = ? WHERE host = ?').run(enabled, host);
+    auditLog({ actorType: 'admin', actorId: String(req.admin.id),
+      action: 'trust_ct_toggle', details: { host, enabled }, ip: req.ip });
+    res.json({ ok: true, host, enabled: !!enabled });
+  } catch (e) { res.status(500).json({ error: e.message }); }
+});
+
+module.exports = router;