npm - web-agent-bridge - Versions diffs - 3.4.0 → 3.9.0 - Mend

web-agent-bridge 3.4.0 → 3.9.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (315) hide show

package/LICENSE +84 -84
package/README.ar.md +1565 -1304
package/README.md +171 -298
package/bin/agent-runner.js +474 -474
package/bin/cli.js +237 -237
package/bin/wab-init.js +244 -223
package/bin/wab.js +80 -80
package/examples/azure-dns-wab.js +83 -83
package/examples/bidi-agent.js +119 -119
package/examples/cloudflare-wab-dns.js +121 -121
package/examples/cpanel-wab-dns.js +114 -114
package/examples/cross-site-agent.js +91 -91
package/examples/dns-discovery-agent.js +166 -166
package/examples/gcp-dns-wab.js +76 -76
package/examples/governance-agent.js +169 -169
package/examples/mcp-agent.js +94 -94
package/examples/next-app-router/README.md +44 -44
package/examples/plesk-wab-dns.js +103 -103
package/examples/puppeteer-agent.js +108 -108
package/examples/route53-wab-dns.js +144 -144
package/examples/saas-dashboard/README.md +55 -55
package/examples/safe-mode-agent.js +96 -96
package/examples/self-discovery.js +106 -0
package/examples/shopify-hydrogen/README.md +74 -74
package/examples/vision-agent.js +171 -171
package/examples/wab-sign.js +74 -74
package/examples/wab-verify.js +60 -60
package/examples/wordpress-elementor/README.md +77 -77
package/package.json +93 -93
package/public/.well-known/agent-tools.json +180 -180
package/public/.well-known/ai-assets.json +59 -59
package/public/.well-known/security.txt +8 -8
package/public/.well-known/wab.json +28 -28
package/public/activate.html +448 -368
package/public/adopt.html +236 -0
package/public/adoption-metrics.html +188 -188
package/public/agent-workspace.html +359 -349
package/public/ai.html +198 -198
package/public/api.html +397 -413
package/public/atp.html +171 -0
package/public/azure-dns-integration.html +289 -289
package/public/browser.html +486 -486
package/public/cloudflare-integration.html +380 -380
package/public/commander-dashboard.html +243 -243
package/public/cookies.html +210 -210
package/public/cpanel-integration.html +398 -398
package/public/css/agent-workspace.css +1713 -1713
package/public/css/premium.css +317 -317
package/public/css/styles.css +1401 -1263
package/public/dashboard-shieldlink.html +295 -0
package/public/dashboard.html +711 -707
package/public/dns.html +436 -436
package/public/docs.html +588 -588
package/public/enterprise-mesh.ar.html +80 -0
package/public/enterprise-mesh.html +81 -0
package/public/feed.xml +89 -89
package/public/gcp-dns-integration.html +318 -318
package/public/governance.ar.html +70 -0
package/public/governance.html +69 -0
package/public/growth.html +465 -465
package/public/index.html +1372 -1266
package/public/integrations.html +556 -556
package/public/js/activate.js +449 -145
package/public/js/agent-workspace.js +1740 -1740
package/public/js/auth-nav.js +117 -65
package/public/js/auth-redirect.js +12 -12
package/public/js/cookie-consent.js +56 -56
package/public/js/dns.js +438 -438
package/public/js/wab-demo-page.js +721 -721
package/public/js/ws-client.js +74 -74
package/public/l-preview.html +242 -0
package/public/llms-full.txt +360 -360
package/public/llms.txt +125 -125
package/public/login.html +85 -85
package/public/mesh-dashboard.html +328 -328
package/public/milestones.html +346 -0
package/public/one-click.html +779 -0
package/public/openapi.json +669 -669
package/public/partners.ar.html +145 -0
package/public/partners.html +143 -0
package/public/phone-shield.html +281 -281
package/public/plesk-integration.html +375 -375
package/public/premium-dashboard.html +2489 -2489
package/public/premium.html +793 -793
package/public/privacy.html +297 -297
package/public/provider-onboarding.html +172 -172
package/public/provider-sandbox.html +134 -134
package/public/providers.html +359 -359
package/public/refusals.html +172 -0
package/public/register.html +105 -105
package/public/registrar-integrations.html +141 -141
package/public/ring4.html +292 -0
package/public/robots.txt +99 -99
package/public/route53-integration.html +531 -531
package/public/score.html +263 -0
package/public/script/wab-consent.d.ts +36 -36
package/public/script/wab-consent.js +104 -104
package/public/script/wab-schema.js +131 -131
package/public/script/wab.d.ts +108 -108
package/public/script/wab.min.js +580 -580
package/public/security.txt +8 -8
package/public/shieldlink.html +244 -0
package/public/shieldqr.html +231 -231
package/public/sitemap.xml +13 -1
package/public/terms.html +256 -256
package/public/trust-graph-api.ar.html +92 -0
package/public/trust-graph-api.html +91 -0
package/public/wab-features.html +560 -0
package/public/wab-trust.html +200 -200
package/public/wab-truth.html +375 -0
package/public/wab-vs-protocols.html +210 -210
package/public/whitepaper.html +449 -449
package/script/ai-agent-bridge.js +1754 -1754
package/sdk/README.md +99 -99
package/sdk/agent-mesh.js +449 -449
package/sdk/atp.js +103 -0
package/sdk/auto-discovery.js +301 -288
package/sdk/commander.js +262 -262
package/sdk/governance.js +262 -262
package/sdk/index.d.ts +464 -464
package/sdk/index.js +653 -649
package/sdk/multi-agent.js +318 -318
package/sdk/safe-mode.js +221 -221
package/sdk/safety-shield.js +219 -219
package/sdk/schema-discovery.js +83 -83
package/server/adapters/index.js +520 -520
package/server/config/plans.js +412 -367
package/server/config/secrets.js +102 -102
package/server/control-plane/index.js +301 -301
package/server/data-plane/index.js +354 -354
package/server/index.js +793 -670
package/server/llm/index.js +404 -404
package/server/middleware/adminAuth.js +35 -35
package/server/middleware/api-tier.js +170 -0
package/server/middleware/auth.js +50 -50
package/server/middleware/featureGate.js +88 -88
package/server/middleware/rateLimits.js +100 -100
package/server/middleware/sensitiveAction.js +157 -157
package/server/middleware/wab-trust.js +141 -0
package/server/migrations/001_add_analytics_indexes.sql +7 -7
package/server/migrations/002_premium_features.sql +418 -418
package/server/migrations/003_ads_integer_cents.sql +33 -33
package/server/migrations/004_agent_os.sql +158 -158
package/server/migrations/005_marketplace_metering.sql +126 -126
package/server/migrations/006_growth_suite.sql +138 -0
package/server/migrations/007_governance.sql +106 -106
package/server/migrations/008_plans.sql +144 -144
package/server/migrations/009_shieldqr.sql +30 -30
package/server/migrations/010_extended_trust.sql +33 -33
package/server/migrations/011_outreach.sql +47 -0
package/server/migrations/012_shieldlink.sql +116 -0
package/server/migrations/013_ct_monitor.sql +13 -0
package/server/migrations/014_wab_advanced_features.sql +128 -0
package/server/migrations/015_wab_truth_layer.sql +101 -0
package/server/migrations/016_ring4_external_trust.sql +84 -0
package/server/migrations/017_ring4_extensions.sql +69 -0
package/server/migrations/018_commercial_foundations.sql +167 -0
package/server/migrations/019_unify_tier_constraints.sql +133 -0
package/server/migrations/020_agent_transaction_primitive.sql +119 -0
package/server/models/adapters/index.js +33 -33
package/server/models/adapters/mysql.js +183 -183
package/server/models/adapters/postgresql.js +172 -172
package/server/models/adapters/sqlite.js +7 -7
package/server/models/db.js +740 -740
package/server/observability/failure-analysis.js +337 -337
package/server/observability/index.js +394 -394
package/server/protocol/capabilities.js +223 -223
package/server/protocol/index.js +243 -243
package/server/protocol/schema.js +584 -584
package/server/registry/certification.js +271 -271
package/server/registry/index.js +326 -326
package/server/routes/activate.js +478 -0
package/server/routes/admin-outreach.js +239 -0
package/server/routes/admin-plans.js +76 -76
package/server/routes/admin-premium.js +674 -673
package/server/routes/admin-shieldlink.js +137 -0
package/server/routes/admin-shieldqr.js +90 -90
package/server/routes/admin-trust-monitor.js +139 -83
package/server/routes/admin.js +550 -549
package/server/routes/adopt.js +61 -0
package/server/routes/ads.js +130 -130
package/server/routes/agent-workspace.js +540 -540
package/server/routes/api-keys.js +127 -0
package/server/routes/api.js +150 -150
package/server/routes/auth.js +71 -71
package/server/routes/billing.js +57 -57
package/server/routes/commander.js +316 -316
package/server/routes/customer-shieldlink.js +133 -0
package/server/routes/demo-showcase.js +332 -332
package/server/routes/demo-store.js +154 -154
package/server/routes/diagnose.js +373 -0
package/server/routes/discovery.js +2348 -2348
package/server/routes/enterprise-mesh.js +170 -0
package/server/routes/gateway.js +173 -173
package/server/routes/governance-saas.js +203 -0
package/server/routes/governance.js +208 -208
package/server/routes/growth.js +1048 -0
package/server/routes/intent.js +328 -0
package/server/routes/license.js +251 -251
package/server/routes/mesh.js +469 -469
package/server/routes/noscript.js +543 -543
package/server/routes/partners.js +201 -0
package/server/routes/plans.js +33 -33
package/server/routes/premium-v2.js +686 -686
package/server/routes/premium.js +724 -724
package/server/routes/providers.js +650 -650
package/server/routes/reputation.js +411 -0
package/server/routes/ring4.js +885 -0
package/server/routes/runtime.js +2148 -2148
package/server/routes/shieldlink.js +70 -0
package/server/routes/shieldqr.js +88 -88
package/server/routes/sovereign.js +465 -465
package/server/routes/transactions.js +233 -0
package/server/routes/truth-layer.js +670 -0
package/server/routes/universal.js +200 -200
package/server/routes/unsubscribe.js +51 -0
package/server/routes/wab-api.js +850 -850
package/server/routes/wab-cache.js +282 -0
package/server/runtime/container-worker.js +111 -111
package/server/runtime/container.js +448 -448
package/server/runtime/distributed-worker.js +362 -362
package/server/runtime/event-bus.js +210 -210
package/server/runtime/index.js +253 -253
package/server/runtime/queue.js +599 -599
package/server/runtime/replay.js +666 -666
package/server/runtime/sandbox.js +266 -266
package/server/runtime/scheduler.js +534 -534
package/server/runtime/session-engine.js +293 -293
package/server/runtime/state-manager.js +188 -188
package/server/secrets/wab-signing-key.pem +3 -0
package/server/secrets/wab-signing-pub.pem +3 -0
package/server/security/cross-site-redactor.js +196 -196
package/server/security/dry-run.js +180 -180
package/server/security/human-gate-rate-limit.js +147 -147
package/server/security/human-gate-transports.js +178 -178
package/server/security/human-gate.js +281 -281
package/server/security/index.js +368 -368
package/server/security/intent-engine.js +245 -245
package/server/security/reward-guard.js +171 -171
package/server/security/rollback-store.js +239 -239
package/server/security/token-scope.js +404 -404
package/server/security/url-policy.js +139 -139
package/server/services/adoption-agent.js +182 -0
package/server/services/agent-chat.js +506 -506
package/server/services/agent-learning.js +601 -601
package/server/services/agent-memory.js +625 -625
package/server/services/agent-mesh.js +555 -555
package/server/services/agent-symphony.js +717 -717
package/server/services/agent-tasks.js +1807 -1807
package/server/services/api-key-engine.js +292 -292
package/server/services/cluster.js +894 -894
package/server/services/commander.js +738 -738
package/server/services/edge-compute.js +440 -440
package/server/services/email.js +233 -233
package/server/services/fairness-engine.js +409 -0
package/server/services/fairness.js +420 -0
package/server/services/governance.js +466 -466
package/server/services/hosted-runtime.js +205 -205
package/server/services/lfd.js +635 -635
package/server/services/local-ai.js +389 -389
package/server/services/marketplace.js +270 -270
package/server/services/metering.js +182 -182
package/server/services/modules/affiliate-intelligence.js +93 -93
package/server/services/modules/agent-firewall.js +90 -90
package/server/services/modules/bounty.js +89 -89
package/server/services/modules/collective-bargaining.js +92 -92
package/server/services/modules/dark-pattern.js +66 -66
package/server/services/modules/gov-intelligence.js +45 -45
package/server/services/modules/neural.js +55 -55
package/server/services/modules/notary.js +49 -49
package/server/services/modules/price-time-machine.js +86 -86
package/server/services/modules/protocol.js +104 -104
package/server/services/negotiation.js +439 -439
package/server/services/outreach-agent.js +312 -0
package/server/services/plans.js +214 -214
package/server/services/plugins.js +771 -771
package/server/services/price-intelligence.js +566 -566
package/server/services/price-shield.js +1137 -1137
package/server/services/provider-clients.js +740 -740
package/server/services/reputation.js +465 -465
package/server/services/search-engine.js +357 -357
package/server/services/security.js +513 -513
package/server/services/self-healing.js +843 -843
package/server/services/shieldlink.js +492 -0
package/server/services/shieldqr.js +322 -322
package/server/services/sovereign-shield.js +542 -542
package/server/services/ssl-ct-monitor.js +224 -0
package/server/services/ssl-inspector.js +42 -42
package/server/services/ssl-monitor.js +167 -167
package/server/services/stripe.js +206 -205
package/server/services/swarm.js +788 -788
package/server/services/transactions.js +525 -0
package/server/services/universal-scraper.js +662 -662
package/server/services/verification.js +481 -481
package/server/services/vision.js +1163 -1163
package/server/services/wab-crypto.js +178 -178
package/server/utils/cache.js +125 -125
package/server/utils/migrate.js +81 -81
package/server/utils/safe-fetch.js +228 -228
package/server/utils/secureFields.js +50 -50
package/server/ws.js +161 -161
package/templates/artisan-marketplace.yaml +104 -104
package/templates/book-price-scout.yaml +98 -98
package/templates/electronics-price-tracker.yaml +108 -108
package/templates/flight-deal-hunter.yaml +113 -113
package/templates/freelancer-direct.yaml +116 -116
package/templates/grocery-price-compare.yaml +93 -93
package/templates/hotel-direct-booking.yaml +113 -113
package/templates/local-services.yaml +98 -98
package/templates/olive-oil-tunisia.yaml +88 -88
package/templates/organic-farm-fresh.yaml +101 -101
package/templates/restaurant-direct.yaml +97 -97
package/templates/ring4/banking-sovereign.yaml +55 -0
package/templates/ring4/ecommerce-sovereign.yaml +58 -0
package/templates/ring4/healthcare-sovereign.yaml +60 -0

package/server/routes/admin.js CHANGED Viewed

@@ -1,549 +1,550 @@
-/**
- * Admin API Routes
- * Full admin panel backend: users, sites, analytics, Stripe, SMTP, grants
- */
-const express = require('express');
-const router = express.Router();
-const { authenticateAdmin, generateAdminToken } = require('../middleware/adminAuth');
-const { adminLoginLimiter } = require('../middleware/rateLimits');
-const { auditLog, revokeJWT } = require('../services/security');
-const {
-  loginAdmin, findAdminById, createAdmin,
-  getAllUsers, getAllSites, getAdminStats, getPlatformAnalytics,
-  getUserFullDetails, adminUpdateUserTier, adminUpdateSite, adminDeleteUser,
-  grantFreeTier, revokeGrant, getActiveGrants,
-  getSmtpSettings, updateSmtpSettings, getNotificationLogs,
-  getPayments, getPlatformSetting, setPlatformSetting,
-  findUserByEmail,
-  findSiteById,
-  getAnalyticsBySite,
-  getAnalyticsTimeline,
-  db
-} = require('../models/db');
-const { sendEmail } = require('../services/email');
-const { createCheckoutSession, createPortalSession, isStripeConfigured, getStripePrices } = require('../services/stripe');
-// ─── Auth ──────────────────────────────────────────────────────────────
-router.post('/login', adminLoginLimiter, (req, res) => {
-  const { email, password } = req.body;
-  if (!email || !password) return res.status(400).json({ error: 'Email and password required' });
-  const admin = loginAdmin({ email, password });
-  if (!admin) {
-    auditLog({ actorType: 'admin', action: 'admin_login_failed', details: { email }, ip: req.ip, outcome: 'denied', severity: 'warning' });
-    return res.status(401).json({ error: 'Invalid credentials' });
-  }
-  const token = generateAdminToken(admin);
-  auditLog({ actorType: 'admin', actorId: String(admin.id), action: 'admin_login', ip: req.ip });
-  res.json({ admin, token });
-});
-router.post('/logout', authenticateAdmin, (req, res) => {
-  if (req._rawToken) {
-    revokeJWT(req._rawToken, 'admin_logout');
-    auditLog({ actorType: 'admin', actorId: String(req.admin.id), action: 'admin_logout', ip: req.ip });
-  }
-  res.json({ success: true });
-});
-router.get('/me', authenticateAdmin, (req, res) => {
-  const admin = findAdminById(req.admin.id);
-  if (!admin) return res.status(404).json({ error: 'Admin not found' });
-  res.json({ admin });
-});
-// ─── Dashboard Stats ──────────────────────────────────────────────────
-router.get('/stats', authenticateAdmin, (req, res) => {
-  const stats = getAdminStats();
-  stats.stripeConfigured = isStripeConfigured();
-  res.json(stats);
-});
-router.get('/analytics', authenticateAdmin, (req, res) => {
-  const days = parseInt(req.query.days) || 30;
-  const data = getPlatformAnalytics(days);
-  res.json(data);
-});
-// ─── Users Management ─────────────────────────────────────────────────
-router.get('/users', authenticateAdmin, (req, res) => {
-  const users = getAllUsers();
-  res.json({ users });
-});
-router.get('/users/:id', authenticateAdmin, (req, res) => {
-  const user = getUserFullDetails(req.params.id);
-  if (!user) return res.status(404).json({ error: 'User not found' });
-  res.json({ user });
-});
-router.put('/users/:id/tier', authenticateAdmin, (req, res) => {
-  const { tier, siteId } = req.body;
-  if (!['free', 'starter', 'pro', 'enterprise'].includes(tier)) {
-    return res.status(400).json({ error: 'Invalid tier' });
-  }
-  adminUpdateUserTier(req.params.id, siteId, tier);
-  res.json({ success: true });
-});
-router.delete('/users/:id', authenticateAdmin, (req, res) => {
-  adminDeleteUser(req.params.id);
-  res.json({ success: true });
-});
-// ─── Sites Management ─────────────────────────────────────────────────
-router.get('/sites', authenticateAdmin, (req, res) => {
-  const sites = getAllSites();
-  res.json({ sites });
-});
-router.put('/sites/:id', authenticateAdmin, (req, res) => {
-  const { tier, active } = req.body;
-  const ok = adminUpdateSite(req.params.id, { tier, active });
-  if (!ok) return res.status(404).json({ error: 'Site not found or invalid tier' });
-  res.json({ success: true });
-});
-router.get('/sites/:id/analytics', authenticateAdmin, (req, res) => {
-  const site = findSiteById.get(req.params.id);
-  if (!site) return res.status(404).json({ error: 'Site not found' });
-  const days = parseInt(req.query.days, 10) || 30;
-  const since = new Date(Date.now() - days * 86400000).toISOString();
-  const summary = getAnalyticsBySite.all(site.id, since);
-  const timeline = getAnalyticsTimeline.all(site.id, since);
-  res.json({
-    site: {
-      id: site.id,
-      name: site.name,
-      domain: site.domain,
-      tier: site.tier,
-      license_key: site.license_key
-    },
-    summary,
-    timeline,
-    period: `${days} days`
-  });
-});
-// ─── Free Grants ──────────────────────────────────────────────────────
-router.get('/grants', authenticateAdmin, (req, res) => {
-  const grants = getActiveGrants();
-  res.json({ grants });
-});
-router.post('/grants', authenticateAdmin, (req, res) => {
-  const { userId, siteId, tier, reason, expiresAt } = req.body;
-  if (!userId || !tier) return res.status(400).json({ error: 'userId and tier required' });
-  if (!['starter', 'pro', 'enterprise'].includes(tier)) return res.status(400).json({ error: 'Invalid tier' });
-  const grant = grantFreeTier({ userId, siteId, tier, reason, grantedBy: req.admin.id, expiresAt });
-  // Send notification email
-  const user = getUserFullDetails(userId);
-  if (user) {
-    sendEmail({
-      to: user.email,
-      template: 'tier_upgrade',
-      data: { name: user.name, tier, reason: reason || 'Complimentary upgrade' },
-      userId
-    }).catch(() => {});
-  }
-  res.status(201).json({ grant });
-});
-router.delete('/grants/:id', authenticateAdmin, (req, res) => {
-  const ok = revokeGrant(req.params.id);
-  if (!ok) return res.status(404).json({ error: 'Grant not found' });
-  res.json({ success: true });
-});
-// ─── Stripe Settings ─────────────────────────────────────────────────
-router.get('/stripe/config', authenticateAdmin, (req, res) => {
-  const secretKey = getPlatformSetting('stripe_secret_key');
-  const publishableKey = getPlatformSetting('stripe_publishable_key');
-  const webhookSecret = getPlatformSetting('stripe_webhook_secret');
-  const prices = getStripePrices();
-  res.json({
-    configured: isStripeConfigured(),
-    hasSecretKey: !!secretKey,
-    publishableKey: publishableKey || '',
-    webhookSecret: webhookSecret ? '••••' + webhookSecret.slice(-4) : '',
-    prices
-  });
-});
-router.put('/stripe/config', authenticateAdmin, (req, res) => {
-  const { secretKey, publishableKey, webhookSecret, priceStarter, pricePro, priceEnterprise } = req.body;
-  if (secretKey) setPlatformSetting('stripe_secret_key', secretKey);
-  if (publishableKey) setPlatformSetting('stripe_publishable_key', publishableKey);
-  if (webhookSecret) setPlatformSetting('stripe_webhook_secret', webhookSecret);
-  if (priceStarter) setPlatformSetting('stripe_price_starter', priceStarter);
-  if (pricePro) setPlatformSetting('stripe_price_pro', pricePro);
-  if (priceEnterprise) setPlatformSetting('stripe_price_enterprise', priceEnterprise);
-  res.json({ success: true });
-});
-// ─── Payments ──────────────────────────────────────────────────────────
-router.get('/payments', authenticateAdmin, (req, res) => {
-  const limit = parseInt(req.query.limit) || 50;
-  const payments = getPayments(limit);
-  res.json({ payments });
-});
-// ─── SMTP Settings ────────────────────────────────────────────────────
-router.get('/smtp', authenticateAdmin, (req, res) => {
-  const settings = getSmtpSettings();
-  // Mask password
-  if (settings && settings.password) {
-    settings.password = '••••••••';
-  }
-  res.json({ settings });
-});
-router.put('/smtp', authenticateAdmin, (req, res) => {
-  const { host, port, secure, username, password, fromName, fromEmail, enabled } = req.body;
-  if (!host || !username || !fromEmail) {
-    return res.status(400).json({ error: 'Host, username, and fromEmail are required' });
-  }
-  updateSmtpSettings({ host, port, secure, username, password, fromName, fromEmail, enabled });
-  res.json({ success: true });
-});
-router.post('/smtp/test', authenticateAdmin, (req, res) => {
-  const { testEmail } = req.body;
-  if (!testEmail) return res.status(400).json({ error: 'testEmail required' });
-  sendEmail({
-    to: testEmail,
-    template: 'welcome',
-    data: { name: 'Test User', dashboardUrl: 'https://webagentbridge.com/dashboard' }
-  }).then(result => {
-    res.json(result);
-  }).catch(err => {
-    res.status(500).json({ success: false, error: err.message });
-  });
-});
-// ─── Notification Logs ────────────────────────────────────────────────
-router.get('/notifications', authenticateAdmin, (req, res) => {
-  const limit = parseInt(req.query.limit) || 100;
-  const logs = getNotificationLogs(limit);
-  res.json({ logs });
-});
-// ─── Send Custom Notification ─────────────────────────────────────────
-router.post('/notifications/send', authenticateAdmin, (req, res) => {
-  const { userId, email, template, data } = req.body;
-  if (!email || !template) return res.status(400).json({ error: 'email and template required' });
-  sendEmail({ to: email, template, data: data || {}, userId }).then(result => {
-    res.json(result);
-  }).catch(err => {
-    res.status(500).json({ success: false, error: err.message });
-  });
-});
-// ─── DNS Discovery Oversight ──────────────────────────────────────────
-//  Real-data views into discovery_usage_runs / discovery_trust_runs.
-//  Tables are auto-created by routes/discovery.js.
-function tableExists(name) {
-  try {
-    return !!db.prepare(`SELECT name FROM sqlite_master WHERE type='table' AND name = ?`).get(name);
-  } catch { return false; }
-}
-router.get('/discovery/stats', authenticateAdmin, (_req, res) => {
-  if (!tableExists('discovery_usage_runs')) {
-    return res.json({ enabled: false, totals: {}, last7d: [], topDomains: [] });
-  }
-  const totals = db.prepare(`
-    SELECT
-      COUNT(*) AS runs,
-      COUNT(DISTINCT domain) AS domains,
-      SUM(CASE WHEN execution_succeeded = 1 THEN 1 ELSE 0 END) AS successes,
-      AVG(value_score) AS avg_score
-    FROM discovery_usage_runs
-    WHERE created_at >= datetime('now', '-30 days')
-  `).get();
-  const last7d = db.prepare(`
-    SELECT date(created_at) AS day, COUNT(*) AS runs,
-           SUM(CASE WHEN execution_succeeded = 1 THEN 1 ELSE 0 END) AS successes
-    FROM discovery_usage_runs
-    WHERE created_at >= datetime('now', '-7 days')
-    GROUP BY day ORDER BY day ASC
-  `).all();
-  const topDomains = db.prepare(`
-    SELECT domain, COUNT(*) AS runs, AVG(value_score) AS score
-    FROM discovery_usage_runs
-    WHERE created_at >= datetime('now', '-30 days')
-    GROUP BY domain ORDER BY runs DESC LIMIT 25
-  `).all();
-  res.json({ enabled: true, totals, last7d, topDomains });
-});
-router.get('/discovery/runs', authenticateAdmin, (req, res) => {
-  if (!tableExists('discovery_usage_runs')) return res.json({ runs: [] });
-  const limit = Math.min(parseInt(req.query.limit, 10) || 100, 500);
-  const runs = db.prepare(`
-    SELECT id, domain, mode, preferred_use_case, selected_action,
-           readiness_ok, execution_attempted, execution_succeeded,
-           value_score, end_to_end_ms, created_at
-    FROM discovery_usage_runs
-    ORDER BY created_at DESC LIMIT ?
-  `).all(limit);
-  res.json({ runs });
-});
-router.get('/trust/stats', authenticateAdmin, (_req, res) => {
-  if (!tableExists('discovery_trust_runs')) {
-    return res.json({ enabled: false, totals: {}, leaderboard: [] });
-  }
-  const totals = db.prepare(`
-    SELECT COUNT(*) AS runs, COUNT(DISTINCT domain) AS domains,
-           AVG(score) AS avg_score,
-           SUM(sig_valid) AS valid_sigs,
-           SUM(signed_manifest) AS signed_manifests,
-           SUM(has_pk) AS domains_with_pk
-    FROM discovery_trust_runs
-    WHERE created_at >= datetime('now', '-30 days')
-  `).get();
-  const leaderboard = db.prepare(`
-    SELECT domain, MAX(score) AS score, MAX(created_at) AS last_run
-    FROM discovery_trust_runs
-    GROUP BY domain ORDER BY score DESC, last_run DESC LIMIT 25
-  `).all();
-  res.json({ enabled: true, totals, leaderboard });
-});
-router.get('/trust/runs', authenticateAdmin, (req, res) => {
-  if (!tableExists('discovery_trust_runs')) return res.json({ runs: [] });
-  const limit = Math.min(parseInt(req.query.limit, 10) || 100, 500);
-  const runs = db.prepare(`
-    SELECT id, domain, score, dnssec, has_pk, signed_manifest, sig_valid, https_ok, created_at
-    FROM discovery_trust_runs
-    ORDER BY created_at DESC LIMIT ?
-  `).all(limit);
-  res.json({ runs });
-});
-// ─── Providers Oversight (cross-user) ─────────────────────────────────
-router.get('/providers/stats', authenticateAdmin, (_req, res) => {
-  if (!tableExists('provider_accounts')) {
-    return res.json({ enabled: false, totals: {}, byProvider: [], recentActions: [] });
-  }
-  const totals = db.prepare(`
-    SELECT COUNT(*) AS accounts,
-           SUM(CASE WHEN status='active' THEN 1 ELSE 0 END) AS active,
-           SUM(CASE WHEN status='error' THEN 1 ELSE 0 END) AS errored,
-           SUM(domains_count) AS domains_under_management
-    FROM provider_accounts
-  `).get();
-  const byProvider = db.prepare(`
-    SELECT provider_type, COUNT(*) AS accounts,
-           SUM(CASE WHEN status='active' THEN 1 ELSE 0 END) AS active,
-           COALESCE(SUM(domains_count), 0) AS domains
-    FROM provider_accounts
-    GROUP BY provider_type ORDER BY accounts DESC
-  `).all();
-  const recentActions = tableExists('provider_action_log')
-    ? db.prepare(`
-        SELECT l.id, l.account_id, a.provider_type, l.domain, l.action, l.status,
-               l.duration_ms, l.detail, l.created_at
-        FROM provider_action_log l
-        LEFT JOIN provider_accounts a ON a.id = l.account_id
-        ORDER BY l.created_at DESC LIMIT 50
-      `).all()
-    : [];
-  const wabEnabled = tableExists('provider_domains')
-    ? db.prepare(`SELECT COUNT(*) AS c FROM provider_domains WHERE wab_enabled = 1`).get().c
-    : 0;
-  res.json({ enabled: true, totals: { ...totals, wab_enabled_domains: wabEnabled }, byProvider, recentActions });
-});
-router.get('/providers/accounts', authenticateAdmin, (req, res) => {
-  if (!tableExists('provider_accounts')) return res.json({ accounts: [] });
-  const limit = Math.min(parseInt(req.query.limit, 10) || 200, 1000);
-  const rows = db.prepare(`
-    SELECT a.id, a.user_id, u.email AS user_email, a.provider_type, a.label,
-           a.status, a.last_test_at, a.last_test_ok, a.last_test_error,
-           a.last_sync_at, a.domains_count, a.created_at, a.updated_at
-    FROM provider_accounts a
-    LEFT JOIN users u ON u.id = a.user_id
-    ORDER BY a.created_at DESC LIMIT ?
-  `).all(limit);
-  res.json({ accounts: rows });
-});
-router.get('/providers/domains', authenticateAdmin, (req, res) => {
-  if (!tableExists('provider_domains')) return res.json({ domains: [] });
-  const limit = Math.min(parseInt(req.query.limit, 10) || 200, 1000);
-  const rows = db.prepare(`
-    SELECT d.id, d.account_id, a.provider_type, a.user_id, u.email AS user_email,
-           d.domain, d.zone_id, d.wab_enabled, d.wab_record_value,
-           d.last_action, d.last_action_at, d.last_action_status, d.last_action_error
-    FROM provider_domains d
-    LEFT JOIN provider_accounts a ON a.id = d.account_id
-    LEFT JOIN users u ON u.id = a.user_id
-    ORDER BY d.updated_at DESC LIMIT ?
-  `).all(limit);
-  res.json({ domains: rows });
-});
-// ─── API Modules: real counts (replaces hardcoded dashboard placeholders) ──
-router.get('/modules/stats', authenticateAdmin, (_req, res) => {
-  // Source of truth: server/routes/* + service registry. We treat each
-  // top-level route module as one "API module" and return real numbers.
-  const modules = [
-    { id: 'auth',         label: 'Authentication',   openness: 'open' },
-    { id: 'wab',          label: 'WAB Core API',     openness: 'open' },
-    { id: 'discovery',    label: 'DNS Discovery',    openness: 'open' },
-    { id: 'sovereign',    label: 'Sovereign Mode',   openness: 'open' },
-    { id: 'commander',    label: 'Commander SDK',    openness: 'partial' },
-    { id: 'mesh',         label: 'Agent Mesh',       openness: 'partial' },
-    { id: 'workspace',    label: 'Agent Workspace',  openness: 'partial' },
-    { id: 'universal',    label: 'Universal Agent',  openness: 'partial' },
-    { id: 'gateway',      label: 'Gateway (v1)',     openness: 'closed' },
-    { id: 'premium',      label: 'Premium APIs',     openness: 'closed' },
-    { id: 'admin',        label: 'Admin APIs',       openness: 'closed' },
-    { id: 'providers',    label: 'DNS Providers',    openness: 'open' },
-  ];
-  const counts = modules.reduce((acc, m) => { acc[m.openness] = (acc[m.openness] || 0) + 1; return acc; }, {});
-  res.json({
-    total: modules.length,
-    open: counts.open || 0,
-    partial: counts.partial || 0,
-    closed: counts.closed || 0,
-    modules,
-  });
-});
-// ─── Governance Layer (Phase 20) — admin oversight of all agents ──
-// These endpoints expose the same data as /api/governance/* but authenticate
-// via admin token instead of an agent's own token, so an admin can see and
-// act across every agent on the platform.
-const gov = (() => { try { return require('../services/governance'); } catch { return null; } });
-function ensureGovTables() {
-  return tableExists('gov_agents');
-}
-router.get('/governance/stats', authenticateAdmin, (_req, res) => {
-  if (!ensureGovTables()) return res.json({ enabled: false, totals: {} });
-  const totals = db.prepare(`
-    SELECT
-      COUNT(*) AS agents,
-      SUM(CASE WHEN status='alive' THEN 1 ELSE 0 END) AS alive,
-      SUM(CASE WHEN status='killed' THEN 1 ELSE 0 END) AS killed,
-      SUM(CASE WHEN status='suspended' THEN 1 ELSE 0 END) AS suspended
-    FROM gov_agents
-  `).get() || {};
-  const policies = db.prepare(`SELECT COUNT(*) AS c FROM gov_policies`).get().c;
-  const audit = db.prepare(`SELECT COUNT(*) AS c FROM gov_audit`).get().c;
-  const pending = db.prepare(`SELECT COUNT(*) AS c FROM gov_approvals WHERE status='pending'`).get().c;
-  const recentDenies = db.prepare(`
-    SELECT id, agent_id, ts, resource, action, decision, reason
-    FROM gov_audit WHERE decision='deny' ORDER BY id DESC LIMIT 25
-  `).all();
-  res.json({ enabled: true, totals: { ...totals, policies, audit_events: audit, pending_approvals: pending }, recentDenies });
-});
-router.get('/governance/agents', authenticateAdmin, (_req, res) => {
-  if (!ensureGovTables()) return res.json({ agents: [] });
-  const rows = db.prepare(`
-    SELECT a.agent_id, a.owner_id, u.email AS owner_email, a.display_name,
-           a.status, a.killed_at, a.killed_reason, a.created_at, a.updated_at,
-           (SELECT COUNT(*) FROM gov_policies p WHERE p.agent_id = a.agent_id) AS policies,
-           (SELECT COUNT(*) FROM gov_audit g WHERE g.agent_id = a.agent_id) AS audit_events,
-           (SELECT COUNT(*) FROM gov_approvals ap WHERE ap.agent_id = a.agent_id AND ap.status='pending') AS pending_approvals
-    FROM gov_agents a
-    LEFT JOIN users u ON u.id = a.owner_id
-    ORDER BY a.created_at DESC
-  `).all();
-  res.json({ agents: rows });
-});
-router.get('/governance/agents/:id', authenticateAdmin, (req, res) => {
-  if (!ensureGovTables()) return res.status(404).json({ error: 'governance_disabled' });
-  const a = db.prepare(`SELECT agent_id, owner_id, display_name, status, killed_at, killed_reason, metadata, created_at, updated_at FROM gov_agents WHERE agent_id = ?`).get(req.params.id);
-  if (!a) return res.status(404).json({ error: 'agent_not_found' });
-  const policies = db.prepare(`SELECT * FROM gov_policies WHERE agent_id = ? ORDER BY id DESC`).all(req.params.id);
-  const approvals = db.prepare(`SELECT * FROM gov_approvals WHERE agent_id = ? AND status='pending' ORDER BY created_at DESC LIMIT 50`).all(req.params.id);
-  const audit = db.prepare(`SELECT id, ts, event_type, resource, action, scope, amount, currency, decision, reason FROM gov_audit WHERE agent_id = ? ORDER BY id DESC LIMIT 200`).all(req.params.id);
-  res.json({ agent: a, policies, approvals, audit });
-});
-router.get('/governance/agents/:id/audit/verify', authenticateAdmin, (req, res) => {
-  const g = gov(); if (!g) return res.status(503).json({ error: 'governance_unavailable' });
-  res.json(g.verifyAuditChain(req.params.id));
-});
-router.post('/governance/agents/:id/kill', authenticateAdmin, (req, res) => {
-  const g = gov(); if (!g) return res.status(503).json({ error: 'governance_unavailable' });
-  const reason = (req.body && req.body.reason) || ('admin:' + (req.admin.email || req.admin.id));
-  const ok = g.killAgent(req.params.id, reason);
-  auditLog({ actorType: 'admin', actorId: String(req.admin.id), action: 'governance_kill', details: { agent_id: req.params.id, reason } });
-  res.json({ ok, status: 'killed', reason });
-});
-router.post('/governance/agents/:id/revive', authenticateAdmin, (req, res) => {
-  const g = gov(); if (!g) return res.status(503).json({ error: 'governance_unavailable' });
-  const reason = (req.body && req.body.reason) || ('admin:' + (req.admin.email || req.admin.id));
-  const ok = g.reviveAgent(req.params.id, reason);
-  auditLog({ actorType: 'admin', actorId: String(req.admin.id), action: 'governance_revive', details: { agent_id: req.params.id, reason } });
-  res.json({ ok, status: 'alive', reason });
-});
-router.post('/governance/agents/:id/policies', authenticateAdmin, (req, res) => {
-  const g = gov(); if (!g) return res.status(503).json({ error: 'governance_unavailable' });
-  const b = req.body || {};
-  if (!b.resource || !b.action) return res.status(400).json({ error: 'missing_fields', need: ['resource', 'action'] });
-  const r = g.definePolicy({
-    agentId: req.params.id, resource: String(b.resource), action: String(b.action),
-    scope: b.scope || null, maxAmount: b.max_amount, currency: b.currency,
-    dailyCap: b.daily_cap, perCallRate: b.per_call_rate,
-    requiresApproval: !!b.requires_approval,
-    effect: b.effect === 'deny' ? 'deny' : 'allow',
-    expiresAt: b.expires_at || null,
-  });
-  auditLog({ actorType: 'admin', actorId: String(req.admin.id), action: 'governance_policy_create', details: { agent_id: req.params.id, policy_id: r.id } });
-  res.status(201).json({ ok: true, id: r.id });
-});
-router.delete('/governance/agents/:id/policies/:pid', authenticateAdmin, (req, res) => {
-  const g = gov(); if (!g) return res.status(503).json({ error: 'governance_unavailable' });
-  const ok = g.deletePolicy(req.params.id, Number(req.params.pid));
-  auditLog({ actorType: 'admin', actorId: String(req.admin.id), action: 'governance_policy_delete', details: { agent_id: req.params.id, policy_id: req.params.pid } });
-  res.json({ ok });
-});
-router.post('/governance/approvals/:rid/decide', authenticateAdmin, (req, res) => {
-  const g = gov(); if (!g) return res.status(503).json({ error: 'governance_unavailable' });
-  const decision = req.body?.decision === 'approved' ? 'approved' : 'rejected';
-  const out = g.decideApproval(req.params.rid, {
-    decision,
-    decidedBy: 'admin:' + req.admin.id,
-    note: req.body?.note || null,
-  });
-  if (!out.ok) return res.status(409).json(out);
-  auditLog({ actorType: 'admin', actorId: String(req.admin.id), action: 'governance_approval_decide', details: { request_id: req.params.rid, decision } });
-  res.json(out);
-});
-module.exports = router;
+/**
+ * Admin API Routes
+ * Full admin panel backend: users, sites, analytics, Stripe, SMTP, grants
+ */
+const express = require('express');
+const router = express.Router();
+const { authenticateAdmin, generateAdminToken } = require('../middleware/adminAuth');
+const { adminLoginLimiter } = require('../middleware/rateLimits');
+const { auditLog, revokeJWT } = require('../services/security');
+const {
+  loginAdmin, findAdminById, createAdmin,
+  getAllUsers, getAllSites, getAdminStats, getPlatformAnalytics,
+  getUserFullDetails, adminUpdateUserTier, adminUpdateSite, adminDeleteUser,
+  grantFreeTier, revokeGrant, getActiveGrants,
+  getSmtpSettings, updateSmtpSettings, getNotificationLogs,
+  getPayments, getPlatformSetting, setPlatformSetting,
+  findUserByEmail,
+  findSiteById,
+  getAnalyticsBySite,
+  getAnalyticsTimeline,
+  db
+} = require('../models/db');
+const { sendEmail } = require('../services/email');
+const { createCheckoutSession, createPortalSession, isStripeConfigured, getStripePrices } = require('../services/stripe');
+// ─── Auth ──────────────────────────────────────────────────────────────
+router.post('/login', adminLoginLimiter, (req, res) => {
+  const { email, password } = req.body;
+  if (!email || !password) return res.status(400).json({ error: 'Email and password required' });
+  const admin = loginAdmin({ email, password });
+  if (!admin) {
+    auditLog({ actorType: 'admin', action: 'admin_login_failed', details: { email }, ip: req.ip, outcome: 'denied', severity: 'warning' });
+    return res.status(401).json({ error: 'Invalid credentials' });
+  }
+  const token = generateAdminToken(admin);
+  auditLog({ actorType: 'admin', actorId: String(admin.id), action: 'admin_login', ip: req.ip });
+  res.json({ admin, token });
+});
+router.post('/logout', authenticateAdmin, (req, res) => {
+  if (req._rawToken) {
+    revokeJWT(req._rawToken, 'admin_logout');
+    auditLog({ actorType: 'admin', actorId: String(req.admin.id), action: 'admin_logout', ip: req.ip });
+  }
+  res.json({ success: true });
+});
+router.get('/me', authenticateAdmin, (req, res) => {
+  const admin = findAdminById(req.admin.id);
+  if (!admin) return res.status(404).json({ error: 'Admin not found' });
+  res.json({ admin });
+});
+// ─── Dashboard Stats ──────────────────────────────────────────────────
+router.get('/stats', authenticateAdmin, (req, res) => {
+  const stats = getAdminStats();
+  stats.stripeConfigured = isStripeConfigured();
+  res.json(stats);
+});
+router.get('/analytics', authenticateAdmin, (req, res) => {
+  const days = parseInt(req.query.days) || 30;
+  const data = getPlatformAnalytics(days);
+  res.json(data);
+});
+// ─── Users Management ─────────────────────────────────────────────────
+router.get('/users', authenticateAdmin, (req, res) => {
+  const users = getAllUsers();
+  res.json({ users });
+});
+router.get('/users/:id', authenticateAdmin, (req, res) => {
+  const user = getUserFullDetails(req.params.id);
+  if (!user) return res.status(404).json({ error: 'User not found' });
+  res.json({ user });
+});
+router.put('/users/:id/tier', authenticateAdmin, (req, res) => {
+  const { tier, siteId } = req.body;
+  if (!['free', 'starter', 'pro', 'business', 'enterprise'].includes(tier)) {
+    return res.status(400).json({ error: 'Invalid tier' });
+  }
+  adminUpdateUserTier(req.params.id, siteId, tier);
+  res.json({ success: true });
+});
+router.delete('/users/:id', authenticateAdmin, (req, res) => {
+  adminDeleteUser(req.params.id);
+  res.json({ success: true });
+});
+// ─── Sites Management ─────────────────────────────────────────────────
+router.get('/sites', authenticateAdmin, (req, res) => {
+  const sites = getAllSites();
+  res.json({ sites });
+});
+router.put('/sites/:id', authenticateAdmin, (req, res) => {
+  const { tier, active } = req.body;
+  const ok = adminUpdateSite(req.params.id, { tier, active });
+  if (!ok) return res.status(404).json({ error: 'Site not found or invalid tier' });
+  res.json({ success: true });
+});
+router.get('/sites/:id/analytics', authenticateAdmin, (req, res) => {
+  const site = findSiteById.get(req.params.id);
+  if (!site) return res.status(404).json({ error: 'Site not found' });
+  const days = parseInt(req.query.days, 10) || 30;
+  const since = new Date(Date.now() - days * 86400000).toISOString();
+  const summary = getAnalyticsBySite.all(site.id, since);
+  const timeline = getAnalyticsTimeline.all(site.id, since);
+  res.json({
+    site: {
+      id: site.id,
+      name: site.name,
+      domain: site.domain,
+      tier: site.tier,
+      license_key: site.license_key
+    },
+    summary,
+    timeline,
+    period: `${days} days`
+  });
+});
+// ─── Free Grants ──────────────────────────────────────────────────────
+router.get('/grants', authenticateAdmin, (req, res) => {
+  const grants = getActiveGrants();
+  res.json({ grants });
+});
+router.post('/grants', authenticateAdmin, (req, res) => {
+  const { userId, siteId, tier, reason, expiresAt } = req.body;
+  if (!userId || !tier) return res.status(400).json({ error: 'userId and tier required' });
+  if (!['starter', 'pro', 'business', 'enterprise'].includes(tier)) return res.status(400).json({ error: 'Invalid tier' });
+  const grant = grantFreeTier({ userId, siteId, tier, reason, grantedBy: req.admin.id, expiresAt });
+  // Send notification email
+  const user = getUserFullDetails(userId);
+  if (user) {
+    sendEmail({
+      to: user.email,
+      template: 'tier_upgrade',
+      data: { name: user.name, tier, reason: reason || 'Complimentary upgrade' },
+      userId
+    }).catch(() => {});
+  }
+  res.status(201).json({ grant });
+});
+router.delete('/grants/:id', authenticateAdmin, (req, res) => {
+  const ok = revokeGrant(req.params.id);
+  if (!ok) return res.status(404).json({ error: 'Grant not found' });
+  res.json({ success: true });
+});
+// ─── Stripe Settings ─────────────────────────────────────────────────
+router.get('/stripe/config', authenticateAdmin, (req, res) => {
+  const secretKey = getPlatformSetting('stripe_secret_key');
+  const publishableKey = getPlatformSetting('stripe_publishable_key');
+  const webhookSecret = getPlatformSetting('stripe_webhook_secret');
+  const prices = getStripePrices();
+  res.json({
+    configured: isStripeConfigured(),
+    hasSecretKey: !!secretKey,
+    publishableKey: publishableKey || '',
+    webhookSecret: webhookSecret ? '••••' + webhookSecret.slice(-4) : '',
+    prices
+  });
+});
+router.put('/stripe/config', authenticateAdmin, (req, res) => {
+  const { secretKey, publishableKey, webhookSecret, priceStarter, pricePro, priceBusiness, priceEnterprise } = req.body;
+  if (secretKey) setPlatformSetting('stripe_secret_key', secretKey);
+  if (publishableKey) setPlatformSetting('stripe_publishable_key', publishableKey);
+  if (webhookSecret) setPlatformSetting('stripe_webhook_secret', webhookSecret);
+  if (priceStarter) setPlatformSetting('stripe_price_starter', priceStarter);
+  if (pricePro) setPlatformSetting('stripe_price_pro', pricePro);
+  if (priceBusiness) setPlatformSetting('stripe_price_business', priceBusiness);
+  if (priceEnterprise) setPlatformSetting('stripe_price_enterprise', priceEnterprise);
+  res.json({ success: true });
+});
+// ─── Payments ──────────────────────────────────────────────────────────
+router.get('/payments', authenticateAdmin, (req, res) => {
+  const limit = parseInt(req.query.limit) || 50;
+  const payments = getPayments(limit);
+  res.json({ payments });
+});
+// ─── SMTP Settings ────────────────────────────────────────────────────
+router.get('/smtp', authenticateAdmin, (req, res) => {
+  const settings = getSmtpSettings();
+  // Mask password
+  if (settings && settings.password) {
+    settings.password = '••••••••';
+  }
+  res.json({ settings });
+});
+router.put('/smtp', authenticateAdmin, (req, res) => {
+  const { host, port, secure, username, password, fromName, fromEmail, enabled } = req.body;
+  if (!host || !username || !fromEmail) {
+    return res.status(400).json({ error: 'Host, username, and fromEmail are required' });
+  }
+  updateSmtpSettings({ host, port, secure, username, password, fromName, fromEmail, enabled });
+  res.json({ success: true });
+});
+router.post('/smtp/test', authenticateAdmin, (req, res) => {
+  const { testEmail } = req.body;
+  if (!testEmail) return res.status(400).json({ error: 'testEmail required' });
+  sendEmail({
+    to: testEmail,
+    template: 'welcome',
+    data: { name: 'Test User', dashboardUrl: 'https://webagentbridge.com/dashboard' }
+  }).then(result => {
+    res.json(result);
+  }).catch(err => {
+    res.status(500).json({ success: false, error: err.message });
+  });
+});
+// ─── Notification Logs ────────────────────────────────────────────────
+router.get('/notifications', authenticateAdmin, (req, res) => {
+  const limit = parseInt(req.query.limit) || 100;
+  const logs = getNotificationLogs(limit);
+  res.json({ logs });
+});
+// ─── Send Custom Notification ─────────────────────────────────────────
+router.post('/notifications/send', authenticateAdmin, (req, res) => {
+  const { userId, email, template, data } = req.body;
+  if (!email || !template) return res.status(400).json({ error: 'email and template required' });
+  sendEmail({ to: email, template, data: data || {}, userId }).then(result => {
+    res.json(result);
+  }).catch(err => {
+    res.status(500).json({ success: false, error: err.message });
+  });
+});
+// ─── DNS Discovery Oversight ──────────────────────────────────────────
+//  Real-data views into discovery_usage_runs / discovery_trust_runs.
+//  Tables are auto-created by routes/discovery.js.
+function tableExists(name) {
+  try {
+    return !!db.prepare(`SELECT name FROM sqlite_master WHERE type='table' AND name = ?`).get(name);
+  } catch { return false; }
+}
+router.get('/discovery/stats', authenticateAdmin, (_req, res) => {
+  if (!tableExists('discovery_usage_runs')) {
+    return res.json({ enabled: false, totals: {}, last7d: [], topDomains: [] });
+  }
+  const totals = db.prepare(`
+    SELECT
+      COUNT(*) AS runs,
+      COUNT(DISTINCT domain) AS domains,
+      SUM(CASE WHEN execution_succeeded = 1 THEN 1 ELSE 0 END) AS successes,
+      AVG(value_score) AS avg_score
+    FROM discovery_usage_runs
+    WHERE created_at >= datetime('now', '-30 days')
+  `).get();
+  const last7d = db.prepare(`
+    SELECT date(created_at) AS day, COUNT(*) AS runs,
+           SUM(CASE WHEN execution_succeeded = 1 THEN 1 ELSE 0 END) AS successes
+    FROM discovery_usage_runs
+    WHERE created_at >= datetime('now', '-7 days')
+    GROUP BY day ORDER BY day ASC
+  `).all();
+  const topDomains = db.prepare(`
+    SELECT domain, COUNT(*) AS runs, AVG(value_score) AS score
+    FROM discovery_usage_runs
+    WHERE created_at >= datetime('now', '-30 days')
+    GROUP BY domain ORDER BY runs DESC LIMIT 25
+  `).all();
+  res.json({ enabled: true, totals, last7d, topDomains });
+});
+router.get('/discovery/runs', authenticateAdmin, (req, res) => {
+  if (!tableExists('discovery_usage_runs')) return res.json({ runs: [] });
+  const limit = Math.min(parseInt(req.query.limit, 10) || 100, 500);
+  const runs = db.prepare(`
+    SELECT id, domain, mode, preferred_use_case, selected_action,
+           readiness_ok, execution_attempted, execution_succeeded,
+           value_score, end_to_end_ms, created_at
+    FROM discovery_usage_runs
+    ORDER BY created_at DESC LIMIT ?
+  `).all(limit);
+  res.json({ runs });
+});
+router.get('/trust/stats', authenticateAdmin, (_req, res) => {
+  if (!tableExists('discovery_trust_runs')) {
+    return res.json({ enabled: false, totals: {}, leaderboard: [] });
+  }
+  const totals = db.prepare(`
+    SELECT COUNT(*) AS runs, COUNT(DISTINCT domain) AS domains,
+           AVG(score) AS avg_score,
+           SUM(sig_valid) AS valid_sigs,
+           SUM(signed_manifest) AS signed_manifests,
+           SUM(has_pk) AS domains_with_pk
+    FROM discovery_trust_runs
+    WHERE created_at >= datetime('now', '-30 days')
+  `).get();
+  const leaderboard = db.prepare(`
+    SELECT domain, MAX(score) AS score, MAX(created_at) AS last_run
+    FROM discovery_trust_runs
+    GROUP BY domain ORDER BY score DESC, last_run DESC LIMIT 25
+  `).all();
+  res.json({ enabled: true, totals, leaderboard });
+});
+router.get('/trust/runs', authenticateAdmin, (req, res) => {
+  if (!tableExists('discovery_trust_runs')) return res.json({ runs: [] });
+  const limit = Math.min(parseInt(req.query.limit, 10) || 100, 500);
+  const runs = db.prepare(`
+    SELECT id, domain, score, dnssec, has_pk, signed_manifest, sig_valid, https_ok, created_at
+    FROM discovery_trust_runs
+    ORDER BY created_at DESC LIMIT ?
+  `).all(limit);
+  res.json({ runs });
+});
+// ─── Providers Oversight (cross-user) ─────────────────────────────────
+router.get('/providers/stats', authenticateAdmin, (_req, res) => {
+  if (!tableExists('provider_accounts')) {
+    return res.json({ enabled: false, totals: {}, byProvider: [], recentActions: [] });
+  }
+  const totals = db.prepare(`
+    SELECT COUNT(*) AS accounts,
+           SUM(CASE WHEN status='active' THEN 1 ELSE 0 END) AS active,
+           SUM(CASE WHEN status='error' THEN 1 ELSE 0 END) AS errored,
+           SUM(domains_count) AS domains_under_management
+    FROM provider_accounts
+  `).get();
+  const byProvider = db.prepare(`
+    SELECT provider_type, COUNT(*) AS accounts,
+           SUM(CASE WHEN status='active' THEN 1 ELSE 0 END) AS active,
+           COALESCE(SUM(domains_count), 0) AS domains
+    FROM provider_accounts
+    GROUP BY provider_type ORDER BY accounts DESC
+  `).all();
+  const recentActions = tableExists('provider_action_log')
+    ? db.prepare(`
+        SELECT l.id, l.account_id, a.provider_type, l.domain, l.action, l.status,
+               l.duration_ms, l.detail, l.created_at
+        FROM provider_action_log l
+        LEFT JOIN provider_accounts a ON a.id = l.account_id
+        ORDER BY l.created_at DESC LIMIT 50
+      `).all()
+    : [];
+  const wabEnabled = tableExists('provider_domains')
+    ? db.prepare(`SELECT COUNT(*) AS c FROM provider_domains WHERE wab_enabled = 1`).get().c
+    : 0;
+  res.json({ enabled: true, totals: { ...totals, wab_enabled_domains: wabEnabled }, byProvider, recentActions });
+});
+router.get('/providers/accounts', authenticateAdmin, (req, res) => {
+  if (!tableExists('provider_accounts')) return res.json({ accounts: [] });
+  const limit = Math.min(parseInt(req.query.limit, 10) || 200, 1000);
+  const rows = db.prepare(`
+    SELECT a.id, a.user_id, u.email AS user_email, a.provider_type, a.label,
+           a.status, a.last_test_at, a.last_test_ok, a.last_test_error,
+           a.last_sync_at, a.domains_count, a.created_at, a.updated_at
+    FROM provider_accounts a
+    LEFT JOIN users u ON u.id = a.user_id
+    ORDER BY a.created_at DESC LIMIT ?
+  `).all(limit);
+  res.json({ accounts: rows });
+});
+router.get('/providers/domains', authenticateAdmin, (req, res) => {
+  if (!tableExists('provider_domains')) return res.json({ domains: [] });
+  const limit = Math.min(parseInt(req.query.limit, 10) || 200, 1000);
+  const rows = db.prepare(`
+    SELECT d.id, d.account_id, a.provider_type, a.user_id, u.email AS user_email,
+           d.domain, d.zone_id, d.wab_enabled, d.wab_record_value,
+           d.last_action, d.last_action_at, d.last_action_status, d.last_action_error
+    FROM provider_domains d
+    LEFT JOIN provider_accounts a ON a.id = d.account_id
+    LEFT JOIN users u ON u.id = a.user_id
+    ORDER BY d.updated_at DESC LIMIT ?
+  `).all(limit);
+  res.json({ domains: rows });
+});
+// ─── API Modules: real counts (replaces hardcoded dashboard placeholders) ──
+router.get('/modules/stats', authenticateAdmin, (_req, res) => {
+  // Source of truth: server/routes/* + service registry. We treat each
+  // top-level route module as one "API module" and return real numbers.
+  const modules = [
+    { id: 'auth',         label: 'Authentication',   openness: 'open' },
+    { id: 'wab',          label: 'WAB Core API',     openness: 'open' },
+    { id: 'discovery',    label: 'DNS Discovery',    openness: 'open' },
+    { id: 'sovereign',    label: 'Sovereign Mode',   openness: 'open' },
+    { id: 'commander',    label: 'Commander SDK',    openness: 'partial' },
+    { id: 'mesh',         label: 'Agent Mesh',       openness: 'partial' },
+    { id: 'workspace',    label: 'Agent Workspace',  openness: 'partial' },
+    { id: 'universal',    label: 'Universal Agent',  openness: 'partial' },
+    { id: 'gateway',      label: 'Gateway (v1)',     openness: 'closed' },
+    { id: 'premium',      label: 'Premium APIs',     openness: 'closed' },
+    { id: 'admin',        label: 'Admin APIs',       openness: 'closed' },
+    { id: 'providers',    label: 'DNS Providers',    openness: 'open' },
+  ];
+  const counts = modules.reduce((acc, m) => { acc[m.openness] = (acc[m.openness] || 0) + 1; return acc; }, {});
+  res.json({
+    total: modules.length,
+    open: counts.open || 0,
+    partial: counts.partial || 0,
+    closed: counts.closed || 0,
+    modules,
+  });
+});
+// ─── Governance Layer (Phase 20) — admin oversight of all agents ──
+// These endpoints expose the same data as /api/governance/* but authenticate
+// via admin token instead of an agent's own token, so an admin can see and
+// act across every agent on the platform.
+const gov = (() => { try { return require('../services/governance'); } catch { return null; } });
+function ensureGovTables() {
+  return tableExists('gov_agents');
+}
+router.get('/governance/stats', authenticateAdmin, (_req, res) => {
+  if (!ensureGovTables()) return res.json({ enabled: false, totals: {} });
+  const totals = db.prepare(`
+    SELECT
+      COUNT(*) AS agents,
+      SUM(CASE WHEN status='alive' THEN 1 ELSE 0 END) AS alive,
+      SUM(CASE WHEN status='killed' THEN 1 ELSE 0 END) AS killed,
+      SUM(CASE WHEN status='suspended' THEN 1 ELSE 0 END) AS suspended
+    FROM gov_agents
+  `).get() || {};
+  const policies = db.prepare(`SELECT COUNT(*) AS c FROM gov_policies`).get().c;
+  const audit = db.prepare(`SELECT COUNT(*) AS c FROM gov_audit`).get().c;
+  const pending = db.prepare(`SELECT COUNT(*) AS c FROM gov_approvals WHERE status='pending'`).get().c;
+  const recentDenies = db.prepare(`
+    SELECT id, agent_id, ts, resource, action, decision, reason
+    FROM gov_audit WHERE decision='deny' ORDER BY id DESC LIMIT 25
+  `).all();
+  res.json({ enabled: true, totals: { ...totals, policies, audit_events: audit, pending_approvals: pending }, recentDenies });
+});
+router.get('/governance/agents', authenticateAdmin, (_req, res) => {
+  if (!ensureGovTables()) return res.json({ agents: [] });
+  const rows = db.prepare(`
+    SELECT a.agent_id, a.owner_id, u.email AS owner_email, a.display_name,
+           a.status, a.killed_at, a.killed_reason, a.created_at, a.updated_at,
+           (SELECT COUNT(*) FROM gov_policies p WHERE p.agent_id = a.agent_id) AS policies,
+           (SELECT COUNT(*) FROM gov_audit g WHERE g.agent_id = a.agent_id) AS audit_events,
+           (SELECT COUNT(*) FROM gov_approvals ap WHERE ap.agent_id = a.agent_id AND ap.status='pending') AS pending_approvals
+    FROM gov_agents a
+    LEFT JOIN users u ON u.id = a.owner_id
+    ORDER BY a.created_at DESC
+  `).all();
+  res.json({ agents: rows });
+});
+router.get('/governance/agents/:id', authenticateAdmin, (req, res) => {
+  if (!ensureGovTables()) return res.status(404).json({ error: 'governance_disabled' });
+  const a = db.prepare(`SELECT agent_id, owner_id, display_name, status, killed_at, killed_reason, metadata, created_at, updated_at FROM gov_agents WHERE agent_id = ?`).get(req.params.id);
+  if (!a) return res.status(404).json({ error: 'agent_not_found' });
+  const policies = db.prepare(`SELECT * FROM gov_policies WHERE agent_id = ? ORDER BY id DESC`).all(req.params.id);
+  const approvals = db.prepare(`SELECT * FROM gov_approvals WHERE agent_id = ? AND status='pending' ORDER BY created_at DESC LIMIT 50`).all(req.params.id);
+  const audit = db.prepare(`SELECT id, ts, event_type, resource, action, scope, amount, currency, decision, reason FROM gov_audit WHERE agent_id = ? ORDER BY id DESC LIMIT 200`).all(req.params.id);
+  res.json({ agent: a, policies, approvals, audit });
+});
+router.get('/governance/agents/:id/audit/verify', authenticateAdmin, (req, res) => {
+  const g = gov(); if (!g) return res.status(503).json({ error: 'governance_unavailable' });
+  res.json(g.verifyAuditChain(req.params.id));
+});
+router.post('/governance/agents/:id/kill', authenticateAdmin, (req, res) => {
+  const g = gov(); if (!g) return res.status(503).json({ error: 'governance_unavailable' });
+  const reason = (req.body && req.body.reason) || ('admin:' + (req.admin.email || req.admin.id));
+  const ok = g.killAgent(req.params.id, reason);
+  auditLog({ actorType: 'admin', actorId: String(req.admin.id), action: 'governance_kill', details: { agent_id: req.params.id, reason } });
+  res.json({ ok, status: 'killed', reason });
+});
+router.post('/governance/agents/:id/revive', authenticateAdmin, (req, res) => {
+  const g = gov(); if (!g) return res.status(503).json({ error: 'governance_unavailable' });
+  const reason = (req.body && req.body.reason) || ('admin:' + (req.admin.email || req.admin.id));
+  const ok = g.reviveAgent(req.params.id, reason);
+  auditLog({ actorType: 'admin', actorId: String(req.admin.id), action: 'governance_revive', details: { agent_id: req.params.id, reason } });
+  res.json({ ok, status: 'alive', reason });
+});
+router.post('/governance/agents/:id/policies', authenticateAdmin, (req, res) => {
+  const g = gov(); if (!g) return res.status(503).json({ error: 'governance_unavailable' });
+  const b = req.body || {};
+  if (!b.resource || !b.action) return res.status(400).json({ error: 'missing_fields', need: ['resource', 'action'] });
+  const r = g.definePolicy({
+    agentId: req.params.id, resource: String(b.resource), action: String(b.action),
+    scope: b.scope || null, maxAmount: b.max_amount, currency: b.currency,
+    dailyCap: b.daily_cap, perCallRate: b.per_call_rate,
+    requiresApproval: !!b.requires_approval,
+    effect: b.effect === 'deny' ? 'deny' : 'allow',
+    expiresAt: b.expires_at || null,
+  });
+  auditLog({ actorType: 'admin', actorId: String(req.admin.id), action: 'governance_policy_create', details: { agent_id: req.params.id, policy_id: r.id } });
+  res.status(201).json({ ok: true, id: r.id });
+});
+router.delete('/governance/agents/:id/policies/:pid', authenticateAdmin, (req, res) => {
+  const g = gov(); if (!g) return res.status(503).json({ error: 'governance_unavailable' });
+  const ok = g.deletePolicy(req.params.id, Number(req.params.pid));
+  auditLog({ actorType: 'admin', actorId: String(req.admin.id), action: 'governance_policy_delete', details: { agent_id: req.params.id, policy_id: req.params.pid } });
+  res.json({ ok });
+});
+router.post('/governance/approvals/:rid/decide', authenticateAdmin, (req, res) => {
+  const g = gov(); if (!g) return res.status(503).json({ error: 'governance_unavailable' });
+  const decision = req.body?.decision === 'approved' ? 'approved' : 'rejected';
+  const out = g.decideApproval(req.params.rid, {
+    decision,
+    decidedBy: 'admin:' + req.admin.id,
+    note: req.body?.note || null,
+  });
+  if (!out.ok) return res.status(409).json(out);
+  auditLog({ actorType: 'admin', actorId: String(req.admin.id), action: 'governance_approval_decide', details: { request_id: req.params.rid, decision } });
+  res.json(out);
+});
+module.exports = router;