npm - web-agent-bridge - Versions diffs - 3.4.0 → 3.9.0 - Mend

web-agent-bridge 3.4.0 → 3.9.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (315) hide show

package/LICENSE +84 -84
package/README.ar.md +1565 -1304
package/README.md +171 -298
package/bin/agent-runner.js +474 -474
package/bin/cli.js +237 -237
package/bin/wab-init.js +244 -223
package/bin/wab.js +80 -80
package/examples/azure-dns-wab.js +83 -83
package/examples/bidi-agent.js +119 -119
package/examples/cloudflare-wab-dns.js +121 -121
package/examples/cpanel-wab-dns.js +114 -114
package/examples/cross-site-agent.js +91 -91
package/examples/dns-discovery-agent.js +166 -166
package/examples/gcp-dns-wab.js +76 -76
package/examples/governance-agent.js +169 -169
package/examples/mcp-agent.js +94 -94
package/examples/next-app-router/README.md +44 -44
package/examples/plesk-wab-dns.js +103 -103
package/examples/puppeteer-agent.js +108 -108
package/examples/route53-wab-dns.js +144 -144
package/examples/saas-dashboard/README.md +55 -55
package/examples/safe-mode-agent.js +96 -96
package/examples/self-discovery.js +106 -0
package/examples/shopify-hydrogen/README.md +74 -74
package/examples/vision-agent.js +171 -171
package/examples/wab-sign.js +74 -74
package/examples/wab-verify.js +60 -60
package/examples/wordpress-elementor/README.md +77 -77
package/package.json +93 -93
package/public/.well-known/agent-tools.json +180 -180
package/public/.well-known/ai-assets.json +59 -59
package/public/.well-known/security.txt +8 -8
package/public/.well-known/wab.json +28 -28
package/public/activate.html +448 -368
package/public/adopt.html +236 -0
package/public/adoption-metrics.html +188 -188
package/public/agent-workspace.html +359 -349
package/public/ai.html +198 -198
package/public/api.html +397 -413
package/public/atp.html +171 -0
package/public/azure-dns-integration.html +289 -289
package/public/browser.html +486 -486
package/public/cloudflare-integration.html +380 -380
package/public/commander-dashboard.html +243 -243
package/public/cookies.html +210 -210
package/public/cpanel-integration.html +398 -398
package/public/css/agent-workspace.css +1713 -1713
package/public/css/premium.css +317 -317
package/public/css/styles.css +1401 -1263
package/public/dashboard-shieldlink.html +295 -0
package/public/dashboard.html +711 -707
package/public/dns.html +436 -436
package/public/docs.html +588 -588
package/public/enterprise-mesh.ar.html +80 -0
package/public/enterprise-mesh.html +81 -0
package/public/feed.xml +89 -89
package/public/gcp-dns-integration.html +318 -318
package/public/governance.ar.html +70 -0
package/public/governance.html +69 -0
package/public/growth.html +465 -465
package/public/index.html +1372 -1266
package/public/integrations.html +556 -556
package/public/js/activate.js +449 -145
package/public/js/agent-workspace.js +1740 -1740
package/public/js/auth-nav.js +117 -65
package/public/js/auth-redirect.js +12 -12
package/public/js/cookie-consent.js +56 -56
package/public/js/dns.js +438 -438
package/public/js/wab-demo-page.js +721 -721
package/public/js/ws-client.js +74 -74
package/public/l-preview.html +242 -0
package/public/llms-full.txt +360 -360
package/public/llms.txt +125 -125
package/public/login.html +85 -85
package/public/mesh-dashboard.html +328 -328
package/public/milestones.html +346 -0
package/public/one-click.html +779 -0
package/public/openapi.json +669 -669
package/public/partners.ar.html +145 -0
package/public/partners.html +143 -0
package/public/phone-shield.html +281 -281
package/public/plesk-integration.html +375 -375
package/public/premium-dashboard.html +2489 -2489
package/public/premium.html +793 -793
package/public/privacy.html +297 -297
package/public/provider-onboarding.html +172 -172
package/public/provider-sandbox.html +134 -134
package/public/providers.html +359 -359
package/public/refusals.html +172 -0
package/public/register.html +105 -105
package/public/registrar-integrations.html +141 -141
package/public/ring4.html +292 -0
package/public/robots.txt +99 -99
package/public/route53-integration.html +531 -531
package/public/score.html +263 -0
package/public/script/wab-consent.d.ts +36 -36
package/public/script/wab-consent.js +104 -104
package/public/script/wab-schema.js +131 -131
package/public/script/wab.d.ts +108 -108
package/public/script/wab.min.js +580 -580
package/public/security.txt +8 -8
package/public/shieldlink.html +244 -0
package/public/shieldqr.html +231 -231
package/public/sitemap.xml +13 -1
package/public/terms.html +256 -256
package/public/trust-graph-api.ar.html +92 -0
package/public/trust-graph-api.html +91 -0
package/public/wab-features.html +560 -0
package/public/wab-trust.html +200 -200
package/public/wab-truth.html +375 -0
package/public/wab-vs-protocols.html +210 -210
package/public/whitepaper.html +449 -449
package/script/ai-agent-bridge.js +1754 -1754
package/sdk/README.md +99 -99
package/sdk/agent-mesh.js +449 -449
package/sdk/atp.js +103 -0
package/sdk/auto-discovery.js +301 -288
package/sdk/commander.js +262 -262
package/sdk/governance.js +262 -262
package/sdk/index.d.ts +464 -464
package/sdk/index.js +653 -649
package/sdk/multi-agent.js +318 -318
package/sdk/safe-mode.js +221 -221
package/sdk/safety-shield.js +219 -219
package/sdk/schema-discovery.js +83 -83
package/server/adapters/index.js +520 -520
package/server/config/plans.js +412 -367
package/server/config/secrets.js +102 -102
package/server/control-plane/index.js +301 -301
package/server/data-plane/index.js +354 -354
package/server/index.js +793 -670
package/server/llm/index.js +404 -404
package/server/middleware/adminAuth.js +35 -35
package/server/middleware/api-tier.js +170 -0
package/server/middleware/auth.js +50 -50
package/server/middleware/featureGate.js +88 -88
package/server/middleware/rateLimits.js +100 -100
package/server/middleware/sensitiveAction.js +157 -157
package/server/middleware/wab-trust.js +141 -0
package/server/migrations/001_add_analytics_indexes.sql +7 -7
package/server/migrations/002_premium_features.sql +418 -418
package/server/migrations/003_ads_integer_cents.sql +33 -33
package/server/migrations/004_agent_os.sql +158 -158
package/server/migrations/005_marketplace_metering.sql +126 -126
package/server/migrations/006_growth_suite.sql +138 -0
package/server/migrations/007_governance.sql +106 -106
package/server/migrations/008_plans.sql +144 -144
package/server/migrations/009_shieldqr.sql +30 -30
package/server/migrations/010_extended_trust.sql +33 -33
package/server/migrations/011_outreach.sql +47 -0
package/server/migrations/012_shieldlink.sql +116 -0
package/server/migrations/013_ct_monitor.sql +13 -0
package/server/migrations/014_wab_advanced_features.sql +128 -0
package/server/migrations/015_wab_truth_layer.sql +101 -0
package/server/migrations/016_ring4_external_trust.sql +84 -0
package/server/migrations/017_ring4_extensions.sql +69 -0
package/server/migrations/018_commercial_foundations.sql +167 -0
package/server/migrations/019_unify_tier_constraints.sql +133 -0
package/server/migrations/020_agent_transaction_primitive.sql +119 -0
package/server/models/adapters/index.js +33 -33
package/server/models/adapters/mysql.js +183 -183
package/server/models/adapters/postgresql.js +172 -172
package/server/models/adapters/sqlite.js +7 -7
package/server/models/db.js +740 -740
package/server/observability/failure-analysis.js +337 -337
package/server/observability/index.js +394 -394
package/server/protocol/capabilities.js +223 -223
package/server/protocol/index.js +243 -243
package/server/protocol/schema.js +584 -584
package/server/registry/certification.js +271 -271
package/server/registry/index.js +326 -326
package/server/routes/activate.js +478 -0
package/server/routes/admin-outreach.js +239 -0
package/server/routes/admin-plans.js +76 -76
package/server/routes/admin-premium.js +674 -673
package/server/routes/admin-shieldlink.js +137 -0
package/server/routes/admin-shieldqr.js +90 -90
package/server/routes/admin-trust-monitor.js +139 -83
package/server/routes/admin.js +550 -549
package/server/routes/adopt.js +61 -0
package/server/routes/ads.js +130 -130
package/server/routes/agent-workspace.js +540 -540
package/server/routes/api-keys.js +127 -0
package/server/routes/api.js +150 -150
package/server/routes/auth.js +71 -71
package/server/routes/billing.js +57 -57
package/server/routes/commander.js +316 -316
package/server/routes/customer-shieldlink.js +133 -0
package/server/routes/demo-showcase.js +332 -332
package/server/routes/demo-store.js +154 -154
package/server/routes/diagnose.js +373 -0
package/server/routes/discovery.js +2348 -2348
package/server/routes/enterprise-mesh.js +170 -0
package/server/routes/gateway.js +173 -173
package/server/routes/governance-saas.js +203 -0
package/server/routes/governance.js +208 -208
package/server/routes/growth.js +1048 -0
package/server/routes/intent.js +328 -0
package/server/routes/license.js +251 -251
package/server/routes/mesh.js +469 -469
package/server/routes/noscript.js +543 -543
package/server/routes/partners.js +201 -0
package/server/routes/plans.js +33 -33
package/server/routes/premium-v2.js +686 -686
package/server/routes/premium.js +724 -724
package/server/routes/providers.js +650 -650
package/server/routes/reputation.js +411 -0
package/server/routes/ring4.js +885 -0
package/server/routes/runtime.js +2148 -2148
package/server/routes/shieldlink.js +70 -0
package/server/routes/shieldqr.js +88 -88
package/server/routes/sovereign.js +465 -465
package/server/routes/transactions.js +233 -0
package/server/routes/truth-layer.js +670 -0
package/server/routes/universal.js +200 -200
package/server/routes/unsubscribe.js +51 -0
package/server/routes/wab-api.js +850 -850
package/server/routes/wab-cache.js +282 -0
package/server/runtime/container-worker.js +111 -111
package/server/runtime/container.js +448 -448
package/server/runtime/distributed-worker.js +362 -362
package/server/runtime/event-bus.js +210 -210
package/server/runtime/index.js +253 -253
package/server/runtime/queue.js +599 -599
package/server/runtime/replay.js +666 -666
package/server/runtime/sandbox.js +266 -266
package/server/runtime/scheduler.js +534 -534
package/server/runtime/session-engine.js +293 -293
package/server/runtime/state-manager.js +188 -188
package/server/secrets/wab-signing-key.pem +3 -0
package/server/secrets/wab-signing-pub.pem +3 -0
package/server/security/cross-site-redactor.js +196 -196
package/server/security/dry-run.js +180 -180
package/server/security/human-gate-rate-limit.js +147 -147
package/server/security/human-gate-transports.js +178 -178
package/server/security/human-gate.js +281 -281
package/server/security/index.js +368 -368
package/server/security/intent-engine.js +245 -245
package/server/security/reward-guard.js +171 -171
package/server/security/rollback-store.js +239 -239
package/server/security/token-scope.js +404 -404
package/server/security/url-policy.js +139 -139
package/server/services/adoption-agent.js +182 -0
package/server/services/agent-chat.js +506 -506
package/server/services/agent-learning.js +601 -601
package/server/services/agent-memory.js +625 -625
package/server/services/agent-mesh.js +555 -555
package/server/services/agent-symphony.js +717 -717
package/server/services/agent-tasks.js +1807 -1807
package/server/services/api-key-engine.js +292 -292
package/server/services/cluster.js +894 -894
package/server/services/commander.js +738 -738
package/server/services/edge-compute.js +440 -440
package/server/services/email.js +233 -233
package/server/services/fairness-engine.js +409 -0
package/server/services/fairness.js +420 -0
package/server/services/governance.js +466 -466
package/server/services/hosted-runtime.js +205 -205
package/server/services/lfd.js +635 -635
package/server/services/local-ai.js +389 -389
package/server/services/marketplace.js +270 -270
package/server/services/metering.js +182 -182
package/server/services/modules/affiliate-intelligence.js +93 -93
package/server/services/modules/agent-firewall.js +90 -90
package/server/services/modules/bounty.js +89 -89
package/server/services/modules/collective-bargaining.js +92 -92
package/server/services/modules/dark-pattern.js +66 -66
package/server/services/modules/gov-intelligence.js +45 -45
package/server/services/modules/neural.js +55 -55
package/server/services/modules/notary.js +49 -49
package/server/services/modules/price-time-machine.js +86 -86
package/server/services/modules/protocol.js +104 -104
package/server/services/negotiation.js +439 -439
package/server/services/outreach-agent.js +312 -0
package/server/services/plans.js +214 -214
package/server/services/plugins.js +771 -771
package/server/services/price-intelligence.js +566 -566
package/server/services/price-shield.js +1137 -1137
package/server/services/provider-clients.js +740 -740
package/server/services/reputation.js +465 -465
package/server/services/search-engine.js +357 -357
package/server/services/security.js +513 -513
package/server/services/self-healing.js +843 -843
package/server/services/shieldlink.js +492 -0
package/server/services/shieldqr.js +322 -322
package/server/services/sovereign-shield.js +542 -542
package/server/services/ssl-ct-monitor.js +224 -0
package/server/services/ssl-inspector.js +42 -42
package/server/services/ssl-monitor.js +167 -167
package/server/services/stripe.js +206 -205
package/server/services/swarm.js +788 -788
package/server/services/transactions.js +525 -0
package/server/services/universal-scraper.js +662 -662
package/server/services/verification.js +481 -481
package/server/services/vision.js +1163 -1163
package/server/services/wab-crypto.js +178 -178
package/server/utils/cache.js +125 -125
package/server/utils/migrate.js +81 -81
package/server/utils/safe-fetch.js +228 -228
package/server/utils/secureFields.js +50 -50
package/server/ws.js +161 -161
package/templates/artisan-marketplace.yaml +104 -104
package/templates/book-price-scout.yaml +98 -98
package/templates/electronics-price-tracker.yaml +108 -108
package/templates/flight-deal-hunter.yaml +113 -113
package/templates/freelancer-direct.yaml +116 -116
package/templates/grocery-price-compare.yaml +93 -93
package/templates/hotel-direct-booking.yaml +113 -113
package/templates/local-services.yaml +98 -98
package/templates/olive-oil-tunisia.yaml +88 -88
package/templates/organic-farm-fresh.yaml +101 -101
package/templates/restaurant-direct.yaml +97 -97
package/templates/ring4/banking-sovereign.yaml +55 -0
package/templates/ring4/ecommerce-sovereign.yaml +58 -0
package/templates/ring4/healthcare-sovereign.yaml +60 -0

package/server/routes/premium.js CHANGED Viewed

@@ -1,724 +1,724 @@
-const express = require('express');
-const router = express.Router();
-const { authenticateToken } = require('../middleware/auth');
-const premium = require('../services/premium');
-const { findSiteById, findSitesByUser } = require('../models/db');
-function requireSiteOwnership(req, res, next) {
-  const siteId = req.params.siteId || req.body.siteId;
-  if (!siteId) return res.status(400).json({ error: 'siteId required' });
-  const site = findSiteById.get(siteId);
-  if (!site || site.user_id !== req.user.id) return res.status(403).json({ error: 'Access denied' });
-  req.site = site;
-  next();
-}
-// ─── Traffic Intelligence ────────────────────────────────────────────────
-router.get('/traffic/:siteId/profiles', authenticateToken, requireSiteOwnership, async (req, res) => {
-  try {
-    const { limit, offset, type } = req.query;
-    const profiles = await premium.getAgentProfiles(req.params.siteId, {
-      limit: limit ? parseInt(limit) : undefined,
-      offset: offset ? parseInt(offset) : undefined,
-      type
-    });
-    res.json({ profiles });
-  } catch (err) {
-    res.status(500).json({ error: 'Failed to fetch agent profiles' });
-  }
-});
-router.get('/traffic/:siteId/stats', authenticateToken, requireSiteOwnership, async (req, res) => {
-  try {
-    const days = req.query.days ? parseInt(req.query.days) : 30;
-    const stats = await premium.getTrafficStats(req.params.siteId, days);
-    res.json({ stats });
-  } catch (err) {
-    res.status(500).json({ error: 'Failed to fetch traffic stats' });
-  }
-});
-router.get('/traffic/:siteId/alerts', authenticateToken, requireSiteOwnership, async (req, res) => {
-  try {
-    const { limit, acknowledged } = req.query;
-    const alerts = await premium.getAnomalyAlerts(req.params.siteId, {
-      limit: limit ? parseInt(limit) : undefined,
-      acknowledged: acknowledged !== undefined ? acknowledged === 'true' : undefined
-    });
-    res.json({ alerts });
-  } catch (err) {
-    res.status(500).json({ error: 'Failed to fetch anomaly alerts' });
-  }
-});
-router.post('/traffic/:siteId/alerts/:alertId/acknowledge', authenticateToken, requireSiteOwnership, async (req, res) => {
-  try {
-    const ok = await premium.acknowledgeAlert(req.params.alertId, req.params.siteId);
-    if (!ok) return res.status(404).json({ error: 'Alert not found' });
-    res.json({ success: true });
-  } catch (err) {
-    res.status(500).json({ error: 'Failed to acknowledge alert' });
-  }
-});
-router.post('/traffic/:siteId/check-anomalies', authenticateToken, requireSiteOwnership, async (req, res) => {
-  try {
-    const alerts = await premium.checkForAnomalies(req.params.siteId);
-    res.json({ alerts });
-  } catch (err) {
-    res.status(500).json({ error: 'Failed to check for anomalies' });
-  }
-});
-// ─── Exploit Shield ──────────────────────────────────────────────────────
-router.get('/security/:siteId/events', authenticateToken, requireSiteOwnership, async (req, res) => {
-  try {
-    const { limit, severity, since } = req.query;
-    const events = await premium.getSecurityEvents(req.params.siteId, {
-      limit: limit ? parseInt(limit) : undefined,
-      severity,
-      since
-    });
-    res.json({ events });
-  } catch (err) {
-    res.status(500).json({ error: 'Failed to fetch security events' });
-  }
-});
-router.get('/security/:siteId/report', authenticateToken, requireSiteOwnership, async (req, res) => {
-  try {
-    const days = req.query.days ? parseInt(req.query.days) : 30;
-    const report = await premium.getSecurityReport(req.params.siteId, days);
-    res.json({ report });
-  } catch (err) {
-    res.status(500).json({ error: 'Failed to generate security report' });
-  }
-});
-router.get('/security/:siteId/blocked', authenticateToken, requireSiteOwnership, async (req, res) => {
-  try {
-    const blocked = await premium.getBlockedAgents(req.params.siteId);
-    res.json({ blocked });
-  } catch (err) {
-    res.status(500).json({ error: 'Failed to fetch blocked agents' });
-  }
-});
-router.post('/security/:siteId/block', authenticateToken, requireSiteOwnership, async (req, res) => {
-  try {
-    const { agentSignature, reason, expiresAt } = req.body;
-    if (!agentSignature) return res.status(400).json({ error: 'agentSignature is required' });
-    const record = await premium.blockAgent(req.params.siteId, { agentSignature, reason, expiresAt });
-    res.status(201).json({ blocked: record });
-  } catch (err) {
-    res.status(500).json({ error: 'Failed to block agent' });
-  }
-});
-router.delete('/security/:siteId/block/:blockId', authenticateToken, requireSiteOwnership, async (req, res) => {
-  try {
-    const ok = await premium.unblockAgent(req.params.blockId, req.params.siteId);
-    if (!ok) return res.status(404).json({ error: 'Block record not found' });
-    res.json({ success: true });
-  } catch (err) {
-    res.status(500).json({ error: 'Failed to unblock agent' });
-  }
-});
-// ─── Actions Library ─────────────────────────────────────────────────────
-router.get('/actions/packs', authenticateToken, async (req, res) => {
-  try {
-    const { platform, tier } = req.query;
-    const packs = await premium.getActionPacks({
-      platform,
-      tierRequired: tier
-    });
-    res.json({ packs });
-  } catch (err) {
-    res.status(500).json({ error: 'Failed to fetch action packs' });
-  }
-});
-router.get('/actions/packs/:packId', authenticateToken, async (req, res) => {
-  try {
-    const pack = await premium.getActionPack(req.params.packId);
-    if (!pack) return res.status(404).json({ error: 'Pack not found' });
-    res.json({ pack });
-  } catch (err) {
-    res.status(500).json({ error: 'Failed to fetch action pack' });
-  }
-});
-router.get('/actions/packs/:packId/actions', authenticateToken, async (req, res) => {
-  try {
-    const actions = await premium.getPackActions(req.params.packId);
-    res.json({ actions });
-  } catch (err) {
-    res.status(500).json({ error: 'Failed to fetch pack actions' });
-  }
-});
-router.get('/actions/:siteId/installed', authenticateToken, requireSiteOwnership, async (req, res) => {
-  try {
-    const installed = await premium.getInstalledPacks(req.params.siteId);
-    res.json({ installed });
-  } catch (err) {
-    res.status(500).json({ error: 'Failed to fetch installed packs' });
-  }
-});
-router.post('/actions/:siteId/install', authenticateToken, requireSiteOwnership, async (req, res) => {
-  try {
-    const { packId, config } = req.body;
-    if (!packId) return res.status(400).json({ error: 'packId is required' });
-    const installation = await premium.installPack(req.params.siteId, packId, config);
-    res.status(201).json({ installation });
-  } catch (err) {
-    res.status(500).json({ error: 'Failed to install pack' });
-  }
-});
-router.delete('/actions/:siteId/install/:installId', authenticateToken, requireSiteOwnership, async (req, res) => {
-  try {
-    const ok = await premium.uninstallPack(req.params.installId, req.params.siteId);
-    if (!ok) return res.status(404).json({ error: 'Installation not found' });
-    res.json({ success: true });
-  } catch (err) {
-    res.status(500).json({ error: 'Failed to uninstall pack' });
-  }
-});
-// ─── Custom Agents ───────────────────────────────────────────────────────
-router.get('/agents/:siteId', authenticateToken, requireSiteOwnership, async (req, res) => {
-  try {
-    const agents = await premium.getAgents(req.user.id, req.params.siteId);
-    res.json({ agents });
-  } catch (err) {
-    res.status(500).json({ error: 'Failed to fetch agents' });
-  }
-});
-router.post('/agents/:siteId', authenticateToken, requireSiteOwnership, async (req, res) => {
-  try {
-    const { name, description, steps, schedule } = req.body;
-    if (!name || !steps) return res.status(400).json({ error: 'name and steps are required' });
-    const agent = await premium.createAgent(req.user.id, req.params.siteId, { name, description, steps, schedule });
-    res.status(201).json({ agent });
-  } catch (err) {
-    res.status(500).json({ error: 'Failed to create agent' });
-  }
-});
-router.get('/agents/:siteId/:agentId', authenticateToken, requireSiteOwnership, async (req, res) => {
-  try {
-    const agent = await premium.getAgent(req.params.agentId, req.user.id);
-    if (!agent) return res.status(404).json({ error: 'Agent not found' });
-    res.json({ agent });
-  } catch (err) {
-    res.status(500).json({ error: 'Failed to fetch agent' });
-  }
-});
-router.put('/agents/:siteId/:agentId', authenticateToken, requireSiteOwnership, async (req, res) => {
-  try {
-    const { name, description, steps, schedule } = req.body;
-    const ok = await premium.updateAgent(req.params.agentId, req.user.id, { name, description, steps, schedule });
-    if (!ok) return res.status(404).json({ error: 'Agent not found' });
-    res.json({ success: true });
-  } catch (err) {
-    res.status(500).json({ error: 'Failed to update agent' });
-  }
-});
-router.delete('/agents/:siteId/:agentId', authenticateToken, requireSiteOwnership, async (req, res) => {
-  try {
-    const ok = await premium.deleteAgent(req.params.agentId, req.user.id);
-    if (!ok) return res.status(404).json({ error: 'Agent not found' });
-    res.json({ success: true });
-  } catch (err) {
-    res.status(500).json({ error: 'Failed to delete agent' });
-  }
-});
-router.post('/agents/:siteId/:agentId/run', authenticateToken, requireSiteOwnership, async (req, res) => {
-  try {
-    const result = await premium.runAgent(req.params.agentId, req.user.id);
-    res.json({ result });
-  } catch (err) {
-    res.status(500).json({ error: 'Failed to run agent' });
-  }
-});
-router.get('/agents/:siteId/:agentId/runs', authenticateToken, requireSiteOwnership, async (req, res) => {
-  try {
-    const { limit } = req.query;
-    const runs = await premium.getAgentRuns(req.params.agentId, {
-      limit: limit ? parseInt(limit) : undefined
-    });
-    res.json({ runs });
-  } catch (err) {
-    res.status(500).json({ error: 'Failed to fetch agent runs' });
-  }
-});
-// ─── Webhooks & CRM ─────────────────────────────────────────────────────
-router.get('/webhooks/:siteId', authenticateToken, requireSiteOwnership, async (req, res) => {
-  try {
-    const webhooks = await premium.getWebhooks(req.params.siteId);
-    res.json({ webhooks });
-  } catch (err) {
-    res.status(500).json({ error: 'Failed to fetch webhooks' });
-  }
-});
-router.post('/webhooks/:siteId', authenticateToken, requireSiteOwnership, async (req, res) => {
-  try {
-    const { name, url, events, secret } = req.body;
-    if (!name || !url || !events) return res.status(400).json({ error: 'name, url, and events are required' });
-    const webhook = await premium.createWebhook(req.params.siteId, { name, url, events, secret });
-    res.status(201).json({ webhook });
-  } catch (err) {
-    res.status(500).json({ error: 'Failed to create webhook' });
-  }
-});
-router.put('/webhooks/:siteId/:webhookId', authenticateToken, requireSiteOwnership, async (req, res) => {
-  try {
-    const { name, url, events, secret, active } = req.body;
-    const ok = await premium.updateWebhook(req.params.webhookId, req.params.siteId, { name, url, events, secret, active });
-    if (!ok) return res.status(404).json({ error: 'Webhook not found' });
-    res.json({ success: true });
-  } catch (err) {
-    res.status(500).json({ error: 'Failed to update webhook' });
-  }
-});
-router.delete('/webhooks/:siteId/:webhookId', authenticateToken, requireSiteOwnership, async (req, res) => {
-  try {
-    const ok = await premium.deleteWebhook(req.params.webhookId, req.params.siteId);
-    if (!ok) return res.status(404).json({ error: 'Webhook not found' });
-    res.json({ success: true });
-  } catch (err) {
-    res.status(500).json({ error: 'Failed to delete webhook' });
-  }
-});
-router.get('/webhooks/:siteId/:webhookId/logs', authenticateToken, requireSiteOwnership, async (req, res) => {
-  try {
-    const { limit } = req.query;
-    const logs = await premium.getWebhookLogs(req.params.webhookId, {
-      limit: limit ? parseInt(limit) : undefined
-    });
-    res.json({ logs });
-  } catch (err) {
-    res.status(500).json({ error: 'Failed to fetch webhook logs' });
-  }
-});
-router.post('/webhooks/:siteId/test', authenticateToken, requireSiteOwnership, async (req, res) => {
-  try {
-    const { eventType, payload } = req.body;
-    if (!eventType) return res.status(400).json({ error: 'eventType is required' });
-    const results = await premium.triggerWebhooks(req.params.siteId, eventType, payload || {});
-    res.json({ results });
-  } catch (err) {
-    res.status(500).json({ error: 'Failed to trigger webhooks' });
-  }
-});
-router.get('/crm/:siteId', authenticateToken, requireSiteOwnership, async (req, res) => {
-  try {
-    const integrations = await premium.getCrmIntegrations(req.params.siteId);
-    res.json({ integrations });
-  } catch (err) {
-    res.status(500).json({ error: 'Failed to fetch CRM integrations' });
-  }
-});
-router.post('/crm/:siteId', authenticateToken, requireSiteOwnership, async (req, res) => {
-  try {
-    const { provider, config } = req.body;
-    if (!provider || !config) return res.status(400).json({ error: 'provider and config are required' });
-    const integration = await premium.addCrmIntegration(req.params.siteId, { provider, config });
-    res.status(201).json({ integration });
-  } catch (err) {
-    res.status(500).json({ error: 'Failed to add CRM integration' });
-  }
-});
-router.put('/crm/:siteId/:integrationId', authenticateToken, requireSiteOwnership, async (req, res) => {
-  try {
-    const { provider, config, active } = req.body;
-    const ok = await premium.updateCrmIntegration(req.params.integrationId, req.params.siteId, { provider, config, active });
-    if (!ok) return res.status(404).json({ error: 'Integration not found' });
-    res.json({ success: true });
-  } catch (err) {
-    res.status(500).json({ error: 'Failed to update CRM integration' });
-  }
-});
-router.delete('/crm/:siteId/:integrationId', authenticateToken, requireSiteOwnership, async (req, res) => {
-  try {
-    const ok = await premium.deleteCrmIntegration(req.params.integrationId, req.params.siteId);
-    if (!ok) return res.status(404).json({ error: 'Integration not found' });
-    res.json({ success: true });
-  } catch (err) {
-    res.status(500).json({ error: 'Failed to delete CRM integration' });
-  }
-});
-// ─── Multi-Tenant ────────────────────────────────────────────────────────
-router.get('/team', authenticateToken, async (req, res) => {
-  try {
-    const subUsers = await premium.getSubUsers(req.user.id);
-    res.json({ subUsers });
-  } catch (err) {
-    res.status(500).json({ error: 'Failed to fetch team members' });
-  }
-});
-router.post('/team', authenticateToken, async (req, res) => {
-  try {
-    const { email, name, password, role, siteAccess, quotaActionsMonth } = req.body;
-    if (!email || !name || !password) return res.status(400).json({ error: 'email, name, and password are required' });
-    const subUser = await premium.inviteSubUser(req.user.id, { email, name, password, role, siteAccess, quotaActionsMonth });
-    res.status(201).json({ subUser });
-  } catch (err) {
-    res.status(500).json({ error: 'Failed to invite team member' });
-  }
-});
-router.put('/team/:subUserId', authenticateToken, async (req, res) => {
-  try {
-    const { name, role, siteAccess, quotaActionsMonth, active } = req.body;
-    const ok = await premium.updateSubUser(req.params.subUserId, req.user.id, { name, role, siteAccess, quotaActionsMonth, active });
-    if (!ok) return res.status(404).json({ error: 'Team member not found' });
-    res.json({ success: true });
-  } catch (err) {
-    res.status(500).json({ error: 'Failed to update team member' });
-  }
-});
-router.delete('/team/:subUserId', authenticateToken, async (req, res) => {
-  try {
-    const ok = await premium.deleteSubUser(req.params.subUserId, req.user.id);
-    if (!ok) return res.status(404).json({ error: 'Team member not found' });
-    res.json({ success: true });
-  } catch (err) {
-    res.status(500).json({ error: 'Failed to delete team member' });
-  }
-});
-// ─── Support ─────────────────────────────────────────────────────────────
-router.get('/support/tickets', authenticateToken, async (req, res) => {
-  try {
-    const { status, limit } = req.query;
-    const tickets = await premium.getTickets(req.user.id, {
-      status,
-      limit: limit ? parseInt(limit) : undefined
-    });
-    res.json({ tickets });
-  } catch (err) {
-    res.status(500).json({ error: 'Failed to fetch tickets' });
-  }
-});
-router.post('/support/tickets', authenticateToken, async (req, res) => {
-  try {
-    const { subject, priority, category } = req.body;
-    if (!subject) return res.status(400).json({ error: 'subject is required' });
-    const ticket = await premium.createTicket(req.user.id, { subject, priority, category });
-    res.status(201).json({ ticket });
-  } catch (err) {
-    res.status(500).json({ error: 'Failed to create ticket' });
-  }
-});
-router.get('/support/stats', authenticateToken, async (req, res) => {
-  try {
-    const stats = await premium.getTicketStats(req.user.id);
-    res.json({ stats });
-  } catch (err) {
-    res.status(500).json({ error: 'Failed to fetch ticket stats' });
-  }
-});
-router.get('/support/tickets/:ticketId', authenticateToken, async (req, res) => {
-  try {
-    const ticket = await premium.getTicket(req.params.ticketId, req.user.id);
-    if (!ticket) return res.status(404).json({ error: 'Ticket not found' });
-    const messages = await premium.getTicketMessages(req.params.ticketId);
-    res.json({ ticket, messages });
-  } catch (err) {
-    res.status(500).json({ error: 'Failed to fetch ticket' });
-  }
-});
-router.put('/support/tickets/:ticketId/status', authenticateToken, async (req, res) => {
-  try {
-    const { status } = req.body;
-    if (!status) return res.status(400).json({ error: 'status is required' });
-    const ok = await premium.updateTicketStatus(req.params.ticketId, req.user.id, status);
-    if (!ok) return res.status(404).json({ error: 'Ticket not found' });
-    res.json({ success: true });
-  } catch (err) {
-    res.status(500).json({ error: 'Failed to update ticket status' });
-  }
-});
-router.post('/support/tickets/:ticketId/messages', authenticateToken, async (req, res) => {
-  try {
-    const { message } = req.body;
-    if (!message) return res.status(400).json({ error: 'message is required' });
-    const msg = await premium.addTicketMessage(req.params.ticketId, {
-      senderType: 'user',
-      senderId: req.user.id,
-      message
-    });
-    const botReply = await premium.generateBotResponse(message);
-    let botMsg = null;
-    if (botReply) {
-      botMsg = await premium.addTicketMessage(req.params.ticketId, {
-        senderType: 'bot',
-        senderId: 'system',
-        message: botReply
-      });
-    }
-    res.status(201).json({ message: msg, botReply: botMsg });
-  } catch (err) {
-    res.status(500).json({ error: 'Failed to add message' });
-  }
-});
-// ─── Custom Script ───────────────────────────────────────────────────────
-router.get('/script/plugins', authenticateToken, async (req, res) => {
-  try {
-    const plugins = await premium.getAvailablePlugins();
-    res.json({ plugins });
-  } catch (err) {
-    res.status(500).json({ error: 'Failed to fetch plugins' });
-  }
-});
-router.get('/script/:siteId/config', authenticateToken, requireSiteOwnership, async (req, res) => {
-  try {
-    const config = await premium.getScriptConfig(req.params.siteId);
-    res.json({ config });
-  } catch (err) {
-    res.status(500).json({ error: 'Failed to fetch script config' });
-  }
-});
-router.put('/script/:siteId/config', authenticateToken, requireSiteOwnership, async (req, res) => {
-  try {
-    const { plugins, minified, ampCompatible, autoPatch, customCss, customJs } = req.body;
-    const config = await premium.updateScriptConfig(req.params.siteId, {
-      plugins, minified, ampCompatible, autoPatch, customCss, customJs
-    });
-    res.json({ config });
-  } catch (err) {
-    res.status(500).json({ error: 'Failed to update script config' });
-  }
-});
-router.post('/script/:siteId/build', authenticateToken, requireSiteOwnership, async (req, res) => {
-  try {
-    const result = await premium.buildScript(req.params.siteId);
-    res.json(result);
-  } catch (err) {
-    res.status(500).json({ error: 'Failed to build script' });
-  }
-});
-// ─── Stealth ─────────────────────────────────────────────────────────────
-router.get('/stealth/:siteId', authenticateToken, requireSiteOwnership, async (req, res) => {
-  try {
-    const profile = await premium.getStealthProfile(req.params.siteId);
-    res.json({ profile });
-  } catch (err) {
-    res.status(500).json({ error: 'Failed to fetch stealth profile' });
-  }
-});
-router.put('/stealth/:siteId', authenticateToken, requireSiteOwnership, async (req, res) => {
-  try {
-    const profile = await premium.upsertStealthProfile(req.params.siteId, req.body);
-    res.json({ profile });
-  } catch (err) {
-    res.status(500).json({ error: 'Failed to update stealth profile' });
-  }
-});
-router.get('/stealth/:siteId/script', authenticateToken, requireSiteOwnership, async (req, res) => {
-  try {
-    const script = await premium.generateStealthScript(req.params.siteId);
-    res.json({ script });
-  } catch (err) {
-    res.status(500).json({ error: 'Failed to generate stealth script' });
-  }
-});
-// ─── CDN ─────────────────────────────────────────────────────────────────
-router.get('/cdn/:siteId', authenticateToken, requireSiteOwnership, async (req, res) => {
-  try {
-    const config = await premium.getCdnConfig(req.params.siteId);
-    res.json({ config });
-  } catch (err) {
-    res.status(500).json({ error: 'Failed to fetch CDN config' });
-  }
-});
-router.put('/cdn/:siteId', authenticateToken, requireSiteOwnership, async (req, res) => {
-  try {
-    const config = await premium.upsertCdnConfig(req.params.siteId, req.body);
-    res.json({ config });
-  } catch (err) {
-    res.status(500).json({ error: 'Failed to update CDN config' });
-  }
-});
-router.get('/cdn/:siteId/stats', authenticateToken, requireSiteOwnership, async (req, res) => {
-  try {
-    const days = req.query.days ? parseInt(req.query.days) : 30;
-    const cdnConfig = await premium.getCdnConfig(req.params.siteId);
-    if (!cdnConfig) return res.status(404).json({ error: 'CDN not configured' });
-    const stats = await premium.getCdnStats(cdnConfig.id, days);
-    res.json({ stats });
-  } catch (err) {
-    res.status(500).json({ error: 'Failed to fetch CDN stats' });
-  }
-});
-// ─── Audit ───────────────────────────────────────────────────────────────
-router.get('/audit/:siteId/logs', authenticateToken, requireSiteOwnership, async (req, res) => {
-  try {
-    const { limit, offset, action, since, until } = req.query;
-    const result = await premium.getAuditLogs(req.params.siteId, {
-      limit: limit ? parseInt(limit) : undefined,
-      offset: offset ? parseInt(offset) : undefined,
-      action,
-      since,
-      until
-    });
-    res.json(result);
-  } catch (err) {
-    res.status(500).json({ error: 'Failed to fetch audit logs' });
-  }
-});
-router.get('/audit/:siteId/compliance', authenticateToken, requireSiteOwnership, async (req, res) => {
-  try {
-    const settings = await premium.getComplianceSettings(req.params.siteId);
-    res.json({ settings });
-  } catch (err) {
-    res.status(500).json({ error: 'Failed to fetch compliance settings' });
-  }
-});
-router.put('/audit/:siteId/compliance', authenticateToken, requireSiteOwnership, async (req, res) => {
-  try {
-    const settings = await premium.upsertComplianceSettings(req.params.siteId, req.body);
-    res.json({ settings });
-  } catch (err) {
-    res.status(500).json({ error: 'Failed to update compliance settings' });
-  }
-});
-router.get('/audit/:siteId/export', authenticateToken, requireSiteOwnership, async (req, res) => {
-  try {
-    const { format, since, until } = req.query;
-    const result = await premium.exportAuditLogs(req.params.siteId, { format, since, until });
-    res.setHeader('Content-Disposition', `attachment; filename="${result.filename}"`);
-    res.setHeader('Content-Type', result.contentType);
-    res.send(result.data);
-  } catch (err) {
-    res.status(500).json({ error: 'Failed to export audit logs' });
-  }
-});
-router.post('/audit/:siteId/purge', authenticateToken, requireSiteOwnership, async (req, res) => {
-  try {
-    const result = await premium.purgeOldLogs(req.params.siteId);
-    res.json(result);
-  } catch (err) {
-    res.status(500).json({ error: 'Failed to purge old logs' });
-  }
-});
-// ─── Sandbox ─────────────────────────────────────────────────────────────
-router.get('/sandbox/:siteId', authenticateToken, requireSiteOwnership, async (req, res) => {
-  try {
-    const sandboxes = await premium.getSandboxes(req.params.siteId);
-    res.json({ sandboxes });
-  } catch (err) {
-    res.status(500).json({ error: 'Failed to fetch sandboxes' });
-  }
-});
-router.post('/sandbox/:siteId', authenticateToken, requireSiteOwnership, async (req, res) => {
-  try {
-    const { name } = req.body;
-    if (!name) return res.status(400).json({ error: 'name is required' });
-    const sandbox = await premium.createSandbox(req.params.siteId, { name });
-    res.status(201).json({ sandbox });
-  } catch (err) {
-    res.status(500).json({ error: 'Failed to create sandbox' });
-  }
-});
-router.delete('/sandbox/:siteId/:sandboxId', authenticateToken, requireSiteOwnership, async (req, res) => {
-  try {
-    const ok = await premium.deleteSandbox(req.params.sandboxId, req.params.siteId);
-    if (!ok) return res.status(404).json({ error: 'Sandbox not found' });
-    res.json({ success: true });
-  } catch (err) {
-    res.status(500).json({ error: 'Failed to delete sandbox' });
-  }
-});
-router.post('/sandbox/:siteId/:sandboxId/simulate', authenticateToken, requireSiteOwnership, async (req, res) => {
-  try {
-    const { agentCount, duration, actionsPerAgent } = req.body;
-    if (!agentCount || !duration) return res.status(400).json({ error: 'agentCount and duration are required' });
-    const result = await premium.simulateTraffic(req.params.sandboxId, { agentCount, duration, actionsPerAgent });
-    res.json({ result });
-  } catch (err) {
-    res.status(500).json({ error: 'Failed to simulate traffic' });
-  }
-});
-router.post('/sandbox/:siteId/:sandboxId/benchmark', authenticateToken, requireSiteOwnership, async (req, res) => {
-  try {
-    const { benchmarkType } = req.body;
-    if (!benchmarkType) return res.status(400).json({ error: 'benchmarkType is required' });
-    const result = await premium.runBenchmark(req.params.sandboxId, { benchmarkType });
-    res.json({ result });
-  } catch (err) {
-    res.status(500).json({ error: 'Failed to run benchmark' });
-  }
-});
-router.get('/sandbox/:siteId/:sandboxId/benchmarks', authenticateToken, requireSiteOwnership, async (req, res) => {
-  try {
-    const benchmarks = await premium.getBenchmarks(req.params.sandboxId);
-    res.json({ benchmarks });
-  } catch (err) {
-    res.status(500).json({ error: 'Failed to fetch benchmarks' });
-  }
-});
-module.exports = router;
+const express = require('express');
+const router = express.Router();
+const { authenticateToken } = require('../middleware/auth');
+const premium = require('../services/premium');
+const { findSiteById, findSitesByUser } = require('../models/db');
+function requireSiteOwnership(req, res, next) {
+  const siteId = req.params.siteId || req.body.siteId;
+  if (!siteId) return res.status(400).json({ error: 'siteId required' });
+  const site = findSiteById.get(siteId);
+  if (!site || site.user_id !== req.user.id) return res.status(403).json({ error: 'Access denied' });
+  req.site = site;
+  next();
+}
+// ─── Traffic Intelligence ────────────────────────────────────────────────
+router.get('/traffic/:siteId/profiles', authenticateToken, requireSiteOwnership, async (req, res) => {
+  try {
+    const { limit, offset, type } = req.query;
+    const profiles = await premium.getAgentProfiles(req.params.siteId, {
+      limit: limit ? parseInt(limit) : undefined,
+      offset: offset ? parseInt(offset) : undefined,
+      type
+    });
+    res.json({ profiles });
+  } catch (err) {
+    res.status(500).json({ error: 'Failed to fetch agent profiles' });
+  }
+});
+router.get('/traffic/:siteId/stats', authenticateToken, requireSiteOwnership, async (req, res) => {
+  try {
+    const days = req.query.days ? parseInt(req.query.days) : 30;
+    const stats = await premium.getTrafficStats(req.params.siteId, days);
+    res.json({ stats });
+  } catch (err) {
+    res.status(500).json({ error: 'Failed to fetch traffic stats' });
+  }
+});
+router.get('/traffic/:siteId/alerts', authenticateToken, requireSiteOwnership, async (req, res) => {
+  try {
+    const { limit, acknowledged } = req.query;
+    const alerts = await premium.getAnomalyAlerts(req.params.siteId, {
+      limit: limit ? parseInt(limit) : undefined,
+      acknowledged: acknowledged !== undefined ? acknowledged === 'true' : undefined
+    });
+    res.json({ alerts });
+  } catch (err) {
+    res.status(500).json({ error: 'Failed to fetch anomaly alerts' });
+  }
+});
+router.post('/traffic/:siteId/alerts/:alertId/acknowledge', authenticateToken, requireSiteOwnership, async (req, res) => {
+  try {
+    const ok = await premium.acknowledgeAlert(req.params.alertId, req.params.siteId);
+    if (!ok) return res.status(404).json({ error: 'Alert not found' });
+    res.json({ success: true });
+  } catch (err) {
+    res.status(500).json({ error: 'Failed to acknowledge alert' });
+  }
+});
+router.post('/traffic/:siteId/check-anomalies', authenticateToken, requireSiteOwnership, async (req, res) => {
+  try {
+    const alerts = await premium.checkForAnomalies(req.params.siteId);
+    res.json({ alerts });
+  } catch (err) {
+    res.status(500).json({ error: 'Failed to check for anomalies' });
+  }
+});
+// ─── Exploit Shield ──────────────────────────────────────────────────────
+router.get('/security/:siteId/events', authenticateToken, requireSiteOwnership, async (req, res) => {
+  try {
+    const { limit, severity, since } = req.query;
+    const events = await premium.getSecurityEvents(req.params.siteId, {
+      limit: limit ? parseInt(limit) : undefined,
+      severity,
+      since
+    });
+    res.json({ events });
+  } catch (err) {
+    res.status(500).json({ error: 'Failed to fetch security events' });
+  }
+});
+router.get('/security/:siteId/report', authenticateToken, requireSiteOwnership, async (req, res) => {
+  try {
+    const days = req.query.days ? parseInt(req.query.days) : 30;
+    const report = await premium.getSecurityReport(req.params.siteId, days);
+    res.json({ report });
+  } catch (err) {
+    res.status(500).json({ error: 'Failed to generate security report' });
+  }
+});
+router.get('/security/:siteId/blocked', authenticateToken, requireSiteOwnership, async (req, res) => {
+  try {
+    const blocked = await premium.getBlockedAgents(req.params.siteId);
+    res.json({ blocked });
+  } catch (err) {
+    res.status(500).json({ error: 'Failed to fetch blocked agents' });
+  }
+});
+router.post('/security/:siteId/block', authenticateToken, requireSiteOwnership, async (req, res) => {
+  try {
+    const { agentSignature, reason, expiresAt } = req.body;
+    if (!agentSignature) return res.status(400).json({ error: 'agentSignature is required' });
+    const record = await premium.blockAgent(req.params.siteId, { agentSignature, reason, expiresAt });
+    res.status(201).json({ blocked: record });
+  } catch (err) {
+    res.status(500).json({ error: 'Failed to block agent' });
+  }
+});
+router.delete('/security/:siteId/block/:blockId', authenticateToken, requireSiteOwnership, async (req, res) => {
+  try {
+    const ok = await premium.unblockAgent(req.params.blockId, req.params.siteId);
+    if (!ok) return res.status(404).json({ error: 'Block record not found' });
+    res.json({ success: true });
+  } catch (err) {
+    res.status(500).json({ error: 'Failed to unblock agent' });
+  }
+});
+// ─── Actions Library ─────────────────────────────────────────────────────
+router.get('/actions/packs', authenticateToken, async (req, res) => {
+  try {
+    const { platform, tier } = req.query;
+    const packs = await premium.getActionPacks({
+      platform,
+      tierRequired: tier
+    });
+    res.json({ packs });
+  } catch (err) {
+    res.status(500).json({ error: 'Failed to fetch action packs' });
+  }
+});
+router.get('/actions/packs/:packId', authenticateToken, async (req, res) => {
+  try {
+    const pack = await premium.getActionPack(req.params.packId);
+    if (!pack) return res.status(404).json({ error: 'Pack not found' });
+    res.json({ pack });
+  } catch (err) {
+    res.status(500).json({ error: 'Failed to fetch action pack' });
+  }
+});
+router.get('/actions/packs/:packId/actions', authenticateToken, async (req, res) => {
+  try {
+    const actions = await premium.getPackActions(req.params.packId);
+    res.json({ actions });
+  } catch (err) {
+    res.status(500).json({ error: 'Failed to fetch pack actions' });
+  }
+});
+router.get('/actions/:siteId/installed', authenticateToken, requireSiteOwnership, async (req, res) => {
+  try {
+    const installed = await premium.getInstalledPacks(req.params.siteId);
+    res.json({ installed });
+  } catch (err) {
+    res.status(500).json({ error: 'Failed to fetch installed packs' });
+  }
+});
+router.post('/actions/:siteId/install', authenticateToken, requireSiteOwnership, async (req, res) => {
+  try {
+    const { packId, config } = req.body;
+    if (!packId) return res.status(400).json({ error: 'packId is required' });
+    const installation = await premium.installPack(req.params.siteId, packId, config);
+    res.status(201).json({ installation });
+  } catch (err) {
+    res.status(500).json({ error: 'Failed to install pack' });
+  }
+});
+router.delete('/actions/:siteId/install/:installId', authenticateToken, requireSiteOwnership, async (req, res) => {
+  try {
+    const ok = await premium.uninstallPack(req.params.installId, req.params.siteId);
+    if (!ok) return res.status(404).json({ error: 'Installation not found' });
+    res.json({ success: true });
+  } catch (err) {
+    res.status(500).json({ error: 'Failed to uninstall pack' });
+  }
+});
+// ─── Custom Agents ───────────────────────────────────────────────────────
+router.get('/agents/:siteId', authenticateToken, requireSiteOwnership, async (req, res) => {
+  try {
+    const agents = await premium.getAgents(req.user.id, req.params.siteId);
+    res.json({ agents });
+  } catch (err) {
+    res.status(500).json({ error: 'Failed to fetch agents' });
+  }
+});
+router.post('/agents/:siteId', authenticateToken, requireSiteOwnership, async (req, res) => {
+  try {
+    const { name, description, steps, schedule } = req.body;
+    if (!name || !steps) return res.status(400).json({ error: 'name and steps are required' });
+    const agent = await premium.createAgent(req.user.id, req.params.siteId, { name, description, steps, schedule });
+    res.status(201).json({ agent });
+  } catch (err) {
+    res.status(500).json({ error: 'Failed to create agent' });
+  }
+});
+router.get('/agents/:siteId/:agentId', authenticateToken, requireSiteOwnership, async (req, res) => {
+  try {
+    const agent = await premium.getAgent(req.params.agentId, req.user.id);
+    if (!agent) return res.status(404).json({ error: 'Agent not found' });
+    res.json({ agent });
+  } catch (err) {
+    res.status(500).json({ error: 'Failed to fetch agent' });
+  }
+});
+router.put('/agents/:siteId/:agentId', authenticateToken, requireSiteOwnership, async (req, res) => {
+  try {
+    const { name, description, steps, schedule } = req.body;
+    const ok = await premium.updateAgent(req.params.agentId, req.user.id, { name, description, steps, schedule });
+    if (!ok) return res.status(404).json({ error: 'Agent not found' });
+    res.json({ success: true });
+  } catch (err) {
+    res.status(500).json({ error: 'Failed to update agent' });
+  }
+});
+router.delete('/agents/:siteId/:agentId', authenticateToken, requireSiteOwnership, async (req, res) => {
+  try {
+    const ok = await premium.deleteAgent(req.params.agentId, req.user.id);
+    if (!ok) return res.status(404).json({ error: 'Agent not found' });
+    res.json({ success: true });
+  } catch (err) {
+    res.status(500).json({ error: 'Failed to delete agent' });
+  }
+});
+router.post('/agents/:siteId/:agentId/run', authenticateToken, requireSiteOwnership, async (req, res) => {
+  try {
+    const result = await premium.runAgent(req.params.agentId, req.user.id);
+    res.json({ result });
+  } catch (err) {
+    res.status(500).json({ error: 'Failed to run agent' });
+  }
+});
+router.get('/agents/:siteId/:agentId/runs', authenticateToken, requireSiteOwnership, async (req, res) => {
+  try {
+    const { limit } = req.query;
+    const runs = await premium.getAgentRuns(req.params.agentId, {
+      limit: limit ? parseInt(limit) : undefined
+    });
+    res.json({ runs });
+  } catch (err) {
+    res.status(500).json({ error: 'Failed to fetch agent runs' });
+  }
+});
+// ─── Webhooks & CRM ─────────────────────────────────────────────────────
+router.get('/webhooks/:siteId', authenticateToken, requireSiteOwnership, async (req, res) => {
+  try {
+    const webhooks = await premium.getWebhooks(req.params.siteId);
+    res.json({ webhooks });
+  } catch (err) {
+    res.status(500).json({ error: 'Failed to fetch webhooks' });
+  }
+});
+router.post('/webhooks/:siteId', authenticateToken, requireSiteOwnership, async (req, res) => {
+  try {
+    const { name, url, events, secret } = req.body;
+    if (!name || !url || !events) return res.status(400).json({ error: 'name, url, and events are required' });
+    const webhook = await premium.createWebhook(req.params.siteId, { name, url, events, secret });
+    res.status(201).json({ webhook });
+  } catch (err) {
+    res.status(500).json({ error: 'Failed to create webhook' });
+  }
+});
+router.put('/webhooks/:siteId/:webhookId', authenticateToken, requireSiteOwnership, async (req, res) => {
+  try {
+    const { name, url, events, secret, active } = req.body;
+    const ok = await premium.updateWebhook(req.params.webhookId, req.params.siteId, { name, url, events, secret, active });
+    if (!ok) return res.status(404).json({ error: 'Webhook not found' });
+    res.json({ success: true });
+  } catch (err) {
+    res.status(500).json({ error: 'Failed to update webhook' });
+  }
+});
+router.delete('/webhooks/:siteId/:webhookId', authenticateToken, requireSiteOwnership, async (req, res) => {
+  try {
+    const ok = await premium.deleteWebhook(req.params.webhookId, req.params.siteId);
+    if (!ok) return res.status(404).json({ error: 'Webhook not found' });
+    res.json({ success: true });
+  } catch (err) {
+    res.status(500).json({ error: 'Failed to delete webhook' });
+  }
+});
+router.get('/webhooks/:siteId/:webhookId/logs', authenticateToken, requireSiteOwnership, async (req, res) => {
+  try {
+    const { limit } = req.query;
+    const logs = await premium.getWebhookLogs(req.params.webhookId, {
+      limit: limit ? parseInt(limit) : undefined
+    });
+    res.json({ logs });
+  } catch (err) {
+    res.status(500).json({ error: 'Failed to fetch webhook logs' });
+  }
+});
+router.post('/webhooks/:siteId/test', authenticateToken, requireSiteOwnership, async (req, res) => {
+  try {
+    const { eventType, payload } = req.body;
+    if (!eventType) return res.status(400).json({ error: 'eventType is required' });
+    const results = await premium.triggerWebhooks(req.params.siteId, eventType, payload || {});
+    res.json({ results });
+  } catch (err) {
+    res.status(500).json({ error: 'Failed to trigger webhooks' });
+  }
+});
+router.get('/crm/:siteId', authenticateToken, requireSiteOwnership, async (req, res) => {
+  try {
+    const integrations = await premium.getCrmIntegrations(req.params.siteId);
+    res.json({ integrations });
+  } catch (err) {
+    res.status(500).json({ error: 'Failed to fetch CRM integrations' });
+  }
+});
+router.post('/crm/:siteId', authenticateToken, requireSiteOwnership, async (req, res) => {
+  try {
+    const { provider, config } = req.body;
+    if (!provider || !config) return res.status(400).json({ error: 'provider and config are required' });
+    const integration = await premium.addCrmIntegration(req.params.siteId, { provider, config });
+    res.status(201).json({ integration });
+  } catch (err) {
+    res.status(500).json({ error: 'Failed to add CRM integration' });
+  }
+});
+router.put('/crm/:siteId/:integrationId', authenticateToken, requireSiteOwnership, async (req, res) => {
+  try {
+    const { provider, config, active } = req.body;
+    const ok = await premium.updateCrmIntegration(req.params.integrationId, req.params.siteId, { provider, config, active });
+    if (!ok) return res.status(404).json({ error: 'Integration not found' });
+    res.json({ success: true });
+  } catch (err) {
+    res.status(500).json({ error: 'Failed to update CRM integration' });
+  }
+});
+router.delete('/crm/:siteId/:integrationId', authenticateToken, requireSiteOwnership, async (req, res) => {
+  try {
+    const ok = await premium.deleteCrmIntegration(req.params.integrationId, req.params.siteId);
+    if (!ok) return res.status(404).json({ error: 'Integration not found' });
+    res.json({ success: true });
+  } catch (err) {
+    res.status(500).json({ error: 'Failed to delete CRM integration' });
+  }
+});
+// ─── Multi-Tenant ────────────────────────────────────────────────────────
+router.get('/team', authenticateToken, async (req, res) => {
+  try {
+    const subUsers = await premium.getSubUsers(req.user.id);
+    res.json({ subUsers });
+  } catch (err) {
+    res.status(500).json({ error: 'Failed to fetch team members' });
+  }
+});
+router.post('/team', authenticateToken, async (req, res) => {
+  try {
+    const { email, name, password, role, siteAccess, quotaActionsMonth } = req.body;
+    if (!email || !name || !password) return res.status(400).json({ error: 'email, name, and password are required' });
+    const subUser = await premium.inviteSubUser(req.user.id, { email, name, password, role, siteAccess, quotaActionsMonth });
+    res.status(201).json({ subUser });
+  } catch (err) {
+    res.status(500).json({ error: 'Failed to invite team member' });
+  }
+});
+router.put('/team/:subUserId', authenticateToken, async (req, res) => {
+  try {
+    const { name, role, siteAccess, quotaActionsMonth, active } = req.body;
+    const ok = await premium.updateSubUser(req.params.subUserId, req.user.id, { name, role, siteAccess, quotaActionsMonth, active });
+    if (!ok) return res.status(404).json({ error: 'Team member not found' });
+    res.json({ success: true });
+  } catch (err) {
+    res.status(500).json({ error: 'Failed to update team member' });
+  }
+});
+router.delete('/team/:subUserId', authenticateToken, async (req, res) => {
+  try {
+    const ok = await premium.deleteSubUser(req.params.subUserId, req.user.id);
+    if (!ok) return res.status(404).json({ error: 'Team member not found' });
+    res.json({ success: true });
+  } catch (err) {
+    res.status(500).json({ error: 'Failed to delete team member' });
+  }
+});
+// ─── Support ─────────────────────────────────────────────────────────────
+router.get('/support/tickets', authenticateToken, async (req, res) => {
+  try {
+    const { status, limit } = req.query;
+    const tickets = await premium.getTickets(req.user.id, {
+      status,
+      limit: limit ? parseInt(limit) : undefined
+    });
+    res.json({ tickets });
+  } catch (err) {
+    res.status(500).json({ error: 'Failed to fetch tickets' });
+  }
+});
+router.post('/support/tickets', authenticateToken, async (req, res) => {
+  try {
+    const { subject, priority, category } = req.body;
+    if (!subject) return res.status(400).json({ error: 'subject is required' });
+    const ticket = await premium.createTicket(req.user.id, { subject, priority, category });
+    res.status(201).json({ ticket });
+  } catch (err) {
+    res.status(500).json({ error: 'Failed to create ticket' });
+  }
+});
+router.get('/support/stats', authenticateToken, async (req, res) => {
+  try {
+    const stats = await premium.getTicketStats(req.user.id);
+    res.json({ stats });
+  } catch (err) {
+    res.status(500).json({ error: 'Failed to fetch ticket stats' });
+  }
+});
+router.get('/support/tickets/:ticketId', authenticateToken, async (req, res) => {
+  try {
+    const ticket = await premium.getTicket(req.params.ticketId, req.user.id);
+    if (!ticket) return res.status(404).json({ error: 'Ticket not found' });
+    const messages = await premium.getTicketMessages(req.params.ticketId);
+    res.json({ ticket, messages });
+  } catch (err) {
+    res.status(500).json({ error: 'Failed to fetch ticket' });
+  }
+});
+router.put('/support/tickets/:ticketId/status', authenticateToken, async (req, res) => {
+  try {
+    const { status } = req.body;
+    if (!status) return res.status(400).json({ error: 'status is required' });
+    const ok = await premium.updateTicketStatus(req.params.ticketId, req.user.id, status);
+    if (!ok) return res.status(404).json({ error: 'Ticket not found' });
+    res.json({ success: true });
+  } catch (err) {
+    res.status(500).json({ error: 'Failed to update ticket status' });
+  }
+});
+router.post('/support/tickets/:ticketId/messages', authenticateToken, async (req, res) => {
+  try {
+    const { message } = req.body;
+    if (!message) return res.status(400).json({ error: 'message is required' });
+    const msg = await premium.addTicketMessage(req.params.ticketId, {
+      senderType: 'user',
+      senderId: req.user.id,
+      message
+    });
+    const botReply = await premium.generateBotResponse(message);
+    let botMsg = null;
+    if (botReply) {
+      botMsg = await premium.addTicketMessage(req.params.ticketId, {
+        senderType: 'bot',
+        senderId: 'system',
+        message: botReply
+      });
+    }
+    res.status(201).json({ message: msg, botReply: botMsg });
+  } catch (err) {
+    res.status(500).json({ error: 'Failed to add message' });
+  }
+});
+// ─── Custom Script ───────────────────────────────────────────────────────
+router.get('/script/plugins', authenticateToken, async (req, res) => {
+  try {
+    const plugins = await premium.getAvailablePlugins();
+    res.json({ plugins });
+  } catch (err) {
+    res.status(500).json({ error: 'Failed to fetch plugins' });
+  }
+});
+router.get('/script/:siteId/config', authenticateToken, requireSiteOwnership, async (req, res) => {
+  try {
+    const config = await premium.getScriptConfig(req.params.siteId);
+    res.json({ config });
+  } catch (err) {
+    res.status(500).json({ error: 'Failed to fetch script config' });
+  }
+});
+router.put('/script/:siteId/config', authenticateToken, requireSiteOwnership, async (req, res) => {
+  try {
+    const { plugins, minified, ampCompatible, autoPatch, customCss, customJs } = req.body;
+    const config = await premium.updateScriptConfig(req.params.siteId, {
+      plugins, minified, ampCompatible, autoPatch, customCss, customJs
+    });
+    res.json({ config });
+  } catch (err) {
+    res.status(500).json({ error: 'Failed to update script config' });
+  }
+});
+router.post('/script/:siteId/build', authenticateToken, requireSiteOwnership, async (req, res) => {
+  try {
+    const result = await premium.buildScript(req.params.siteId);
+    res.json(result);
+  } catch (err) {
+    res.status(500).json({ error: 'Failed to build script' });
+  }
+});
+// ─── Stealth ─────────────────────────────────────────────────────────────
+router.get('/stealth/:siteId', authenticateToken, requireSiteOwnership, async (req, res) => {
+  try {
+    const profile = await premium.getStealthProfile(req.params.siteId);
+    res.json({ profile });
+  } catch (err) {
+    res.status(500).json({ error: 'Failed to fetch stealth profile' });
+  }
+});
+router.put('/stealth/:siteId', authenticateToken, requireSiteOwnership, async (req, res) => {
+  try {
+    const profile = await premium.upsertStealthProfile(req.params.siteId, req.body);
+    res.json({ profile });
+  } catch (err) {
+    res.status(500).json({ error: 'Failed to update stealth profile' });
+  }
+});
+router.get('/stealth/:siteId/script', authenticateToken, requireSiteOwnership, async (req, res) => {
+  try {
+    const script = await premium.generateStealthScript(req.params.siteId);
+    res.json({ script });
+  } catch (err) {
+    res.status(500).json({ error: 'Failed to generate stealth script' });
+  }
+});
+// ─── CDN ─────────────────────────────────────────────────────────────────
+router.get('/cdn/:siteId', authenticateToken, requireSiteOwnership, async (req, res) => {
+  try {
+    const config = await premium.getCdnConfig(req.params.siteId);
+    res.json({ config });
+  } catch (err) {
+    res.status(500).json({ error: 'Failed to fetch CDN config' });
+  }
+});
+router.put('/cdn/:siteId', authenticateToken, requireSiteOwnership, async (req, res) => {
+  try {
+    const config = await premium.upsertCdnConfig(req.params.siteId, req.body);
+    res.json({ config });
+  } catch (err) {
+    res.status(500).json({ error: 'Failed to update CDN config' });
+  }
+});
+router.get('/cdn/:siteId/stats', authenticateToken, requireSiteOwnership, async (req, res) => {
+  try {
+    const days = req.query.days ? parseInt(req.query.days) : 30;
+    const cdnConfig = await premium.getCdnConfig(req.params.siteId);
+    if (!cdnConfig) return res.status(404).json({ error: 'CDN not configured' });
+    const stats = await premium.getCdnStats(cdnConfig.id, days);
+    res.json({ stats });
+  } catch (err) {
+    res.status(500).json({ error: 'Failed to fetch CDN stats' });
+  }
+});
+// ─── Audit ───────────────────────────────────────────────────────────────
+router.get('/audit/:siteId/logs', authenticateToken, requireSiteOwnership, async (req, res) => {
+  try {
+    const { limit, offset, action, since, until } = req.query;
+    const result = await premium.getAuditLogs(req.params.siteId, {
+      limit: limit ? parseInt(limit) : undefined,
+      offset: offset ? parseInt(offset) : undefined,
+      action,
+      since,
+      until
+    });
+    res.json(result);
+  } catch (err) {
+    res.status(500).json({ error: 'Failed to fetch audit logs' });
+  }
+});
+router.get('/audit/:siteId/compliance', authenticateToken, requireSiteOwnership, async (req, res) => {
+  try {
+    const settings = await premium.getComplianceSettings(req.params.siteId);
+    res.json({ settings });
+  } catch (err) {
+    res.status(500).json({ error: 'Failed to fetch compliance settings' });
+  }
+});
+router.put('/audit/:siteId/compliance', authenticateToken, requireSiteOwnership, async (req, res) => {
+  try {
+    const settings = await premium.upsertComplianceSettings(req.params.siteId, req.body);
+    res.json({ settings });
+  } catch (err) {
+    res.status(500).json({ error: 'Failed to update compliance settings' });
+  }
+});
+router.get('/audit/:siteId/export', authenticateToken, requireSiteOwnership, async (req, res) => {
+  try {
+    const { format, since, until } = req.query;
+    const result = await premium.exportAuditLogs(req.params.siteId, { format, since, until });
+    res.setHeader('Content-Disposition', `attachment; filename="${result.filename}"`);
+    res.setHeader('Content-Type', result.contentType);
+    res.send(result.data);
+  } catch (err) {
+    res.status(500).json({ error: 'Failed to export audit logs' });
+  }
+});
+router.post('/audit/:siteId/purge', authenticateToken, requireSiteOwnership, async (req, res) => {
+  try {
+    const result = await premium.purgeOldLogs(req.params.siteId);
+    res.json(result);
+  } catch (err) {
+    res.status(500).json({ error: 'Failed to purge old logs' });
+  }
+});
+// ─── Sandbox ─────────────────────────────────────────────────────────────
+router.get('/sandbox/:siteId', authenticateToken, requireSiteOwnership, async (req, res) => {
+  try {
+    const sandboxes = await premium.getSandboxes(req.params.siteId);
+    res.json({ sandboxes });
+  } catch (err) {
+    res.status(500).json({ error: 'Failed to fetch sandboxes' });
+  }
+});
+router.post('/sandbox/:siteId', authenticateToken, requireSiteOwnership, async (req, res) => {
+  try {
+    const { name } = req.body;
+    if (!name) return res.status(400).json({ error: 'name is required' });
+    const sandbox = await premium.createSandbox(req.params.siteId, { name });
+    res.status(201).json({ sandbox });
+  } catch (err) {
+    res.status(500).json({ error: 'Failed to create sandbox' });
+  }
+});
+router.delete('/sandbox/:siteId/:sandboxId', authenticateToken, requireSiteOwnership, async (req, res) => {
+  try {
+    const ok = await premium.deleteSandbox(req.params.sandboxId, req.params.siteId);
+    if (!ok) return res.status(404).json({ error: 'Sandbox not found' });
+    res.json({ success: true });
+  } catch (err) {
+    res.status(500).json({ error: 'Failed to delete sandbox' });
+  }
+});
+router.post('/sandbox/:siteId/:sandboxId/simulate', authenticateToken, requireSiteOwnership, async (req, res) => {
+  try {
+    const { agentCount, duration, actionsPerAgent } = req.body;
+    if (!agentCount || !duration) return res.status(400).json({ error: 'agentCount and duration are required' });
+    const result = await premium.simulateTraffic(req.params.sandboxId, { agentCount, duration, actionsPerAgent });
+    res.json({ result });
+  } catch (err) {
+    res.status(500).json({ error: 'Failed to simulate traffic' });
+  }
+});
+router.post('/sandbox/:siteId/:sandboxId/benchmark', authenticateToken, requireSiteOwnership, async (req, res) => {
+  try {
+    const { benchmarkType } = req.body;
+    if (!benchmarkType) return res.status(400).json({ error: 'benchmarkType is required' });
+    const result = await premium.runBenchmark(req.params.sandboxId, { benchmarkType });
+    res.json({ result });
+  } catch (err) {
+    res.status(500).json({ error: 'Failed to run benchmark' });
+  }
+});
+router.get('/sandbox/:siteId/:sandboxId/benchmarks', authenticateToken, requireSiteOwnership, async (req, res) => {
+  try {
+    const benchmarks = await premium.getBenchmarks(req.params.sandboxId);
+    res.json({ benchmarks });
+  } catch (err) {
+    res.status(500).json({ error: 'Failed to fetch benchmarks' });
+  }
+});
+module.exports = router;