npm - web-agent-bridge - Versions diffs - 3.4.0 → 3.9.0 - Mend

web-agent-bridge 3.4.0 → 3.9.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (315) hide show

package/LICENSE +84 -84
package/README.ar.md +1565 -1304
package/README.md +171 -298
package/bin/agent-runner.js +474 -474
package/bin/cli.js +237 -237
package/bin/wab-init.js +244 -223
package/bin/wab.js +80 -80
package/examples/azure-dns-wab.js +83 -83
package/examples/bidi-agent.js +119 -119
package/examples/cloudflare-wab-dns.js +121 -121
package/examples/cpanel-wab-dns.js +114 -114
package/examples/cross-site-agent.js +91 -91
package/examples/dns-discovery-agent.js +166 -166
package/examples/gcp-dns-wab.js +76 -76
package/examples/governance-agent.js +169 -169
package/examples/mcp-agent.js +94 -94
package/examples/next-app-router/README.md +44 -44
package/examples/plesk-wab-dns.js +103 -103
package/examples/puppeteer-agent.js +108 -108
package/examples/route53-wab-dns.js +144 -144
package/examples/saas-dashboard/README.md +55 -55
package/examples/safe-mode-agent.js +96 -96
package/examples/self-discovery.js +106 -0
package/examples/shopify-hydrogen/README.md +74 -74
package/examples/vision-agent.js +171 -171
package/examples/wab-sign.js +74 -74
package/examples/wab-verify.js +60 -60
package/examples/wordpress-elementor/README.md +77 -77
package/package.json +93 -93
package/public/.well-known/agent-tools.json +180 -180
package/public/.well-known/ai-assets.json +59 -59
package/public/.well-known/security.txt +8 -8
package/public/.well-known/wab.json +28 -28
package/public/activate.html +448 -368
package/public/adopt.html +236 -0
package/public/adoption-metrics.html +188 -188
package/public/agent-workspace.html +359 -349
package/public/ai.html +198 -198
package/public/api.html +397 -413
package/public/atp.html +171 -0
package/public/azure-dns-integration.html +289 -289
package/public/browser.html +486 -486
package/public/cloudflare-integration.html +380 -380
package/public/commander-dashboard.html +243 -243
package/public/cookies.html +210 -210
package/public/cpanel-integration.html +398 -398
package/public/css/agent-workspace.css +1713 -1713
package/public/css/premium.css +317 -317
package/public/css/styles.css +1401 -1263
package/public/dashboard-shieldlink.html +295 -0
package/public/dashboard.html +711 -707
package/public/dns.html +436 -436
package/public/docs.html +588 -588
package/public/enterprise-mesh.ar.html +80 -0
package/public/enterprise-mesh.html +81 -0
package/public/feed.xml +89 -89
package/public/gcp-dns-integration.html +318 -318
package/public/governance.ar.html +70 -0
package/public/governance.html +69 -0
package/public/growth.html +465 -465
package/public/index.html +1372 -1266
package/public/integrations.html +556 -556
package/public/js/activate.js +449 -145
package/public/js/agent-workspace.js +1740 -1740
package/public/js/auth-nav.js +117 -65
package/public/js/auth-redirect.js +12 -12
package/public/js/cookie-consent.js +56 -56
package/public/js/dns.js +438 -438
package/public/js/wab-demo-page.js +721 -721
package/public/js/ws-client.js +74 -74
package/public/l-preview.html +242 -0
package/public/llms-full.txt +360 -360
package/public/llms.txt +125 -125
package/public/login.html +85 -85
package/public/mesh-dashboard.html +328 -328
package/public/milestones.html +346 -0
package/public/one-click.html +779 -0
package/public/openapi.json +669 -669
package/public/partners.ar.html +145 -0
package/public/partners.html +143 -0
package/public/phone-shield.html +281 -281
package/public/plesk-integration.html +375 -375
package/public/premium-dashboard.html +2489 -2489
package/public/premium.html +793 -793
package/public/privacy.html +297 -297
package/public/provider-onboarding.html +172 -172
package/public/provider-sandbox.html +134 -134
package/public/providers.html +359 -359
package/public/refusals.html +172 -0
package/public/register.html +105 -105
package/public/registrar-integrations.html +141 -141
package/public/ring4.html +292 -0
package/public/robots.txt +99 -99
package/public/route53-integration.html +531 -531
package/public/score.html +263 -0
package/public/script/wab-consent.d.ts +36 -36
package/public/script/wab-consent.js +104 -104
package/public/script/wab-schema.js +131 -131
package/public/script/wab.d.ts +108 -108
package/public/script/wab.min.js +580 -580
package/public/security.txt +8 -8
package/public/shieldlink.html +244 -0
package/public/shieldqr.html +231 -231
package/public/sitemap.xml +13 -1
package/public/terms.html +256 -256
package/public/trust-graph-api.ar.html +92 -0
package/public/trust-graph-api.html +91 -0
package/public/wab-features.html +560 -0
package/public/wab-trust.html +200 -200
package/public/wab-truth.html +375 -0
package/public/wab-vs-protocols.html +210 -210
package/public/whitepaper.html +449 -449
package/script/ai-agent-bridge.js +1754 -1754
package/sdk/README.md +99 -99
package/sdk/agent-mesh.js +449 -449
package/sdk/atp.js +103 -0
package/sdk/auto-discovery.js +301 -288
package/sdk/commander.js +262 -262
package/sdk/governance.js +262 -262
package/sdk/index.d.ts +464 -464
package/sdk/index.js +653 -649
package/sdk/multi-agent.js +318 -318
package/sdk/safe-mode.js +221 -221
package/sdk/safety-shield.js +219 -219
package/sdk/schema-discovery.js +83 -83
package/server/adapters/index.js +520 -520
package/server/config/plans.js +412 -367
package/server/config/secrets.js +102 -102
package/server/control-plane/index.js +301 -301
package/server/data-plane/index.js +354 -354
package/server/index.js +793 -670
package/server/llm/index.js +404 -404
package/server/middleware/adminAuth.js +35 -35
package/server/middleware/api-tier.js +170 -0
package/server/middleware/auth.js +50 -50
package/server/middleware/featureGate.js +88 -88
package/server/middleware/rateLimits.js +100 -100
package/server/middleware/sensitiveAction.js +157 -157
package/server/middleware/wab-trust.js +141 -0
package/server/migrations/001_add_analytics_indexes.sql +7 -7
package/server/migrations/002_premium_features.sql +418 -418
package/server/migrations/003_ads_integer_cents.sql +33 -33
package/server/migrations/004_agent_os.sql +158 -158
package/server/migrations/005_marketplace_metering.sql +126 -126
package/server/migrations/006_growth_suite.sql +138 -0
package/server/migrations/007_governance.sql +106 -106
package/server/migrations/008_plans.sql +144 -144
package/server/migrations/009_shieldqr.sql +30 -30
package/server/migrations/010_extended_trust.sql +33 -33
package/server/migrations/011_outreach.sql +47 -0
package/server/migrations/012_shieldlink.sql +116 -0
package/server/migrations/013_ct_monitor.sql +13 -0
package/server/migrations/014_wab_advanced_features.sql +128 -0
package/server/migrations/015_wab_truth_layer.sql +101 -0
package/server/migrations/016_ring4_external_trust.sql +84 -0
package/server/migrations/017_ring4_extensions.sql +69 -0
package/server/migrations/018_commercial_foundations.sql +167 -0
package/server/migrations/019_unify_tier_constraints.sql +133 -0
package/server/migrations/020_agent_transaction_primitive.sql +119 -0
package/server/models/adapters/index.js +33 -33
package/server/models/adapters/mysql.js +183 -183
package/server/models/adapters/postgresql.js +172 -172
package/server/models/adapters/sqlite.js +7 -7
package/server/models/db.js +740 -740
package/server/observability/failure-analysis.js +337 -337
package/server/observability/index.js +394 -394
package/server/protocol/capabilities.js +223 -223
package/server/protocol/index.js +243 -243
package/server/protocol/schema.js +584 -584
package/server/registry/certification.js +271 -271
package/server/registry/index.js +326 -326
package/server/routes/activate.js +478 -0
package/server/routes/admin-outreach.js +239 -0
package/server/routes/admin-plans.js +76 -76
package/server/routes/admin-premium.js +674 -673
package/server/routes/admin-shieldlink.js +137 -0
package/server/routes/admin-shieldqr.js +90 -90
package/server/routes/admin-trust-monitor.js +139 -83
package/server/routes/admin.js +550 -549
package/server/routes/adopt.js +61 -0
package/server/routes/ads.js +130 -130
package/server/routes/agent-workspace.js +540 -540
package/server/routes/api-keys.js +127 -0
package/server/routes/api.js +150 -150
package/server/routes/auth.js +71 -71
package/server/routes/billing.js +57 -57
package/server/routes/commander.js +316 -316
package/server/routes/customer-shieldlink.js +133 -0
package/server/routes/demo-showcase.js +332 -332
package/server/routes/demo-store.js +154 -154
package/server/routes/diagnose.js +373 -0
package/server/routes/discovery.js +2348 -2348
package/server/routes/enterprise-mesh.js +170 -0
package/server/routes/gateway.js +173 -173
package/server/routes/governance-saas.js +203 -0
package/server/routes/governance.js +208 -208
package/server/routes/growth.js +1048 -0
package/server/routes/intent.js +328 -0
package/server/routes/license.js +251 -251
package/server/routes/mesh.js +469 -469
package/server/routes/noscript.js +543 -543
package/server/routes/partners.js +201 -0
package/server/routes/plans.js +33 -33
package/server/routes/premium-v2.js +686 -686
package/server/routes/premium.js +724 -724
package/server/routes/providers.js +650 -650
package/server/routes/reputation.js +411 -0
package/server/routes/ring4.js +885 -0
package/server/routes/runtime.js +2148 -2148
package/server/routes/shieldlink.js +70 -0
package/server/routes/shieldqr.js +88 -88
package/server/routes/sovereign.js +465 -465
package/server/routes/transactions.js +233 -0
package/server/routes/truth-layer.js +670 -0
package/server/routes/universal.js +200 -200
package/server/routes/unsubscribe.js +51 -0
package/server/routes/wab-api.js +850 -850
package/server/routes/wab-cache.js +282 -0
package/server/runtime/container-worker.js +111 -111
package/server/runtime/container.js +448 -448
package/server/runtime/distributed-worker.js +362 -362
package/server/runtime/event-bus.js +210 -210
package/server/runtime/index.js +253 -253
package/server/runtime/queue.js +599 -599
package/server/runtime/replay.js +666 -666
package/server/runtime/sandbox.js +266 -266
package/server/runtime/scheduler.js +534 -534
package/server/runtime/session-engine.js +293 -293
package/server/runtime/state-manager.js +188 -188
package/server/secrets/wab-signing-key.pem +3 -0
package/server/secrets/wab-signing-pub.pem +3 -0
package/server/security/cross-site-redactor.js +196 -196
package/server/security/dry-run.js +180 -180
package/server/security/human-gate-rate-limit.js +147 -147
package/server/security/human-gate-transports.js +178 -178
package/server/security/human-gate.js +281 -281
package/server/security/index.js +368 -368
package/server/security/intent-engine.js +245 -245
package/server/security/reward-guard.js +171 -171
package/server/security/rollback-store.js +239 -239
package/server/security/token-scope.js +404 -404
package/server/security/url-policy.js +139 -139
package/server/services/adoption-agent.js +182 -0
package/server/services/agent-chat.js +506 -506
package/server/services/agent-learning.js +601 -601
package/server/services/agent-memory.js +625 -625
package/server/services/agent-mesh.js +555 -555
package/server/services/agent-symphony.js +717 -717
package/server/services/agent-tasks.js +1807 -1807
package/server/services/api-key-engine.js +292 -292
package/server/services/cluster.js +894 -894
package/server/services/commander.js +738 -738
package/server/services/edge-compute.js +440 -440
package/server/services/email.js +233 -233
package/server/services/fairness-engine.js +409 -0
package/server/services/fairness.js +420 -0
package/server/services/governance.js +466 -466
package/server/services/hosted-runtime.js +205 -205
package/server/services/lfd.js +635 -635
package/server/services/local-ai.js +389 -389
package/server/services/marketplace.js +270 -270
package/server/services/metering.js +182 -182
package/server/services/modules/affiliate-intelligence.js +93 -93
package/server/services/modules/agent-firewall.js +90 -90
package/server/services/modules/bounty.js +89 -89
package/server/services/modules/collective-bargaining.js +92 -92
package/server/services/modules/dark-pattern.js +66 -66
package/server/services/modules/gov-intelligence.js +45 -45
package/server/services/modules/neural.js +55 -55
package/server/services/modules/notary.js +49 -49
package/server/services/modules/price-time-machine.js +86 -86
package/server/services/modules/protocol.js +104 -104
package/server/services/negotiation.js +439 -439
package/server/services/outreach-agent.js +312 -0
package/server/services/plans.js +214 -214
package/server/services/plugins.js +771 -771
package/server/services/price-intelligence.js +566 -566
package/server/services/price-shield.js +1137 -1137
package/server/services/provider-clients.js +740 -740
package/server/services/reputation.js +465 -465
package/server/services/search-engine.js +357 -357
package/server/services/security.js +513 -513
package/server/services/self-healing.js +843 -843
package/server/services/shieldlink.js +492 -0
package/server/services/shieldqr.js +322 -322
package/server/services/sovereign-shield.js +542 -542
package/server/services/ssl-ct-monitor.js +224 -0
package/server/services/ssl-inspector.js +42 -42
package/server/services/ssl-monitor.js +167 -167
package/server/services/stripe.js +206 -205
package/server/services/swarm.js +788 -788
package/server/services/transactions.js +525 -0
package/server/services/universal-scraper.js +662 -662
package/server/services/verification.js +481 -481
package/server/services/vision.js +1163 -1163
package/server/services/wab-crypto.js +178 -178
package/server/utils/cache.js +125 -125
package/server/utils/migrate.js +81 -81
package/server/utils/safe-fetch.js +228 -228
package/server/utils/secureFields.js +50 -50
package/server/ws.js +161 -161
package/templates/artisan-marketplace.yaml +104 -104
package/templates/book-price-scout.yaml +98 -98
package/templates/electronics-price-tracker.yaml +108 -108
package/templates/flight-deal-hunter.yaml +113 -113
package/templates/freelancer-direct.yaml +116 -116
package/templates/grocery-price-compare.yaml +93 -93
package/templates/hotel-direct-booking.yaml +113 -113
package/templates/local-services.yaml +98 -98
package/templates/olive-oil-tunisia.yaml +88 -88
package/templates/organic-farm-fresh.yaml +101 -101
package/templates/restaurant-direct.yaml +97 -97
package/templates/ring4/banking-sovereign.yaml +55 -0
package/templates/ring4/ecommerce-sovereign.yaml +58 -0
package/templates/ring4/healthcare-sovereign.yaml +60 -0

package/server/routes/reputation.js ADDED Viewed

@@ -0,0 +1,411 @@
+/**
+ * server/routes/reputation.js
+ * WAB Reputation Score + Collective Intelligence
+ *
+ * Mounted at /api/reputation and /api/collective
+ *
+ * Endpoints:
+ *   GET  /api/reputation/:domain              — Get score + full breakdown
+ *   POST /api/reputation/event                — System records a scored event (internal)
+ *   GET  /api/reputation/leaderboard          — Top domains by score
+ *   GET  /api/reputation/trend/:domain        — 30-day score history
+ *
+ *   POST /api/collective/report               — Agent submits anonymized insight
+ *   GET  /api/collective/insights/:domain     — Aggregated public insights
+ *   GET  /api/collective/graph                — Network graph (top 100 domains)
+ *   POST /api/collective/daily-aggregate      — Internal: compute daily summaries
+ */
+'use strict';
+const express = require('express');
+const crypto  = require('crypto');
+const router  = express.Router();
+const { db }  = require('../models/db');
+// ─── Schema bootstrap ────────────────────────────────────────────────────────
+db.exec(`
+  CREATE TABLE IF NOT EXISTS reputation_events (
+    id INTEGER PRIMARY KEY AUTOINCREMENT, domain TEXT NOT NULL,
+    event_type TEXT NOT NULL, outcome TEXT NOT NULL, score_delta REAL NOT NULL DEFAULT 0,
+    detail TEXT, source TEXT DEFAULT 'system', created_at TEXT NOT NULL DEFAULT (datetime('now'))
+  );
+  CREATE INDEX IF NOT EXISTS idx_rep_events_domain_time ON reputation_events(domain, created_at DESC);
+  CREATE TABLE IF NOT EXISTS wab_rep_scores (
+    domain TEXT PRIMARY KEY, score REAL NOT NULL DEFAULT 0, label TEXT NOT NULL DEFAULT 'unrated',
+    dns_score REAL DEFAULT 0, trust_score REAL DEFAULT 0, latency_score REAL DEFAULT 0,
+    reports_score REAL DEFAULT 0, consistency REAL DEFAULT 0, event_count INTEGER DEFAULT 0,
+    first_seen_at TEXT, last_computed_at TEXT DEFAULT (datetime('now')), trend TEXT DEFAULT 'stable'
+  );
+  CREATE TABLE IF NOT EXISTS collective_insights (
+    id INTEGER PRIMARY KEY AUTOINCREMENT, domain TEXT NOT NULL, insight_type TEXT NOT NULL,
+    outcome TEXT NOT NULL, metric_value REAL, tags TEXT, agent_hash TEXT,
+    created_at TEXT NOT NULL DEFAULT (datetime('now'))
+  );
+  CREATE INDEX IF NOT EXISTS idx_collective_domain ON collective_insights(domain, created_at DESC);
+  CREATE TABLE IF NOT EXISTS collective_daily (
+    id INTEGER PRIMARY KEY AUTOINCREMENT, domain TEXT NOT NULL, date TEXT NOT NULL,
+    insight_type TEXT NOT NULL, positive_count INTEGER DEFAULT 0,
+    neutral_count INTEGER DEFAULT 0, negative_count INTEGER DEFAULT 0,
+    avg_metric REAL, created_at TEXT NOT NULL DEFAULT (datetime('now'))
+  );
+  CREATE UNIQUE INDEX IF NOT EXISTS idx_collective_daily_key ON collective_daily(domain, date, insight_type);
+`);
+// ─── Helpers ─────────────────────────────────────────────────────────────────
+const DAILY_SALT = crypto.createHash('sha256').update(new Date().toISOString().slice(0, 10)).digest('hex');
+function normDomain(d) {
+  return String(d || '').toLowerCase().trim()
+    .replace(/^https?:\/\//, '').replace(/\/.*$/, '').replace(/^www\./, '');
+}
+function validDomain(d) {
+  return /^[a-z0-9.-]{3,253}$/.test(d) && d.includes('.');
+}
+function scoreLabel(s) {
+  if (s >= 90) return 'excellent';
+  if (s >= 75) return 'trusted';
+  if (s >= 55) return 'good';
+  if (s >= 35) return 'fair';
+  if (s >= 15) return 'poor';
+  return 'unrated';
+}
+function scoreLabelColor(label) {
+  return { excellent: '#10b981', trusted: '#22c55e', good: '#84cc16', fair: '#f59e0b', poor: '#ef4444', unrated: '#64748b' }[label] || '#64748b';
+}
+/**
+ * Compute reputation score from raw event log (last 90 days).
+ * Component weights:
+ *   DNS stability   40 pts — ratio of ok dns_check events in last 30 days
+ *   Trust history   25 pts — ratio of ok trust_verify events + consistency
+ *   Latency         15 pts — average latency_score delta normalised
+ *   Agent reports   20 pts — weighted positive/negative collective insight ratio
+ */
+function computeScore(domain) {
+  const cutoff90 = new Date(Date.now() - 90 * 86400e3).toISOString();
+  const cutoff30 = new Date(Date.now() - 30 * 86400e3).toISOString();
+  const rows = db.prepare(
+    `SELECT event_type, outcome, score_delta, created_at FROM reputation_events
+     WHERE domain = ? AND created_at > ? ORDER BY created_at DESC`
+  ).all(domain, cutoff90);
+  if (!rows.length) return null;
+  // DNS stability (40 pts)
+  const dns30 = rows.filter(r => r.event_type === 'dns_check' && r.created_at > cutoff30);
+  const dnsOk = dns30.filter(r => r.outcome === 'ok').length;
+  const dnsTotal = dns30.length;
+  const dnsScore = dnsTotal ? Math.round(40 * (dnsOk / dnsTotal)) : 0;
+  // Trust history (25 pts)
+  const trust = rows.filter(r => r.event_type === 'trust_verify');
+  const trustOk = trust.filter(r => r.outcome === 'ok').length;
+  const trustTotal = trust.length;
+  const trustScore = trustTotal ? Math.round(25 * (trustOk / trustTotal)) : 0;
+  // Latency (15 pts) — average score_delta from latency events (already 0-15 range)
+  const latRows = rows.filter(r => r.event_type === 'latency');
+  const latScore = latRows.length
+    ? Math.round(Math.min(15, latRows.reduce((s, r) => s + Math.max(0, r.score_delta), 0) / latRows.length))
+    : 7; // neutral default
+  // Agent reports (20 pts) from collective_insights
+  const insights = db.prepare(
+    `SELECT outcome FROM collective_insights WHERE domain = ? AND created_at > ?`
+  ).all(domain, cutoff30);
+  const iTotal = insights.length;
+  const iPos = insights.filter(r => r.outcome === 'positive').length;
+  const iNeg = insights.filter(r => r.outcome === 'negative').length;
+  const reportsScore = iTotal
+    ? Math.round(20 * Math.max(0, (iPos - iNeg) / iTotal + 0.5) )
+    : 10; // neutral default
+  // Consistency (bonus/penalty ±5): detect cert changes or repeated failures
+  const certChanges = rows.filter(r => r.event_type === 'cert_change').length;
+  const warnCount   = rows.filter(r => r.outcome === 'warn' || r.outcome === 'fail').length;
+  const consistency = Math.max(0, 5 - Math.min(5, certChanges + Math.floor(warnCount / 5)));
+  const score = Math.min(100, dnsScore + trustScore + latScore + reportsScore + consistency);
+  const firstSeen = rows[rows.length - 1]?.created_at;
+  // Trend: compare last-7-day avg score_delta vs prev-7-day
+  const now = Date.now();
+  const cut7a = new Date(now - 7 * 86400e3).toISOString();
+  const cut7b = new Date(now - 14 * 86400e3).toISOString();
+  const recent7 = rows.filter(r => r.created_at > cut7a).reduce((s, r) => s + r.score_delta, 0);
+  const prior7  = rows.filter(r => r.created_at > cut7b && r.created_at <= cut7a).reduce((s, r) => s + r.score_delta, 0);
+  const trend = recent7 > prior7 + 2 ? 'rising' : recent7 < prior7 - 2 ? 'falling' : 'stable';
+  return { score, label: scoreLabel(score), dnsScore, trustScore, latScore, reportsScore, consistency, trend, firstSeen, eventCount: rows.length };
+}
+function upsertScore(domain, computed) {
+  db.prepare(`
+    INSERT INTO wab_rep_scores (domain, score, label, dns_score, trust_score, latency_score,
+      reports_score, consistency, event_count, first_seen_at, last_computed_at, trend)
+    VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, datetime('now'), ?)
+    ON CONFLICT(domain) DO UPDATE SET
+      score=excluded.score, label=excluded.label, dns_score=excluded.dns_score,
+      trust_score=excluded.trust_score, latency_score=excluded.latency_score,
+      reports_score=excluded.reports_score, consistency=excluded.consistency,
+      event_count=excluded.event_count, first_seen_at=COALESCE(first_seen_at, excluded.first_seen_at),
+      last_computed_at=datetime('now'), trend=excluded.trend
+  `).run(domain, computed.score, computed.label, computed.dnsScore, computed.trustScore,
+    computed.latScore, computed.reportsScore, computed.consistency, computed.eventCount,
+    computed.firstSeen, computed.trend);
+}
+// Refresh if older than 5 minutes
+function getOrComputeScore(domain) {
+  const cached = db.prepare(`SELECT *, last_computed_at FROM wab_rep_scores WHERE domain = ?`).get(domain);
+  const stale = !cached || (Date.now() - new Date(cached.last_computed_at).getTime() > 5 * 60 * 1000);
+  if (stale) {
+    const computed = computeScore(domain);
+    if (computed) {
+      upsertScore(domain, computed);
+      return { ...computed, domain, generated_at: new Date().toISOString(), cached: false };
+    }
+    // No events: return zero score
+    return { domain, score: 0, label: 'unrated', trend: 'stable', eventCount: 0, generated_at: new Date().toISOString(), cached: false };
+  }
+  return { domain, ...cached, cached: true };
+}
+// GET /api/reputation/leaderboard  — must be BEFORE /:domain to avoid param capture
+router.get('/leaderboard', (req, res) => {
+  const limit = Math.min(50, parseInt(req.query.limit) || 20);
+  const rows = db.prepare(
+    `SELECT domain, score, label, trend, event_count, last_computed_at
+     FROM wab_rep_scores WHERE score > 0 ORDER BY score DESC LIMIT ?`
+  ).all(limit);
+  return res.json({ leaderboard: rows, generated_at: new Date().toISOString() });
+});
+// GET /api/reputation/:domain
+router.get('/:domain', (req, res) => {
+  const domain = normDomain(req.params.domain);
+  if (!validDomain(domain)) return res.status(400).json({ error: 'invalid_domain' });
+  const result = getOrComputeScore(domain);
+  // Recent events (last 10, no PII)
+  const events = db.prepare(
+    `SELECT event_type, outcome, score_delta, detail, source, created_at
+     FROM reputation_events WHERE domain = ? ORDER BY created_at DESC LIMIT 10`
+  ).all(domain);
+  // Collective insight summary
+  const insightSummary = db.prepare(
+    `SELECT insight_type, outcome, COUNT(*) as count, AVG(metric_value) as avg_metric
+     FROM collective_insights WHERE domain = ?
+     GROUP BY insight_type, outcome ORDER BY count DESC LIMIT 20`
+  ).all(domain);
+  return res.json({
+    domain,
+    score: result.score,
+    label: result.label,
+    color: scoreLabelColor(result.label),
+    trend: result.trend,
+    components: {
+      dns_stability: result.dnsScore ?? result.dns_score,
+      trust_history: result.trustScore ?? result.trust_score,
+      response_speed: result.latScore ?? result.latency_score,
+      agent_reports: result.reportsScore ?? result.reports_score,
+      consistency: result.consistency,
+    },
+    event_count: result.eventCount ?? result.event_count,
+    first_seen_at: result.firstSeen ?? result.first_seen_at,
+    generated_at: result.generated_at || result.last_computed_at,
+    cached: result.cached,
+    recent_events: events,
+    insights: insightSummary,
+  });
+});
+// POST /api/reputation/event — internal system call (no auth, rate-limited externally)
+router.post('/event', express.json({ limit: '8kb' }), (req, res) => {
+  const { domain, event_type, outcome, score_delta = 0, detail, source = 'system' } = req.body || {};
+  if (!domain || !event_type || !outcome) return res.status(400).json({ error: 'missing_fields' });
+  const d = normDomain(domain);
+  if (!validDomain(d)) return res.status(400).json({ error: 'invalid_domain' });
+  const VALID_TYPES = ['dns_check', 'agent_report', 'latency', 'cert_change', 'trust_verify'];
+  const VALID_OUTCOMES = ['ok', 'warn', 'fail'];
+  if (!VALID_TYPES.includes(event_type)) return res.status(400).json({ error: 'invalid_event_type' });
+  if (!VALID_OUTCOMES.includes(outcome)) return res.status(400).json({ error: 'invalid_outcome' });
+  const delta = Math.max(-20, Math.min(20, Number(score_delta) || 0));
+  db.prepare(
+    `INSERT INTO reputation_events (domain, event_type, outcome, score_delta, detail, source) VALUES (?, ?, ?, ?, ?, ?)`
+  ).run(d, event_type, outcome, delta, typeof detail === 'object' ? JSON.stringify(detail) : (detail || null), source);
+  return res.json({ ok: true, domain: d });
+});
+// GET /api/reputation/trend/:domain — 30-day daily summary
+router.get('/trend/:domain', (req, res) => {
+  const domain = normDomain(req.params.domain);
+  if (!validDomain(domain)) return res.status(400).json({ error: 'invalid_domain' });
+  const rows = db.prepare(
+    `SELECT DATE(created_at) as date,
+       SUM(CASE WHEN outcome='ok' THEN 1 ELSE 0 END) as ok_count,
+       SUM(CASE WHEN outcome='fail' THEN 1 ELSE 0 END) as fail_count,
+       AVG(score_delta) as avg_delta
+     FROM reputation_events
+     WHERE domain = ? AND created_at > datetime('now', '-30 days')
+     GROUP BY DATE(created_at) ORDER BY date`
+  ).all(domain);
+  return res.json({ domain, trend: rows });
+});
+// ─── Collective Intelligence endpoints ────────────────────────────────────────
+const collectiveRouter = express.Router();
+// POST /api/collective/report
+collectiveRouter.post('/report', express.json({ limit: '4kb' }), (req, res) => {
+  const { domain, insight_type, outcome, metric_value, tags, agent_id } = req.body || {};
+  if (!domain || !insight_type || !outcome) return res.status(400).json({ error: 'missing_fields' });
+  const d = normDomain(domain);
+  if (!validDomain(d)) return res.status(400).json({ error: 'invalid_domain' });
+  const VALID_INSIGHT_TYPES = ['latency', 'action_success', 'action_fail', 'capability', 'trust'];
+  const VALID_OUTCOMES = ['positive', 'neutral', 'negative'];
+  if (!VALID_INSIGHT_TYPES.includes(insight_type)) return res.status(400).json({ error: 'invalid_insight_type' });
+  if (!VALID_OUTCOMES.includes(outcome)) return res.status(400).json({ error: 'invalid_outcome' });
+  // Anonymize agent identity: sha256(agent_id + daily_salt) — not reversible after daily rotation
+  const agentHash = agent_id
+    ? crypto.createHash('sha256').update(String(agent_id) + DAILY_SALT).digest('hex').slice(0, 16)
+    : null;
+  const tagsJson = Array.isArray(tags) ? JSON.stringify(tags.slice(0, 10).map(t => String(t).slice(0, 32))) : null;
+  const metricVal = (typeof metric_value === 'number' && isFinite(metric_value)) ? metric_value : null;
+  db.prepare(
+    `INSERT INTO collective_insights (domain, insight_type, outcome, metric_value, tags, agent_hash) VALUES (?, ?, ?, ?, ?, ?)`
+  ).run(d, insight_type, outcome, metricVal, tagsJson, agentHash);
+  // Also feed into reputation
+  const delta = outcome === 'positive' ? 2 : outcome === 'negative' ? -2 : 0;
+  if (delta !== 0) {
+    db.prepare(`INSERT INTO reputation_events (domain, event_type, outcome, score_delta, source) VALUES (?, 'agent_report', ?, ?, 'agent')`).run(d, outcome === 'positive' ? 'ok' : 'fail', delta);
+  }
+  return res.json({ ok: true, message: 'Insight recorded anonymously.' });
+});
+// GET /api/collective/insights/:domain
+collectiveRouter.get('/insights/:domain', (req, res) => {
+  const domain = normDomain(req.params.domain);
+  if (!validDomain(domain)) return res.status(400).json({ error: 'invalid_domain' });
+  const summary = db.prepare(
+    `SELECT insight_type, outcome, COUNT(*) as count, AVG(metric_value) as avg_metric
+     FROM collective_insights WHERE domain = ? AND created_at > datetime('now', '-30 days')
+     GROUP BY insight_type, outcome ORDER BY insight_type, count DESC`
+  ).all(domain);
+  const total = db.prepare(`SELECT COUNT(*) as n FROM collective_insights WHERE domain = ?`).get(domain);
+  // Popular tags (unnormalized — done in JS to avoid JSON function dependency)
+  const recentRows = db.prepare(
+    `SELECT tags FROM collective_insights WHERE domain = ? AND tags IS NOT NULL ORDER BY created_at DESC LIMIT 200`
+  ).all(domain);
+  const tagCounts = {};
+  for (const row of recentRows) {
+    try { JSON.parse(row.tags).forEach(t => { tagCounts[t] = (tagCounts[t] || 0) + 1; }); } catch (_) {}
+  }
+  const topTags = Object.entries(tagCounts).sort((a, b) => b[1] - a[1]).slice(0, 10).map(([tag, count]) => ({ tag, count }));
+  return res.json({ domain, summary, total_reports: total?.n || 0, top_tags: topTags, window: '30d', generated_at: new Date().toISOString() });
+});
+// GET /api/collective/graph — top 100 domains + their scores for a network graph
+collectiveRouter.get('/graph', (req, res) => {
+  const nodes = db.prepare(
+    `SELECT r.domain, r.score, r.label, r.trend,
+       COUNT(c.id) as insight_count
+     FROM wab_rep_scores r
+     LEFT JOIN collective_insights c ON c.domain = r.domain AND c.created_at > datetime('now', '-7 days')
+     WHERE r.score > 0
+     GROUP BY r.domain ORDER BY r.score DESC LIMIT 100`
+  ).all();
+  // Edges: domains that share common capability tags in collective_insights
+  const edges = [];
+  // Lightweight: pairs where both domains appear in the same daily collective summary
+  const dailyDomains = db.prepare(
+    `SELECT domain, date FROM collective_daily WHERE date > date('now', '-7 days')`
+  ).all();
+  const byDate = {};
+  for (const r of dailyDomains) {
+    (byDate[r.date] = byDate[r.date] || []).push(r.domain);
+  }
+  const pairCounts = {};
+  for (const date of Object.keys(byDate)) {
+    const ds = byDate[date].slice(0, 20);
+    for (let i = 0; i < ds.length; i++) {
+      for (let j = i + 1; j < ds.length; j++) {
+        const key = [ds[i], ds[j]].sort().join('||');
+        pairCounts[key] = (pairCounts[key] || 0) + 1;
+      }
+    }
+  }
+  for (const [key, weight] of Object.entries(pairCounts)) {
+    if (weight >= 2) {
+      const [source, target] = key.split('||');
+      edges.push({ source, target, weight });
+    }
+  }
+  return res.json({ nodes, edges: edges.slice(0, 200), generated_at: new Date().toISOString() });
+});
+// POST /api/collective/daily-aggregate — internal cron-style endpoint
+collectiveRouter.post('/daily-aggregate', (req, res) => {
+  const today = new Date().toISOString().slice(0, 10);
+  const domains = db.prepare(`SELECT DISTINCT domain FROM collective_insights WHERE DATE(created_at) = ?`).all(today);
+  let processed = 0;
+  for (const { domain } of domains) {
+    const rows = db.prepare(
+      `SELECT insight_type, outcome, COUNT(*) as cnt, AVG(metric_value) as avg_m
+       FROM collective_insights WHERE domain = ? AND DATE(created_at) = ?
+       GROUP BY insight_type, outcome`
+    ).all(domain, today);
+    const byType = {};
+    for (const r of rows) {
+      if (!byType[r.insight_type]) byType[r.insight_type] = { pos: 0, neu: 0, neg: 0, metrics: [] };
+      if (r.outcome === 'positive') byType[r.insight_type].pos += r.cnt;
+      else if (r.outcome === 'neutral') byType[r.insight_type].neu += r.cnt;
+      else byType[r.insight_type].neg += r.cnt;
+      if (r.avg_m != null) byType[r.insight_type].metrics.push(r.avg_m);
+    }
+    for (const [type, data] of Object.entries(byType)) {
+      const avg = data.metrics.length ? data.metrics.reduce((a, b) => a + b, 0) / data.metrics.length : null;
+      db.prepare(`
+        INSERT INTO collective_daily (domain, date, insight_type, positive_count, neutral_count, negative_count, avg_metric)
+        VALUES (?, ?, ?, ?, ?, ?, ?)
+        ON CONFLICT(domain, date, insight_type) DO UPDATE SET
+          positive_count=excluded.positive_count, neutral_count=excluded.neutral_count,
+          negative_count=excluded.negative_count, avg_metric=excluded.avg_metric
+      `).run(domain, today, type, data.pos, data.neu, data.neg, avg);
+    }
+    processed++;
+  }
+  return res.json({ ok: true, processed, date: today });
+});
+module.exports = { reputationRouter: router, collectiveRouter };