npm - web-agent-bridge - Versions diffs - 3.4.0 → 3.9.0 - Mend

web-agent-bridge 3.4.0 → 3.9.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (315) hide show

package/LICENSE +84 -84
package/README.ar.md +1565 -1304
package/README.md +171 -298
package/bin/agent-runner.js +474 -474
package/bin/cli.js +237 -237
package/bin/wab-init.js +244 -223
package/bin/wab.js +80 -80
package/examples/azure-dns-wab.js +83 -83
package/examples/bidi-agent.js +119 -119
package/examples/cloudflare-wab-dns.js +121 -121
package/examples/cpanel-wab-dns.js +114 -114
package/examples/cross-site-agent.js +91 -91
package/examples/dns-discovery-agent.js +166 -166
package/examples/gcp-dns-wab.js +76 -76
package/examples/governance-agent.js +169 -169
package/examples/mcp-agent.js +94 -94
package/examples/next-app-router/README.md +44 -44
package/examples/plesk-wab-dns.js +103 -103
package/examples/puppeteer-agent.js +108 -108
package/examples/route53-wab-dns.js +144 -144
package/examples/saas-dashboard/README.md +55 -55
package/examples/safe-mode-agent.js +96 -96
package/examples/self-discovery.js +106 -0
package/examples/shopify-hydrogen/README.md +74 -74
package/examples/vision-agent.js +171 -171
package/examples/wab-sign.js +74 -74
package/examples/wab-verify.js +60 -60
package/examples/wordpress-elementor/README.md +77 -77
package/package.json +93 -93
package/public/.well-known/agent-tools.json +180 -180
package/public/.well-known/ai-assets.json +59 -59
package/public/.well-known/security.txt +8 -8
package/public/.well-known/wab.json +28 -28
package/public/activate.html +448 -368
package/public/adopt.html +236 -0
package/public/adoption-metrics.html +188 -188
package/public/agent-workspace.html +359 -349
package/public/ai.html +198 -198
package/public/api.html +397 -413
package/public/atp.html +171 -0
package/public/azure-dns-integration.html +289 -289
package/public/browser.html +486 -486
package/public/cloudflare-integration.html +380 -380
package/public/commander-dashboard.html +243 -243
package/public/cookies.html +210 -210
package/public/cpanel-integration.html +398 -398
package/public/css/agent-workspace.css +1713 -1713
package/public/css/premium.css +317 -317
package/public/css/styles.css +1401 -1263
package/public/dashboard-shieldlink.html +295 -0
package/public/dashboard.html +711 -707
package/public/dns.html +436 -436
package/public/docs.html +588 -588
package/public/enterprise-mesh.ar.html +80 -0
package/public/enterprise-mesh.html +81 -0
package/public/feed.xml +89 -89
package/public/gcp-dns-integration.html +318 -318
package/public/governance.ar.html +70 -0
package/public/governance.html +69 -0
package/public/growth.html +465 -465
package/public/index.html +1372 -1266
package/public/integrations.html +556 -556
package/public/js/activate.js +449 -145
package/public/js/agent-workspace.js +1740 -1740
package/public/js/auth-nav.js +117 -65
package/public/js/auth-redirect.js +12 -12
package/public/js/cookie-consent.js +56 -56
package/public/js/dns.js +438 -438
package/public/js/wab-demo-page.js +721 -721
package/public/js/ws-client.js +74 -74
package/public/l-preview.html +242 -0
package/public/llms-full.txt +360 -360
package/public/llms.txt +125 -125
package/public/login.html +85 -85
package/public/mesh-dashboard.html +328 -328
package/public/milestones.html +346 -0
package/public/one-click.html +779 -0
package/public/openapi.json +669 -669
package/public/partners.ar.html +145 -0
package/public/partners.html +143 -0
package/public/phone-shield.html +281 -281
package/public/plesk-integration.html +375 -375
package/public/premium-dashboard.html +2489 -2489
package/public/premium.html +793 -793
package/public/privacy.html +297 -297
package/public/provider-onboarding.html +172 -172
package/public/provider-sandbox.html +134 -134
package/public/providers.html +359 -359
package/public/refusals.html +172 -0
package/public/register.html +105 -105
package/public/registrar-integrations.html +141 -141
package/public/ring4.html +292 -0
package/public/robots.txt +99 -99
package/public/route53-integration.html +531 -531
package/public/score.html +263 -0
package/public/script/wab-consent.d.ts +36 -36
package/public/script/wab-consent.js +104 -104
package/public/script/wab-schema.js +131 -131
package/public/script/wab.d.ts +108 -108
package/public/script/wab.min.js +580 -580
package/public/security.txt +8 -8
package/public/shieldlink.html +244 -0
package/public/shieldqr.html +231 -231
package/public/sitemap.xml +13 -1
package/public/terms.html +256 -256
package/public/trust-graph-api.ar.html +92 -0
package/public/trust-graph-api.html +91 -0
package/public/wab-features.html +560 -0
package/public/wab-trust.html +200 -200
package/public/wab-truth.html +375 -0
package/public/wab-vs-protocols.html +210 -210
package/public/whitepaper.html +449 -449
package/script/ai-agent-bridge.js +1754 -1754
package/sdk/README.md +99 -99
package/sdk/agent-mesh.js +449 -449
package/sdk/atp.js +103 -0
package/sdk/auto-discovery.js +301 -288
package/sdk/commander.js +262 -262
package/sdk/governance.js +262 -262
package/sdk/index.d.ts +464 -464
package/sdk/index.js +653 -649
package/sdk/multi-agent.js +318 -318
package/sdk/safe-mode.js +221 -221
package/sdk/safety-shield.js +219 -219
package/sdk/schema-discovery.js +83 -83
package/server/adapters/index.js +520 -520
package/server/config/plans.js +412 -367
package/server/config/secrets.js +102 -102
package/server/control-plane/index.js +301 -301
package/server/data-plane/index.js +354 -354
package/server/index.js +793 -670
package/server/llm/index.js +404 -404
package/server/middleware/adminAuth.js +35 -35
package/server/middleware/api-tier.js +170 -0
package/server/middleware/auth.js +50 -50
package/server/middleware/featureGate.js +88 -88
package/server/middleware/rateLimits.js +100 -100
package/server/middleware/sensitiveAction.js +157 -157
package/server/middleware/wab-trust.js +141 -0
package/server/migrations/001_add_analytics_indexes.sql +7 -7
package/server/migrations/002_premium_features.sql +418 -418
package/server/migrations/003_ads_integer_cents.sql +33 -33
package/server/migrations/004_agent_os.sql +158 -158
package/server/migrations/005_marketplace_metering.sql +126 -126
package/server/migrations/006_growth_suite.sql +138 -0
package/server/migrations/007_governance.sql +106 -106
package/server/migrations/008_plans.sql +144 -144
package/server/migrations/009_shieldqr.sql +30 -30
package/server/migrations/010_extended_trust.sql +33 -33
package/server/migrations/011_outreach.sql +47 -0
package/server/migrations/012_shieldlink.sql +116 -0
package/server/migrations/013_ct_monitor.sql +13 -0
package/server/migrations/014_wab_advanced_features.sql +128 -0
package/server/migrations/015_wab_truth_layer.sql +101 -0
package/server/migrations/016_ring4_external_trust.sql +84 -0
package/server/migrations/017_ring4_extensions.sql +69 -0
package/server/migrations/018_commercial_foundations.sql +167 -0
package/server/migrations/019_unify_tier_constraints.sql +133 -0
package/server/migrations/020_agent_transaction_primitive.sql +119 -0
package/server/models/adapters/index.js +33 -33
package/server/models/adapters/mysql.js +183 -183
package/server/models/adapters/postgresql.js +172 -172
package/server/models/adapters/sqlite.js +7 -7
package/server/models/db.js +740 -740
package/server/observability/failure-analysis.js +337 -337
package/server/observability/index.js +394 -394
package/server/protocol/capabilities.js +223 -223
package/server/protocol/index.js +243 -243
package/server/protocol/schema.js +584 -584
package/server/registry/certification.js +271 -271
package/server/registry/index.js +326 -326
package/server/routes/activate.js +478 -0
package/server/routes/admin-outreach.js +239 -0
package/server/routes/admin-plans.js +76 -76
package/server/routes/admin-premium.js +674 -673
package/server/routes/admin-shieldlink.js +137 -0
package/server/routes/admin-shieldqr.js +90 -90
package/server/routes/admin-trust-monitor.js +139 -83
package/server/routes/admin.js +550 -549
package/server/routes/adopt.js +61 -0
package/server/routes/ads.js +130 -130
package/server/routes/agent-workspace.js +540 -540
package/server/routes/api-keys.js +127 -0
package/server/routes/api.js +150 -150
package/server/routes/auth.js +71 -71
package/server/routes/billing.js +57 -57
package/server/routes/commander.js +316 -316
package/server/routes/customer-shieldlink.js +133 -0
package/server/routes/demo-showcase.js +332 -332
package/server/routes/demo-store.js +154 -154
package/server/routes/diagnose.js +373 -0
package/server/routes/discovery.js +2348 -2348
package/server/routes/enterprise-mesh.js +170 -0
package/server/routes/gateway.js +173 -173
package/server/routes/governance-saas.js +203 -0
package/server/routes/governance.js +208 -208
package/server/routes/growth.js +1048 -0
package/server/routes/intent.js +328 -0
package/server/routes/license.js +251 -251
package/server/routes/mesh.js +469 -469
package/server/routes/noscript.js +543 -543
package/server/routes/partners.js +201 -0
package/server/routes/plans.js +33 -33
package/server/routes/premium-v2.js +686 -686
package/server/routes/premium.js +724 -724
package/server/routes/providers.js +650 -650
package/server/routes/reputation.js +411 -0
package/server/routes/ring4.js +885 -0
package/server/routes/runtime.js +2148 -2148
package/server/routes/shieldlink.js +70 -0
package/server/routes/shieldqr.js +88 -88
package/server/routes/sovereign.js +465 -465
package/server/routes/transactions.js +233 -0
package/server/routes/truth-layer.js +670 -0
package/server/routes/universal.js +200 -200
package/server/routes/unsubscribe.js +51 -0
package/server/routes/wab-api.js +850 -850
package/server/routes/wab-cache.js +282 -0
package/server/runtime/container-worker.js +111 -111
package/server/runtime/container.js +448 -448
package/server/runtime/distributed-worker.js +362 -362
package/server/runtime/event-bus.js +210 -210
package/server/runtime/index.js +253 -253
package/server/runtime/queue.js +599 -599
package/server/runtime/replay.js +666 -666
package/server/runtime/sandbox.js +266 -266
package/server/runtime/scheduler.js +534 -534
package/server/runtime/session-engine.js +293 -293
package/server/runtime/state-manager.js +188 -188
package/server/secrets/wab-signing-key.pem +3 -0
package/server/secrets/wab-signing-pub.pem +3 -0
package/server/security/cross-site-redactor.js +196 -196
package/server/security/dry-run.js +180 -180
package/server/security/human-gate-rate-limit.js +147 -147
package/server/security/human-gate-transports.js +178 -178
package/server/security/human-gate.js +281 -281
package/server/security/index.js +368 -368
package/server/security/intent-engine.js +245 -245
package/server/security/reward-guard.js +171 -171
package/server/security/rollback-store.js +239 -239
package/server/security/token-scope.js +404 -404
package/server/security/url-policy.js +139 -139
package/server/services/adoption-agent.js +182 -0
package/server/services/agent-chat.js +506 -506
package/server/services/agent-learning.js +601 -601
package/server/services/agent-memory.js +625 -625
package/server/services/agent-mesh.js +555 -555
package/server/services/agent-symphony.js +717 -717
package/server/services/agent-tasks.js +1807 -1807
package/server/services/api-key-engine.js +292 -292
package/server/services/cluster.js +894 -894
package/server/services/commander.js +738 -738
package/server/services/edge-compute.js +440 -440
package/server/services/email.js +233 -233
package/server/services/fairness-engine.js +409 -0
package/server/services/fairness.js +420 -0
package/server/services/governance.js +466 -466
package/server/services/hosted-runtime.js +205 -205
package/server/services/lfd.js +635 -635
package/server/services/local-ai.js +389 -389
package/server/services/marketplace.js +270 -270
package/server/services/metering.js +182 -182
package/server/services/modules/affiliate-intelligence.js +93 -93
package/server/services/modules/agent-firewall.js +90 -90
package/server/services/modules/bounty.js +89 -89
package/server/services/modules/collective-bargaining.js +92 -92
package/server/services/modules/dark-pattern.js +66 -66
package/server/services/modules/gov-intelligence.js +45 -45
package/server/services/modules/neural.js +55 -55
package/server/services/modules/notary.js +49 -49
package/server/services/modules/price-time-machine.js +86 -86
package/server/services/modules/protocol.js +104 -104
package/server/services/negotiation.js +439 -439
package/server/services/outreach-agent.js +312 -0
package/server/services/plans.js +214 -214
package/server/services/plugins.js +771 -771
package/server/services/price-intelligence.js +566 -566
package/server/services/price-shield.js +1137 -1137
package/server/services/provider-clients.js +740 -740
package/server/services/reputation.js +465 -465
package/server/services/search-engine.js +357 -357
package/server/services/security.js +513 -513
package/server/services/self-healing.js +843 -843
package/server/services/shieldlink.js +492 -0
package/server/services/shieldqr.js +322 -322
package/server/services/sovereign-shield.js +542 -542
package/server/services/ssl-ct-monitor.js +224 -0
package/server/services/ssl-inspector.js +42 -42
package/server/services/ssl-monitor.js +167 -167
package/server/services/stripe.js +206 -205
package/server/services/swarm.js +788 -788
package/server/services/transactions.js +525 -0
package/server/services/universal-scraper.js +662 -662
package/server/services/verification.js +481 -481
package/server/services/vision.js +1163 -1163
package/server/services/wab-crypto.js +178 -178
package/server/utils/cache.js +125 -125
package/server/utils/migrate.js +81 -81
package/server/utils/safe-fetch.js +228 -228
package/server/utils/secureFields.js +50 -50
package/server/ws.js +161 -161
package/templates/artisan-marketplace.yaml +104 -104
package/templates/book-price-scout.yaml +98 -98
package/templates/electronics-price-tracker.yaml +108 -108
package/templates/flight-deal-hunter.yaml +113 -113
package/templates/freelancer-direct.yaml +116 -116
package/templates/grocery-price-compare.yaml +93 -93
package/templates/hotel-direct-booking.yaml +113 -113
package/templates/local-services.yaml +98 -98
package/templates/olive-oil-tunisia.yaml +88 -88
package/templates/organic-farm-fresh.yaml +101 -101
package/templates/restaurant-direct.yaml +97 -97
package/templates/ring4/banking-sovereign.yaml +55 -0
package/templates/ring4/ecommerce-sovereign.yaml +58 -0
package/templates/ring4/healthcare-sovereign.yaml +60 -0

package/server/services/shieldqr.js CHANGED Viewed

@@ -1,322 +1,322 @@
-/**
- * WAB ShieldQR — verification service
- * --------------------------------------------------------------
- * Given a URL extracted from a QR code (or any short link), verify whether
- * it's safe to open.  Layered checks:
- *
- *   1. Heuristic risk score (shorteners, brand-new TLDs, IP literals, etc.)
- *   2. DNS Discovery — TXT lookup on  _wab.{domain}  and  _wab-trust.{domain}
- *   3. Cryptographic Trust  — fetch /.well-known/wab.json and verify
- *      Ed25519 signature against the public key advertised in the TXT record.
- *   4. SSL/TLS health — fetch the cert, compare thumbprint, check expiry.
- *
- * The result is a *level* (green / yellow / red) plus a structured
- * `signals[]` array so a UI can show a human-readable explanation.
- *
- * No third-party deps — only Node built-ins (`dns/promises`, `tls`,
- * `crypto`, `https`).
- */
-'use strict';
-const dns = require('node:dns').promises;
-const tls = require('node:tls');
-const crypto = require('node:crypto');
-const https = require('node:https');
-const http = require('node:http');
-const SHORTENER_HOSTS = new Set([
-  'bit.ly', 't.co', 'tinyurl.com', 'goo.gl', 'ow.ly', 'is.gd', 'buff.ly',
-  'cutt.ly', 'rebrand.ly', 'shorturl.at', 'tiny.cc', 'rb.gy', 'lnkd.in',
-]);
-const FETCH_TIMEOUT_MS = 4000;
-const MAX_BODY_BYTES = 64 * 1024;
-// ─── Public API ───────────────────────────────────────────────────────
-/**
- * Inspect a single URL.  Always resolves; never throws.
- * @param {string} input  raw URL or string from a QR scan
- * @returns {Promise<{level:'green'|'yellow'|'red', score:number, url:string|null,
- *   host:string|null, signals:Array, dns:any, trust:any, ssl:any, generated_at:string}>}
- */
-async function scan(input) {
-  const t0 = Date.now();
-  const out = {
-    level: 'yellow',
-    score: 50,
-    url: null,
-    host: null,
-    signals: [],
-    dns: null,
-    trust: null,
-    ssl: null,
-    generated_at: new Date().toISOString(),
-    elapsed_ms: 0,
-  };
-  const parsed = parseUrl(input);
-  if (!parsed) {
-    out.level = 'red';
-    out.score = 0;
-    out.signals.push({ id: 'invalid_url', severity: 'high', message: 'Cannot parse a URL from input' });
-    out.elapsed_ms = Date.now() - t0;
-    return out;
-  }
-  out.url = parsed.href;
-  out.host = parsed.hostname;
-  // 1. Static heuristics
-  applyHeuristics(parsed, out);
-  // 2. DNS Discovery (parallel TXT lookups)
-  const [discovery, trust] = await Promise.all([
-    safeTxt(`_wab.${parsed.hostname}`),
-    safeTxt(`_wab-trust.${parsed.hostname}`),
-  ]);
-  out.dns = { discovery, trust };
-  if (discovery.records.length) {
-    out.signals.push({ id: 'wab_dns', severity: 'good', message: `_wab TXT record found at ${parsed.hostname}` });
-  }
-  if (trust.records.length) {
-    out.signals.push({ id: 'wab_trust_dns', severity: 'good', message: `_wab-trust TXT record found` });
-  }
-  // 3. Cryptographic trust  (only if DNS announced a key)
-  const wabFields = parseWabTxt(discovery.records.concat(trust.records));
-  if (wabFields.pk || wabFields.endpoint) {
-    out.trust = await verifyTrust(parsed, wabFields).catch((e) => ({ ok: false, error: String(e?.message || e) }));
-    if (out.trust.ok) {
-      out.signals.push({ id: 'signature_ok', severity: 'good', message: 'Ed25519 signature verified against DNS public key' });
-    } else if (out.trust && out.trust.error) {
-      out.signals.push({ id: 'signature_fail', severity: 'high', message: `Trust check failed: ${out.trust.error}` });
-    }
-  }
-  // 4. SSL/TLS — only over HTTPS hosts
-  if (parsed.protocol === 'https:') {
-    out.ssl = await inspectSsl(parsed.hostname, parsed.port ? Number(parsed.port) : 443).catch((e) => ({ ok: false, error: String(e?.message || e) }));
-    if (out.ssl.ok) {
-      const daysLeft = out.ssl.days_until_expiry;
-      if (daysLeft != null && daysLeft < 0) {
-        out.signals.push({ id: 'ssl_expired', severity: 'high', message: `SSL certificate expired ${-daysLeft}d ago` });
-      } else if (daysLeft != null && daysLeft < 7) {
-        out.signals.push({ id: 'ssl_expiring', severity: 'medium', message: `SSL certificate expires in ${daysLeft} days` });
-      }
-      if (wabFields.ssl_thumbprint && out.ssl.fingerprint_sha256 &&
-          wabFields.ssl_thumbprint.toLowerCase() !== out.ssl.fingerprint_sha256.toLowerCase()) {
-        out.signals.push({ id: 'ssl_thumbprint_mismatch', severity: 'high',
-          message: 'SSL fingerprint does not match the value advertised via _wab DNS' });
-      }
-    }
-  }
-  // 4b. Extended Trust — Fallback mode.
-  // If SSL is degraded (expired / expiring / mismatch) BUT we have a
-  // cryptographically verified Ed25519 signature, surface a "partial trust"
-  // signal so the verdict stays yellow instead of crashing to red.
-  const sslDegraded = out.signals.some((s) =>
-    ['ssl_expired', 'ssl_expiring', 'ssl_thumbprint_mismatch'].includes(s.id));
-  if (sslDegraded && out.trust && out.trust.ok) {
-    out.signals.push({ id: 'fallback_trust', severity: 'good',
-      message: 'Partial trust — SSL is degraded but the WAB Ed25519 signature is valid' });
-    out.fallback_trust = true;
-  }
-  // 5. Final level — combine signals
-  const verdict = computeLevel(out.signals, !!out.trust?.ok);
-  out.level = verdict.level;
-  out.score = verdict.score;
-  out.elapsed_ms = Date.now() - t0;
-  return out;
-}
-// ─── Helpers ──────────────────────────────────────────────────────────
-function parseUrl(input) {
-  if (!input || typeof input !== 'string') { return null; }
-  let s = input.trim();
-  if (!/^[a-z][a-z0-9+.-]*:\/\//i.test(s)) { s = 'https://' + s; }
-  try { return new URL(s); } catch { return null; }
-}
-function applyHeuristics(parsed, out) {
-  const host = parsed.hostname.toLowerCase();
-  // IP-literal hosts are suspicious
-  if (/^\d+\.\d+\.\d+\.\d+$/.test(host) || host.includes(':')) {
-    out.signals.push({ id: 'ip_literal_host', severity: 'high', message: 'URL points to a raw IP address' });
-  }
-  if (SHORTENER_HOSTS.has(host)) {
-    out.signals.push({ id: 'shortener', severity: 'medium', message: `URL uses a shortener domain (${host})` });
-  }
-  if (parsed.protocol === 'http:') {
-    out.signals.push({ id: 'plain_http', severity: 'medium', message: 'URL uses plain HTTP (no TLS)' });
-  }
-  // Punycode / homoglyph hint
-  if (host.includes('xn--')) {
-    out.signals.push({ id: 'punycode', severity: 'medium', message: 'Hostname uses Punycode (possible homoglyph attack)' });
-  }
-  // Excessive subdomains
-  if (host.split('.').length > 5) {
-    out.signals.push({ id: 'deep_subdomain', severity: 'low', message: 'Hostname has unusually many subdomain levels' });
-  }
-}
-async function safeTxt(name) {
-  try {
-    const records = await dns.resolveTxt(name);
-    return { name, records: records.map((parts) => parts.join('')), error: null };
-  } catch (err) {
-    return { name, records: [], error: err.code || String(err.message || err) };
-  }
-}
-/**
- * Parse `key=value;` style fields out of TXT records that begin with `v=wab1`.
- * Returns merged object with at least:
- *   v, endpoint, pk, ssl_thumbprint, ssl_expires, shieldqr
- */
-function parseWabTxt(rawRecords) {
-  const out = {};
-  for (const rec of rawRecords) {
-    if (!/v\s*=\s*wab1/i.test(rec)) { continue; }
-    const parts = rec.split(';').map((p) => p.trim()).filter(Boolean);
-    for (const p of parts) {
-      const eq = p.indexOf('=');
-      if (eq < 0) { continue; }
-      const k = p.slice(0, eq).trim().toLowerCase();
-      const v = p.slice(eq + 1).trim();
-      if (k && v && !out[k]) { out[k] = v; }
-    }
-  }
-  return out;
-}
-async function verifyTrust(parsed, wabFields) {
-  const base = wabFields.endpoint && /^https?:\/\//i.test(wabFields.endpoint)
-    ? wabFields.endpoint
-    : `${parsed.origin}/.well-known/wab.json`;
-  const wabJsonUrl = wabFields.endpoint && wabFields.endpoint.endsWith('.json')
-    ? wabFields.endpoint
-    : (base.endsWith('/') ? base + '.well-known/wab.json' : base + '/.well-known/wab.json');
-  const fetched = await fetchSmall(wabJsonUrl);
-  if (!fetched.ok) { return { ok: false, error: `cannot fetch wab.json (${fetched.error || fetched.status})` }; }
-  let doc;
-  try { doc = JSON.parse(fetched.body); } catch { return { ok: false, error: 'wab.json is not valid JSON' }; }
-  // signature is over the canonical JSON of `doc.payload`
-  const sig = doc.signature;
-  const pkRaw = wabFields.pk || (doc.trust && doc.trust.pk);
-  if (!sig || !pkRaw || !doc.payload) {
-    return { ok: false, error: 'wab.json missing payload/signature/pk' };
-  }
-  const pk = pkRaw.replace(/^ed25519:/i, '');
-  let pkBytes;
-  try { pkBytes = Buffer.from(pk, 'base64'); } catch { return { ok: false, error: 'invalid base64 pk' }; }
-  if (pkBytes.length !== 32) { return { ok: false, error: `pk has wrong length (${pkBytes.length} bytes, want 32)` }; }
-  let sigBytes;
-  try { sigBytes = Buffer.from(sig.replace(/^ed25519:/i, ''), 'base64'); } catch { return { ok: false, error: 'invalid base64 signature' }; }
-  // Wrap raw 32-byte Ed25519 public key in DER (SubjectPublicKeyInfo)
-  const der = Buffer.concat([
-    Buffer.from('302a300506032b6570032100', 'hex'),
-    pkBytes,
-  ]);
-  let pubKey;
-  try { pubKey = crypto.createPublicKey({ key: der, format: 'der', type: 'spki' }); }
-  catch (e) { return { ok: false, error: 'cannot import Ed25519 pk: ' + e.message }; }
-  const message = Buffer.from(canonicalJson(doc.payload), 'utf8');
-  const ok = crypto.verify(null, message, pubKey, sigBytes);
-  return { ok, payload: doc.payload, signed_with: pk };
-}
-function canonicalJson(obj) {
-  if (obj === null || typeof obj !== 'object') { return JSON.stringify(obj); }
-  if (Array.isArray(obj)) { return '[' + obj.map(canonicalJson).join(',') + ']'; }
-  const keys = Object.keys(obj).sort();
-  return '{' + keys.map((k) => JSON.stringify(k) + ':' + canonicalJson(obj[k])).join(',') + '}';
-}
-function fetchSmall(url) {
-  return new Promise((resolve) => {
-    let mod;
-    try { mod = url.startsWith('https:') ? https : http; } catch { return resolve({ ok: false, error: 'bad url' }); }
-    const req = mod.get(url, { timeout: FETCH_TIMEOUT_MS, headers: { 'User-Agent': 'WAB-ShieldQR/1.0' } }, (res) => {
-      if (res.statusCode && res.statusCode >= 300 && res.statusCode < 400 && res.headers.location) {
-        res.resume();
-        return resolve({ ok: false, status: res.statusCode, error: 'redirect_not_followed' });
-      }
-      let bytes = 0;
-      const chunks = [];
-      res.on('data', (c) => {
-        bytes += c.length;
-        if (bytes > MAX_BODY_BYTES) { req.destroy(); return; }
-        chunks.push(c);
-      });
-      res.on('end', () => resolve({
-        ok: (res.statusCode || 0) >= 200 && (res.statusCode || 0) < 300,
-        status: res.statusCode,
-        body: Buffer.concat(chunks).toString('utf8'),
-      }));
-    });
-    req.on('timeout', () => { req.destroy(); resolve({ ok: false, error: 'timeout' }); });
-    req.on('error', (e) => resolve({ ok: false, error: e.message }));
-  });
-}
-function inspectSsl(host, port) {
-  return new Promise((resolve) => {
-    const socket = tls.connect({ host, port, servername: host, timeout: FETCH_TIMEOUT_MS, rejectUnauthorized: false }, () => {
-      const cert = socket.getPeerCertificate(true);
-      socket.end();
-      if (!cert || !cert.valid_to) { return resolve({ ok: false, error: 'no certificate returned' }); }
-      const expiry = new Date(cert.valid_to);
-      const days = Math.floor((expiry.getTime() - Date.now()) / 86400000);
-      const fp = (cert.fingerprint256 || '').replace(/:/g, '').toLowerCase();
-      resolve({
-        ok: true,
-        issuer: cert.issuer && (cert.issuer.O || cert.issuer.CN) || null,
-        subject: cert.subject && cert.subject.CN || null,
-        valid_to: cert.valid_to,
-        valid_from: cert.valid_from,
-        days_until_expiry: days,
-        fingerprint_sha256: fp,
-        authorized: socket.authorized,
-        protocol: socket.getProtocol && socket.getProtocol(),
-      });
-    });
-    socket.on('error', (e) => resolve({ ok: false, error: e.message }));
-    socket.on('timeout', () => { socket.destroy(); resolve({ ok: false, error: 'timeout' }); });
-  });
-}
-function computeLevel(signals, signedOk) {
-  let score = 60; // neutral start
-  for (const s of signals) {
-    if (s.severity === 'good')   { score += 20; }
-    else if (s.severity === 'low')    { score -= 5; }
-    else if (s.severity === 'medium') { score -= 18; }
-    else if (s.severity === 'high')   { score -= 40; }
-  }
-  if (signedOk) { score = Math.max(score, 90); }
-  score = Math.max(0, Math.min(100, score));
-  const fallback = signals.some((s) => s.id === 'fallback_trust');
-  let level = 'yellow';
-  if (score >= 75 && signedOk && !fallback) { level = 'green'; }
-  else if (score >= 65)        { level = 'yellow'; }
-  else if (score < 35)         { level = 'red'; }
-  else                          { level = 'yellow'; }
-  // Hard-fail on any high-severity signal unless we have a verified signature
-  // (Extended Trust Layer: signature acts as fallback authority when SSL fails).
-  if (signals.some((s) => s.severity === 'high') && !signedOk) { level = 'red'; }
-  // With signed fallback, never drop below yellow.
-  if (fallback && level === 'red') { level = 'yellow'; }
-  return { level, score };
-}
-module.exports = { scan, parseWabTxt, canonicalJson };
+/**
+ * WAB ShieldQR — verification service
+ * --------------------------------------------------------------
+ * Given a URL extracted from a QR code (or any short link), verify whether
+ * it's safe to open.  Layered checks:
+ *
+ *   1. Heuristic risk score (shorteners, brand-new TLDs, IP literals, etc.)
+ *   2. DNS Discovery — TXT lookup on  _wab.{domain}  and  _wab-trust.{domain}
+ *   3. Cryptographic Trust  — fetch /.well-known/wab.json and verify
+ *      Ed25519 signature against the public key advertised in the TXT record.
+ *   4. SSL/TLS health — fetch the cert, compare thumbprint, check expiry.
+ *
+ * The result is a *level* (green / yellow / red) plus a structured
+ * `signals[]` array so a UI can show a human-readable explanation.
+ *
+ * No third-party deps — only Node built-ins (`dns/promises`, `tls`,
+ * `crypto`, `https`).
+ */
+'use strict';
+const dns = require('node:dns').promises;
+const tls = require('node:tls');
+const crypto = require('node:crypto');
+const https = require('node:https');
+const http = require('node:http');
+const SHORTENER_HOSTS = new Set([
+  'bit.ly', 't.co', 'tinyurl.com', 'goo.gl', 'ow.ly', 'is.gd', 'buff.ly',
+  'cutt.ly', 'rebrand.ly', 'shorturl.at', 'tiny.cc', 'rb.gy', 'lnkd.in',
+]);
+const FETCH_TIMEOUT_MS = 4000;
+const MAX_BODY_BYTES = 64 * 1024;
+// ─── Public API ───────────────────────────────────────────────────────
+/**
+ * Inspect a single URL.  Always resolves; never throws.
+ * @param {string} input  raw URL or string from a QR scan
+ * @returns {Promise<{level:'green'|'yellow'|'red', score:number, url:string|null,
+ *   host:string|null, signals:Array, dns:any, trust:any, ssl:any, generated_at:string}>}
+ */
+async function scan(input) {
+  const t0 = Date.now();
+  const out = {
+    level: 'yellow',
+    score: 50,
+    url: null,
+    host: null,
+    signals: [],
+    dns: null,
+    trust: null,
+    ssl: null,
+    generated_at: new Date().toISOString(),
+    elapsed_ms: 0,
+  };
+  const parsed = parseUrl(input);
+  if (!parsed) {
+    out.level = 'red';
+    out.score = 0;
+    out.signals.push({ id: 'invalid_url', severity: 'high', message: 'Cannot parse a URL from input' });
+    out.elapsed_ms = Date.now() - t0;
+    return out;
+  }
+  out.url = parsed.href;
+  out.host = parsed.hostname;
+  // 1. Static heuristics
+  applyHeuristics(parsed, out);
+  // 2. DNS Discovery (parallel TXT lookups)
+  const [discovery, trust] = await Promise.all([
+    safeTxt(`_wab.${parsed.hostname}`),
+    safeTxt(`_wab-trust.${parsed.hostname}`),
+  ]);
+  out.dns = { discovery, trust };
+  if (discovery.records.length) {
+    out.signals.push({ id: 'wab_dns', severity: 'good', message: `_wab TXT record found at ${parsed.hostname}` });
+  }
+  if (trust.records.length) {
+    out.signals.push({ id: 'wab_trust_dns', severity: 'good', message: `_wab-trust TXT record found` });
+  }
+  // 3. Cryptographic trust  (only if DNS announced a key)
+  const wabFields = parseWabTxt(discovery.records.concat(trust.records));
+  if (wabFields.pk || wabFields.endpoint) {
+    out.trust = await verifyTrust(parsed, wabFields).catch((e) => ({ ok: false, error: String(e?.message || e) }));
+    if (out.trust.ok) {
+      out.signals.push({ id: 'signature_ok', severity: 'good', message: 'Ed25519 signature verified against DNS public key' });
+    } else if (out.trust && out.trust.error) {
+      out.signals.push({ id: 'signature_fail', severity: 'high', message: `Trust check failed: ${out.trust.error}` });
+    }
+  }
+  // 4. SSL/TLS — only over HTTPS hosts
+  if (parsed.protocol === 'https:') {
+    out.ssl = await inspectSsl(parsed.hostname, parsed.port ? Number(parsed.port) : 443).catch((e) => ({ ok: false, error: String(e?.message || e) }));
+    if (out.ssl.ok) {
+      const daysLeft = out.ssl.days_until_expiry;
+      if (daysLeft != null && daysLeft < 0) {
+        out.signals.push({ id: 'ssl_expired', severity: 'high', message: `SSL certificate expired ${-daysLeft}d ago` });
+      } else if (daysLeft != null && daysLeft < 7) {
+        out.signals.push({ id: 'ssl_expiring', severity: 'medium', message: `SSL certificate expires in ${daysLeft} days` });
+      }
+      if (wabFields.ssl_thumbprint && out.ssl.fingerprint_sha256 &&
+          wabFields.ssl_thumbprint.toLowerCase() !== out.ssl.fingerprint_sha256.toLowerCase()) {
+        out.signals.push({ id: 'ssl_thumbprint_mismatch', severity: 'high',
+          message: 'SSL fingerprint does not match the value advertised via _wab DNS' });
+      }
+    }
+  }
+  // 4b. Extended Trust — Fallback mode.
+  // If SSL is degraded (expired / expiring / mismatch) BUT we have a
+  // cryptographically verified Ed25519 signature, surface a "partial trust"
+  // signal so the verdict stays yellow instead of crashing to red.
+  const sslDegraded = out.signals.some((s) =>
+    ['ssl_expired', 'ssl_expiring', 'ssl_thumbprint_mismatch'].includes(s.id));
+  if (sslDegraded && out.trust && out.trust.ok) {
+    out.signals.push({ id: 'fallback_trust', severity: 'good',
+      message: 'Partial trust — SSL is degraded but the WAB Ed25519 signature is valid' });
+    out.fallback_trust = true;
+  }
+  // 5. Final level — combine signals
+  const verdict = computeLevel(out.signals, !!out.trust?.ok);
+  out.level = verdict.level;
+  out.score = verdict.score;
+  out.elapsed_ms = Date.now() - t0;
+  return out;
+}
+// ─── Helpers ──────────────────────────────────────────────────────────
+function parseUrl(input) {
+  if (!input || typeof input !== 'string') { return null; }
+  let s = input.trim();
+  if (!/^[a-z][a-z0-9+.-]*:\/\//i.test(s)) { s = 'https://' + s; }
+  try { return new URL(s); } catch { return null; }
+}
+function applyHeuristics(parsed, out) {
+  const host = parsed.hostname.toLowerCase();
+  // IP-literal hosts are suspicious
+  if (/^\d+\.\d+\.\d+\.\d+$/.test(host) || host.includes(':')) {
+    out.signals.push({ id: 'ip_literal_host', severity: 'high', message: 'URL points to a raw IP address' });
+  }
+  if (SHORTENER_HOSTS.has(host)) {
+    out.signals.push({ id: 'shortener', severity: 'medium', message: `URL uses a shortener domain (${host})` });
+  }
+  if (parsed.protocol === 'http:') {
+    out.signals.push({ id: 'plain_http', severity: 'medium', message: 'URL uses plain HTTP (no TLS)' });
+  }
+  // Punycode / homoglyph hint
+  if (host.includes('xn--')) {
+    out.signals.push({ id: 'punycode', severity: 'medium', message: 'Hostname uses Punycode (possible homoglyph attack)' });
+  }
+  // Excessive subdomains
+  if (host.split('.').length > 5) {
+    out.signals.push({ id: 'deep_subdomain', severity: 'low', message: 'Hostname has unusually many subdomain levels' });
+  }
+}
+async function safeTxt(name) {
+  try {
+    const records = await dns.resolveTxt(name);
+    return { name, records: records.map((parts) => parts.join('')), error: null };
+  } catch (err) {
+    return { name, records: [], error: err.code || String(err.message || err) };
+  }
+}
+/**
+ * Parse `key=value;` style fields out of TXT records that begin with `v=wab1`.
+ * Returns merged object with at least:
+ *   v, endpoint, pk, ssl_thumbprint, ssl_expires, shieldqr
+ */
+function parseWabTxt(rawRecords) {
+  const out = {};
+  for (const rec of rawRecords) {
+    if (!/v\s*=\s*wab1/i.test(rec)) { continue; }
+    const parts = rec.split(';').map((p) => p.trim()).filter(Boolean);
+    for (const p of parts) {
+      const eq = p.indexOf('=');
+      if (eq < 0) { continue; }
+      const k = p.slice(0, eq).trim().toLowerCase();
+      const v = p.slice(eq + 1).trim();
+      if (k && v && !out[k]) { out[k] = v; }
+    }
+  }
+  return out;
+}
+async function verifyTrust(parsed, wabFields) {
+  const base = wabFields.endpoint && /^https?:\/\//i.test(wabFields.endpoint)
+    ? wabFields.endpoint
+    : `${parsed.origin}/.well-known/wab.json`;
+  const wabJsonUrl = wabFields.endpoint && wabFields.endpoint.endsWith('.json')
+    ? wabFields.endpoint
+    : (base.endsWith('/') ? base + '.well-known/wab.json' : base + '/.well-known/wab.json');
+  const fetched = await fetchSmall(wabJsonUrl);
+  if (!fetched.ok) { return { ok: false, error: `cannot fetch wab.json (${fetched.error || fetched.status})` }; }
+  let doc;
+  try { doc = JSON.parse(fetched.body); } catch { return { ok: false, error: 'wab.json is not valid JSON' }; }
+  // signature is over the canonical JSON of `doc.payload`
+  const sig = doc.signature;
+  const pkRaw = wabFields.pk || (doc.trust && doc.trust.pk);
+  if (!sig || !pkRaw || !doc.payload) {
+    return { ok: false, error: 'wab.json missing payload/signature/pk' };
+  }
+  const pk = pkRaw.replace(/^ed25519:/i, '');
+  let pkBytes;
+  try { pkBytes = Buffer.from(pk, 'base64'); } catch { return { ok: false, error: 'invalid base64 pk' }; }
+  if (pkBytes.length !== 32) { return { ok: false, error: `pk has wrong length (${pkBytes.length} bytes, want 32)` }; }
+  let sigBytes;
+  try { sigBytes = Buffer.from(sig.replace(/^ed25519:/i, ''), 'base64'); } catch { return { ok: false, error: 'invalid base64 signature' }; }
+  // Wrap raw 32-byte Ed25519 public key in DER (SubjectPublicKeyInfo)
+  const der = Buffer.concat([
+    Buffer.from('302a300506032b6570032100', 'hex'),
+    pkBytes,
+  ]);
+  let pubKey;
+  try { pubKey = crypto.createPublicKey({ key: der, format: 'der', type: 'spki' }); }
+  catch (e) { return { ok: false, error: 'cannot import Ed25519 pk: ' + e.message }; }
+  const message = Buffer.from(canonicalJson(doc.payload), 'utf8');
+  const ok = crypto.verify(null, message, pubKey, sigBytes);
+  return { ok, payload: doc.payload, signed_with: pk };
+}
+function canonicalJson(obj) {
+  if (obj === null || typeof obj !== 'object') { return JSON.stringify(obj); }
+  if (Array.isArray(obj)) { return '[' + obj.map(canonicalJson).join(',') + ']'; }
+  const keys = Object.keys(obj).sort();
+  return '{' + keys.map((k) => JSON.stringify(k) + ':' + canonicalJson(obj[k])).join(',') + '}';
+}
+function fetchSmall(url) {
+  return new Promise((resolve) => {
+    let mod;
+    try { mod = url.startsWith('https:') ? https : http; } catch { return resolve({ ok: false, error: 'bad url' }); }
+    const req = mod.get(url, { timeout: FETCH_TIMEOUT_MS, headers: { 'User-Agent': 'WAB-ShieldQR/1.0' } }, (res) => {
+      if (res.statusCode && res.statusCode >= 300 && res.statusCode < 400 && res.headers.location) {
+        res.resume();
+        return resolve({ ok: false, status: res.statusCode, error: 'redirect_not_followed' });
+      }
+      let bytes = 0;
+      const chunks = [];
+      res.on('data', (c) => {
+        bytes += c.length;
+        if (bytes > MAX_BODY_BYTES) { req.destroy(); return; }
+        chunks.push(c);
+      });
+      res.on('end', () => resolve({
+        ok: (res.statusCode || 0) >= 200 && (res.statusCode || 0) < 300,
+        status: res.statusCode,
+        body: Buffer.concat(chunks).toString('utf8'),
+      }));
+    });
+    req.on('timeout', () => { req.destroy(); resolve({ ok: false, error: 'timeout' }); });
+    req.on('error', (e) => resolve({ ok: false, error: e.message }));
+  });
+}
+function inspectSsl(host, port) {
+  return new Promise((resolve) => {
+    const socket = tls.connect({ host, port, servername: host, timeout: FETCH_TIMEOUT_MS, rejectUnauthorized: false }, () => {
+      const cert = socket.getPeerCertificate(true);
+      socket.end();
+      if (!cert || !cert.valid_to) { return resolve({ ok: false, error: 'no certificate returned' }); }
+      const expiry = new Date(cert.valid_to);
+      const days = Math.floor((expiry.getTime() - Date.now()) / 86400000);
+      const fp = (cert.fingerprint256 || '').replace(/:/g, '').toLowerCase();
+      resolve({
+        ok: true,
+        issuer: cert.issuer && (cert.issuer.O || cert.issuer.CN) || null,
+        subject: cert.subject && cert.subject.CN || null,
+        valid_to: cert.valid_to,
+        valid_from: cert.valid_from,
+        days_until_expiry: days,
+        fingerprint_sha256: fp,
+        authorized: socket.authorized,
+        protocol: socket.getProtocol && socket.getProtocol(),
+      });
+    });
+    socket.on('error', (e) => resolve({ ok: false, error: e.message }));
+    socket.on('timeout', () => { socket.destroy(); resolve({ ok: false, error: 'timeout' }); });
+  });
+}
+function computeLevel(signals, signedOk) {
+  let score = 60; // neutral start
+  for (const s of signals) {
+    if (s.severity === 'good')   { score += 20; }
+    else if (s.severity === 'low')    { score -= 5; }
+    else if (s.severity === 'medium') { score -= 18; }
+    else if (s.severity === 'high')   { score -= 40; }
+  }
+  if (signedOk) { score = Math.max(score, 90); }
+  score = Math.max(0, Math.min(100, score));
+  const fallback = signals.some((s) => s.id === 'fallback_trust');
+  let level = 'yellow';
+  if (score >= 75 && signedOk && !fallback) { level = 'green'; }
+  else if (score >= 65)        { level = 'yellow'; }
+  else if (score < 35)         { level = 'red'; }
+  else                          { level = 'yellow'; }
+  // Hard-fail on any high-severity signal unless we have a verified signature
+  // (Extended Trust Layer: signature acts as fallback authority when SSL fails).
+  if (signals.some((s) => s.severity === 'high') && !signedOk) { level = 'red'; }
+  // With signed fallback, never drop below yellow.
+  if (fallback && level === 'red') { level = 'yellow'; }
+  return { level, score };
+}
+module.exports = { scan, parseWabTxt, canonicalJson };