web-agent-bridge 3.9.1 → 3.10.0

package/server/models/db.js

@@ -674,6 +674,74 @@ function getAdStats() {
   return { total, pending, approved, totalImpressions, totalClicks, totalRevenueCents };
 }
 
+// ─── Password Reset & Email Verification ──────────────────────────────
+// Prepared statements are lazy because the tables are created by migration 022.
+
+let _stmts = null;
+function _authStmts() {
+  if (_stmts) return _stmts;
+  _stmts = {
+    insertPRT: db.prepare(`INSERT INTO password_reset_tokens (token_hash, user_id, expires_at) VALUES (?, ?, ?)`),
+    findPRT:   db.prepare(`SELECT * FROM password_reset_tokens WHERE token_hash = ?`),
+    usePRT:    db.prepare(`UPDATE password_reset_tokens SET used_at = datetime('now') WHERE token_hash = ? AND used_at IS NULL`),
+    delPRTForUser: db.prepare(`DELETE FROM password_reset_tokens WHERE user_id = ?`),
+    updateUserPassword: db.prepare(`UPDATE users SET password = ?, updated_at = datetime('now') WHERE id = ?`),
+
+    insertEVT: db.prepare(`INSERT INTO email_verification_tokens (token_hash, user_id, expires_at) VALUES (?, ?, ?)`),
+    findEVT:   db.prepare(`SELECT * FROM email_verification_tokens WHERE token_hash = ?`),
+    useEVT:    db.prepare(`UPDATE email_verification_tokens SET used_at = datetime('now') WHERE token_hash = ? AND used_at IS NULL`),
+    delEVTForUser: db.prepare(`DELETE FROM email_verification_tokens WHERE user_id = ?`),
+    markVerified: db.prepare(`UPDATE users SET email_verified = 1, email_verified_at = datetime('now') WHERE id = ?`),
+    isVerified: db.prepare(`SELECT email_verified FROM users WHERE id = ?`)
+  };
+  return _stmts;
+}
+
+function createPasswordResetToken({ userId, tokenHash, ttlMinutes = 60 }) {
+  const expires = new Date(Date.now() + ttlMinutes * 60 * 1000).toISOString();
+  _authStmts().delPRTForUser.run(userId); // invalidate previous
+  _authStmts().insertPRT.run(tokenHash, userId, expires);
+  return expires;
+}
+
+function consumePasswordResetToken(tokenHash) {
+  const row = _authStmts().findPRT.get(tokenHash);
+  if (!row) return null;
+  if (row.used_at) return null;
+  if (new Date(row.expires_at).getTime() < Date.now()) return null;
+  const r = _authStmts().usePRT.run(tokenHash);
+  if (r.changes === 0) return null;
+  return row.user_id;
+}
+
+function updateUserPassword(userId, plainPassword) {
+  const hashed = bcrypt.hashSync(plainPassword, 12);
+  _authStmts().updateUserPassword.run(hashed, userId);
+}
+
+function createEmailVerificationToken({ userId, tokenHash, ttlMinutes = 60 * 24 * 7 }) {
+  const expires = new Date(Date.now() + ttlMinutes * 60 * 1000).toISOString();
+  _authStmts().delEVTForUser.run(userId);
+  _authStmts().insertEVT.run(tokenHash, userId, expires);
+  return expires;
+}
+
+function consumeEmailVerificationToken(tokenHash) {
+  const row = _authStmts().findEVT.get(tokenHash);
+  if (!row) return null;
+  if (row.used_at) return null;
+  if (new Date(row.expires_at).getTime() < Date.now()) return null;
+  const r = _authStmts().useEVT.run(tokenHash);
+  if (r.changes === 0) return null;
+  _authStmts().markVerified.run(row.user_id);
+  return row.user_id;
+}
+
+function isEmailVerified(userId) {
+  const row = _authStmts().isVerified.get(userId);
+  return !!(row && row.email_verified);
+}
+
 module.exports = {
   db,
   registerUser,
@@ -736,5 +804,12 @@ module.exports = {
   updateAdStatus,
   deleteAd,
   recordAdEvent,
-  getAdStats
+  getAdStats,
+  // Auth recovery & verification
+  createPasswordResetToken,
+  consumePasswordResetToken,
+  updateUserPassword,
+  createEmailVerificationToken,
+  consumeEmailVerificationToken,
+  isEmailVerified
 };

package/server/routes/admin.js

@@ -23,6 +23,7 @@ const {
 } = require('../models/db');
 const { sendEmail } = require('../services/email');
 const { createCheckoutSession, createPortalSession, isStripeConfigured, getStripePrices } = require('../services/stripe');
+const visitorTracker = require('../services/visitor-tracker');
 
 // ─── Auth ──────────────────────────────────────────────────────────────
 
@@ -60,6 +61,35 @@ router.get('/me', authenticateAdmin, (req, res) => {
 router.get('/stats', authenticateAdmin, (req, res) => {
   const stats = getAdminStats();
   stats.stripeConfigured = isStripeConfigured();
+
+  // Expose normalized keys that the overview dashboard expects, while keeping
+  // the legacy keys for any older clients still reading them.
+  stats.users  = stats.totalUsers;
+  stats.sites  = stats.totalSites;
+  stats.analytics_total = stats.totalAnalytics;
+  stats.analytics_today = stats.todayAnalytics;
+  stats.revenue30d = (() => {
+    try {
+      const r = db.prepare(
+        `SELECT COALESCE(SUM(amount),0) AS t FROM payments WHERE status='succeeded' AND created_at >= datetime('now','-30 days')`
+      ).get();
+      return r ? r.t : 0;
+    } catch { return 0; }
+  })();
+  stats.active_subscriptions = (() => {
+    try {
+      const r = db.prepare(
+        `SELECT COUNT(*) AS c FROM stripe_subscriptions WHERE status='active'`
+      ).get();
+      return r ? r.c : 0;
+    } catch { return 0; }
+  })();
+
+  // Visitor counts (registered + anonymous).
+  try {
+    Object.assign(stats, visitorTracker.getQuickCounts());
+  } catch { /* table may not exist on first boot before migration */ }
+
   res.json(stats);
 });
 
@@ -69,6 +99,26 @@ router.get('/analytics', authenticateAdmin, (req, res) => {
   res.json(data);
 });
 
+// ─── Visitor analytics (page hits, registered + anonymous) ────────────
+
+router.get('/analytics/visits', authenticateAdmin, (req, res) => {
+  try {
+    const data = visitorTracker.getVisitorAnalytics(req.query.days);
+    res.json({ ok: true, ...data });
+  } catch (e) {
+    res.status(500).json({ ok: false, error: e.message });
+  }
+});
+
+router.get('/analytics/visits/recent', authenticateAdmin, (req, res) => {
+  try {
+    const visits = visitorTracker.getRecentVisits(req.query.limit);
+    res.json({ ok: true, visits });
+  } catch (e) {
+    res.status(500).json({ ok: false, error: e.message });
+  }
+});
+
 // ─── Users Management ─────────────────────────────────────────────────
 
 router.get('/users', authenticateAdmin, (req, res) => {
@@ -547,4 +597,65 @@ router.post('/governance/approvals/:rid/decide', authenticateAdmin, (req, res) =
   res.json(out);
 });
 
+// ─── ATP Merchant Commission (platform-wide view) ──────────────────────
+const _commissions = require('../services/commissions');
+
+router.get('/commissions/stats', authenticateAdmin, (req, res) => {
+  try {
+    res.json({ ok: true, data: _commissions.getPlatformCommissionStats() });
+  } catch (e) {
+    res.status(500).json({ ok: false, error: e.message });
+  }
+});
+
+router.get('/commissions', authenticateAdmin, (req, res) => {
+  const limit  = Math.min(500, Math.max(1, parseInt(req.query.limit, 10) || 100));
+  const offset = Math.max(0, parseInt(req.query.offset, 10) || 0);
+  const status = req.query.status || null;
+  try {
+    let rows;
+    if (status) {
+      rows = db.prepare(`
+        SELECT c.*, u.email AS merchant_email, s.domain AS merchant_domain
+          FROM atp_commissions c
+          LEFT JOIN users u ON u.id = c.merchant_user_id
+          LEFT JOIN sites s ON s.id = c.merchant_site_id
+         WHERE c.status = ?
+         ORDER BY c.created_at DESC LIMIT ? OFFSET ?
+      `).all(status, limit, offset);
+    } else {
+      rows = db.prepare(`
+        SELECT c.*, u.email AS merchant_email, s.domain AS merchant_domain
+          FROM atp_commissions c
+          LEFT JOIN users u ON u.id = c.merchant_user_id
+          LEFT JOIN sites s ON s.id = c.merchant_site_id
+         ORDER BY c.created_at DESC LIMIT ? OFFSET ?
+      `).all(limit, offset);
+    }
+    res.json({ ok: true, data: rows, limit, offset });
+  } catch (e) {
+    res.status(500).json({ ok: false, error: e.message });
+  }
+});
+
+router.post('/commissions/:id/status', authenticateAdmin, (req, res) => {
+  const next = String(req.body?.status || '').toLowerCase();
+  const allowed = ['pending', 'invoiced', 'collected', 'refunded', 'waived'];
+  if (!allowed.includes(next)) {
+    return res.status(400).json({ ok: false, error: `status must be one of ${allowed.join(',')}` });
+  }
+  try {
+    const r = db.prepare(`
+      UPDATE atp_commissions
+         SET status=?, notes = COALESCE(notes || ' | ', '') || ?, updated_at = datetime('now')
+       WHERE id=?
+    `).run(next, `admin:${req.admin.id} → ${next}`, req.params.id);
+    if (r.changes === 0) return res.status(404).json({ ok: false, error: 'not_found' });
+    auditLog({ actorType: 'admin', actorId: String(req.admin.id), action: 'commission_status_update', details: { id: req.params.id, status: next } });
+    res.json({ ok: true });
+  } catch (e) {
+    res.status(500).json({ ok: false, error: e.message });
+  }
+});
+
 module.exports = router;

package/server/routes/auth.js

@@ -1,9 +1,27 @@
 const express = require('express');
+const crypto = require('crypto');
 const router = express.Router();
-const { registerUser, loginUser, findUserById } = require('../models/db');
+const {
+  registerUser, loginUser, findUserById, findUserByEmail,
+  createPasswordResetToken, consumePasswordResetToken, updateUserPassword,
+  createEmailVerificationToken, consumeEmailVerificationToken, isEmailVerified
+} = require('../models/db');
 const { generateToken, authenticateToken } = require('../middleware/auth');
 const { authLimiter, registerLimiter } = require('../middleware/rateLimits');
 const { validateEmail, sanitizeInput, auditLog, revokeJWT } = require('../services/security');
+const { sendEmail } = require('../services/email');
+
+const BASE_URL = process.env.BASE_URL || 'https://webagentbridge.com';
+
+function hashToken(token) {
+  return crypto.createHash('sha256').update(token).digest('hex');
+}
+
+function fireAndForget(promise, label) {
+  Promise.resolve(promise).catch((e) => {
+    console.error(`[email] ${label} failed (non-fatal):`, e && e.message);
+  });
+}
 
 router.post('/register', registerLimiter, (req, res) => {
   const { email, password, name, company } = req.body;
@@ -27,7 +45,25 @@ router.post('/register', registerLimiter, (req, res) => {
     const user = registerUser({ email: email.toLowerCase().trim(), password, name: cleanName, company: cleanCompany });
     const token = generateToken(user);
     auditLog({ actorType: 'user', actorId: String(user.id), action: 'register', ip: req.ip });
-    res.status(201).json({ user, token });
+
+    // Generate email-verification token and send it (best-effort, non-blocking)
+    try {
+      const verifyToken = crypto.randomBytes(32).toString('hex');
+      createEmailVerificationToken({ userId: user.id, tokenHash: hashToken(verifyToken) });
+      const verifyUrl = `${BASE_URL}/verify-email.html?token=${verifyToken}`;
+      fireAndForget(
+        sendEmail({ to: user.email, template: 'email_verification', data: { name: user.name, verifyUrl }, userId: user.id }),
+        'verification email'
+      );
+      fireAndForget(
+        sendEmail({ to: user.email, template: 'welcome', data: { name: user.name, dashboardUrl: `${BASE_URL}/dashboard` }, userId: user.id }),
+        'welcome email'
+      );
+    } catch (e) {
+      console.error('[register] verification setup failed:', e.message);
+    }
+
+    res.status(201).json({ user: { ...user, email_verified: 0 }, token });
   } catch (err) {
     if (err.message.includes('UNIQUE constraint')) {
       return res.status(409).json({ error: 'Email already registered' });
@@ -65,7 +101,74 @@ router.post('/logout', authenticateToken, (req, res) => {
 router.get('/me', authenticateToken, (req, res) => {
   const user = findUserById.get(req.user.id);
   if (!user) return res.status(404).json({ error: 'User not found' });
-  res.json({ user });
+  res.json({ user: { ...user, email_verified: isEmailVerified(req.user.id) ? 1 : 0 } });
+});
+
+// ─── Password Reset ────────────────────────────────────────────────────
+// Always returns success to avoid leaking which emails exist.
+router.post('/forgot-password', authLimiter, (req, res) => {
+  const { email } = req.body || {};
+  if (!email || !validateEmail(email)) {
+    return res.status(400).json({ error: 'Valid email required' });
+  }
+  try {
+    const user = findUserByEmail.get(email.toLowerCase().trim());
+    if (user) {
+      const token = crypto.randomBytes(32).toString('hex');
+      createPasswordResetToken({ userId: user.id, tokenHash: hashToken(token), ttlMinutes: 60 });
+      const resetUrl = `${BASE_URL}/reset-password.html?token=${token}`;
+      fireAndForget(
+        sendEmail({ to: user.email, template: 'password_reset', data: { name: user.name, resetUrl }, userId: user.id }),
+        'password_reset email'
+      );
+      auditLog({ actorType: 'user', actorId: String(user.id), action: 'password_reset_requested', ip: req.ip });
+    }
+  } catch (e) {
+    console.error('[forgot-password]', e.message);
+  }
+  res.json({ success: true, message: 'If that email is registered, a reset link has been sent.' });
+});
+
+router.post('/reset-password', authLimiter, (req, res) => {
+  const { token, password } = req.body || {};
+  if (!token || typeof token !== 'string') return res.status(400).json({ error: 'Token required' });
+  if (!password || password.length < 8 || password.length > 128) {
+    return res.status(400).json({ error: 'Password must be between 8 and 128 characters' });
+  }
+  const userId = consumePasswordResetToken(hashToken(token));
+  if (!userId) {
+    return res.status(400).json({ error: 'Invalid or expired token' });
+  }
+  updateUserPassword(userId, password);
+  auditLog({ actorType: 'user', actorId: String(userId), action: 'password_reset_completed', ip: req.ip });
+  res.json({ success: true });
+});
+
+// ─── Email Verification ────────────────────────────────────────────────
+router.post('/verify-email', (req, res) => {
+  const { token } = req.body || {};
+  if (!token || typeof token !== 'string') return res.status(400).json({ error: 'Token required' });
+  const userId = consumeEmailVerificationToken(hashToken(token));
+  if (!userId) return res.status(400).json({ error: 'Invalid or expired token' });
+  auditLog({ actorType: 'user', actorId: String(userId), action: 'email_verified', ip: req.ip });
+  res.json({ success: true });
+});
+
+router.post('/resend-verification', authenticateToken, (req, res) => {
+  const user = findUserById.get(req.user.id);
+  if (!user) return res.status(404).json({ error: 'User not found' });
+  if (isEmailVerified(req.user.id)) {
+    return res.json({ success: true, alreadyVerified: true });
+  }
+  const token = crypto.randomBytes(32).toString('hex');
+  createEmailVerificationToken({ userId: user.id, tokenHash: hashToken(token) });
+  const verifyUrl = `${BASE_URL}/verify-email.html?token=${token}`;
+  fireAndForget(
+    sendEmail({ to: user.email, template: 'email_verification', data: { name: user.name, verifyUrl }, userId: user.id }),
+    'resend verification'
+  );
+  auditLog({ actorType: 'user', actorId: String(req.user.id), action: 'verification_resent', ip: req.ip });
+  res.json({ success: true });
 });
 
 module.exports = router;

package/server/routes/premium.js

@@ -1,6 +1,6 @@
 const express = require('express');
 const router = express.Router();
-const { authenticateToken } = require('../middleware/auth');
+const { authenticateToken, requireTier } = require('../middleware/auth');
 const premium = require('../services/premium');
 const { findSiteById, findSitesByUser } = require('../models/db');
 
@@ -15,7 +15,7 @@ function requireSiteOwnership(req, res, next) {
 
 // ─── Traffic Intelligence ────────────────────────────────────────────────
 
-router.get('/traffic/:siteId/profiles', authenticateToken, requireSiteOwnership, async (req, res) => {
+router.get('/traffic/:siteId/profiles', authenticateToken, requireSiteOwnership, requireTier('business'), async (req, res) => {
   try {
     const { limit, offset, type } = req.query;
     const profiles = await premium.getAgentProfiles(req.params.siteId, {
@@ -29,7 +29,7 @@ router.get('/traffic/:siteId/profiles', authenticateToken, requireSiteOwnership,
   }
 });
 
-router.get('/traffic/:siteId/stats', authenticateToken, requireSiteOwnership, async (req, res) => {
+router.get('/traffic/:siteId/stats', authenticateToken, requireSiteOwnership, requireTier('business'), async (req, res) => {
   try {
     const days = req.query.days ? parseInt(req.query.days) : 30;
     const stats = await premium.getTrafficStats(req.params.siteId, days);
@@ -39,7 +39,7 @@ router.get('/traffic/:siteId/stats', authenticateToken, requireSiteOwnership, as
   }
 });
 
-router.get('/traffic/:siteId/alerts', authenticateToken, requireSiteOwnership, async (req, res) => {
+router.get('/traffic/:siteId/alerts', authenticateToken, requireSiteOwnership, requireTier('business'), async (req, res) => {
   try {
     const { limit, acknowledged } = req.query;
     const alerts = await premium.getAnomalyAlerts(req.params.siteId, {
@@ -52,7 +52,7 @@ router.get('/traffic/:siteId/alerts', authenticateToken, requireSiteOwnership, a
   }
 });
 
-router.post('/traffic/:siteId/alerts/:alertId/acknowledge', authenticateToken, requireSiteOwnership, async (req, res) => {
+router.post('/traffic/:siteId/alerts/:alertId/acknowledge', authenticateToken, requireSiteOwnership, requireTier('business'), async (req, res) => {
   try {
     const ok = await premium.acknowledgeAlert(req.params.alertId, req.params.siteId);
     if (!ok) return res.status(404).json({ error: 'Alert not found' });
@@ -62,7 +62,7 @@ router.post('/traffic/:siteId/alerts/:alertId/acknowledge', authenticateToken, r
   }
 });
 
-router.post('/traffic/:siteId/check-anomalies', authenticateToken, requireSiteOwnership, async (req, res) => {
+router.post('/traffic/:siteId/check-anomalies', authenticateToken, requireSiteOwnership, requireTier('business'), async (req, res) => {
   try {
     const alerts = await premium.checkForAnomalies(req.params.siteId);
     res.json({ alerts });
@@ -73,7 +73,7 @@ router.post('/traffic/:siteId/check-anomalies', authenticateToken, requireSiteOw
 
 // ─── Exploit Shield ──────────────────────────────────────────────────────
 
-router.get('/security/:siteId/events', authenticateToken, requireSiteOwnership, async (req, res) => {
+router.get('/security/:siteId/events', authenticateToken, requireSiteOwnership, requireTier('business'), async (req, res) => {
   try {
     const { limit, severity, since } = req.query;
     const events = await premium.getSecurityEvents(req.params.siteId, {
@@ -87,7 +87,7 @@ router.get('/security/:siteId/events', authenticateToken, requireSiteOwnership,
   }
 });
 
-router.get('/security/:siteId/report', authenticateToken, requireSiteOwnership, async (req, res) => {
+router.get('/security/:siteId/report', authenticateToken, requireSiteOwnership, requireTier('business'), async (req, res) => {
   try {
     const days = req.query.days ? parseInt(req.query.days) : 30;
     const report = await premium.getSecurityReport(req.params.siteId, days);
@@ -97,7 +97,7 @@ router.get('/security/:siteId/report', authenticateToken, requireSiteOwnership,
   }
 });
 
-router.get('/security/:siteId/blocked', authenticateToken, requireSiteOwnership, async (req, res) => {
+router.get('/security/:siteId/blocked', authenticateToken, requireSiteOwnership, requireTier('business'), async (req, res) => {
   try {
     const blocked = await premium.getBlockedAgents(req.params.siteId);
     res.json({ blocked });
@@ -106,7 +106,7 @@ router.get('/security/:siteId/blocked', authenticateToken, requireSiteOwnership,
   }
 });
 
-router.post('/security/:siteId/block', authenticateToken, requireSiteOwnership, async (req, res) => {
+router.post('/security/:siteId/block', authenticateToken, requireSiteOwnership, requireTier('business'), async (req, res) => {
   try {
     const { agentSignature, reason, expiresAt } = req.body;
     if (!agentSignature) return res.status(400).json({ error: 'agentSignature is required' });
@@ -117,7 +117,7 @@ router.post('/security/:siteId/block', authenticateToken, requireSiteOwnership,
   }
 });
 
-router.delete('/security/:siteId/block/:blockId', authenticateToken, requireSiteOwnership, async (req, res) => {
+router.delete('/security/:siteId/block/:blockId', authenticateToken, requireSiteOwnership, requireTier('business'), async (req, res) => {
   try {
     const ok = await premium.unblockAgent(req.params.blockId, req.params.siteId);
     if (!ok) return res.status(404).json({ error: 'Block record not found' });
@@ -193,7 +193,7 @@ router.delete('/actions/:siteId/install/:installId', authenticateToken, requireS
 
 // ─── Custom Agents ───────────────────────────────────────────────────────
 
-router.get('/agents/:siteId', authenticateToken, requireSiteOwnership, async (req, res) => {
+router.get('/agents/:siteId', authenticateToken, requireSiteOwnership, requireTier('pro'), async (req, res) => {
   try {
     const agents = await premium.getAgents(req.user.id, req.params.siteId);
     res.json({ agents });
@@ -202,7 +202,7 @@ router.get('/agents/:siteId', authenticateToken, requireSiteOwnership, async (re
   }
 });
 
-router.post('/agents/:siteId', authenticateToken, requireSiteOwnership, async (req, res) => {
+router.post('/agents/:siteId', authenticateToken, requireSiteOwnership, requireTier('pro'), async (req, res) => {
   try {
     const { name, description, steps, schedule } = req.body;
     if (!name || !steps) return res.status(400).json({ error: 'name and steps are required' });
@@ -213,7 +213,7 @@ router.post('/agents/:siteId', authenticateToken, requireSiteOwnership, async (r
   }
 });
 
-router.get('/agents/:siteId/:agentId', authenticateToken, requireSiteOwnership, async (req, res) => {
+router.get('/agents/:siteId/:agentId', authenticateToken, requireSiteOwnership, requireTier('pro'), async (req, res) => {
   try {
     const agent = await premium.getAgent(req.params.agentId, req.user.id);
     if (!agent) return res.status(404).json({ error: 'Agent not found' });
@@ -223,7 +223,7 @@ router.get('/agents/:siteId/:agentId', authenticateToken, requireSiteOwnership,
   }
 });
 
-router.put('/agents/:siteId/:agentId', authenticateToken, requireSiteOwnership, async (req, res) => {
+router.put('/agents/:siteId/:agentId', authenticateToken, requireSiteOwnership, requireTier('pro'), async (req, res) => {
   try {
     const { name, description, steps, schedule } = req.body;
     const ok = await premium.updateAgent(req.params.agentId, req.user.id, { name, description, steps, schedule });
@@ -234,7 +234,7 @@ router.put('/agents/:siteId/:agentId', authenticateToken, requireSiteOwnership,
   }
 });
 
-router.delete('/agents/:siteId/:agentId', authenticateToken, requireSiteOwnership, async (req, res) => {
+router.delete('/agents/:siteId/:agentId', authenticateToken, requireSiteOwnership, requireTier('pro'), async (req, res) => {
   try {
     const ok = await premium.deleteAgent(req.params.agentId, req.user.id);
     if (!ok) return res.status(404).json({ error: 'Agent not found' });
@@ -244,7 +244,7 @@ router.delete('/agents/:siteId/:agentId', authenticateToken, requireSiteOwnershi
   }
 });
 
-router.post('/agents/:siteId/:agentId/run', authenticateToken, requireSiteOwnership, async (req, res) => {
+router.post('/agents/:siteId/:agentId/run', authenticateToken, requireSiteOwnership, requireTier('pro'), async (req, res) => {
   try {
     const result = await premium.runAgent(req.params.agentId, req.user.id);
     res.json({ result });
@@ -253,7 +253,7 @@ router.post('/agents/:siteId/:agentId/run', authenticateToken, requireSiteOwners
   }
 });
 
-router.get('/agents/:siteId/:agentId/runs', authenticateToken, requireSiteOwnership, async (req, res) => {
+router.get('/agents/:siteId/:agentId/runs', authenticateToken, requireSiteOwnership, requireTier('pro'), async (req, res) => {
   try {
     const { limit } = req.query;
     const runs = await premium.getAgentRuns(req.params.agentId, {

package/server/routes/transactions.js

@@ -245,4 +245,36 @@ router.get('/platform/stats', publicReceiptLimiter, (req, res) => {
   res.json({ ok: true, data: stats });
 });
 
+// ─── Merchant commission endpoints ────────────────────────────────────────
+// Every merchant tx settled through ATP on a paid plan accrues a small
+// platform commission (default 0.10%). Merchants can inspect their own
+// accrual via these endpoints. Public commission rate is exposed for
+// transparency.
+const commissions = require('../services/commissions');
+
+router.get('/commissions/rate', (req, res) => {
+  res.json({
+    ok: true,
+    data: {
+      rate_bps: commissions.getCommissionBps(),
+      rate_percent: commissions.getCommissionBps() / 100,
+      min_tier: commissions.getMinTier(),
+      applies_to: 'Successful merchant transactions settled through ATP on a paid plan.',
+    },
+  });
+});
+
+router.get('/commissions', authenticateToken, (req, res) => {
+  const limit  = Math.min(200, Math.max(1, parseInt(req.query.limit, 10) || 50));
+  const offset = Math.max(0, parseInt(req.query.offset, 10) || 0);
+  const status = req.query.status || null;
+  const items = commissions.listCommissionsForMerchant(req.user.id, { limit, offset, status });
+  res.json({ ok: true, data: items, limit, offset });
+});
+
+router.get('/commissions/stats', authenticateToken, (req, res) => {
+  const stats = commissions.getMerchantCommissionStats(req.user.id);
+  res.json({ ok: true, data: stats });
+});
+
 module.exports = router;