web-agent-bridge 3.9.1 → 3.10.0

package/server/services/commissions.js

@@ -0,0 +1,209 @@
+'use strict';
+
+/**
+ * ATP Merchant Commission — v3.10.0
+ *
+ * WAB charges a small platform commission on every successful merchant
+ * transaction settled through ATP, when the merchant is on a paid plan
+ * and the transaction is real (not a platform self-payment).
+ *
+ * Defaults:
+ *   - Rate: 10 bps (0.10%), overridable via env WAB_COMMISSION_BPS or
+ *     platform_settings('commission_bps').
+ *   - Minimum tier: 'starter' (free sites exempt), overridable via env
+ *     WAB_COMMISSION_MIN_TIER.
+ *   - Platform self-payments (intent.metadata.platform = 1) always exempt.
+ *
+ * Idempotency: atp_commissions.transaction_id is UNIQUE, so duplicate
+ * settle events become a no-op.
+ */
+
+const crypto = require('crypto');
+const { db, getPlatformSetting, findSiteById } = require('../models/db');
+
+const TIER_RANK = { free: 0, starter: 1, pro: 2, business: 3, enterprise: 4 };
+
+function ulid(prefix) {
+  const t = Date.now().toString(36).padStart(8, '0');
+  const r = crypto.randomBytes(10).toString('hex');
+  return `${prefix}_${t}${r}`;
+}
+
+function getCommissionBps() {
+  // Priority: env > platform_setting > default
+  const envBps = parseInt(process.env.WAB_COMMISSION_BPS, 10);
+  if (Number.isFinite(envBps) && envBps >= 0 && envBps <= 10000) return envBps;
+  try {
+    const setting = getPlatformSetting('commission_bps');
+    if (setting != null) {
+      const n = parseInt(setting, 10);
+      if (Number.isFinite(n) && n >= 0 && n <= 10000) return n;
+    }
+  } catch { /* table may not exist in some tests */ }
+  return 10; // default 0.10%
+}
+
+function getMinTier() {
+  const env = (process.env.WAB_COMMISSION_MIN_TIER || '').toLowerCase().trim();
+  if (env && TIER_RANK[env] != null) return env;
+  return 'starter';
+}
+
+function calcCommissionCents(amountCents, bps) {
+  if (!Number.isFinite(amountCents) || amountCents <= 0) return 0;
+  // round half-up to nearest cent
+  return Math.floor((amountCents * bps + 5000) / 10000);
+}
+
+function safeJson(s, fallback) {
+  if (s == null) return fallback;
+  if (typeof s === 'object') return s;
+  try { return JSON.parse(s); } catch { return fallback; }
+}
+
+/**
+ * Record a commission row for a settled merchant transaction.
+ * Idempotent: safe to call multiple times for the same tx.
+ * Returns the commission row (or null when not applicable).
+ */
+function recordCommissionForTransaction(tx) {
+  if (!tx || !tx.id || !tx.intent_id) return null;
+  if (!Number.isFinite(tx.amount_cents) || tx.amount_cents <= 0) return null;
+
+  // Already recorded?
+  const existing = db.prepare('SELECT * FROM atp_commissions WHERE transaction_id=?').get(tx.id);
+  if (existing) return existing;
+
+  const intent = db.prepare('SELECT user_id, site_id, metadata FROM atp_intents WHERE id=?').get(tx.intent_id);
+  if (!intent) return null;
+
+  // Platform self-payment? Skip.
+  const meta = safeJson(intent.metadata, {});
+  if (meta && meta.platform) return null;
+
+  // Need a merchant site to bill against.
+  if (!intent.site_id) return null;
+
+  let site;
+  try { site = findSiteById.get(intent.site_id); } catch { site = null; }
+  if (!site) return null;
+
+  const tier = (site.tier || 'free').toLowerCase();
+  const minTier = getMinTier();
+  if ((TIER_RANK[tier] ?? 0) < (TIER_RANK[minTier] ?? 1)) return null;
+
+  const bps = getCommissionBps();
+  if (bps <= 0) return null;
+
+  const commissionCents = calcCommissionCents(tx.amount_cents, bps);
+  if (commissionCents <= 0) return null;
+
+  const id = ulid('atp_com');
+  const externalRef =
+    (tx.metadata && safeJson(tx.metadata, {}).external_ref) ||
+    tx.idempotency_key || null;
+
+  db.prepare(`
+    INSERT INTO atp_commissions
+      (id, transaction_id, intent_id, merchant_user_id, merchant_site_id,
+       merchant_tier, gross_amount_cents, currency, commission_bps, commission_cents,
+       status, external_ref)
+    VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, 'pending', ?)
+  `).run(
+    id, tx.id, tx.intent_id, site.user_id, site.id,
+    tier, tx.amount_cents, tx.currency || 'EUR', bps, commissionCents,
+    externalRef
+  );
+
+  return db.prepare('SELECT * FROM atp_commissions WHERE id=?').get(id);
+}
+
+/**
+ * Flip a commission to 'refunded' when the underlying tx is compensated.
+ */
+function markCommissionRefunded(txId, reason = null) {
+  const row = db.prepare('SELECT * FROM atp_commissions WHERE transaction_id=?').get(txId);
+  if (!row) return null;
+  if (row.status === 'refunded' || row.status === 'waived') return row;
+  db.prepare(`
+    UPDATE atp_commissions
+       SET status='refunded',
+           notes = COALESCE(notes || ' | ', '') || ?,
+           updated_at = datetime('now')
+     WHERE transaction_id=?
+  `).run(`refund: ${reason || 'tx_compensated'}`, txId);
+  return db.prepare('SELECT * FROM atp_commissions WHERE transaction_id=?').get(txId);
+}
+
+function listCommissionsForMerchant(userId, { limit = 50, offset = 0, status = null } = {}) {
+  const lim = Math.max(1, Math.min(200, Number(limit) || 50));
+  const off = Math.max(0, Number(offset) || 0);
+  if (status) {
+    return db.prepare(`
+      SELECT * FROM atp_commissions
+       WHERE merchant_user_id=? AND status=?
+       ORDER BY created_at DESC LIMIT ? OFFSET ?
+    `).all(userId, status, lim, off);
+  }
+  return db.prepare(`
+    SELECT * FROM atp_commissions
+     WHERE merchant_user_id=?
+     ORDER BY created_at DESC LIMIT ? OFFSET ?
+  `).all(userId, lim, off);
+}
+
+function getMerchantCommissionStats(userId) {
+  const overall = db.prepare(`
+    SELECT COUNT(*)                                AS count_total,
+           COALESCE(SUM(commission_cents), 0)      AS commission_total_cents,
+           COALESCE(SUM(gross_amount_cents), 0)    AS gross_total_cents
+      FROM atp_commissions
+     WHERE merchant_user_id = ?
+       AND status IN ('pending','invoiced','collected')
+  `).get(userId);
+  const byStatus = db.prepare(`
+    SELECT status,
+           COUNT(*) AS n,
+           COALESCE(SUM(commission_cents), 0) AS commission_cents
+      FROM atp_commissions
+     WHERE merchant_user_id = ?
+     GROUP BY status
+  `).all(userId);
+  return { ...overall, by_status: byStatus, rate_bps: getCommissionBps() };
+}
+
+function getPlatformCommissionStats() {
+  const row = db.prepare(`
+    SELECT COUNT(*)                                AS count_total,
+           COALESCE(SUM(commission_cents), 0)      AS commission_total_cents,
+           COALESCE(SUM(gross_amount_cents), 0)    AS gross_total_cents,
+           MIN(created_at)                         AS first_at,
+           MAX(created_at)                         AS last_at
+      FROM atp_commissions
+     WHERE status IN ('pending','invoiced','collected')
+  `).get();
+  const byStatus = db.prepare(`
+    SELECT status, COUNT(*) AS n, COALESCE(SUM(commission_cents),0) AS commission_cents
+      FROM atp_commissions GROUP BY status
+  `).all();
+  const byTier = db.prepare(`
+    SELECT merchant_tier AS tier, COUNT(*) AS n,
+           COALESCE(SUM(commission_cents),0) AS commission_cents
+      FROM atp_commissions
+     WHERE status IN ('pending','invoiced','collected')
+     GROUP BY merchant_tier
+     ORDER BY commission_cents DESC
+  `).all();
+  return { ...row, by_status: byStatus, by_tier: byTier, rate_bps: getCommissionBps() };
+}
+
+module.exports = {
+  recordCommissionForTransaction,
+  markCommissionRefunded,
+  listCommissionsForMerchant,
+  getMerchantCommissionStats,
+  getPlatformCommissionStats,
+  getCommissionBps,
+  getMinTier,
+  _calcCommissionCents: calcCommissionCents,
+};

package/server/services/email.js

@@ -123,6 +123,59 @@ const templates = {
     `
   }),
 
+  email_verification: (data) => ({
+    subject: 'Verify your email — Web Agent Bridge',
+    html: `
+      <div style="font-family:Arial,sans-serif;max-width:600px;margin:0 auto;background:#0a0e1a;color:#f0f4ff;padding:40px;border-radius:12px;">
+        <div style="text-align:center;margin-bottom:30px;">
+          <div style="font-size:40px;">✉️</div>
+          <h1 style="color:#3b82f6;margin:10px 0;">Verify your email</h1>
+        </div>
+        <p style="color:#94a3b8;">Hello ${escapeHtml(data.name)},</p>
+        <p style="color:#94a3b8;line-height:1.8;">
+          Thanks for signing up for Web Agent Bridge. Please confirm your email by clicking the button below.
+        </p>
+        <div style="text-align:center;margin:30px 0;">
+          <a href="${data.verifyUrl}" style="background:linear-gradient(135deg,#3b82f6,#8b5cf6);color:#fff;padding:14px 32px;border-radius:8px;text-decoration:none;font-weight:600;">Verify Email</a>
+        </div>
+        <p style="color:#64748b;font-size:13px;">
+          This link expires in 7 days. If you didn't create an account, ignore this email.
+        </p>
+        <p style="color:#64748b;font-size:12px;text-align:center;margin-top:30px;">
+          &copy; ${new Date().getFullYear()} Web Agent Bridge
+        </p>
+      </div>
+    `
+  }),
+
+  license_delivery: (data) => ({
+    subject: `Your ${sanitizeSubjectPart(data.tier || 'WAB')} license is active — Web Agent Bridge`,
+    html: `
+      <div style="font-family:Arial,sans-serif;max-width:600px;margin:0 auto;background:#0a0e1a;color:#f0f4ff;padding:40px;border-radius:12px;">
+        <div style="text-align:center;margin-bottom:30px;">
+          <div style="font-size:40px;">🎟️</div>
+          <h1 style="color:#10b981;margin:10px 0;">Payment received</h1>
+        </div>
+        <p style="color:#94a3b8;">Hello ${escapeHtml(data.name || '')},</p>
+        <p style="color:#94a3b8;line-height:1.8;">
+          Your subscription to <strong style="color:#10b981;">${escapeHtml(String(data.tier || '').toUpperCase())}</strong> is now active.
+          Below are your license details — keep them safe.
+        </p>
+        <div style="background:#1a2236;border-radius:8px;padding:20px;margin:20px 0;">
+          ${data.siteDomain ? `<p style="color:#94a3b8;"><strong style="color:#f0f4ff;">Site:</strong> ${escapeHtml(data.siteDomain)}</p>` : ''}
+          ${data.licenseKey ? `<p style="color:#94a3b8;"><strong style="color:#f0f4ff;">License key:</strong> <code style="color:#f0f4ff;">${escapeHtml(data.licenseKey)}</code></p>` : ''}
+          ${data.amount ? `<p style="color:#94a3b8;"><strong style="color:#f0f4ff;">Amount:</strong> ${escapeHtml(data.amount)}</p>` : ''}
+        </div>
+        <div style="text-align:center;margin-top:30px;">
+          <a href="${data.dashboardUrl || 'https://webagentbridge.com/dashboard'}" style="background:linear-gradient(135deg,#10b981,#3b82f6);color:#fff;padding:14px 32px;border-radius:8px;text-decoration:none;font-weight:600;">Open Dashboard</a>
+        </div>
+        <p style="color:#64748b;font-size:12px;text-align:center;margin-top:30px;">
+          &copy; ${new Date().getFullYear()} Web Agent Bridge
+        </p>
+      </div>
+    `
+  }),
+
   contact: (data) => ({
     subject: `New Contact Message: ${sanitizeSubjectPart(data.subject || 'No Subject')}`,
     html: `

package/server/services/stripe.js

@@ -116,6 +116,35 @@ function handleWebhookEvent(event) {
           periodEnd: null
         });
         updateSiteTier.run(tier || 'starter', wab_site_id, wab_user_id);
+
+        // ── License delivery email (best-effort, non-blocking) ──
+        try {
+          const { findUserById, findSiteById: getSite } = require('../models/db');
+          const user = findUserById.get(wab_user_id);
+          const site = getSite.get(wab_site_id);
+          if (user && site) {
+            const { sendEmail } = require('./email');
+            const baseUrl = process.env.BASE_URL || 'https://webagentbridge.com';
+            const amount = session.amount_total != null
+              ? `${(session.amount_total / 100).toFixed(2)} ${(session.currency || 'usd').toUpperCase()}`
+              : null;
+            Promise.resolve(sendEmail({
+              to: user.email,
+              template: 'license_delivery',
+              data: {
+                name: user.name,
+                tier: tier || 'starter',
+                siteDomain: site.domain,
+                licenseKey: site.license_key,
+                amount,
+                dashboardUrl: `${baseUrl}/dashboard`
+              },
+              userId: user.id
+            })).catch((e) => console.error('[stripe] license_delivery email failed:', e.message));
+          }
+        } catch (e) {
+          console.error('[stripe] license_delivery setup failed:', e.message);
+        }
       }
       break;
     }
@@ -187,6 +216,85 @@ function handleWebhookEvent(event) {
       }
       break;
     }
+
+    case 'charge.refunded': {
+      const charge = event.data.object;
+      try {
+        const userId =
+          (charge.metadata && charge.metadata.wab_user_id) ||
+          (charge.invoice && (() => {
+            // best-effort: look up subscription via the invoice's subscription id
+            try {
+              const inv = charge.invoice;
+              if (typeof inv === 'string') return null;
+              if (inv && inv.subscription) {
+                const sub = getStripeSubscriptionBySubId(inv.subscription);
+                return sub ? sub.user_id : null;
+              }
+            } catch { return null; }
+            return null;
+          })()) || null;
+
+        if (userId) {
+          savePayment({
+            userId,
+            stripePaymentId: `refund_${charge.id}`,
+            amount: -(charge.amount_refunded || charge.amount || 0),
+            currency: charge.currency || 'usd',
+            status: 'refunded',
+            description: `Refund: ${charge.id}`
+          });
+        }
+
+        // Downgrade any subscription tied to this charge (best-effort)
+        if (charge.invoice) {
+          try {
+            const invId = typeof charge.invoice === 'string' ? null : charge.invoice;
+            // Subscription id can be on the expanded invoice; we mark the
+            // user's subscriptions as refunded so admin tools can review.
+            if (invId && invId.subscription) {
+              updateStripeSubscription(invId.subscription, { status: 'cancelled' });
+              const sub = getStripeSubscriptionBySubId(invId.subscription);
+              if (sub) updateSiteTier.run('free', sub.site_id, sub.user_id);
+            }
+          } catch (e) {
+            console.error('[stripe] charge.refunded subscription update failed:', e.message);
+          }
+        }
+        console.warn(`[stripe] charge.refunded processed: charge=${charge.id} amount=${charge.amount_refunded}`);
+      } catch (e) {
+        console.error('[stripe] charge.refunded handler error:', e.message);
+      }
+      break;
+    }
+
+    case 'charge.dispute.created': {
+      const dispute = event.data.object;
+      try {
+        const userId = (dispute.metadata && dispute.metadata.wab_user_id) || null;
+        if (userId) {
+          savePayment({
+            userId,
+            stripePaymentId: `dispute_${dispute.id}`,
+            amount: -(dispute.amount || 0),
+            currency: dispute.currency || 'usd',
+            status: 'disputed',
+            description: `Chargeback/dispute: ${dispute.id} reason=${dispute.reason || 'unknown'}`
+          });
+        }
+        // Suspend any subscription on the disputed charge
+        try {
+          if (dispute.charge) {
+            // Without expanding the charge we cannot reliably find the sub,
+            // but admins are alerted via the audit log + payments row above.
+          }
+        } catch { /* noop */ }
+        console.warn(`[stripe] charge.dispute.created: dispute=${dispute.id} reason=${dispute.reason}`);
+      } catch (e) {
+        console.error('[stripe] charge.dispute.created handler error:', e.message);
+      }
+      break;
+    }
   }
 }
 

package/server/services/transactions.js

@@ -292,6 +292,14 @@ function transitionTransaction(txId, toStatus, patch = {}) {
       db.prepare("UPDATE atp_intents SET status='consumed', updated_at=? WHERE id=? AND status='authorized'")
         .run(nowIso(), tx.intent_id);
     }
+
+    // Platform commission (best-effort, never blocks the tx).
+    try {
+      const commissions = require('./commissions');
+      commissions.recordCommissionForTransaction(getTransaction(txId));
+    } catch (e) {
+      console.error('[atp] commission record failed (non-fatal):', e.message);
+    }
   }
   if (toStatus === 'compensated' && tx.status === 'settled') {
     db.prepare(`
@@ -300,6 +308,13 @@ function transitionTransaction(txId, toStatus, patch = {}) {
              updated_at = ?
        WHERE id = ?
     `).run(tx.amount_cents, nowIso(), tx.intent_id);
+
+    try {
+      const commissions = require('./commissions');
+      commissions.markCommissionRefunded(txId, 'tx_compensated');
+    } catch (e) {
+      console.error('[atp] commission refund mark failed (non-fatal):', e.message);
+    }
   }
 
   return getTransaction(txId);

package/server/services/visitor-tracker.js

@@ -0,0 +1,250 @@
+/**
+ * Visitor tracking — records every public HTML page hit into `page_visits`.
+ * Anonymous-friendly: IPs are hashed (sha256 + IP_HASH_SALT) so we never store raw IPs.
+ *
+ * Exposes:
+ *   - middleware()                — Express middleware to mount before express.static
+ *   - getVisitorAnalytics(days)   — totals + timeline + breakdowns for /api/admin/analytics/visits
+ *   - getRecentVisits(limit)      — latest individual page hits for the admin live feed
+ *   - getQuickCounts()            — visits_24h / visitors_24h / visits_30d for /api/admin/stats
+ */
+
+const crypto = require('crypto');
+const { db } = require('../models/db');
+
+const IP_SALT = process.env.IP_HASH_SALT || process.env.JWT_SECRET || 'wab-visitor-salt-v1';
+
+// ── Bot detection ────────────────────────────────────────────────────
+const BOT_RE = /(bot|crawler|spider|crawl|slurp|bingpreview|facebookexternalhit|preview|monitor|uptime|curl|wget|axios|node-fetch|python-requests|java\/|ahrefs|semrush|petalbot|yandex|baiduspider|duckduckbot|googlebot|applebot|gpt|claude|anthropic|openai|perplexity)/i;
+
+// ── Path filter ──────────────────────────────────────────────────────
+// We track real page requests, not asset/API noise.
+const SKIP_PREFIX = ['/api/', '/css/', '/js/', '/assets/', '/script/', '/v3/', '/v2/', '/v1/', '/latest/', '/.well-known/', '/admin/', '/socket.io', '/favicon', '/sitemap', '/robots.txt', '/feed.xml', '/downloads/'];
+const SKIP_EXT = /\.(?:js|mjs|css|map|png|jpe?g|gif|svg|webp|ico|woff2?|ttf|otf|eot|mp4|webm|mp3|pdf|xml|txt|wasm)$/i;
+
+function shouldTrack(req) {
+  if (req.method !== 'GET' && req.method !== 'HEAD') return false;
+  const p = req.path || '/';
+  if (SKIP_EXT.test(p)) return false;
+  for (const pre of SKIP_PREFIX) if (p.startsWith(pre)) return false;
+  return true;
+}
+
+function hashIp(ip) {
+  if (!ip) return null;
+  return crypto.createHash('sha256').update(IP_SALT + ':' + ip).digest('hex').slice(0, 32);
+}
+
+function detectDevice(ua) {
+  if (!ua) return 'unknown';
+  if (BOT_RE.test(ua)) return 'bot';
+  if (/iPad|Tablet|PlayBook|Silk/i.test(ua)) return 'tablet';
+  if (/Mobi|Android|iPhone|iPod|Opera Mini|IEMobile/i.test(ua)) return 'mobile';
+  return 'desktop';
+}
+
+function extractUserId(req) {
+  // Best-effort: req.user (set by upstream auth middleware) wins; otherwise null.
+  if (req.user && req.user.id) return String(req.user.id);
+  if (req.session && req.session.userId) return String(req.session.userId);
+  return null;
+}
+
+// Lazily prepared so the require() of this module can run before migrations
+// have created the page_visits table (e.g. in tests or during cold boot).
+let _insertVisit = null;
+function getInsertStmt() {
+  if (_insertVisit) return _insertVisit;
+  _insertVisit = db.prepare(`
+    INSERT INTO page_visits
+      (path, query_string, referrer, host, user_agent, ip_hash, country, device, is_bot, session_id, user_id, status_code, duration_ms)
+    VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)
+  `);
+  return _insertVisit;
+}
+
+function middleware() {
+  return function visitTracker(req, res, next) {
+    if (!shouldTrack(req)) return next();
+    const start = Date.now();
+    res.on('finish', () => {
+      try {
+        const ua      = req.get('user-agent') || null;
+        const ref     = req.get('referer') || req.get('referrer') || null;
+        const ipHash  = hashIp(req.ip);
+        const device  = detectDevice(ua);
+        const isBot   = device === 'bot' ? 1 : 0;
+        const country = req.get('cf-ipcountry') || req.get('x-vercel-ip-country') || null;
+        const session = ipHash && ua
+          ? crypto.createHash('sha256').update(ipHash + ':' + ua).digest('hex').slice(0, 24)
+          : null;
+        const qs = req.url.includes('?') ? req.url.slice(req.url.indexOf('?') + 1, req.url.indexOf('?') + 257) : null;
+        getInsertStmt().run(
+          req.path.slice(0, 512),
+          qs,
+          ref ? ref.slice(0, 512) : null,
+          (req.get('host') || '').slice(0, 255),
+          ua ? ua.slice(0, 512) : null,
+          ipHash,
+          country ? country.slice(0, 4) : null,
+          device,
+          isBot,
+          session,
+          extractUserId(req),
+          res.statusCode,
+          Date.now() - start
+        );
+      } catch (e) {
+        if (process.env.NODE_ENV !== 'production') {
+          console.warn('[visit-tracker] insert failed:', e.message);
+        }
+      }
+    });
+    next();
+  };
+}
+
+// ── Read queries ────────────────────────────────────────────────────
+function getVisitorAnalytics(days) {
+  const n = Math.max(1, Math.min(365, parseInt(days, 10) || 30));
+  const since = new Date(Date.now() - n * 86400000).toISOString();
+
+  const totalsRow = db.prepare(`
+    SELECT
+      COUNT(*) AS pageviews,
+      COUNT(DISTINCT session_id) AS visitors,
+      COALESCE(SUM(CASE WHEN is_bot=1 THEN 1 ELSE 0 END), 0) AS bot_hits,
+      COALESCE(SUM(CASE WHEN user_id IS NOT NULL THEN 1 ELSE 0 END), 0) AS authenticated_hits,
+      COUNT(DISTINCT user_id) AS authenticated_users
+    FROM page_visits WHERE created_at >= ?
+  `).get(since);
+
+  const last24Row = db.prepare(`
+    SELECT COUNT(*) AS pageviews, COUNT(DISTINCT session_id) AS visitors
+    FROM page_visits WHERE created_at >= datetime('now','-1 day')
+  `).get();
+
+  const todayRow = db.prepare(`
+    SELECT COUNT(*) AS pageviews, COUNT(DISTINCT session_id) AS visitors
+    FROM page_visits WHERE date(created_at) = date('now')
+  `).get();
+
+  const timeline = db.prepare(`
+    SELECT date(created_at) AS day,
+           COUNT(*) AS pageviews,
+           COUNT(DISTINCT session_id) AS visitors,
+           SUM(CASE WHEN is_bot=1 THEN 1 ELSE 0 END) AS bots
+    FROM page_visits WHERE created_at >= ?
+    GROUP BY day ORDER BY day
+  `).all(since);
+
+  const topPaths = db.prepare(`
+    SELECT path, COUNT(*) AS pageviews, COUNT(DISTINCT session_id) AS visitors
+    FROM page_visits WHERE created_at >= ? AND is_bot = 0
+    GROUP BY path ORDER BY pageviews DESC LIMIT 25
+  `).all(since);
+
+  const topReferrers = db.prepare(`
+    SELECT
+      COALESCE(NULLIF(substr(referrer, 1, instr(substr(referrer, 9), '/') + 7), ''), 'Direct') AS source,
+      COUNT(*) AS hits
+    FROM page_visits WHERE created_at >= ? AND is_bot = 0
+    GROUP BY source ORDER BY hits DESC LIMIT 15
+  `).all(since);
+
+  const devices = db.prepare(`
+    SELECT device, COUNT(*) AS hits
+    FROM page_visits WHERE created_at >= ?
+    GROUP BY device ORDER BY hits DESC
+  `).all(since);
+
+  const countries = db.prepare(`
+    SELECT COALESCE(country, 'Unknown') AS country, COUNT(*) AS hits
+    FROM page_visits WHERE created_at >= ? AND is_bot = 0
+    GROUP BY country ORDER BY hits DESC LIMIT 20
+  `).all(since);
+
+  const topBots = db.prepare(`
+    SELECT
+      CASE
+        WHEN user_agent LIKE '%Googlebot%' THEN 'Googlebot'
+        WHEN user_agent LIKE '%bingbot%' OR user_agent LIKE '%Bingbot%' THEN 'Bingbot'
+        WHEN user_agent LIKE '%DuckDuckBot%' THEN 'DuckDuckBot'
+        WHEN user_agent LIKE '%AhrefsBot%' THEN 'AhrefsBot'
+        WHEN user_agent LIKE '%SemrushBot%' THEN 'SemrushBot'
+        WHEN user_agent LIKE '%YandexBot%' THEN 'YandexBot'
+        WHEN user_agent LIKE '%Baiduspider%' THEN 'Baiduspider'
+        WHEN user_agent LIKE '%facebookexternalhit%' THEN 'Facebook'
+        WHEN user_agent LIKE '%GPTBot%' OR user_agent LIKE '%ChatGPT%' THEN 'GPTBot'
+        WHEN user_agent LIKE '%anthropic%' OR user_agent LIKE '%Claude%' THEN 'Claude / Anthropic'
+        WHEN user_agent LIKE '%PerplexityBot%' THEN 'Perplexity'
+        WHEN user_agent LIKE '%Applebot%' THEN 'Applebot'
+        ELSE 'Other bot'
+      END AS bot,
+      COUNT(*) AS hits
+    FROM page_visits WHERE created_at >= ? AND is_bot = 1
+    GROUP BY bot ORDER BY hits DESC LIMIT 15
+  `).all(since);
+
+  const signups = db.prepare(`
+    SELECT date(created_at) AS day, COUNT(*) AS count
+    FROM users WHERE created_at >= ? GROUP BY day ORDER BY day
+  `).all(since);
+
+  return {
+    period_days: n,
+    totals: {
+      pageviews: totalsRow.pageviews || 0,
+      visitors:  totalsRow.visitors  || 0,
+      bot_hits:  totalsRow.bot_hits  || 0,
+      human_hits: (totalsRow.pageviews || 0) - (totalsRow.bot_hits || 0),
+      authenticated_hits: totalsRow.authenticated_hits || 0,
+      authenticated_users: totalsRow.authenticated_users || 0,
+      pageviews_24h: last24Row.pageviews || 0,
+      visitors_24h:  last24Row.visitors  || 0,
+      pageviews_today: todayRow.pageviews || 0,
+      visitors_today:  todayRow.visitors  || 0,
+    },
+    timeline,
+    topPaths,
+    topReferrers,
+    devices,
+    countries,
+    topBots,
+    signups,
+  };
+}
+
+function getRecentVisits(limit) {
+  const n = Math.max(1, Math.min(500, parseInt(limit, 10) || 50));
+  return db.prepare(`
+    SELECT id, path, referrer, host, user_agent, country, device, is_bot, session_id, user_id, status_code, duration_ms, created_at
+    FROM page_visits ORDER BY id DESC LIMIT ?
+  `).all(n);
+}
+
+function getQuickCounts() {
+  const row24 = db.prepare(`
+    SELECT COUNT(*) AS pageviews, COUNT(DISTINCT session_id) AS visitors
+    FROM page_visits WHERE created_at >= datetime('now','-1 day')
+  `).get();
+  const row30 = db.prepare(`
+    SELECT COUNT(*) AS pageviews, COUNT(DISTINCT session_id) AS visitors
+    FROM page_visits WHERE created_at >= datetime('now','-30 days')
+  `).get();
+  const total = db.prepare(`SELECT COUNT(*) AS c FROM page_visits`).get();
+  return {
+    pageviews_24h: row24.pageviews || 0,
+    visitors_24h:  row24.visitors  || 0,
+    pageviews_30d: row30.pageviews || 0,
+    visitors_30d:  row30.visitors  || 0,
+    pageviews_total: total.c || 0,
+  };
+}
+
+module.exports = {
+  middleware,
+  getVisitorAnalytics,
+  getRecentVisits,
+  getQuickCounts,
+};