web-agent-bridge 3.9.2 → 3.10.0

package/server/routes/auth.js

@@ -1,9 +1,27 @@
 const express = require('express');
+const crypto = require('crypto');
 const router = express.Router();
-const { registerUser, loginUser, findUserById } = require('../models/db');
+const {
+  registerUser, loginUser, findUserById, findUserByEmail,
+  createPasswordResetToken, consumePasswordResetToken, updateUserPassword,
+  createEmailVerificationToken, consumeEmailVerificationToken, isEmailVerified
+} = require('../models/db');
 const { generateToken, authenticateToken } = require('../middleware/auth');
 const { authLimiter, registerLimiter } = require('../middleware/rateLimits');
 const { validateEmail, sanitizeInput, auditLog, revokeJWT } = require('../services/security');
+const { sendEmail } = require('../services/email');
+
+const BASE_URL = process.env.BASE_URL || 'https://webagentbridge.com';
+
+function hashToken(token) {
+  return crypto.createHash('sha256').update(token).digest('hex');
+}
+
+function fireAndForget(promise, label) {
+  Promise.resolve(promise).catch((e) => {
+    console.error(`[email] ${label} failed (non-fatal):`, e && e.message);
+  });
+}
 
 router.post('/register', registerLimiter, (req, res) => {
   const { email, password, name, company } = req.body;
@@ -27,7 +45,25 @@ router.post('/register', registerLimiter, (req, res) => {
     const user = registerUser({ email: email.toLowerCase().trim(), password, name: cleanName, company: cleanCompany });
     const token = generateToken(user);
     auditLog({ actorType: 'user', actorId: String(user.id), action: 'register', ip: req.ip });
-    res.status(201).json({ user, token });
+
+    // Generate email-verification token and send it (best-effort, non-blocking)
+    try {
+      const verifyToken = crypto.randomBytes(32).toString('hex');
+      createEmailVerificationToken({ userId: user.id, tokenHash: hashToken(verifyToken) });
+      const verifyUrl = `${BASE_URL}/verify-email.html?token=${verifyToken}`;
+      fireAndForget(
+        sendEmail({ to: user.email, template: 'email_verification', data: { name: user.name, verifyUrl }, userId: user.id }),
+        'verification email'
+      );
+      fireAndForget(
+        sendEmail({ to: user.email, template: 'welcome', data: { name: user.name, dashboardUrl: `${BASE_URL}/dashboard` }, userId: user.id }),
+        'welcome email'
+      );
+    } catch (e) {
+      console.error('[register] verification setup failed:', e.message);
+    }
+
+    res.status(201).json({ user: { ...user, email_verified: 0 }, token });
   } catch (err) {
     if (err.message.includes('UNIQUE constraint')) {
       return res.status(409).json({ error: 'Email already registered' });
@@ -65,7 +101,74 @@ router.post('/logout', authenticateToken, (req, res) => {
 router.get('/me', authenticateToken, (req, res) => {
   const user = findUserById.get(req.user.id);
   if (!user) return res.status(404).json({ error: 'User not found' });
-  res.json({ user });
+  res.json({ user: { ...user, email_verified: isEmailVerified(req.user.id) ? 1 : 0 } });
+});
+
+// ─── Password Reset ────────────────────────────────────────────────────
+// Always returns success to avoid leaking which emails exist.
+router.post('/forgot-password', authLimiter, (req, res) => {
+  const { email } = req.body || {};
+  if (!email || !validateEmail(email)) {
+    return res.status(400).json({ error: 'Valid email required' });
+  }
+  try {
+    const user = findUserByEmail.get(email.toLowerCase().trim());
+    if (user) {
+      const token = crypto.randomBytes(32).toString('hex');
+      createPasswordResetToken({ userId: user.id, tokenHash: hashToken(token), ttlMinutes: 60 });
+      const resetUrl = `${BASE_URL}/reset-password.html?token=${token}`;
+      fireAndForget(
+        sendEmail({ to: user.email, template: 'password_reset', data: { name: user.name, resetUrl }, userId: user.id }),
+        'password_reset email'
+      );
+      auditLog({ actorType: 'user', actorId: String(user.id), action: 'password_reset_requested', ip: req.ip });
+    }
+  } catch (e) {
+    console.error('[forgot-password]', e.message);
+  }
+  res.json({ success: true, message: 'If that email is registered, a reset link has been sent.' });
+});
+
+router.post('/reset-password', authLimiter, (req, res) => {
+  const { token, password } = req.body || {};
+  if (!token || typeof token !== 'string') return res.status(400).json({ error: 'Token required' });
+  if (!password || password.length < 8 || password.length > 128) {
+    return res.status(400).json({ error: 'Password must be between 8 and 128 characters' });
+  }
+  const userId = consumePasswordResetToken(hashToken(token));
+  if (!userId) {
+    return res.status(400).json({ error: 'Invalid or expired token' });
+  }
+  updateUserPassword(userId, password);
+  auditLog({ actorType: 'user', actorId: String(userId), action: 'password_reset_completed', ip: req.ip });
+  res.json({ success: true });
+});
+
+// ─── Email Verification ────────────────────────────────────────────────
+router.post('/verify-email', (req, res) => {
+  const { token } = req.body || {};
+  if (!token || typeof token !== 'string') return res.status(400).json({ error: 'Token required' });
+  const userId = consumeEmailVerificationToken(hashToken(token));
+  if (!userId) return res.status(400).json({ error: 'Invalid or expired token' });
+  auditLog({ actorType: 'user', actorId: String(userId), action: 'email_verified', ip: req.ip });
+  res.json({ success: true });
+});
+
+router.post('/resend-verification', authenticateToken, (req, res) => {
+  const user = findUserById.get(req.user.id);
+  if (!user) return res.status(404).json({ error: 'User not found' });
+  if (isEmailVerified(req.user.id)) {
+    return res.json({ success: true, alreadyVerified: true });
+  }
+  const token = crypto.randomBytes(32).toString('hex');
+  createEmailVerificationToken({ userId: user.id, tokenHash: hashToken(token) });
+  const verifyUrl = `${BASE_URL}/verify-email.html?token=${token}`;
+  fireAndForget(
+    sendEmail({ to: user.email, template: 'email_verification', data: { name: user.name, verifyUrl }, userId: user.id }),
+    'resend verification'
+  );
+  auditLog({ actorType: 'user', actorId: String(req.user.id), action: 'verification_resent', ip: req.ip });
+  res.json({ success: true });
 });
 
 module.exports = router;

package/server/routes/premium.js

@@ -1,6 +1,6 @@
 const express = require('express');
 const router = express.Router();
-const { authenticateToken } = require('../middleware/auth');
+const { authenticateToken, requireTier } = require('../middleware/auth');
 const premium = require('../services/premium');
 const { findSiteById, findSitesByUser } = require('../models/db');
 
@@ -15,7 +15,7 @@ function requireSiteOwnership(req, res, next) {
 
 // ─── Traffic Intelligence ────────────────────────────────────────────────
 
-router.get('/traffic/:siteId/profiles', authenticateToken, requireSiteOwnership, async (req, res) => {
+router.get('/traffic/:siteId/profiles', authenticateToken, requireSiteOwnership, requireTier('business'), async (req, res) => {
   try {
     const { limit, offset, type } = req.query;
     const profiles = await premium.getAgentProfiles(req.params.siteId, {
@@ -29,7 +29,7 @@ router.get('/traffic/:siteId/profiles', authenticateToken, requireSiteOwnership,
   }
 });
 
-router.get('/traffic/:siteId/stats', authenticateToken, requireSiteOwnership, async (req, res) => {
+router.get('/traffic/:siteId/stats', authenticateToken, requireSiteOwnership, requireTier('business'), async (req, res) => {
   try {
     const days = req.query.days ? parseInt(req.query.days) : 30;
     const stats = await premium.getTrafficStats(req.params.siteId, days);
@@ -39,7 +39,7 @@ router.get('/traffic/:siteId/stats', authenticateToken, requireSiteOwnership, as
   }
 });
 
-router.get('/traffic/:siteId/alerts', authenticateToken, requireSiteOwnership, async (req, res) => {
+router.get('/traffic/:siteId/alerts', authenticateToken, requireSiteOwnership, requireTier('business'), async (req, res) => {
   try {
     const { limit, acknowledged } = req.query;
     const alerts = await premium.getAnomalyAlerts(req.params.siteId, {
@@ -52,7 +52,7 @@ router.get('/traffic/:siteId/alerts', authenticateToken, requireSiteOwnership, a
   }
 });
 
-router.post('/traffic/:siteId/alerts/:alertId/acknowledge', authenticateToken, requireSiteOwnership, async (req, res) => {
+router.post('/traffic/:siteId/alerts/:alertId/acknowledge', authenticateToken, requireSiteOwnership, requireTier('business'), async (req, res) => {
   try {
     const ok = await premium.acknowledgeAlert(req.params.alertId, req.params.siteId);
     if (!ok) return res.status(404).json({ error: 'Alert not found' });
@@ -62,7 +62,7 @@ router.post('/traffic/:siteId/alerts/:alertId/acknowledge', authenticateToken, r
   }
 });
 
-router.post('/traffic/:siteId/check-anomalies', authenticateToken, requireSiteOwnership, async (req, res) => {
+router.post('/traffic/:siteId/check-anomalies', authenticateToken, requireSiteOwnership, requireTier('business'), async (req, res) => {
   try {
     const alerts = await premium.checkForAnomalies(req.params.siteId);
     res.json({ alerts });
@@ -73,7 +73,7 @@ router.post('/traffic/:siteId/check-anomalies', authenticateToken, requireSiteOw
 
 // ─── Exploit Shield ──────────────────────────────────────────────────────
 
-router.get('/security/:siteId/events', authenticateToken, requireSiteOwnership, async (req, res) => {
+router.get('/security/:siteId/events', authenticateToken, requireSiteOwnership, requireTier('business'), async (req, res) => {
   try {
     const { limit, severity, since } = req.query;
     const events = await premium.getSecurityEvents(req.params.siteId, {
@@ -87,7 +87,7 @@ router.get('/security/:siteId/events', authenticateToken, requireSiteOwnership,
   }
 });
 
-router.get('/security/:siteId/report', authenticateToken, requireSiteOwnership, async (req, res) => {
+router.get('/security/:siteId/report', authenticateToken, requireSiteOwnership, requireTier('business'), async (req, res) => {
   try {
     const days = req.query.days ? parseInt(req.query.days) : 30;
     const report = await premium.getSecurityReport(req.params.siteId, days);
@@ -97,7 +97,7 @@ router.get('/security/:siteId/report', authenticateToken, requireSiteOwnership,
   }
 });
 
-router.get('/security/:siteId/blocked', authenticateToken, requireSiteOwnership, async (req, res) => {
+router.get('/security/:siteId/blocked', authenticateToken, requireSiteOwnership, requireTier('business'), async (req, res) => {
   try {
     const blocked = await premium.getBlockedAgents(req.params.siteId);
     res.json({ blocked });
@@ -106,7 +106,7 @@ router.get('/security/:siteId/blocked', authenticateToken, requireSiteOwnership,
   }
 });
 
-router.post('/security/:siteId/block', authenticateToken, requireSiteOwnership, async (req, res) => {
+router.post('/security/:siteId/block', authenticateToken, requireSiteOwnership, requireTier('business'), async (req, res) => {
   try {
     const { agentSignature, reason, expiresAt } = req.body;
     if (!agentSignature) return res.status(400).json({ error: 'agentSignature is required' });
@@ -117,7 +117,7 @@ router.post('/security/:siteId/block', authenticateToken, requireSiteOwnership,
   }
 });
 
-router.delete('/security/:siteId/block/:blockId', authenticateToken, requireSiteOwnership, async (req, res) => {
+router.delete('/security/:siteId/block/:blockId', authenticateToken, requireSiteOwnership, requireTier('business'), async (req, res) => {
   try {
     const ok = await premium.unblockAgent(req.params.blockId, req.params.siteId);
     if (!ok) return res.status(404).json({ error: 'Block record not found' });
@@ -193,7 +193,7 @@ router.delete('/actions/:siteId/install/:installId', authenticateToken, requireS
 
 // ─── Custom Agents ───────────────────────────────────────────────────────
 
-router.get('/agents/:siteId', authenticateToken, requireSiteOwnership, async (req, res) => {
+router.get('/agents/:siteId', authenticateToken, requireSiteOwnership, requireTier('pro'), async (req, res) => {
   try {
     const agents = await premium.getAgents(req.user.id, req.params.siteId);
     res.json({ agents });
@@ -202,7 +202,7 @@ router.get('/agents/:siteId', authenticateToken, requireSiteOwnership, async (re
   }
 });
 
-router.post('/agents/:siteId', authenticateToken, requireSiteOwnership, async (req, res) => {
+router.post('/agents/:siteId', authenticateToken, requireSiteOwnership, requireTier('pro'), async (req, res) => {
   try {
     const { name, description, steps, schedule } = req.body;
     if (!name || !steps) return res.status(400).json({ error: 'name and steps are required' });
@@ -213,7 +213,7 @@ router.post('/agents/:siteId', authenticateToken, requireSiteOwnership, async (r
   }
 });
 
-router.get('/agents/:siteId/:agentId', authenticateToken, requireSiteOwnership, async (req, res) => {
+router.get('/agents/:siteId/:agentId', authenticateToken, requireSiteOwnership, requireTier('pro'), async (req, res) => {
   try {
     const agent = await premium.getAgent(req.params.agentId, req.user.id);
     if (!agent) return res.status(404).json({ error: 'Agent not found' });
@@ -223,7 +223,7 @@ router.get('/agents/:siteId/:agentId', authenticateToken, requireSiteOwnership,
   }
 });
 
-router.put('/agents/:siteId/:agentId', authenticateToken, requireSiteOwnership, async (req, res) => {
+router.put('/agents/:siteId/:agentId', authenticateToken, requireSiteOwnership, requireTier('pro'), async (req, res) => {
   try {
     const { name, description, steps, schedule } = req.body;
     const ok = await premium.updateAgent(req.params.agentId, req.user.id, { name, description, steps, schedule });
@@ -234,7 +234,7 @@ router.put('/agents/:siteId/:agentId', authenticateToken, requireSiteOwnership,
   }
 });
 
-router.delete('/agents/:siteId/:agentId', authenticateToken, requireSiteOwnership, async (req, res) => {
+router.delete('/agents/:siteId/:agentId', authenticateToken, requireSiteOwnership, requireTier('pro'), async (req, res) => {
   try {
     const ok = await premium.deleteAgent(req.params.agentId, req.user.id);
     if (!ok) return res.status(404).json({ error: 'Agent not found' });
@@ -244,7 +244,7 @@ router.delete('/agents/:siteId/:agentId', authenticateToken, requireSiteOwnershi
   }
 });
 
-router.post('/agents/:siteId/:agentId/run', authenticateToken, requireSiteOwnership, async (req, res) => {
+router.post('/agents/:siteId/:agentId/run', authenticateToken, requireSiteOwnership, requireTier('pro'), async (req, res) => {
   try {
     const result = await premium.runAgent(req.params.agentId, req.user.id);
     res.json({ result });
@@ -253,7 +253,7 @@ router.post('/agents/:siteId/:agentId/run', authenticateToken, requireSiteOwners
   }
 });
 
-router.get('/agents/:siteId/:agentId/runs', authenticateToken, requireSiteOwnership, async (req, res) => {
+router.get('/agents/:siteId/:agentId/runs', authenticateToken, requireSiteOwnership, requireTier('pro'), async (req, res) => {
   try {
     const { limit } = req.query;
     const runs = await premium.getAgentRuns(req.params.agentId, {

package/server/routes/transactions.js

@@ -245,4 +245,36 @@ router.get('/platform/stats', publicReceiptLimiter, (req, res) => {
   res.json({ ok: true, data: stats });
 });
 
+// ─── Merchant commission endpoints ────────────────────────────────────────
+// Every merchant tx settled through ATP on a paid plan accrues a small
+// platform commission (default 0.10%). Merchants can inspect their own
+// accrual via these endpoints. Public commission rate is exposed for
+// transparency.
+const commissions = require('../services/commissions');
+
+router.get('/commissions/rate', (req, res) => {
+  res.json({
+    ok: true,
+    data: {
+      rate_bps: commissions.getCommissionBps(),
+      rate_percent: commissions.getCommissionBps() / 100,
+      min_tier: commissions.getMinTier(),
+      applies_to: 'Successful merchant transactions settled through ATP on a paid plan.',
+    },
+  });
+});
+
+router.get('/commissions', authenticateToken, (req, res) => {
+  const limit  = Math.min(200, Math.max(1, parseInt(req.query.limit, 10) || 50));
+  const offset = Math.max(0, parseInt(req.query.offset, 10) || 0);
+  const status = req.query.status || null;
+  const items = commissions.listCommissionsForMerchant(req.user.id, { limit, offset, status });
+  res.json({ ok: true, data: items, limit, offset });
+});
+
+router.get('/commissions/stats', authenticateToken, (req, res) => {
+  const stats = commissions.getMerchantCommissionStats(req.user.id);
+  res.json({ ok: true, data: stats });
+});
+
 module.exports = router;

package/server/services/commissions.js

@@ -0,0 +1,209 @@
+'use strict';
+
+/**
+ * ATP Merchant Commission — v3.10.0
+ *
+ * WAB charges a small platform commission on every successful merchant
+ * transaction settled through ATP, when the merchant is on a paid plan
+ * and the transaction is real (not a platform self-payment).
+ *
+ * Defaults:
+ *   - Rate: 10 bps (0.10%), overridable via env WAB_COMMISSION_BPS or
+ *     platform_settings('commission_bps').
+ *   - Minimum tier: 'starter' (free sites exempt), overridable via env
+ *     WAB_COMMISSION_MIN_TIER.
+ *   - Platform self-payments (intent.metadata.platform = 1) always exempt.
+ *
+ * Idempotency: atp_commissions.transaction_id is UNIQUE, so duplicate
+ * settle events become a no-op.
+ */
+
+const crypto = require('crypto');
+const { db, getPlatformSetting, findSiteById } = require('../models/db');
+
+const TIER_RANK = { free: 0, starter: 1, pro: 2, business: 3, enterprise: 4 };
+
+function ulid(prefix) {
+  const t = Date.now().toString(36).padStart(8, '0');
+  const r = crypto.randomBytes(10).toString('hex');
+  return `${prefix}_${t}${r}`;
+}
+
+function getCommissionBps() {
+  // Priority: env > platform_setting > default
+  const envBps = parseInt(process.env.WAB_COMMISSION_BPS, 10);
+  if (Number.isFinite(envBps) && envBps >= 0 && envBps <= 10000) return envBps;
+  try {
+    const setting = getPlatformSetting('commission_bps');
+    if (setting != null) {
+      const n = parseInt(setting, 10);
+      if (Number.isFinite(n) && n >= 0 && n <= 10000) return n;
+    }
+  } catch { /* table may not exist in some tests */ }
+  return 10; // default 0.10%
+}
+
+function getMinTier() {
+  const env = (process.env.WAB_COMMISSION_MIN_TIER || '').toLowerCase().trim();
+  if (env && TIER_RANK[env] != null) return env;
+  return 'starter';
+}
+
+function calcCommissionCents(amountCents, bps) {
+  if (!Number.isFinite(amountCents) || amountCents <= 0) return 0;
+  // round half-up to nearest cent
+  return Math.floor((amountCents * bps + 5000) / 10000);
+}
+
+function safeJson(s, fallback) {
+  if (s == null) return fallback;
+  if (typeof s === 'object') return s;
+  try { return JSON.parse(s); } catch { return fallback; }
+}
+
+/**
+ * Record a commission row for a settled merchant transaction.
+ * Idempotent: safe to call multiple times for the same tx.
+ * Returns the commission row (or null when not applicable).
+ */
+function recordCommissionForTransaction(tx) {
+  if (!tx || !tx.id || !tx.intent_id) return null;
+  if (!Number.isFinite(tx.amount_cents) || tx.amount_cents <= 0) return null;
+
+  // Already recorded?
+  const existing = db.prepare('SELECT * FROM atp_commissions WHERE transaction_id=?').get(tx.id);
+  if (existing) return existing;
+
+  const intent = db.prepare('SELECT user_id, site_id, metadata FROM atp_intents WHERE id=?').get(tx.intent_id);
+  if (!intent) return null;
+
+  // Platform self-payment? Skip.
+  const meta = safeJson(intent.metadata, {});
+  if (meta && meta.platform) return null;
+
+  // Need a merchant site to bill against.
+  if (!intent.site_id) return null;
+
+  let site;
+  try { site = findSiteById.get(intent.site_id); } catch { site = null; }
+  if (!site) return null;
+
+  const tier = (site.tier || 'free').toLowerCase();
+  const minTier = getMinTier();
+  if ((TIER_RANK[tier] ?? 0) < (TIER_RANK[minTier] ?? 1)) return null;
+
+  const bps = getCommissionBps();
+  if (bps <= 0) return null;
+
+  const commissionCents = calcCommissionCents(tx.amount_cents, bps);
+  if (commissionCents <= 0) return null;
+
+  const id = ulid('atp_com');
+  const externalRef =
+    (tx.metadata && safeJson(tx.metadata, {}).external_ref) ||
+    tx.idempotency_key || null;
+
+  db.prepare(`
+    INSERT INTO atp_commissions
+      (id, transaction_id, intent_id, merchant_user_id, merchant_site_id,
+       merchant_tier, gross_amount_cents, currency, commission_bps, commission_cents,
+       status, external_ref)
+    VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, 'pending', ?)
+  `).run(
+    id, tx.id, tx.intent_id, site.user_id, site.id,
+    tier, tx.amount_cents, tx.currency || 'EUR', bps, commissionCents,
+    externalRef
+  );
+
+  return db.prepare('SELECT * FROM atp_commissions WHERE id=?').get(id);
+}
+
+/**
+ * Flip a commission to 'refunded' when the underlying tx is compensated.
+ */
+function markCommissionRefunded(txId, reason = null) {
+  const row = db.prepare('SELECT * FROM atp_commissions WHERE transaction_id=?').get(txId);
+  if (!row) return null;
+  if (row.status === 'refunded' || row.status === 'waived') return row;
+  db.prepare(`
+    UPDATE atp_commissions
+       SET status='refunded',
+           notes = COALESCE(notes || ' | ', '') || ?,
+           updated_at = datetime('now')
+     WHERE transaction_id=?
+  `).run(`refund: ${reason || 'tx_compensated'}`, txId);
+  return db.prepare('SELECT * FROM atp_commissions WHERE transaction_id=?').get(txId);
+}
+
+function listCommissionsForMerchant(userId, { limit = 50, offset = 0, status = null } = {}) {
+  const lim = Math.max(1, Math.min(200, Number(limit) || 50));
+  const off = Math.max(0, Number(offset) || 0);
+  if (status) {
+    return db.prepare(`
+      SELECT * FROM atp_commissions
+       WHERE merchant_user_id=? AND status=?
+       ORDER BY created_at DESC LIMIT ? OFFSET ?
+    `).all(userId, status, lim, off);
+  }
+  return db.prepare(`
+    SELECT * FROM atp_commissions
+     WHERE merchant_user_id=?
+     ORDER BY created_at DESC LIMIT ? OFFSET ?
+  `).all(userId, lim, off);
+}
+
+function getMerchantCommissionStats(userId) {
+  const overall = db.prepare(`
+    SELECT COUNT(*)                                AS count_total,
+           COALESCE(SUM(commission_cents), 0)      AS commission_total_cents,
+           COALESCE(SUM(gross_amount_cents), 0)    AS gross_total_cents
+      FROM atp_commissions
+     WHERE merchant_user_id = ?
+       AND status IN ('pending','invoiced','collected')
+  `).get(userId);
+  const byStatus = db.prepare(`
+    SELECT status,
+           COUNT(*) AS n,
+           COALESCE(SUM(commission_cents), 0) AS commission_cents
+      FROM atp_commissions
+     WHERE merchant_user_id = ?
+     GROUP BY status
+  `).all(userId);
+  return { ...overall, by_status: byStatus, rate_bps: getCommissionBps() };
+}
+
+function getPlatformCommissionStats() {
+  const row = db.prepare(`
+    SELECT COUNT(*)                                AS count_total,
+           COALESCE(SUM(commission_cents), 0)      AS commission_total_cents,
+           COALESCE(SUM(gross_amount_cents), 0)    AS gross_total_cents,
+           MIN(created_at)                         AS first_at,
+           MAX(created_at)                         AS last_at
+      FROM atp_commissions
+     WHERE status IN ('pending','invoiced','collected')
+  `).get();
+  const byStatus = db.prepare(`
+    SELECT status, COUNT(*) AS n, COALESCE(SUM(commission_cents),0) AS commission_cents
+      FROM atp_commissions GROUP BY status
+  `).all();
+  const byTier = db.prepare(`
+    SELECT merchant_tier AS tier, COUNT(*) AS n,
+           COALESCE(SUM(commission_cents),0) AS commission_cents
+      FROM atp_commissions
+     WHERE status IN ('pending','invoiced','collected')
+     GROUP BY merchant_tier
+     ORDER BY commission_cents DESC
+  `).all();
+  return { ...row, by_status: byStatus, by_tier: byTier, rate_bps: getCommissionBps() };
+}
+
+module.exports = {
+  recordCommissionForTransaction,
+  markCommissionRefunded,
+  listCommissionsForMerchant,
+  getMerchantCommissionStats,
+  getPlatformCommissionStats,
+  getCommissionBps,
+  getMinTier,
+  _calcCommissionCents: calcCommissionCents,
+};

package/server/services/email.js

@@ -123,6 +123,59 @@ const templates = {
     `
   }),
 
+  email_verification: (data) => ({
+    subject: 'Verify your email — Web Agent Bridge',
+    html: `
+      <div style="font-family:Arial,sans-serif;max-width:600px;margin:0 auto;background:#0a0e1a;color:#f0f4ff;padding:40px;border-radius:12px;">
+        <div style="text-align:center;margin-bottom:30px;">
+          <div style="font-size:40px;">✉️</div>
+          <h1 style="color:#3b82f6;margin:10px 0;">Verify your email</h1>
+        </div>
+        <p style="color:#94a3b8;">Hello ${escapeHtml(data.name)},</p>
+        <p style="color:#94a3b8;line-height:1.8;">
+          Thanks for signing up for Web Agent Bridge. Please confirm your email by clicking the button below.
+        </p>
+        <div style="text-align:center;margin:30px 0;">
+          <a href="${data.verifyUrl}" style="background:linear-gradient(135deg,#3b82f6,#8b5cf6);color:#fff;padding:14px 32px;border-radius:8px;text-decoration:none;font-weight:600;">Verify Email</a>
+        </div>
+        <p style="color:#64748b;font-size:13px;">
+          This link expires in 7 days. If you didn't create an account, ignore this email.
+        </p>
+        <p style="color:#64748b;font-size:12px;text-align:center;margin-top:30px;">
+          &copy; ${new Date().getFullYear()} Web Agent Bridge
+        </p>
+      </div>
+    `
+  }),
+
+  license_delivery: (data) => ({
+    subject: `Your ${sanitizeSubjectPart(data.tier || 'WAB')} license is active — Web Agent Bridge`,
+    html: `
+      <div style="font-family:Arial,sans-serif;max-width:600px;margin:0 auto;background:#0a0e1a;color:#f0f4ff;padding:40px;border-radius:12px;">
+        <div style="text-align:center;margin-bottom:30px;">
+          <div style="font-size:40px;">🎟️</div>
+          <h1 style="color:#10b981;margin:10px 0;">Payment received</h1>
+        </div>
+        <p style="color:#94a3b8;">Hello ${escapeHtml(data.name || '')},</p>
+        <p style="color:#94a3b8;line-height:1.8;">
+          Your subscription to <strong style="color:#10b981;">${escapeHtml(String(data.tier || '').toUpperCase())}</strong> is now active.
+          Below are your license details — keep them safe.
+        </p>
+        <div style="background:#1a2236;border-radius:8px;padding:20px;margin:20px 0;">
+          ${data.siteDomain ? `<p style="color:#94a3b8;"><strong style="color:#f0f4ff;">Site:</strong> ${escapeHtml(data.siteDomain)}</p>` : ''}
+          ${data.licenseKey ? `<p style="color:#94a3b8;"><strong style="color:#f0f4ff;">License key:</strong> <code style="color:#f0f4ff;">${escapeHtml(data.licenseKey)}</code></p>` : ''}
+          ${data.amount ? `<p style="color:#94a3b8;"><strong style="color:#f0f4ff;">Amount:</strong> ${escapeHtml(data.amount)}</p>` : ''}
+        </div>
+        <div style="text-align:center;margin-top:30px;">
+          <a href="${data.dashboardUrl || 'https://webagentbridge.com/dashboard'}" style="background:linear-gradient(135deg,#10b981,#3b82f6);color:#fff;padding:14px 32px;border-radius:8px;text-decoration:none;font-weight:600;">Open Dashboard</a>
+        </div>
+        <p style="color:#64748b;font-size:12px;text-align:center;margin-top:30px;">
+          &copy; ${new Date().getFullYear()} Web Agent Bridge
+        </p>
+      </div>
+    `
+  }),
+
   contact: (data) => ({
     subject: `New Contact Message: ${sanitizeSubjectPart(data.subject || 'No Subject')}`,
     html: `