web-agent-bridge 3.9.2 → 3.10.1

package/server/services/commissions.js

@@ -0,0 +1,209 @@
+'use strict';
+
+/**
+ * ATP Merchant Commission — v3.10.0
+ *
+ * WAB charges a small platform commission on every successful merchant
+ * transaction settled through ATP, when the merchant is on a paid plan
+ * and the transaction is real (not a platform self-payment).
+ *
+ * Defaults:
+ *   - Rate: 10 bps (0.10%), overridable via env WAB_COMMISSION_BPS or
+ *     platform_settings('commission_bps').
+ *   - Minimum tier: 'starter' (free sites exempt), overridable via env
+ *     WAB_COMMISSION_MIN_TIER.
+ *   - Platform self-payments (intent.metadata.platform = 1) always exempt.
+ *
+ * Idempotency: atp_commissions.transaction_id is UNIQUE, so duplicate
+ * settle events become a no-op.
+ */
+
+const crypto = require('crypto');
+const { db, getPlatformSetting, findSiteById } = require('../models/db');
+
+const TIER_RANK = { free: 0, starter: 1, pro: 2, business: 3, enterprise: 4 };
+
+function ulid(prefix) {
+  const t = Date.now().toString(36).padStart(8, '0');
+  const r = crypto.randomBytes(10).toString('hex');
+  return `${prefix}_${t}${r}`;
+}
+
+function getCommissionBps() {
+  // Priority: env > platform_setting > default
+  const envBps = parseInt(process.env.WAB_COMMISSION_BPS, 10);
+  if (Number.isFinite(envBps) && envBps >= 0 && envBps <= 10000) return envBps;
+  try {
+    const setting = getPlatformSetting('commission_bps');
+    if (setting != null) {
+      const n = parseInt(setting, 10);
+      if (Number.isFinite(n) && n >= 0 && n <= 10000) return n;
+    }
+  } catch { /* table may not exist in some tests */ }
+  return 10; // default 0.10%
+}
+
+function getMinTier() {
+  const env = (process.env.WAB_COMMISSION_MIN_TIER || '').toLowerCase().trim();
+  if (env && TIER_RANK[env] != null) return env;
+  return 'starter';
+}
+
+function calcCommissionCents(amountCents, bps) {
+  if (!Number.isFinite(amountCents) || amountCents <= 0) return 0;
+  // round half-up to nearest cent
+  return Math.floor((amountCents * bps + 5000) / 10000);
+}
+
+function safeJson(s, fallback) {
+  if (s == null) return fallback;
+  if (typeof s === 'object') return s;
+  try { return JSON.parse(s); } catch { return fallback; }
+}
+
+/**
+ * Record a commission row for a settled merchant transaction.
+ * Idempotent: safe to call multiple times for the same tx.
+ * Returns the commission row (or null when not applicable).
+ */
+function recordCommissionForTransaction(tx) {
+  if (!tx || !tx.id || !tx.intent_id) return null;
+  if (!Number.isFinite(tx.amount_cents) || tx.amount_cents <= 0) return null;
+
+  // Already recorded?
+  const existing = db.prepare('SELECT * FROM atp_commissions WHERE transaction_id=?').get(tx.id);
+  if (existing) return existing;
+
+  const intent = db.prepare('SELECT user_id, site_id, metadata FROM atp_intents WHERE id=?').get(tx.intent_id);
+  if (!intent) return null;
+
+  // Platform self-payment? Skip.
+  const meta = safeJson(intent.metadata, {});
+  if (meta && meta.platform) return null;
+
+  // Need a merchant site to bill against.
+  if (!intent.site_id) return null;
+
+  let site;
+  try { site = findSiteById.get(intent.site_id); } catch { site = null; }
+  if (!site) return null;
+
+  const tier = (site.tier || 'free').toLowerCase();
+  const minTier = getMinTier();
+  if ((TIER_RANK[tier] ?? 0) < (TIER_RANK[minTier] ?? 1)) return null;
+
+  const bps = getCommissionBps();
+  if (bps <= 0) return null;
+
+  const commissionCents = calcCommissionCents(tx.amount_cents, bps);
+  if (commissionCents <= 0) return null;
+
+  const id = ulid('atp_com');
+  const externalRef =
+    (tx.metadata && safeJson(tx.metadata, {}).external_ref) ||
+    tx.idempotency_key || null;
+
+  db.prepare(`
+    INSERT INTO atp_commissions
+      (id, transaction_id, intent_id, merchant_user_id, merchant_site_id,
+       merchant_tier, gross_amount_cents, currency, commission_bps, commission_cents,
+       status, external_ref)
+    VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, 'pending', ?)
+  `).run(
+    id, tx.id, tx.intent_id, site.user_id, site.id,
+    tier, tx.amount_cents, tx.currency || 'EUR', bps, commissionCents,
+    externalRef
+  );
+
+  return db.prepare('SELECT * FROM atp_commissions WHERE id=?').get(id);
+}
+
+/**
+ * Flip a commission to 'refunded' when the underlying tx is compensated.
+ */
+function markCommissionRefunded(txId, reason = null) {
+  const row = db.prepare('SELECT * FROM atp_commissions WHERE transaction_id=?').get(txId);
+  if (!row) return null;
+  if (row.status === 'refunded' || row.status === 'waived') return row;
+  db.prepare(`
+    UPDATE atp_commissions
+       SET status='refunded',
+           notes = COALESCE(notes || ' | ', '') || ?,
+           updated_at = datetime('now')
+     WHERE transaction_id=?
+  `).run(`refund: ${reason || 'tx_compensated'}`, txId);
+  return db.prepare('SELECT * FROM atp_commissions WHERE transaction_id=?').get(txId);
+}
+
+function listCommissionsForMerchant(userId, { limit = 50, offset = 0, status = null } = {}) {
+  const lim = Math.max(1, Math.min(200, Number(limit) || 50));
+  const off = Math.max(0, Number(offset) || 0);
+  if (status) {
+    return db.prepare(`
+      SELECT * FROM atp_commissions
+       WHERE merchant_user_id=? AND status=?
+       ORDER BY created_at DESC LIMIT ? OFFSET ?
+    `).all(userId, status, lim, off);
+  }
+  return db.prepare(`
+    SELECT * FROM atp_commissions
+     WHERE merchant_user_id=?
+     ORDER BY created_at DESC LIMIT ? OFFSET ?
+  `).all(userId, lim, off);
+}
+
+function getMerchantCommissionStats(userId) {
+  const overall = db.prepare(`
+    SELECT COUNT(*)                                AS count_total,
+           COALESCE(SUM(commission_cents), 0)      AS commission_total_cents,
+           COALESCE(SUM(gross_amount_cents), 0)    AS gross_total_cents
+      FROM atp_commissions
+     WHERE merchant_user_id = ?
+       AND status IN ('pending','invoiced','collected')
+  `).get(userId);
+  const byStatus = db.prepare(`
+    SELECT status,
+           COUNT(*) AS n,
+           COALESCE(SUM(commission_cents), 0) AS commission_cents
+      FROM atp_commissions
+     WHERE merchant_user_id = ?
+     GROUP BY status
+  `).all(userId);
+  return { ...overall, by_status: byStatus, rate_bps: getCommissionBps() };
+}
+
+function getPlatformCommissionStats() {
+  const row = db.prepare(`
+    SELECT COUNT(*)                                AS count_total,
+           COALESCE(SUM(commission_cents), 0)      AS commission_total_cents,
+           COALESCE(SUM(gross_amount_cents), 0)    AS gross_total_cents,
+           MIN(created_at)                         AS first_at,
+           MAX(created_at)                         AS last_at
+      FROM atp_commissions
+     WHERE status IN ('pending','invoiced','collected')
+  `).get();
+  const byStatus = db.prepare(`
+    SELECT status, COUNT(*) AS n, COALESCE(SUM(commission_cents),0) AS commission_cents
+      FROM atp_commissions GROUP BY status
+  `).all();
+  const byTier = db.prepare(`
+    SELECT merchant_tier AS tier, COUNT(*) AS n,
+           COALESCE(SUM(commission_cents),0) AS commission_cents
+      FROM atp_commissions
+     WHERE status IN ('pending','invoiced','collected')
+     GROUP BY merchant_tier
+     ORDER BY commission_cents DESC
+  `).all();
+  return { ...row, by_status: byStatus, by_tier: byTier, rate_bps: getCommissionBps() };
+}
+
+module.exports = {
+  recordCommissionForTransaction,
+  markCommissionRefunded,
+  listCommissionsForMerchant,
+  getMerchantCommissionStats,
+  getPlatformCommissionStats,
+  getCommissionBps,
+  getMinTier,
+  _calcCommissionCents: calcCommissionCents,
+};

package/server/services/email.js

@@ -123,6 +123,59 @@ const templates = {
     `
   }),
 
+  email_verification: (data) => ({
+    subject: 'Verify your email — Web Agent Bridge',
+    html: `
+      <div style="font-family:Arial,sans-serif;max-width:600px;margin:0 auto;background:#0a0e1a;color:#f0f4ff;padding:40px;border-radius:12px;">
+        <div style="text-align:center;margin-bottom:30px;">
+          <div style="font-size:40px;">✉️</div>
+          <h1 style="color:#3b82f6;margin:10px 0;">Verify your email</h1>
+        </div>
+        <p style="color:#94a3b8;">Hello ${escapeHtml(data.name)},</p>
+        <p style="color:#94a3b8;line-height:1.8;">
+          Thanks for signing up for Web Agent Bridge. Please confirm your email by clicking the button below.
+        </p>
+        <div style="text-align:center;margin:30px 0;">
+          <a href="${data.verifyUrl}" style="background:linear-gradient(135deg,#3b82f6,#8b5cf6);color:#fff;padding:14px 32px;border-radius:8px;text-decoration:none;font-weight:600;">Verify Email</a>
+        </div>
+        <p style="color:#64748b;font-size:13px;">
+          This link expires in 7 days. If you didn't create an account, ignore this email.
+        </p>
+        <p style="color:#64748b;font-size:12px;text-align:center;margin-top:30px;">
+          &copy; ${new Date().getFullYear()} Web Agent Bridge
+        </p>
+      </div>
+    `
+  }),
+
+  license_delivery: (data) => ({
+    subject: `Your ${sanitizeSubjectPart(data.tier || 'WAB')} license is active — Web Agent Bridge`,
+    html: `
+      <div style="font-family:Arial,sans-serif;max-width:600px;margin:0 auto;background:#0a0e1a;color:#f0f4ff;padding:40px;border-radius:12px;">
+        <div style="text-align:center;margin-bottom:30px;">
+          <div style="font-size:40px;">🎟️</div>
+          <h1 style="color:#10b981;margin:10px 0;">Payment received</h1>
+        </div>
+        <p style="color:#94a3b8;">Hello ${escapeHtml(data.name || '')},</p>
+        <p style="color:#94a3b8;line-height:1.8;">
+          Your subscription to <strong style="color:#10b981;">${escapeHtml(String(data.tier || '').toUpperCase())}</strong> is now active.
+          Below are your license details — keep them safe.
+        </p>
+        <div style="background:#1a2236;border-radius:8px;padding:20px;margin:20px 0;">
+          ${data.siteDomain ? `<p style="color:#94a3b8;"><strong style="color:#f0f4ff;">Site:</strong> ${escapeHtml(data.siteDomain)}</p>` : ''}
+          ${data.licenseKey ? `<p style="color:#94a3b8;"><strong style="color:#f0f4ff;">License key:</strong> <code style="color:#f0f4ff;">${escapeHtml(data.licenseKey)}</code></p>` : ''}
+          ${data.amount ? `<p style="color:#94a3b8;"><strong style="color:#f0f4ff;">Amount:</strong> ${escapeHtml(data.amount)}</p>` : ''}
+        </div>
+        <div style="text-align:center;margin-top:30px;">
+          <a href="${data.dashboardUrl || 'https://webagentbridge.com/dashboard'}" style="background:linear-gradient(135deg,#10b981,#3b82f6);color:#fff;padding:14px 32px;border-radius:8px;text-decoration:none;font-weight:600;">Open Dashboard</a>
+        </div>
+        <p style="color:#64748b;font-size:12px;text-align:center;margin-top:30px;">
+          &copy; ${new Date().getFullYear()} Web Agent Bridge
+        </p>
+      </div>
+    `
+  }),
+
   contact: (data) => ({
     subject: `New Contact Message: ${sanitizeSubjectPart(data.subject || 'No Subject')}`,
     html: `

package/server/services/stripe.js

@@ -116,12 +116,53 @@ function handleWebhookEvent(event) {
           periodEnd: null
         });
         updateSiteTier.run(tier || 'starter', wab_site_id, wab_user_id);
+
+        // ── License delivery email (best-effort, non-blocking) ──
+        try {
+          const { findUserById, findSiteById: getSite } = require('../models/db');
+          const user = findUserById.get(wab_user_id);
+          const site = getSite.get(wab_site_id);
+          if (user && site) {
+            const { sendEmail } = require('./email');
+            const baseUrl = process.env.BASE_URL || 'https://webagentbridge.com';
+            const amount = session.amount_total != null
+              ? `${(session.amount_total / 100).toFixed(2)} ${(session.currency || 'usd').toUpperCase()}`
+              : null;
+            Promise.resolve(sendEmail({
+              to: user.email,
+              template: 'license_delivery',
+              data: {
+                name: user.name,
+                tier: tier || 'starter',
+                siteDomain: site.domain,
+                licenseKey: site.license_key,
+                amount,
+                dashboardUrl: `${baseUrl}/dashboard`
+              },
+              userId: user.id
+            })).catch((e) => console.error('[stripe] license_delivery email failed:', e.message));
+          }
+        } catch (e) {
+          console.error('[stripe] license_delivery setup failed:', e.message);
+        }
       }
       break;
     }
 
     case 'invoice.payment_succeeded': {
       const invoice = event.data.object;
+
+      // ── ATP merchant commission invoice paid? Flip rows to 'collected'. ──
+      try {
+        if (invoice.metadata && invoice.metadata.wab_kind === 'atp_commission_batch') {
+          const billing = require('./commission-billing');
+          const changed = billing.onStripeInvoicePaid(invoice);
+          console.log(`[atp] commission invoice ${invoice.id} paid; ${changed} rows → collected`);
+        }
+      } catch (e) {
+        console.error('[atp] commission invoice paid handler failed (non-fatal):', e.message);
+      }
+
       if (invoice.subscription) {
         const sub = getStripeSubscriptionBySubId(invoice.subscription);
         if (sub) {
@@ -187,6 +228,85 @@ function handleWebhookEvent(event) {
       }
       break;
     }
+
+    case 'charge.refunded': {
+      const charge = event.data.object;
+      try {
+        const userId =
+          (charge.metadata && charge.metadata.wab_user_id) ||
+          (charge.invoice && (() => {
+            // best-effort: look up subscription via the invoice's subscription id
+            try {
+              const inv = charge.invoice;
+              if (typeof inv === 'string') return null;
+              if (inv && inv.subscription) {
+                const sub = getStripeSubscriptionBySubId(inv.subscription);
+                return sub ? sub.user_id : null;
+              }
+            } catch { return null; }
+            return null;
+          })()) || null;
+
+        if (userId) {
+          savePayment({
+            userId,
+            stripePaymentId: `refund_${charge.id}`,
+            amount: -(charge.amount_refunded || charge.amount || 0),
+            currency: charge.currency || 'usd',
+            status: 'refunded',
+            description: `Refund: ${charge.id}`
+          });
+        }
+
+        // Downgrade any subscription tied to this charge (best-effort)
+        if (charge.invoice) {
+          try {
+            const invId = typeof charge.invoice === 'string' ? null : charge.invoice;
+            // Subscription id can be on the expanded invoice; we mark the
+            // user's subscriptions as refunded so admin tools can review.
+            if (invId && invId.subscription) {
+              updateStripeSubscription(invId.subscription, { status: 'cancelled' });
+              const sub = getStripeSubscriptionBySubId(invId.subscription);
+              if (sub) updateSiteTier.run('free', sub.site_id, sub.user_id);
+            }
+          } catch (e) {
+            console.error('[stripe] charge.refunded subscription update failed:', e.message);
+          }
+        }
+        console.warn(`[stripe] charge.refunded processed: charge=${charge.id} amount=${charge.amount_refunded}`);
+      } catch (e) {
+        console.error('[stripe] charge.refunded handler error:', e.message);
+      }
+      break;
+    }
+
+    case 'charge.dispute.created': {
+      const dispute = event.data.object;
+      try {
+        const userId = (dispute.metadata && dispute.metadata.wab_user_id) || null;
+        if (userId) {
+          savePayment({
+            userId,
+            stripePaymentId: `dispute_${dispute.id}`,
+            amount: -(dispute.amount || 0),
+            currency: dispute.currency || 'usd',
+            status: 'disputed',
+            description: `Chargeback/dispute: ${dispute.id} reason=${dispute.reason || 'unknown'}`
+          });
+        }
+        // Suspend any subscription on the disputed charge
+        try {
+          if (dispute.charge) {
+            // Without expanding the charge we cannot reliably find the sub,
+            // but admins are alerted via the audit log + payments row above.
+          }
+        } catch { /* noop */ }
+        console.warn(`[stripe] charge.dispute.created: dispute=${dispute.id} reason=${dispute.reason}`);
+      } catch (e) {
+        console.error('[stripe] charge.dispute.created handler error:', e.message);
+      }
+      break;
+    }
   }
 }
 

package/server/services/transactions.js

@@ -292,6 +292,14 @@ function transitionTransaction(txId, toStatus, patch = {}) {
       db.prepare("UPDATE atp_intents SET status='consumed', updated_at=? WHERE id=? AND status='authorized'")
         .run(nowIso(), tx.intent_id);
     }
+
+    // Platform commission (best-effort, never blocks the tx).
+    try {
+      const commissions = require('./commissions');
+      commissions.recordCommissionForTransaction(getTransaction(txId));
+    } catch (e) {
+      console.error('[atp] commission record failed (non-fatal):', e.message);
+    }
   }
   if (toStatus === 'compensated' && tx.status === 'settled') {
     db.prepare(`
@@ -300,6 +308,13 @@ function transitionTransaction(txId, toStatus, patch = {}) {
              updated_at = ?
        WHERE id = ?
     `).run(tx.amount_cents, nowIso(), tx.intent_id);
+
+    try {
+      const commissions = require('./commissions');
+      commissions.markCommissionRefunded(txId, 'tx_compensated');
+    } catch (e) {
+      console.error('[atp] commission refund mark failed (non-fatal):', e.message);
+    }
   }
 
   return getTransaction(txId);