feat(trust): WAB v1.3 cryptographic trust layer (Ed25519 + DNSSEC + signed manifests)

Author: abokenan444

examples/wab-sign.js

@@ -0,0 +1,74 @@
+#!/usr/bin/env node
+/**
+ * wab-sign — generate Ed25519 keys and sign WAB discovery manifests.
+ *
+ * Usage:
+ *   wab-sign keygen                            # print a new keypair (save private offline)
+ *   wab-sign sign  manifest.json key.priv      # sign a manifest, write manifest.signed.json
+ *   wab-sign txt   <pubkey-b64> <endpoint>     # print the matching _wab TXT line
+ *
+ * Examples:
+ *   $ node wab-sign.js keygen > keys.json
+ *   $ jq -r .private_key keys.json > key.priv
+ *   $ node wab-sign.js sign wab.json key.priv
+ *
+ *   $ node wab-sign.js txt <(jq -r .public_key keys.json) https://example.com/.well-known/wab.json
+ */
+
+'use strict';
+
+const fs = require('fs');
+const path = require('path');
+const { generateKeyPair, signManifest, fingerprint } = require(
+  // try the bundled service first; fall back to a local copy if invoked from a downloads/ extract
+  fs.existsSync(path.join(__dirname, '..', 'server', 'services', 'wab-crypto.js'))
+    ? path.join(__dirname, '..', 'server', 'services', 'wab-crypto.js')
+    : './wab-crypto'
+);
+
+const [,, cmd, a1, a2] = process.argv;
+
+function usage() {
+  console.error('Usage:');
+  console.error('  wab-sign keygen');
+  console.error('  wab-sign sign <manifest.json> <key.priv>');
+  console.error('  wab-sign txt  <public-key-b64>  <endpoint-url>');
+  process.exit(1);
+}
+
+if (!cmd) usage();
+
+if (cmd === 'keygen') {
+  const kp = generateKeyPair();
+  process.stdout.write(JSON.stringify(kp, null, 2) + '\n');
+  process.stderr.write('\n[!] private_key is shown ONLY here. Save it offline immediately.\n');
+  process.stderr.write('[!] Publish public_key in your _wab DNS TXT as: pk=ed25519:' + kp.public_key + '\n');
+  process.exit(0);
+}
+
+if (cmd === 'sign') {
+  if (!a1 || !a2) usage();
+  const manifest = JSON.parse(fs.readFileSync(a1, 'utf8'));
+  const priv = fs.readFileSync(a2, 'utf8').trim();
+  const signed = signManifest(manifest, priv);
+  const out = a1.replace(/\.json$/, '') + '.signed.json';
+  fs.writeFileSync(out, JSON.stringify(signed, null, 2) + '\n');
+  console.log(`[OK] Signed manifest written: ${out}`);
+  console.log(`[OK] Signature key_id: ${signed.signature.key_id}`);
+  console.log(`[OK] Upload ${out} to https://${manifest.domain || '<your-domain>'}/.well-known/wab.json`);
+  process.exit(0);
+}
+
+if (cmd === 'txt') {
+  if (!a1 || !a2) usage();
+  const pub = a1.trim();
+  const endpoint = a2.trim();
+  if (!/^https:\/\//i.test(endpoint)) { console.error('endpoint must be HTTPS'); process.exit(1); }
+  const fp = fingerprint(pub);
+  console.log(`# _wab.${endpoint.replace(/^https?:\/\//,'').replace(/\/.*$/,'')}  TXT record:`);
+  console.log(`v=wab1; endpoint=${endpoint}; pk=ed25519:${pub}`);
+  console.log(`# key_id (fingerprint): ${fp}`);
+  process.exit(0);
+}
+
+usage();

examples/wab-verify.js

@@ -0,0 +1,60 @@
+#!/usr/bin/env node
+/**
+ * wab-verify — full trust check on a domain's WAB DNS Discovery setup.
+ *
+ * Usage:
+ *   wab-verify <domain>                  # full DNS + DNSSEC + signature trust report
+ *   wab-verify --json <domain>           # JSON output (for CI / scripts)
+ *   wab-verify --strict <domain>         # exit non-zero unless trust_score == 100
+ *
+ * Hits the public WAB Trust API at /api/discovery/trust/:domain.
+ * Override base URL with WAB_BASE_URL=https://your-instance.example.com
+ */
+
+'use strict';
+
+const fetch = (() => { try { return require('node-fetch'); } catch { return globalThis.fetch; } })();
+
+const args = process.argv.slice(2);
+const json   = args.includes('--json');
+const strict = args.includes('--strict');
+const domain = args.find(a => !a.startsWith('--'));
+const BASE   = process.env.WAB_BASE_URL || 'https://www.webagentbridge.com';
+
+if (!domain) {
+  console.error('Usage: wab-verify [--json] [--strict] <domain>');
+  process.exit(2);
+}
+
+(async () => {
+  const r = await fetch(`${BASE}/api/discovery/trust/${encodeURIComponent(domain)}`);
+  if (!r.ok) { console.error(`HTTP ${r.status}`); process.exit(2); }
+  const data = await r.json();
+
+  if (json) {
+    process.stdout.write(JSON.stringify(data, null, 2) + '\n');
+  } else {
+    const c = data.checks || {};
+    const tick = (b) => b ? '✓' : '✗';
+    console.log(`\nWAB Trust Report — ${data.domain}`);
+    console.log('═'.repeat(50));
+    console.log(`  Trust Score:   ${data.trust_score}/100   [${data.trust_label.toUpperCase()}]`);
+    console.log('  ──────────────────────────────────────────────');
+    console.log(`  ${tick(c.dns_resolved)}  DNS _wab record present`);
+    console.log(`  ${tick(c.dnssec_verified)}  DNSSEC verified (AD flag)`);
+    console.log(`  ${tick(c.has_public_key)}  Public key in DNS (pk=${c.pk_algorithm || '—'})`);
+    console.log(`  ${tick(c.https_endpoint && c.manifest_fetched)}  HTTPS manifest reachable`);
+    console.log(`  ${tick(c.signature_valid)}  Manifest signature valid`);
+    console.log('  ──────────────────────────────────────────────');
+    if (data.public_key) console.log(`  Key ID: ${data.public_key.fingerprint}  (ed25519)`);
+    if (data.endpoint)   console.log(`  Endpoint: ${data.endpoint}`);
+    if (data.findings && data.findings.length) {
+      console.log('\n  Findings:');
+      for (const f of data.findings) console.log('    • ' + f);
+    }
+    console.log('');
+  }
+
+  if (strict && data.trust_score < 100) process.exit(1);
+  process.exit(0);
+})().catch(err => { console.error('[ERROR]', err.message); process.exit(2); });

public/adoption-metrics.html

@@ -78,6 +78,7 @@ <h3>Recent runs</h3>
 
     <div class="panel" style="text-align:center;color:#9eb1d8;font-size:.86rem;">
       Want your domain on this dashboard? Run any <a href="/dns">WAB DNS</a> usage proof —
+      verify cryptographic trust at <a href="/wab-trust">/wab-trust</a> —
       or one-click enable via
       <a href="/cloudflare-integration">Cloudflare</a>,
       <a href="/route53-integration">Route 53</a>,

public/provider-onboarding.html

@@ -160,6 +160,8 @@ <h3>Integration Endpoints</h3>
           <a class="btn-mini btn-primary" href="/azure-dns-integration">Azure DNS One-Click</a>
           <a class="btn-mini btn-primary" href="/registrar-integrations">GoDaddy / Namecheap CLI</a>
           <a class="btn-mini btn-secondary" href="/adoption-metrics">Adoption Metrics</a>
+          <a class="btn-mini btn-primary" href="/wab-trust">Trust Layer (v1.3)</a>
+          <a class="btn-mini btn-secondary" href="/wab-vs-protocols">WAB vs Other Protocols</a>
           <a class="btn-mini btn-secondary" href="/downloads/wab-dns-provider.postman_collection.json" target="_blank" rel="noopener">Download Postman Collection</a>
           <a class="btn-mini btn-secondary" href="/dns">Open DNS Page</a>
         </div>

public/wab-trust.html

@@ -0,0 +1,200 @@
+<!DOCTYPE html>
+<html lang="en" dir="ltr">
+<head>
+  <meta charset="UTF-8">
+  <meta name="viewport" content="width=device-width, initial-scale=1.0">
+  <title>WAB Trust — Cryptographic Verification (v1.3)</title>
+  <meta name="description" content="WAB DNS Discovery v1.3 trust layer: DNSSEC + Ed25519 signed manifests anchored in domain ownership. Verify any domain's cryptographic trust score live.">
+  <link rel="stylesheet" href="/css/styles.css?v=3.3.0">
+  <style>
+    body { background:#081123; color:#e8efff; }
+    .hero { padding:100px 20px 26px; text-align:center; }
+    .hero .badge { display:inline-block; background:linear-gradient(135deg,#10b981,#059669); padding:4px 12px; border-radius:999px; font-size:.78rem; font-weight:700; letter-spacing:.5px; margin-bottom:12px; }
+    .hero h1 { font-size:clamp(1.9rem,4vw,2.8rem); margin:6px 0 8px; }
+    .hero p { color:#9eb1d8; max-width:840px; margin:0 auto; font-size:1rem; }
+    .wrap { max-width:1180px; margin:0 auto; padding:0 18px 70px; }
+    .panel { background:linear-gradient(180deg,rgba(17,24,39,.92),rgba(10,16,30,.96)); border:1px solid rgba(148,163,184,.2); border-radius:14px; padding:18px; margin-bottom:16px; }
+    .panel h3 { margin:0 0 10px; color:#fcd34d; font-size:1rem; }
+    .grid2 { display:grid; grid-template-columns:1.2fr 1fr; gap:14px; }
+    @media (max-width:880px) { .grid2 { grid-template-columns:1fr; } }
+    label { display:block; font-size:.78rem; color:#a8b7d7; margin-bottom:5px; }
+    input, textarea, select { width:100%; background:#0b162a; border:1px solid rgba(148,163,184,.28); color:#e8efff; border-radius:10px; padding:10px; font-family:Consolas,monospace; font-size:.85rem; }
+    button { background:linear-gradient(135deg,#10b981,#047857); color:#fff; border:none; border-radius:10px; padding:10px 14px; cursor:pointer; font-weight:700; font-size:.85rem; }
+    button.alt { background:linear-gradient(135deg,#334155,#1f2937); }
+    button.warn { background:linear-gradient(135deg,#f59e0b,#b45309); }
+    .actions { display:flex; gap:8px; flex-wrap:wrap; margin-top:8px; }
+    pre { background:#020617; border:1px solid rgba(148,163,184,.26); border-radius:10px; padding:12px; color:#c4b5fd; overflow:auto; font-size:.78rem; }
+    .score-card { text-align:center; padding:20px; border-radius:14px; }
+    .score-num { font-size:3.4rem; font-weight:800; line-height:1; }
+    .score-label { font-size:.86rem; text-transform:uppercase; letter-spacing:1.4px; margin-top:6px; }
+    .platinum { background:linear-gradient(135deg,#a855f7,#6366f1); color:#fff; }
+    .gold     { background:linear-gradient(135deg,#fbbf24,#d97706); color:#1f2937; }
+    .silver   { background:linear-gradient(135deg,#cbd5e1,#94a3b8); color:#1f2937; }
+    .bronze   { background:linear-gradient(135deg,#f97316,#c2410c); color:#fff; }
+    .basic    { background:linear-gradient(135deg,#475569,#1f2937); color:#fff; }
+    .unverified { background:#1f2937; color:#a8b7d7; border:1px solid rgba(148,163,184,.26); }
+    .check-row { display:flex; align-items:center; gap:10px; padding:8px 0; border-bottom:1px solid rgba(148,163,184,.12); font-size:.9rem; }
+    .check-row:last-child { border-bottom:0; }
+    .check-icon { width:22px; height:22px; border-radius:50%; display:flex; align-items:center; justify-content:center; font-weight:800; font-size:.78rem; }
+    .check-icon.ok { background:#064e3b; color:#a7f3d0; }
+    .check-icon.no { background:#7f1d1d; color:#fecaca; }
+    .findings { background:#0b162a; border-left:3px solid #f59e0b; padding:10px 14px; border-radius:6px; font-size:.84rem; color:#fde68a; margin-top:10px; }
+    .findings ul { margin:6px 0 0 18px; padding:0; }
+    table { width:100%; border-collapse:collapse; font-size:.84rem; }
+    th, td { padding:8px 10px; text-align:left; border-bottom:1px solid rgba(148,163,184,.14); }
+    th { color:#a8b7d7; font-weight:600; font-size:.74rem; text-transform:uppercase; letter-spacing:.5px; }
+    .pill { display:inline-block; padding:2px 8px; border-radius:999px; font-size:.7rem; font-weight:700; }
+    .pill.ok { background:#064e3b; color:#a7f3d0; }
+    .pill.no { background:#7f1d1d; color:#fecaca; }
+    .keyout { display:none; }
+    a { color:#fcd34d; }
+    .small { font-size:.8rem; color:#9eb1d8; }
+  </style>
+</head>
+<body>
+  <section class="hero">
+    <span class="badge">WAB v1.3 · Trust Layer</span>
+    <h1>Cryptographic Trust for Agent Discovery</h1>
+    <p>WAB v1.3 binds every domain's discovery manifest to an <strong>Ed25519 signature</strong>, with the public key published in DNS and protected by <strong>DNSSEC</strong>. No CA. No central registry. Trust is rooted exactly where it should be — in domain ownership.</p>
+  </section>
+
+  <div class="wrap">
+
+    <div class="grid2">
+      <!-- LIVE VERIFIER -->
+      <div class="panel">
+        <h3>Verify any domain</h3>
+        <p class="small">Runs the full 5-check trust report: DNS · DNSSEC · public key · HTTPS manifest · signature.</p>
+        <label>Domain</label>
+        <input id="vDomain" placeholder="example.com" value="webagentbridge.com" />
+        <div class="actions">
+          <button onclick="runVerify()">Run Trust Check</button>
+          <button class="alt" onclick="loadLeaderboard()">View Leaderboard</button>
+        </div>
+        <div id="vResult" style="margin-top:14px;"></div>
+      </div>
+
+      <!-- KEY GENERATOR -->
+      <div class="panel">
+        <h3>Generate Ed25519 keypair</h3>
+        <p class="small">Stateless. The server never stores your private key — save it offline and use it to sign your <code>wab.json</code>.</p>
+        <div class="actions">
+          <button class="warn" onclick="genKeys()">Generate New Keypair</button>
+          <button class="alt" onclick="document.getElementById('keyout').style.display='none'">Hide</button>
+        </div>
+        <div id="keyout" class="keyout" style="margin-top:14px;">
+          <label>TXT record (publish in DNS)</label>
+          <pre id="kTxt"></pre>
+          <label>Public key (base64)</label>
+          <pre id="kPub"></pre>
+          <label>Private key (base64) — save offline NOW</label>
+          <pre id="kPriv" style="border-color:#7f1d1d;color:#fecaca;"></pre>
+          <p class="small" style="color:#fde68a;">⚠ This is the only time the private key is shown. Copy it now.</p>
+        </div>
+      </div>
+    </div>
+
+    <!-- LEADERBOARD -->
+    <div class="panel" id="leaderboardPanel" style="display:none;">
+      <h3>Trust Leaderboard</h3>
+      <div id="leaderboard">Loading…</div>
+    </div>
+
+    <!-- HOW IT WORKS -->
+    <div class="panel">
+      <h3>How WAB v1.3 trust works</h3>
+      <ol style="color:#cbd5e1;font-size:.9rem;line-height:1.7;padding-left:20px;">
+        <li><strong>Generate keypair</strong> (Ed25519, 32 bytes each) — offline or via the button above.</li>
+        <li><strong>Publish public key in DNS</strong>: <code>_wab IN TXT "v=wab1; endpoint=https://example.com/.well-known/wab.json; pk=ed25519:&lt;BASE64&gt;"</code>.</li>
+        <li><strong>Enable DNSSEC</strong> on your zone (most registrars: 1-click). DNSSEC chain protects the key from spoofing.</li>
+        <li><strong>Sign your manifest</strong> with the private key: <code>node wab-sign.js sign wab.json key.priv</code> → <code>wab.signed.json</code>.</li>
+        <li><strong>Upload signed manifest</strong> to <code>https://example.com/.well-known/wab.json</code>.</li>
+        <li>Agents fetch the TXT (verify DNSSEC) → fetch the manifest (verify signature with DNS-published key) → trust established.</li>
+      </ol>
+      <p class="small" style="margin-top:10px;">Compare to ANS, sitemap.xml, llms.txt, ai.txt:
+        <a href="/wab-vs-protocols">WAB vs other protocols →</a></p>
+      <p class="small">Offline tools: <a href="/examples/wab-sign.js" target="_blank">wab-sign.js</a> · <a href="/examples/wab-verify.js" target="_blank">wab-verify.js</a></p>
+    </div>
+
+  </div>
+
+  <script>
+    const tick = (b) => b ? '<div class="check-icon ok">✓</div>' : '<div class="check-icon no">✗</div>';
+
+    async function runVerify() {
+      const d = document.getElementById('vDomain').value.trim();
+      if (!d) return;
+      const out = document.getElementById('vResult');
+      out.innerHTML = '<p class="small">Running trust check…</p>';
+      try {
+        const r = await fetch(`/api/discovery/trust/${encodeURIComponent(d)}`);
+        const data = await r.json();
+        if (!r.ok) { out.innerHTML = `<p style="color:#fecaca;">Error: ${data.error || r.status}</p>`; return; }
+        const c = data.checks || {};
+        const cls = data.trust_label || 'unverified';
+        out.innerHTML = `
+          <div class="score-card ${cls}">
+            <div class="score-num">${data.trust_score}<span style="font-size:1.2rem;opacity:.7">/100</span></div>
+            <div class="score-label">${cls}</div>
+          </div>
+          <div style="margin-top:10px;">
+            <div class="check-row">${tick(c.dns_resolved)}<span>DNS <code>_wab</code> record present</span></div>
+            <div class="check-row">${tick(c.dnssec_verified)}<span>DNSSEC verified (AD flag set)</span></div>
+            <div class="check-row">${tick(c.has_public_key)}<span>Public key in DNS (<code>pk=${c.pk_algorithm || '—'}</code>)</span></div>
+            <div class="check-row">${tick(c.https_endpoint && c.manifest_fetched)}<span>HTTPS manifest reachable</span></div>
+            <div class="check-row">${tick(c.signature_valid)}<span>Manifest signature valid (Ed25519)</span></div>
+          </div>
+          ${data.public_key ? `<p class="small" style="margin-top:10px;">Key fingerprint: <code>${data.public_key.fingerprint}</code></p>` : ''}
+          ${data.findings && data.findings.length ? `<div class="findings"><strong>Findings:</strong><ul>${data.findings.map(f=>`<li>${f}</li>`).join('')}</ul></div>` : ''}
+        `;
+      } catch (err) {
+        out.innerHTML = `<p style="color:#fecaca;">Error: ${err.message}</p>`;
+      }
+    }
+
+    async function genKeys() {
+      try {
+        const r = await fetch('/api/discovery/keys/generate', { method:'POST' });
+        const k = await r.json();
+        document.getElementById('keyout').style.display = 'block';
+        document.getElementById('kTxt').textContent = k.txt_record_snippet;
+        document.getElementById('kPub').textContent = k.public_key;
+        document.getElementById('kPriv').textContent = k.private_key;
+      } catch (err) {
+        alert('Key generation failed: ' + err.message);
+      }
+    }
+
+    async function loadLeaderboard() {
+      const panel = document.getElementById('leaderboardPanel');
+      panel.style.display = 'block';
+      const out = document.getElementById('leaderboard');
+      try {
+        const r = await fetch('/api/discovery/trust-leaderboard');
+        const data = await r.json();
+        if (!data.domains || !data.domains.length) {
+          out.innerHTML = '<p class="small">No trust runs recorded yet. Run a verify to populate.</p>';
+          return;
+        }
+        out.innerHTML = `<table>
+          <thead><tr><th>#</th><th>Domain</th><th>Score</th><th>DNSSEC</th><th>pk</th><th>Signed</th><th>Sig OK</th><th>Last check</th></tr></thead>
+          <tbody>${data.domains.map((d,i)=>`
+            <tr>
+              <td>${i+1}</td>
+              <td>${d.domain}</td>
+              <td><strong>${d.score}</strong></td>
+              <td>${d.dnssec === 'verified' ? '<span class="pill ok">✓</span>' : '<span class="pill no">'+d.dnssec+'</span>'}</td>
+              <td>${d.has_pk ? '<span class="pill ok">✓</span>' : '<span class="pill no">—</span>'}</td>
+              <td>${d.signed_manifest ? '<span class="pill ok">✓</span>' : '<span class="pill no">—</span>'}</td>
+              <td>${d.signature_valid ? '<span class="pill ok">✓</span>' : '<span class="pill no">—</span>'}</td>
+              <td class="small">${(d.last_checked||'').replace('T',' ').slice(0,16)}</td>
+            </tr>
+          `).join('')}</tbody>
+        </table>`;
+      } catch (err) {
+        out.innerHTML = `<p style="color:#fecaca;">Error: ${err.message}</p>`;
+      }
+    }
+  </script>
+</body>
+</html>