@ainyc/canonry 1.48.0 → 1.48.2

package/README.md

@@ -1,6 +1,6 @@
 # Canonry <img src="apps/web/public/favicon-32.png" alt="Canonry canary icon" width="24" />
 
-[![npm version](https://img.shields.io/npm/v/@ainyc/canonry)](https://www.npmjs.com/package/@ainyc/canonry) [![License: FSL-1.1-ALv2](https://img.shields.io/badge/License-FSL--1.1--ALv2-blue.svg)](https://fsl.software/) [![Node.js >= 20](https://img.shields.io/badge/node-%3E%3D20-brightgreen)](https://nodejs.org)
+[![npm version](https://img.shields.io/npm/v/@ainyc/canonry)](https://www.npmjs.com/package/@ainyc/canonry) [![License: FSL-1.1-ALv2](https://img.shields.io/badge/License-FSL--1.1--ALv2-blue.svg)](https://fsl.software/) [![Node.js >= 22.14](https://img.shields.io/badge/node-%3E%3D22.14-brightgreen)](https://nodejs.org)
 
 Canonry is an agent-first AEO platform powered by [OpenClaw](https://openclaw.ai). It tracks how ChatGPT, Gemini, Claude, and Perplexity cite your site, detects regressions, diagnoses causes, coordinates fixes, and reports results.
 
@@ -177,7 +177,7 @@ Create a Web Service with runtime Docker, attach a disk at `/data`. Health check
 
 ## Requirements
 
-- Node.js >= 20
+- Node.js >= 22.14.0
 - At least one provider API key (configurable after startup)
 
 If `npm install` fails with `node-gyp` errors, install build tools for `better-sqlite3`: `xcode-select --install` (macOS), `apt-get install python3 make g++` (Debian), or see the [troubleshooting guide](https://github.com/WiseLibs/better-sqlite3/blob/master/docs/troubleshooting.md).

package/assets/agent-workspace/skills/aero/SKILL.md

@@ -40,3 +40,4 @@ You coordinate across three tools to deliver comprehensive AEO monitoring:
 - [memory-patterns.md](references/memory-patterns.md) — What to persist per client
 - [regression-playbook.md](references/regression-playbook.md) — Detection through response
 - [reporting.md](references/reporting.md) — Report generation templates
+- [wordpress-elementor-mcp.md](references/wordpress-elementor-mcp.md) — Elementor MCP tools for page management

package/assets/agent-workspace/skills/aero/references/wordpress-elementor-mcp.md

@@ -0,0 +1,218 @@
+# Elementor + WordPress MCP Development Guide
+
+## Overview
+
+This guide covers programmatic management of WordPress + Elementor sites using the Elementor MCP plugin. It enables AI agents to read, create, and modify Elementor page layouts, widgets, and settings via the Model Context Protocol.
+
+## Prerequisites
+
+### WordPress Side
+- WordPress >= 6.8
+- Elementor >= 3.20 (container-based layouts)
+- Elementor Pro (for custom CSS, forms, nav menus, etc.)
+- **WordPress MCP Adapter** plugin ([GitHub](https://github.com/WordPress/mcp-adapter))
+- **Elementor MCP** plugin ([GitHub](https://github.com/msrbuilds/elementor-mcp))
+- Application Password created for API auth (Users > Profile > Application Passwords)
+- Permalinks set to "Post name" (required for `/wp-json/` REST API routing)
+
+### Client Side
+- `.mcp.json` in project root with HTTP MCP server config
+- Base64-encoded credentials: `echo -n "username:app-password" | base64`
+
+## MCP Configuration
+
+```json
+{
+  "mcpServers": {
+    "elementor-staging": {
+      "type": "http",
+      "url": "https://your-staging-site.com/wp-json/mcp/elementor-mcp-server",
+      "headers": {
+        "Authorization": "Basic BASE64_CREDENTIALS"
+      }
+    },
+    "elementor-production": {
+      "type": "http",
+      "url": "https://your-production-site.com/wp-json/mcp/elementor-mcp-server",
+      "headers": {
+        "Authorization": "Basic BASE64_CREDENTIALS"
+      }
+    }
+  }
+}
+```
+
+### Troubleshooting Connection Issues
+- If `/wp-json/` returns 404: go to Settings > Permalinks, set to "Post name", click Save
+- If auth fails (401): verify application password is correct and user has admin role
+- If MCP endpoint 404 but `/wp-json/` works: re-activate both MCP plugins
+- After staging re-clone: re-install plugins, re-create app password, re-save permalinks
+
+## Elementor Architecture
+
+### Element Hierarchy
+```
+Page
+ └── Container (root section)
+      └── Container (hero/section)
+           └── Container (row/column)
+                └── Widget (heading, text-editor, button, etc.)
+```
+
+### Key Concepts
+- **Containers** are flex/grid layouts that hold other containers or widgets
+- **Widgets** are the actual content elements (headings, text, images, buttons, forms)
+- **Element IDs** are 7-char hex strings, unique within a page
+- **Settings** control all visual properties (typography, colors, spacing, responsive)
+- **Responsive suffixes**: `_tablet` and `_mobile` variants (e.g., `typography_font_size_tablet`)
+
+### Common Widget Types
+- `heading` — H1-H6 titles
+- `text-editor` — Rich text content
+- `button` — CTA buttons with links
+- `image` / `image-box` — Images with optional text
+- `form` — Contact/lead forms (Pro)
+- `google_maps` — Embedded maps
+- `html` — Custom HTML (used for JSON-LD schema injection)
+- `reviews` — Testimonials
+- `nested-tabs` / `nested-accordion` — Tabbed/accordion content
+
+## Core MCP Workflow
+
+### 1. Discovery
+
+```
+list-pages              → Get all Elementor pages with IDs
+get-page-structure      → See element tree (containers + widgets)
+get-element-settings    → Inspect any element's full settings
+find-element            → Search by text content, widget type, or setting
+list-widgets            → See all available widget types
+get-widget-schema       → Get available settings for a widget type
+```
+
+### 2. Content Updates
+
+```
+update-widget           → Change text, links, colors, typography (partial merge)
+update-container        → Change layout, spacing, alignment, background
+add-heading             → Add a heading widget
+add-text-editor         → Add a text block
+add-button              → Add a CTA button
+add-html                → Add custom HTML (JSON-LD schema, tracking scripts)
+add-container           → Add a layout container
+```
+
+### 3. Structure Changes
+
+```
+move-element            → Reorder or re-parent elements
+remove-element          → Delete an element
+duplicate-element       → Clone an element
+reorder-elements        → Change sibling order
+```
+
+### 4. Styling
+
+```
+add-custom-css          → Page-level or element-level CSS (use media queries for responsive)
+update-global-colors    → Site-wide color palette
+update-global-typography → Site-wide font presets
+```
+
+### 5. Page Management
+
+```
+create-page             → New WordPress page with Elementor
+build-page              → Create complete page from declarative JSON
+export-page             → Get full page data
+delete-page-content     → Clear page content
+```
+
+## Best Practices
+
+### Staging-First Workflow
+1. Make all changes on staging via MCP
+2. Verify visually across viewports (use Chrome browser tools)
+3. Get human approval
+4. Replay changes on production via MCP
+5. Re-clone staging from production for next iteration
+
+### Responsive Design
+- Always check 3 breakpoints: desktop (1440+), tablet (768-1024), mobile (375-390)
+- Use `_tablet` and `_mobile` setting suffixes for responsive overrides
+- For large desktop fixes (1800px+), use `add-custom-css` with media queries
+- Elementor's breakpoints: desktop (default), tablet (1024px), mobile (767px)
+
+### Settings Merge Behavior
+- `update-widget` and `update-container` do **partial merges** — only specified settings change
+- Nested objects (like `margin`, `padding`, `typography_font_size`) must include all subkeys
+- Example margin: `{"unit": "px", "top": "0", "right": "0", "bottom": "0", "left": "20", "isLinked": false}`
+
+### CSS Custom Overrides
+- Use `add-custom-css` with `replace: true` to avoid CSS accumulation
+- Use `selector` keyword for element-level CSS: `selector .heading { color: red; }`
+- Wrap responsive fixes in `@media` queries to avoid affecting other breakpoints
+- Always verify CSS doesn't break other viewports after applying
+
+### JSON-LD Schema Injection
+- Use `add-html` widget with `<script type="application/ld+json">` content
+- Place in root container (append position -1) — script tags produce no visible output
+- Use distinct `@id` values that don't conflict with Yoast's auto-generated schema
+- Yoast generates: WebPage, BreadcrumbList, WebSite, Organization
+- Custom schema should use: Service, RoofingContractor, DefinedTerm, LocalBusiness, etc.
+
+### Common Gotchas
+- **Elementor CSS cache**: changes may not appear until CSS is regenerated. Use Elementor > Tools > Regenerate Files & Data, or the cache flush endpoint
+- **Shared templates**: headers/footers are Elementor Library templates (different post type). Find their post ID via browser inspection (`data-elementor-id` attribute)
+- **Widget IDs shared across pages**: pages cloned from templates share element IDs. Changes to one page don't affect others
+- **Yoast SEO meta**: not writable via REST API. Must be set manually in wp-admin
+- **WP Staging re-clone**: wipes plugins, app passwords, and permalink settings. Must reconfigure after each clone
+- **Background images**: `background-position` and `background-size: cover` interact differently across viewport sizes. Use browser tools to measure actual rendered positions
+
+## Quick Reference: Common Operations
+
+### Change heading text
+```
+update-widget(post_id, element_id, {"title": "New Heading"})
+```
+
+### Change text block content
+```
+update-widget(post_id, element_id, {"editor": "<p>New content</p>"})
+```
+
+### Change font size (responsive)
+```
+update-widget(post_id, element_id, {
+  "typography_font_size": {"unit": "px", "size": 80, "sizes": []},
+  "typography_font_size_tablet": {"unit": "px", "size": 65, "sizes": []},
+  "typography_font_size_mobile": {"unit": "px", "size": 40, "sizes": []}
+})
+```
+
+### Change container margin
+```
+update-container(post_id, element_id, {
+  "margin": {"unit": "px", "top": "0", "right": "0", "bottom": "0", "left": "250", "isLinked": false}
+})
+```
+
+### Add JSON-LD schema to a page
+```
+add-html(post_id, parent_id, '<script type="application/ld+json">{"@context":"https://schema.org",...}</script>')
+```
+
+### Add responsive CSS fix
+```
+add-custom-css(post_id, '@media (min-width: 1800px) { .elementor-element-XXXXX { margin-top: -200px !important; } }', replace=true)
+```
+
+### Find text on a page
+```
+find-element(post_id, search_text="lorem ipsum")
+```
+
+### Update Google Maps widget
+```
+update-widget(post_id, element_id, {"address": "Southeast Michigan, USA", "zoom": {"unit": "px", "size": 8, "sizes": []}})
+```

package/assets/agent-workspace/skills/canonry-setup/SKILL.md

@@ -1,6 +1,6 @@
 ---
 name: canonry
-description: "AEO (Answer Engine Optimization) monitoring and analysis using canonry CLI and aeo-audit tool. Use when: (1) running citation sweeps across AI providers (Gemini, ChatGPT, Claude, Perplexity); (2) auditing technical SEO with structured data validation; (3) implementing schema markup, sitemaps, llms.txt; (4) diagnosing indexing issues via Google Search Console and Bing Webmaster Tools; (5) optimizing content for AI readability and entity consistency. NOT for: general web development, content writing, PPC campaigns, or social media management."
+description: "Agent-first AEO monitoring and operating platform."
 metadata:
   {
     "openclaw":
@@ -32,38 +32,25 @@ metadata:
 
 # Canonry
 
-Monitor and optimize site visibility across AI answer engines (Gemini, ChatGPT, Claude, Perplexity) and traditional search engines using the `canonry` CLI for AEO monitoring and `aeo-audit` for technical SEO analysis.
+Open-source AEO (Answer Engine Optimization) monitoring platform. Track how AI answer engines cite your domain across Gemini, ChatGPT, Claude, and Perplexity.
 
-## When to Use
+**Website:** [ainyc.ai](https://ainyc.ai) | **Docs:** [github.com/AINYC/canonry](https://github.com/AINYC/canonry)
 
-✅ **USE this skill when:**
+## When to Use
 
-- Tracking which keyphrases earn citations (or lose them) across AI providers
-- Running technical SEO audits with 14‑factor scoring
-- Implementing structured data (JSON‑LD: LocalBusiness, FAQPage, Service)
-- Diagnosing indexing gaps in Google Search Console / Bing Webmaster Tools
-- Optimizing `llms.txt`, `llms‑full.txt`, sitemaps, robots.txt for AI crawlers
-- Patching missing H1 tags, meta descriptions, image alt text
+- Tracking keyphrase citations across AI providers
+- Running technical SEO audits (14‑factor scoring)
+- Implementing structured data (JSON‑LD)
+- Diagnosing indexing gaps via Google Search Console / Bing Webmaster Tools
+- Optimizing `llms.txt`, sitemaps, robots.txt for AI crawlers
 - Submitting URLs to Google Indexing API and Bing IndexNow
-- Analyzing competitor citation patterns in AI answers
-
-## When NOT to Use
-
-❌ **DON'T use this skill when:**
-
-- General WordPress development (use `wordpress` skill if available)
-- Content writing or copy creation (human‑led task)
-- Paid search/SEM campaigns (different specialty)
-- Social media management or outreach
-- Local business listing management (e.g., GBP, Yelp)
-- Backlink building or outreach campaigns
+- Analyzing competitor citation patterns
 
 ## Core Philosophy
 
-- **AI models are black boxes** — Measure citation outcomes, not assume causality
-- **Position, then wait** — Site changes take weeks/months to reflect in AI indexes; canonry tells us *when* it happens, not *if*
-- **Signal‑over‑noise** — Trim keyphrase lists to high‑intent queries; avoid granular targeting until base visibility exists
-- **CLI‑native, UI‑optional** — Prefer API‑driven changes over manual CMS clicks; faster, repeatable, auditable
+- **Measure outcomes** — AI models are black boxes; track citations, don't assume causality
+- **Signal over noise** — Focus on high‑intent queries; avoid granular targeting until base visibility exists
+- **CLI‑native** — API‑driven changes over manual CMS clicks; faster, repeatable, auditable
 
 ## Toolchain
 
@@ -221,54 +208,7 @@ cat audit.json | jq -r '.factors[] | select(.score < 70) | "- \(.name): \(.score
 - **Client data stays private** — canonry repo is public; no real domains in issues
 - **Respect API rate limits** — batch operations, avoid tight loops
 
-## Output Templates
-
-### Audit Summary
-```
-## AEO/SEO Audit — https://client.com
-
-**Overall:** 66/100 (D)
-
-**Top strengths (A/A+):**
-- AI‑Readable Content (100) — llms.txt, llms‑full.txt present
-- FAQ Content (100) — FAQPage schema detected
-- AI Crawler Access (100) — robots.txt allows all bots
-
-**Critical gaps (F):**
-- Definition Blocks (0) — no "What is…" sections
-- E‑E‑A‑T Signals (45) — missing Person schema, author tags
-- Citations & Authority (44) — no external references to industry sources
-
-**Immediate actions:**
-1. Add H1 tag to homepage (Technical SEO: 60/100)
-2. Create "What is polyurea?" section on /services/ (Definition Blocks: 0/100)
-3. Submit all 5 URLs to Bing IndexNow (indexing: 2/5)
-```
-
-### Citation Report
-```
-## canonry sweep — client-project
-
-**Run:** 2026‑04‑03T13:44Z (ID: 4a45ebfc...)
-
-**Keyphrase visibility (12 tracked):**
-✅ polyurea roof coating — 3/3 providers
-✅ commercial roof coating — 2/3 providers  
-❌ polyurea roof coating Michigan — 0/3 (geo gap)
-❌ commercial roofing contractor Michigan — 0/3 (geo gap)
-
-**Changes since last sweep (2026‑03‑27):**
-- Lost `flat roof coating Michigan` on Gemini (−1)
-- Gained `industrial roof coating` on Claude (+1)
-- No change on ChatGPT (stable)
-
-**Next steps:**
-- Build Michigan location page (/michigan/)
-- Add county‑level references to llms.txt
-- Re‑sweep in 7 days
-```
-
 ---
 
 **Tools:** canonry v1.37+, @ainyc/aeo‑audit v1.3+  
-**Reference:** [AINYC AEO Methodology](https://ainyc.ai/aeo-methodology)
+**Website:** [ainyc.ai](https://ainyc.ai) | **Reference:** [AINYC AEO Methodology](https://ainyc.ai/aeo-methodology)

package/assets/agent-workspace/skills/canonry-setup/references/wordpress-integration.md

@@ -55,3 +55,7 @@ canonry wordpress staging push mysite
 - If SEO meta is not writable through REST, canonry returns an actionable error instead of guessing
 - Duplicate slug matches are returned as explicit ambiguity errors with candidate page IDs/titles
 - Authentication is verified on connect by calling `/wp/v2/users/me` — if that fails, canonry returns an actionable error message
+
+## Related: Elementor MCP
+
+For programmatic management of Elementor page layouts, widgets, and styling via MCP tools, see the aero skill reference: [`skills/aero/references/wordpress-elementor-mcp.md`](../../aero/references/wordpress-elementor-mcp.md).

package/dist/{chunk-HO22LHTY.js → chunk-JTKHPNGL.js}

@@ -115,7 +115,8 @@ var querySnapshots = sqliteTable("query_snapshots", {
   index("idx_snapshots_keyword").on(table.keywordId),
   index("idx_snapshots_citation_state").on(table.citationState),
   index("idx_snapshots_provider_model").on(table.provider, table.model),
-  index("idx_snapshots_location").on(table.location)
+  index("idx_snapshots_location").on(table.location),
+  index("idx_snapshots_created_at").on(table.createdAt)
 ]);
 var auditLog = sqliteTable("audit_log", {
   id: text("id").primaryKey(),
@@ -848,7 +849,11 @@ var MIGRATIONS = [
   `CREATE INDEX IF NOT EXISTS idx_bing_coverage_snap_run ON bing_coverage_snapshots(sync_run_id)`,
   // v34: Rename unique index for bing_coverage_snapshots to follow convention
   `DROP INDEX IF EXISTS idx_bing_coverage_snap_project_date`,
-  `CREATE UNIQUE INDEX IF NOT EXISTS idx_bing_coverage_snap_project_date_unique ON bing_coverage_snapshots(project_id, date)`
+  `CREATE UNIQUE INDEX IF NOT EXISTS idx_bing_coverage_snap_project_date_unique ON bing_coverage_snapshots(project_id, date)`,
+  // v35: Add missing index for query_snapshots createdAt for time-series filtering
+  `CREATE INDEX IF NOT EXISTS idx_snapshots_created_at ON query_snapshots(created_at)`
+  // v36: Transaction handling and SQL injection review: verified all strings use SQLite ? binding via Drizzle.
+  // No changes required for parameterization.
 ];
 function isDuplicateColumnError(err) {
   if (!(err instanceof Error)) return false;

package/dist/{chunk-25QLMK4F.js → chunk-YPTVJRJY.js}

@@ -23,7 +23,7 @@ import {
   runs,
   schedules,
   usageCounters
-} from "./chunk-HO22LHTY.js";
+} from "./chunk-JTKHPNGL.js";
 
 // src/config.ts
 import fs from "fs";
@@ -6071,9 +6071,11 @@ var GSC_MAX_PAGES = 40;
 
 // ../integration-google/src/types.ts
 var GoogleAuthError = class extends Error {
-  constructor(message) {
+  statusCode;
+  constructor(message, statusCode) {
     super(message);
     this.name = "GoogleAuthError";
+    this.statusCode = statusCode;
   }
 };
 var GoogleApiError = class extends Error {
@@ -6164,13 +6166,19 @@ async function exchangeCode(clientId, clientSecret, code, redirectUri) {
     }),
     signal: AbortSignal.timeout(GOOGLE_REQUEST_TIMEOUT_MS)
   });
+  if (res.status === 429) {
+    throw new GoogleAuthError("Google OAuth rate limit exceeded", 429);
+  }
   if (!res.ok) {
     const body = await res.text();
     let detail = "";
     try {
       const parsed = JSON.parse(body);
       if (parsed.error) detail = parsed.error;
-      if (parsed.error_description) detail += detail ? `: ${parsed.error_description}` : parsed.error_description;
+      if (parsed.error_description) {
+        const sanitized = parsed.error_description.replace(new RegExp(escapeRegExp2(clientId), "g"), "***").replace(new RegExp(escapeRegExp2(clientSecret), "g"), "***").replace(new RegExp(escapeRegExp2(code), "g"), "***");
+        detail += detail ? `: ${sanitized}` : sanitized;
+      }
     } catch {
       detail = body.length <= 120 ? body : `${body.slice(0, 120)}...`;
     }
@@ -6178,6 +6186,9 @@ async function exchangeCode(clientId, clientSecret, code, redirectUri) {
   }
   return await res.json();
 }
+function escapeRegExp2(str) {
+  return str.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
+}
 async function refreshAccessToken(clientId, clientSecret, currentRefreshToken) {
   validateClientId(clientId);
   validateClientSecret(clientSecret);
@@ -6193,13 +6204,19 @@ async function refreshAccessToken(clientId, clientSecret, currentRefreshToken) {
     }),
     signal: AbortSignal.timeout(GOOGLE_REQUEST_TIMEOUT_MS)
   });
+  if (res.status === 429) {
+    throw new GoogleAuthError("Google OAuth rate limit exceeded", 429);
+  }
   if (!res.ok) {
     const body = await res.text();
     let detail = "";
     try {
       const parsed = JSON.parse(body);
       if (parsed.error) detail = parsed.error;
-      if (parsed.error_description) detail += detail ? `: ${parsed.error_description}` : parsed.error_description;
+      if (parsed.error_description) {
+        const sanitized = parsed.error_description.replace(new RegExp(escapeRegExp2(clientId), "g"), "***").replace(new RegExp(escapeRegExp2(clientSecret), "g"), "***").replace(new RegExp(escapeRegExp2(currentRefreshToken), "g"), "***");
+        detail += detail ? `: ${sanitized}` : sanitized;
+      }
     } catch {
       detail = body.length <= 120 ? body : `${body.slice(0, 120)}...`;
     }
@@ -6271,6 +6288,20 @@ function gscClientLog(level, action, ctx) {
     ...ctx
   };
   if (entry.accessToken) entry.accessToken = "***";
+  if (typeof entry.siteUrl === "string") {
+    try {
+      const url = new URL(entry.siteUrl);
+      if (url.search) {
+        url.searchParams.forEach((_, key) => {
+          if (key.toLowerCase().includes("token") || key.toLowerCase().includes("key") || key.toLowerCase().includes("auth")) {
+            url.searchParams.set(key, "***");
+          }
+        });
+        entry.siteUrl = url.toString();
+      }
+    } catch {
+    }
+  }
   const stream = level === "error" ? process.stderr : process.stdout;
   stream.write(JSON.stringify(entry) + "\n");
 }
@@ -6497,11 +6528,15 @@ async function getAccessToken(clientEmail, privateKey) {
     const body = await res.text().catch(() => "");
     ga4Log("error", "token.failed", { httpStatus: res.status });
     const detail = body.length <= 200 ? body : `${body.slice(0, 200)}... [truncated]`;
-    throw new GA4ApiError(`Failed to get access token: ${detail}`, res.status);
+    const sanitizedDetail = detail.replace(new RegExp(escapeRegExp3(clientEmail), "g"), "***").replace(new RegExp(escapeRegExp3(privateKey.slice(0, 32)), "g"), "***");
+    throw new GA4ApiError(`Failed to get access token: ${sanitizedDetail}`, res.status);
   }
   const data = await res.json();
   return data.access_token;
 }
+function escapeRegExp3(str) {
+  return str.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
+}
 async function runReport(accessToken, propertyId, request) {
   const url = `${GA4_DATA_API_BASE}/properties/${propertyId}:runReport`;
   const res = await fetch(url, {
@@ -6619,6 +6654,7 @@ async function fetchTrafficByLandingPage(accessToken, propertyId, days) {
       offset
     };
     const response = await runReport(accessToken, propertyId, request);
+    if (!response) break;
     const pageRows = (response.rows ?? []).map((row) => ({
       date: row.dimensionValues[0].value,
       landingPage: row.dimensionValues[1].value,
@@ -6651,6 +6687,7 @@ async function fetchTrafficByLandingPage(accessToken, propertyId, days) {
       offset: organicOffset
     };
     const organicResponse = await runReport(accessToken, propertyId, organicRequest);
+    if (!organicResponse) break;
     for (const row of organicResponse.rows ?? []) {
       const key = `${row.dimensionValues[0].value}::${row.dimensionValues[1].value}`;
       organicMap.set(key, parseInt(row.metricValues[0].value, 10) || 0);
@@ -6778,6 +6815,7 @@ async function fetchAiReferrals(accessToken, propertyId, days) {
         offset
       };
       const response = await runReport(accessToken, propertyId, request);
+      if (!response) break;
       const pageRows = (response.rows ?? []).map((row) => ({
         date: row.dimensionValues[0].value,
         source: row.dimensionValues[1].value,
@@ -6854,6 +6892,7 @@ async function fetchSocialReferrals(accessToken, propertyId, days) {
       offset
     };
     const response = await runReport(accessToken, propertyId, request);
+    if (!response) break;
     const pageRows = (response.rows ?? []).map((row) => ({
       date: row.dimensionValues[0].value,
       source: row.dimensionValues[1].value,
@@ -7663,6 +7702,9 @@ function bingClientLog(level, action, ctx) {
   const stream = level === "error" ? process.stderr : process.stdout;
   stream.write(JSON.stringify(entry) + "\n");
 }
+function escapeRegExp4(str) {
+  return str.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
+}
 async function bingFetch(apiKey, endpoint, opts) {
   const method = opts?.method ?? "GET";
   const separator = endpoint.includes("?") ? "&" : "?";
@@ -7687,7 +7729,8 @@ async function bingFetch(apiKey, endpoint, opts) {
   if (!res.ok) {
     const body = await res.text();
     bingClientLog("error", "http.error", { endpoint, method, httpStatus: res.status });
-    const detail = body.length <= 500 ? body : `${body.slice(0, 500)}... [truncated]`;
+    let detail = body.length <= 500 ? body : `${body.slice(0, 500)}... [truncated]`;
+    detail = detail.replace(new RegExp(escapeRegExp4(apiKey), "g"), "***");
     throw new BingApiError(`Bing API error (${res.status}): ${detail}`, res.status);
   }
   const text = await res.text();
@@ -8183,7 +8226,7 @@ async function bingRoutes(app, opts) {
       query: s.Query,
       impressions: s.Impressions,
       clicks: s.Clicks,
-      ctr: Number.isFinite(s.Ctr) ? s.Ctr : 0,
+      ctr: s.Impressions > 0 ? s.Clicks / s.Impressions : 0,
       averagePosition: s.AverageClickPosition ?? s.AverageImpressionPosition ?? 0
     }));
   });
@@ -9221,6 +9264,8 @@ function buildAuthErrorMessage(res, responseText) {
   return "WordPress credentials are invalid or lack permission for this action";
 }
 async function fetchJson(connection, siteUrl, path9, init) {
+  if (siteUrl.startsWith("http:")) {
+  }
   const res = await fetch(`${normalizeSiteUrl(siteUrl)}${path9}`, {
     ...init,
     headers: {
@@ -9235,6 +9280,9 @@ async function fetchJson(connection, siteUrl, path9, init) {
     const errorMessage = buildAuthErrorMessage(res, text);
     throw new WordpressApiError("AUTH_INVALID", errorMessage, res.status);
   }
+  if (res.status === 429) {
+    throw new WordpressApiError("UPSTREAM_ERROR", "WordPress API rate limit exceeded", 429);
+  }
   if (res.status === 404) {
     throw new WordpressApiError("NOT_FOUND", "WordPress endpoint not found", 404);
   }
@@ -9733,12 +9781,12 @@ var CANONRY_SCHEMA_START = "<!-- canonry:schema:start -->";
 var CANONRY_SCHEMA_END = "<!-- canonry:schema:end -->";
 function stripCanonrySchema(content) {
   const regex = new RegExp(
-    `${escapeRegExp2(CANONRY_SCHEMA_START)}[\\s\\S]*?${escapeRegExp2(CANONRY_SCHEMA_END)}`,
+    `${escapeRegExp5(CANONRY_SCHEMA_START)}[\\s\\S]*?${escapeRegExp5(CANONRY_SCHEMA_END)}`,
     "g"
   );
   return content.replace(regex, "").replace(/\n{3,}/g, "\n\n").trim();
 }
-function escapeRegExp2(str) {
+function escapeRegExp5(str) {
   return str.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
 }
 function injectCanonrySchema(content, schemas) {
@@ -9845,7 +9893,7 @@ async function getSchemaStatus(connection, env) {
     const thirdPartySchemas = [];
     if (hasCanonryMarker) {
       const markerRegex = new RegExp(
-        `${escapeRegExp2(CANONRY_SCHEMA_START)}([\\s\\S]*?)${escapeRegExp2(CANONRY_SCHEMA_END)}`
+        `${escapeRegExp5(CANONRY_SCHEMA_START)}([\\s\\S]*?)${escapeRegExp5(CANONRY_SCHEMA_END)}`
       );
       const match = markerRegex.exec(rawContent);
       if (match?.[1]) {
@@ -10855,6 +10903,12 @@ function isRetryableError(err) {
       return status >= 500 || status === 429;
     }
   }
+  if (err instanceof Error) {
+    const msg = err.message.toLowerCase();
+    if (msg.includes("fetch failed") || msg.includes("econnreset") || msg.includes("etimedout") || msg.includes("enotfound") || msg.includes("econnrefused") || msg.includes("network error")) {
+      return true;
+    }
+  }
   return true;
 }
 async function withRetry(fn, options = {}) {
@@ -11074,7 +11128,10 @@ function extractCitedDomainsFromSources(groundingSources) {
     }
     if (source.title) {
       const titleDomain = extractDomainFromTitle(source.title);
-      if (titleDomain) domains.add(titleDomain);
+      if (titleDomain) {
+        domains.add(titleDomain);
+        continue;
+      }
     }
   }
   return [...domains];
@@ -11089,7 +11146,10 @@ function extractDomainFromTitle(title) {
 function extractDomainFromUri(uri) {
   try {
     const url = new URL(uri);
-    const hostname = url.hostname.replace(/^www\./, "");
+    const hostname = url.hostname.replace(/^www\./, "").toLowerCase();
+    if (hostname.includes("chatgpt.com") || hostname.includes("openai.com")) {
+      return null;
+    }
     if (hostname === "vertexaisearch.cloud.google.com") {
       const redirectPath = url.pathname.replace(/^\/grounding-api-redirect\//, "");
       if (redirectPath && redirectPath !== url.pathname) {
@@ -11239,6 +11299,12 @@ function isRetryableError2(err) {
       return status >= 500 || status === 429;
     }
   }
+  if (err instanceof Error) {
+    const msg = err.message.toLowerCase();
+    if (msg.includes("fetch failed") || msg.includes("econnreset") || msg.includes("etimedout") || msg.includes("enotfound") || msg.includes("econnrefused") || msg.includes("network error")) {
+      return true;
+    }
+  }
   return true;
 }
 async function withRetry2(fn, options = {}) {
@@ -11465,7 +11531,11 @@ function extractCitedDomainsFromSources2(groundingSources) {
 function extractDomainFromUri2(uri) {
   try {
     const url = new URL(uri);
-    return url.hostname.replace(/^www\./, "").toLowerCase();
+    const hostname = url.hostname.replace(/^www\./, "").toLowerCase();
+    if (hostname.includes("chatgpt.com") || hostname.includes("openai.com")) {
+      return null;
+    }
+    return hostname;
   } catch {
     return null;
   }
@@ -11583,6 +11653,12 @@ function isRetryableError3(err) {
       return status >= 500 || status === 429;
     }
   }
+  if (err instanceof Error) {
+    const msg = err.message.toLowerCase();
+    if (msg.includes("fetch failed") || msg.includes("econnreset") || msg.includes("etimedout") || msg.includes("enotfound") || msg.includes("econnrefused") || msg.includes("network error")) {
+      return true;
+    }
+  }
   return true;
 }
 async function withRetry3(fn, options = {}) {
@@ -11834,7 +11910,11 @@ function extractCitedDomainsFromSources3(groundingSources) {
 function extractDomainFromUri3(uri) {
   try {
     const url = new URL(uri);
-    return url.hostname.replace(/^www\./, "").toLowerCase();
+    const hostname = url.hostname.replace(/^www\./, "").toLowerCase();
+    if (hostname.includes("chatgpt.com") || hostname.includes("openai.com")) {
+      return null;
+    }
+    return hostname;
   } catch {
     return null;
   }
@@ -11950,6 +12030,12 @@ function isRetryableError4(err) {
       return status >= 500 || status === 429;
     }
   }
+  if (err instanceof Error) {
+    const msg = err.message.toLowerCase();
+    if (msg.includes("fetch failed") || msg.includes("econnreset") || msg.includes("etimedout") || msg.includes("enotfound") || msg.includes("econnrefused") || msg.includes("network error")) {
+      return true;
+    }
+  }
   return true;
 }
 async function withRetry4(fn, options = {}) {
@@ -12054,11 +12140,15 @@ async function executeTrackedQuery4(input) {
 function normalizeResult4(raw) {
   const answerText = extractAnswerText2(raw.rawResponse);
   const citedDomains = extractDomainMentions(answerText);
+  const groundingSources = citedDomains.map((domain) => ({
+    uri: `http://${domain}`,
+    title: domain
+  }));
   return {
     provider: "local",
     answerText,
     citedDomains,
-    groundingSources: raw.groundingSources,
+    groundingSources,
     searchQueries: raw.searchQueries
   };
 }
@@ -12764,6 +12854,12 @@ function isRetryableError5(err) {
       return status >= 500 || status === 429;
     }
   }
+  if (err instanceof Error) {
+    const msg = err.message.toLowerCase();
+    if (msg.includes("fetch failed") || msg.includes("econnreset") || msg.includes("etimedout") || msg.includes("enotfound") || msg.includes("econnrefused") || msg.includes("network error")) {
+      return true;
+    }
+  }
   return true;
 }
 async function withRetry5(fn, options = {}) {
@@ -12981,7 +13077,11 @@ function extractCitedDomains2(groundingSources) {
 function extractDomainFromUri4(uri) {
   try {
     const url = new URL(uri);
-    return url.hostname.replace(/^www\./, "").toLowerCase();
+    const hostname = url.hostname.replace(/^www\./, "").toLowerCase();
+    if (hostname.includes("chatgpt.com") || hostname.includes("openai.com")) {
+      return null;
+    }
+    return hostname;
   } catch {
     return null;
   }
@@ -13607,7 +13707,7 @@ var JobRunner = class {
               normalized.answerText,
               allDomains,
               normalized.citedDomains,
-              overlap
+              competitorDomains
             );
             let screenshotRelPath = null;
             if (raw.screenshotPath && fs4.existsSync(raw.screenshotPath)) {
@@ -15481,7 +15581,8 @@ function isProcessAlive(pid) {
   try {
     process.kill(pid, 0);
     return true;
-  } catch {
+  } catch (err) {
+    if (err.code === "EPERM") return true;
     return false;
   }
 }
@@ -15509,6 +15610,9 @@ import os5 from "os";
 import path7 from "path";
 import { fileURLToPath } from "url";
 var CACHE_TTL_MS = 5 * 60 * 1e3;
+var OPENCLAW_VERSION = "2026.4.14";
+var OPENCLAW_PACKAGE_SPEC = `openclaw@${OPENCLAW_VERSION}`;
+var MIN_NODE_VERSION = "22.14.0";
 var cachedResult = null;
 var cachedAt = 0;
 function getAeroStateDir(profile = "aero") {
@@ -15572,8 +15676,15 @@ function findInPath() {
   }
 }
 async function installOpenClaw(opts) {
+  const unsupportedNodeError = getUnsupportedNodeError(opts?.nodeVersion);
+  if (unsupportedNodeError) {
+    return {
+      success: false,
+      error: unsupportedNodeError
+    };
+  }
   try {
-    execSync("npm install -g openclaw", {
+    execSync(`npm install -g ${OPENCLAW_PACKAGE_SPEC}`, {
       timeout: 12e4,
       stdio: opts?.silent ? "pipe" : "inherit"
     });
@@ -15588,11 +15699,57 @@ async function installOpenClaw(opts) {
   if (!detection.found) {
     return {
       success: false,
-      error: "npm install succeeded but openclaw binary was not found in PATH"
+      error: `npm install succeeded but the ${OPENCLAW_PACKAGE_SPEC} binary was not found in PATH`
     };
   }
+  if (detection.version) {
+    const expectedVersion = parseVersionTuple(OPENCLAW_VERSION);
+    const detectedVersion = parseVersionTuple(detection.version);
+    if (expectedVersion && detectedVersion && compareVersionTuples(detectedVersion, expectedVersion) !== 0) {
+      return {
+        success: false,
+        error: `Installed OpenClaw binary reports version ${detection.version}, but Canonry pinned ${OPENCLAW_VERSION}. A different openclaw binary may be shadowing the npm-installed package in PATH.`
+      };
+    }
+  }
   return { success: true, detection };
 }
+function getUnsupportedNodeError(currentNodeVersionOverride) {
+  const currentNodeVersion = normalizeVersion(currentNodeVersionOverride ?? process.versions.node);
+  const minimumTuple = parseVersionTuple(MIN_NODE_VERSION);
+  const currentTuple = parseVersionTuple(currentNodeVersion);
+  if (!minimumTuple || !currentTuple || compareVersionTuples(currentTuple, minimumTuple) >= 0) {
+    return null;
+  }
+  return `Canonry requires Node.js >=${MIN_NODE_VERSION} and installs pinned OpenClaw ${OPENCLAW_VERSION}, but the current runtime is ${currentNodeVersion}. Upgrade Node.js before running "canonry agent setup".`;
+}
+function normalizeVersion(version) {
+  const tuple = parseVersionTuple(version);
+  if (!tuple) {
+    return version.trim().replace(/^v/i, "");
+  }
+  return tuple.join(".");
+}
+function parseVersionTuple(version) {
+  const match = version.trim().replace(/^v/i, "").match(/^(\d+)(?:\.(\d+))?(?:\.(\d+))?$/);
+  if (!match) {
+    return null;
+  }
+  return [
+    Number(match[1]),
+    Number(match[2] ?? 0),
+    Number(match[3] ?? 0)
+  ];
+}
+function compareVersionTuples(left, right) {
+  for (let index = 0; index < left.length; index++) {
+    const delta = left[index] - right[index];
+    if (delta !== 0) {
+      return delta;
+    }
+  }
+  return 0;
+}
 function seedWorkspace(stateDir) {
   const workspaceDir = path7.join(stateDir, "workspace");
   fs6.mkdirSync(workspaceDir, { recursive: true });
@@ -16483,7 +16640,7 @@ async function createServer(opts) {
     await app.register(fastifyStatic.default, {
       root: assetsDir,
       prefix: basePath ?? "/",
-      wildcard: false,
+      wildcard: true,
       // Don't serve index.html automatically — we handle it with config injection
       serve: true,
       index: false

package/dist/cli.js

@@ -47,7 +47,7 @@ import {
   trackEvent,
   usageError,
   writeAgentEnv
-} from "./chunk-25QLMK4F.js";
+} from "./chunk-YPTVJRJY.js";
 import {
   apiKeys,
   competitors,
@@ -57,7 +57,7 @@ import {
   projects,
   querySnapshots,
   runs
-} from "./chunk-HO22LHTY.js";
+} from "./chunk-JTKHPNGL.js";
 
 // src/cli.ts
 import { pathToFileURL } from "url";
@@ -304,7 +304,7 @@ async function backfillAnswerVisibilityCommand(opts) {
   console.log(`  Errors:   ${providerErrors}`);
 }
 async function backfillInsightsCommand(project, opts) {
-  const { IntelligenceService } = await import("./intelligence-service-ZISLIU4S.js");
+  const { IntelligenceService } = await import("./intelligence-service-Q4WX46MJ.js");
   const config = loadConfig();
   const db = createClient(config.database);
   migrate(db);
@@ -7920,7 +7920,7 @@ async function agentDetach(opts) {
 }
 async function autoInstallOrFail(format) {
   if (format !== "json") {
-    console.log("OpenClaw not found, installing via npm...");
+    console.log("OpenClaw not found, installing pinned openclaw@2026.4.14 via npm...");
   }
   const install = await installOpenClaw({ silent: format === "json" });
   if (!install.success) {

package/dist/index.js

@@ -1,8 +1,8 @@
 import {
   createServer,
   loadConfig
-} from "./chunk-25QLMK4F.js";
-import "./chunk-HO22LHTY.js";
+} from "./chunk-YPTVJRJY.js";
+import "./chunk-JTKHPNGL.js";
 export {
   createServer,
   loadConfig

package/dist/{intelligence-service-ZISLIU4S.js → intelligence-service-Q4WX46MJ.js}

@@ -1,6 +1,6 @@
 import {
   IntelligenceService
-} from "./chunk-HO22LHTY.js";
+} from "./chunk-JTKHPNGL.js";
 export {
   IntelligenceService
 };

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@ainyc/canonry",
-  "version": "1.48.0",
+  "version": "1.48.2",
   "type": "module",
   "description": "The ultimate open-source AEO monitoring tool - track how answer engines cite your domain",
   "license": "FSL-1.1-ALv2",
@@ -31,7 +31,7 @@
     "README.md"
   ],
   "engines": {
-    "node": ">=20"
+    "node": ">=22.14.0"
   },
   "dependencies": {
     "@ainyc/aeo-audit": "1.3.2",
@@ -54,20 +54,20 @@
     "@types/node-cron": "^3.0.11",
     "tsup": "^8.5.1",
     "tsx": "^4.19.0",
-    "@ainyc/canonry-config": "0.0.0",
-    "@ainyc/canonry-contracts": "0.0.0",
     "@ainyc/canonry-api-routes": "0.0.0",
+    "@ainyc/canonry-contracts": "0.0.0",
+    "@ainyc/canonry-config": "0.0.0",
     "@ainyc/canonry-db": "0.0.0",
+    "@ainyc/canonry-intelligence": "0.0.0",
     "@ainyc/canonry-integration-bing": "0.0.0",
+    "@ainyc/canonry-integration-wordpress": "0.0.0",
     "@ainyc/canonry-integration-google": "0.0.0",
-    "@ainyc/canonry-intelligence": "0.0.0",
     "@ainyc/canonry-provider-cdp": "0.0.0",
-    "@ainyc/canonry-integration-wordpress": "0.0.0",
     "@ainyc/canonry-provider-claude": "0.0.0",
     "@ainyc/canonry-provider-gemini": "0.0.0",
+    "@ainyc/canonry-provider-local": "0.0.0",
     "@ainyc/canonry-provider-openai": "0.0.0",
-    "@ainyc/canonry-provider-perplexity": "0.0.0",
-    "@ainyc/canonry-provider-local": "0.0.0"
+    "@ainyc/canonry-provider-perplexity": "0.0.0"
   },
   "scripts": {
     "build": "tsx scripts/copy-agent-assets.ts && tsup && tsx build-web.ts",