@ainyc/canonry 1.48.0 → 1.48.4

package/README.md

@@ -1,8 +1,8 @@
 # Canonry <img src="apps/web/public/favicon-32.png" alt="Canonry canary icon" width="24" />
 
-[![npm version](https://img.shields.io/npm/v/@ainyc/canonry)](https://www.npmjs.com/package/@ainyc/canonry) [![License: FSL-1.1-ALv2](https://img.shields.io/badge/License-FSL--1.1--ALv2-blue.svg)](https://fsl.software/) [![Node.js >= 20](https://img.shields.io/badge/node-%3E%3D20-brightgreen)](https://nodejs.org)
+[![npm version](https://img.shields.io/npm/v/@ainyc/canonry)](https://www.npmjs.com/package/@ainyc/canonry) [![License: FSL-1.1-ALv2](https://img.shields.io/badge/License-FSL--1.1--ALv2-blue.svg)](https://fsl.software/) [![Node.js >= 22.14](https://img.shields.io/badge/node-%3E%3D22.14-brightgreen)](https://nodejs.org)
 
-Canonry is an agent-first AEO platform powered by [OpenClaw](https://openclaw.ai). It tracks how ChatGPT, Gemini, Claude, and Perplexity cite your site, detects regressions, diagnoses causes, coordinates fixes, and reports results.
+Canonry is an agent-first AEO platform — CLI- and API-native, with a bundled AI agent. It tracks how ChatGPT, Gemini, Claude, and Perplexity cite your site, detects regressions, diagnoses causes, coordinates fixes, and reports results.
 
 AEO (Answer Engine Optimization) is about making sure your content shows up accurately in AI-generated answers. As search shifts from links to synthesized responses, you need something that can monitor, analyze, and act across these engines continuously.
 
@@ -15,7 +15,7 @@ npm install -g @ainyc/canonry
 canonry agent setup
 ```
 
-One command. It installs [OpenClaw](https://openclaw.ai), configures the agent's LLM, sets up monitoring providers, and seeds the workspace. Interactive prompts guide you through everything, or pass flags for fully automated setup:
+One command. It installs the agent runtime, configures the agent's LLM, sets up monitoring providers, and seeds the workspace. Interactive prompts guide you through everything, or pass flags for fully automated setup:
 
 ```bash
 canonry agent setup --gemini-key <key> --agent-key <key> --format json
@@ -42,7 +42,7 @@ canonry serve
 
 ## What the Agent Does
 
-The Canonry agent ("Aero") is an [OpenClaw](https://openclaw.ai)-powered operator:
+The Canonry agent ("Aero") is an autonomous operator:
 
 - **Monitors** visibility sweeps across providers on schedule, tracking citation changes over time
 - **Analyzes** regressions, emerging opportunities, and correlates visibility shifts with site changes
@@ -53,7 +53,7 @@ Every action the agent takes goes through the same CLI and API available to ever
 
 ## Features
 
-- **Agent-operated.** The OpenClaw agent monitors, analyzes, and acts autonomously. Humans supervise via the dashboard.
+- **Agent-operated.** The bundled agent monitors, analyzes, and acts autonomously. Humans supervise via the dashboard.
 - **Multi-provider.** Query Gemini, OpenAI, Claude, Perplexity, and local LLMs from a single platform.
 - **Config-as-code.** Kubernetes-style YAML files. Version control your monitoring, let agents apply changes declaratively.
 - **Self-hosted.** Runs locally with SQLite. No cloud account required.
@@ -148,9 +148,9 @@ Integration setup guides: [Google Search Console](docs/google-search-console-set
 
 ## Skills
 
-The agent learns how to operate canonry through bundled [OpenClaw skills](https://clawhub.dev) that cover CLI commands, provider setup, analysis workflows, and troubleshooting. Skills are seeded into the agent workspace during `canonry agent setup`.
+The agent learns how to operate canonry through bundled skills that cover CLI commands, provider setup, analysis workflows, and troubleshooting. Skills are seeded into the agent workspace during `canonry agent setup`.
 
-**Claude Code** also picks up the skill automatically from `.claude/skills/canonry-setup/` when you open this repo. **ClawHub** hosts the same skill at [clawhub.dev](https://clawhub.dev) for any MCP-equipped agent.
+**Claude Code** also picks up the skill automatically from `.claude/skills/canonry-setup/` when you open this repo.
 
 ## Deployment
 
@@ -177,7 +177,7 @@ Create a Web Service with runtime Docker, attach a disk at `/data`. Health check
 
 ## Requirements
 
-- Node.js >= 20
+- Node.js >= 22.14.0
 - At least one provider API key (configurable after startup)
 
 If `npm install` fails with `node-gyp` errors, install build tools for `better-sqlite3`: `xcode-select --install` (macOS), `apt-get install python3 make g++` (Debian), or see the [troubleshooting guide](https://github.com/WiseLibs/better-sqlite3/blob/master/docs/troubleshooting.md).

package/assets/agent-workspace/skills/aero/SKILL.md

@@ -40,3 +40,4 @@ You coordinate across three tools to deliver comprehensive AEO monitoring:
 - [memory-patterns.md](references/memory-patterns.md) — What to persist per client
 - [regression-playbook.md](references/regression-playbook.md) — Detection through response
 - [reporting.md](references/reporting.md) — Report generation templates
+- [wordpress-elementor-mcp.md](references/wordpress-elementor-mcp.md) — Elementor MCP tools for page management

package/assets/agent-workspace/skills/aero/references/memory-patterns.md

@@ -2,7 +2,7 @@
 
 ## Per-Client State Template
 
-Store in OpenClaw agent memory after each significant event:
+Store in agent memory after each significant event:
 
 ```
 Client: <business name>

package/assets/agent-workspace/skills/aero/references/wordpress-elementor-mcp.md

@@ -0,0 +1,218 @@
+# Elementor + WordPress MCP Development Guide
+
+## Overview
+
+This guide covers programmatic management of WordPress + Elementor sites using the Elementor MCP plugin. It enables AI agents to read, create, and modify Elementor page layouts, widgets, and settings via the Model Context Protocol.
+
+## Prerequisites
+
+### WordPress Side
+- WordPress >= 6.8
+- Elementor >= 3.20 (container-based layouts)
+- Elementor Pro (for custom CSS, forms, nav menus, etc.)
+- **WordPress MCP Adapter** plugin ([GitHub](https://github.com/WordPress/mcp-adapter))
+- **Elementor MCP** plugin ([GitHub](https://github.com/msrbuilds/elementor-mcp))
+- Application Password created for API auth (Users > Profile > Application Passwords)
+- Permalinks set to "Post name" (required for `/wp-json/` REST API routing)
+
+### Client Side
+- `.mcp.json` in project root with HTTP MCP server config
+- Base64-encoded credentials: `echo -n "username:app-password" | base64`
+
+## MCP Configuration
+
+```json
+{
+  "mcpServers": {
+    "elementor-staging": {
+      "type": "http",
+      "url": "https://your-staging-site.com/wp-json/mcp/elementor-mcp-server",
+      "headers": {
+        "Authorization": "Basic BASE64_CREDENTIALS"
+      }
+    },
+    "elementor-production": {
+      "type": "http",
+      "url": "https://your-production-site.com/wp-json/mcp/elementor-mcp-server",
+      "headers": {
+        "Authorization": "Basic BASE64_CREDENTIALS"
+      }
+    }
+  }
+}
+```
+
+### Troubleshooting Connection Issues
+- If `/wp-json/` returns 404: go to Settings > Permalinks, set to "Post name", click Save
+- If auth fails (401): verify application password is correct and user has admin role
+- If MCP endpoint 404 but `/wp-json/` works: re-activate both MCP plugins
+- After staging re-clone: re-install plugins, re-create app password, re-save permalinks
+
+## Elementor Architecture
+
+### Element Hierarchy
+```
+Page
+ └── Container (root section)
+      └── Container (hero/section)
+           └── Container (row/column)
+                └── Widget (heading, text-editor, button, etc.)
+```
+
+### Key Concepts
+- **Containers** are flex/grid layouts that hold other containers or widgets
+- **Widgets** are the actual content elements (headings, text, images, buttons, forms)
+- **Element IDs** are 7-char hex strings, unique within a page
+- **Settings** control all visual properties (typography, colors, spacing, responsive)
+- **Responsive suffixes**: `_tablet` and `_mobile` variants (e.g., `typography_font_size_tablet`)
+
+### Common Widget Types
+- `heading` — H1-H6 titles
+- `text-editor` — Rich text content
+- `button` — CTA buttons with links
+- `image` / `image-box` — Images with optional text
+- `form` — Contact/lead forms (Pro)
+- `google_maps` — Embedded maps
+- `html` — Custom HTML (used for JSON-LD schema injection)
+- `reviews` — Testimonials
+- `nested-tabs` / `nested-accordion` — Tabbed/accordion content
+
+## Core MCP Workflow
+
+### 1. Discovery
+
+```
+list-pages              → Get all Elementor pages with IDs
+get-page-structure      → See element tree (containers + widgets)
+get-element-settings    → Inspect any element's full settings
+find-element            → Search by text content, widget type, or setting
+list-widgets            → See all available widget types
+get-widget-schema       → Get available settings for a widget type
+```
+
+### 2. Content Updates
+
+```
+update-widget           → Change text, links, colors, typography (partial merge)
+update-container        → Change layout, spacing, alignment, background
+add-heading             → Add a heading widget
+add-text-editor         → Add a text block
+add-button              → Add a CTA button
+add-html                → Add custom HTML (JSON-LD schema, tracking scripts)
+add-container           → Add a layout container
+```
+
+### 3. Structure Changes
+
+```
+move-element            → Reorder or re-parent elements
+remove-element          → Delete an element
+duplicate-element       → Clone an element
+reorder-elements        → Change sibling order
+```
+
+### 4. Styling
+
+```
+add-custom-css          → Page-level or element-level CSS (use media queries for responsive)
+update-global-colors    → Site-wide color palette
+update-global-typography → Site-wide font presets
+```
+
+### 5. Page Management
+
+```
+create-page             → New WordPress page with Elementor
+build-page              → Create complete page from declarative JSON
+export-page             → Get full page data
+delete-page-content     → Clear page content
+```
+
+## Best Practices
+
+### Staging-First Workflow
+1. Make all changes on staging via MCP
+2. Verify visually across viewports (use Chrome browser tools)
+3. Get human approval
+4. Replay changes on production via MCP
+5. Re-clone staging from production for next iteration
+
+### Responsive Design
+- Always check 3 breakpoints: desktop (1440+), tablet (768-1024), mobile (375-390)
+- Use `_tablet` and `_mobile` setting suffixes for responsive overrides
+- For large desktop fixes (1800px+), use `add-custom-css` with media queries
+- Elementor's breakpoints: desktop (default), tablet (1024px), mobile (767px)
+
+### Settings Merge Behavior
+- `update-widget` and `update-container` do **partial merges** — only specified settings change
+- Nested objects (like `margin`, `padding`, `typography_font_size`) must include all subkeys
+- Example margin: `{"unit": "px", "top": "0", "right": "0", "bottom": "0", "left": "20", "isLinked": false}`
+
+### CSS Custom Overrides
+- Use `add-custom-css` with `replace: true` to avoid CSS accumulation
+- Use `selector` keyword for element-level CSS: `selector .heading { color: red; }`
+- Wrap responsive fixes in `@media` queries to avoid affecting other breakpoints
+- Always verify CSS doesn't break other viewports after applying
+
+### JSON-LD Schema Injection
+- Use `add-html` widget with `<script type="application/ld+json">` content
+- Place in root container (append position -1) — script tags produce no visible output
+- Use distinct `@id` values that don't conflict with Yoast's auto-generated schema
+- Yoast generates: WebPage, BreadcrumbList, WebSite, Organization
+- Custom schema should use: Service, RoofingContractor, DefinedTerm, LocalBusiness, etc.
+
+### Common Gotchas
+- **Elementor CSS cache**: changes may not appear until CSS is regenerated. Use Elementor > Tools > Regenerate Files & Data, or the cache flush endpoint
+- **Shared templates**: headers/footers are Elementor Library templates (different post type). Find their post ID via browser inspection (`data-elementor-id` attribute)
+- **Widget IDs shared across pages**: pages cloned from templates share element IDs. Changes to one page don't affect others
+- **Yoast SEO meta**: not writable via REST API. Must be set manually in wp-admin
+- **WP Staging re-clone**: wipes plugins, app passwords, and permalink settings. Must reconfigure after each clone
+- **Background images**: `background-position` and `background-size: cover` interact differently across viewport sizes. Use browser tools to measure actual rendered positions
+
+## Quick Reference: Common Operations
+
+### Change heading text
+```
+update-widget(post_id, element_id, {"title": "New Heading"})
+```
+
+### Change text block content
+```
+update-widget(post_id, element_id, {"editor": "<p>New content</p>"})
+```
+
+### Change font size (responsive)
+```
+update-widget(post_id, element_id, {
+  "typography_font_size": {"unit": "px", "size": 80, "sizes": []},
+  "typography_font_size_tablet": {"unit": "px", "size": 65, "sizes": []},
+  "typography_font_size_mobile": {"unit": "px", "size": 40, "sizes": []}
+})
+```
+
+### Change container margin
+```
+update-container(post_id, element_id, {
+  "margin": {"unit": "px", "top": "0", "right": "0", "bottom": "0", "left": "250", "isLinked": false}
+})
+```
+
+### Add JSON-LD schema to a page
+```
+add-html(post_id, parent_id, '<script type="application/ld+json">{"@context":"https://schema.org",...}</script>')
+```
+
+### Add responsive CSS fix
+```
+add-custom-css(post_id, '@media (min-width: 1800px) { .elementor-element-XXXXX { margin-top: -200px !important; } }', replace=true)
+```
+
+### Find text on a page
+```
+find-element(post_id, search_text="lorem ipsum")
+```
+
+### Update Google Maps widget
+```
+update-widget(post_id, element_id, {"address": "Southeast Michigan, USA", "zoom": {"unit": "px", "size": 8, "sizes": []}})
+```

package/assets/agent-workspace/skills/canonry-setup/SKILL.md

@@ -1,9 +1,9 @@
 ---
 name: canonry
-description: "AEO (Answer Engine Optimization) monitoring and analysis using canonry CLI and aeo-audit tool. Use when: (1) running citation sweeps across AI providers (Gemini, ChatGPT, Claude, Perplexity); (2) auditing technical SEO with structured data validation; (3) implementing schema markup, sitemaps, llms.txt; (4) diagnosing indexing issues via Google Search Console and Bing Webmaster Tools; (5) optimizing content for AI readability and entity consistency. NOT for: general web development, content writing, PPC campaigns, or social media management."
+description: "Agent-first AEO monitoring and operating platform."
 metadata:
   {
-    "openclaw":
+    "agent":
       {
         "emoji": "📡",
         "requires": { "bins": ["canonry"] },
@@ -32,38 +32,25 @@ metadata:
 
 # Canonry
 
-Monitor and optimize site visibility across AI answer engines (Gemini, ChatGPT, Claude, Perplexity) and traditional search engines using the `canonry` CLI for AEO monitoring and `aeo-audit` for technical SEO analysis.
+Open-source AEO (Answer Engine Optimization) monitoring platform. Track how AI answer engines cite your domain across Gemini, ChatGPT, Claude, and Perplexity.
 
-## When to Use
+**Website:** [ainyc.ai](https://ainyc.ai) | **Docs:** [github.com/AINYC/canonry](https://github.com/AINYC/canonry)
 
-✅ **USE this skill when:**
+## When to Use
 
-- Tracking which keyphrases earn citations (or lose them) across AI providers
-- Running technical SEO audits with 14‑factor scoring
-- Implementing structured data (JSON‑LD: LocalBusiness, FAQPage, Service)
-- Diagnosing indexing gaps in Google Search Console / Bing Webmaster Tools
-- Optimizing `llms.txt`, `llms‑full.txt`, sitemaps, robots.txt for AI crawlers
-- Patching missing H1 tags, meta descriptions, image alt text
+- Tracking keyphrase citations across AI providers
+- Running technical SEO audits (14‑factor scoring)
+- Implementing structured data (JSON‑LD)
+- Diagnosing indexing gaps via Google Search Console / Bing Webmaster Tools
+- Optimizing `llms.txt`, sitemaps, robots.txt for AI crawlers
 - Submitting URLs to Google Indexing API and Bing IndexNow
-- Analyzing competitor citation patterns in AI answers
-
-## When NOT to Use
-
-❌ **DON'T use this skill when:**
-
-- General WordPress development (use `wordpress` skill if available)
-- Content writing or copy creation (human‑led task)
-- Paid search/SEM campaigns (different specialty)
-- Social media management or outreach
-- Local business listing management (e.g., GBP, Yelp)
-- Backlink building or outreach campaigns
+- Analyzing competitor citation patterns
 
 ## Core Philosophy
 
-- **AI models are black boxes** — Measure citation outcomes, not assume causality
-- **Position, then wait** — Site changes take weeks/months to reflect in AI indexes; canonry tells us *when* it happens, not *if*
-- **Signal‑over‑noise** — Trim keyphrase lists to high‑intent queries; avoid granular targeting until base visibility exists
-- **CLI‑native, UI‑optional** — Prefer API‑driven changes over manual CMS clicks; faster, repeatable, auditable
+- **Measure outcomes** — AI models are black boxes; track citations, don't assume causality
+- **Signal over noise** — Focus on high‑intent queries; avoid granular targeting until base visibility exists
+- **CLI‑native** — API‑driven changes over manual CMS clicks; faster, repeatable, auditable
 
 ## Toolchain
 
@@ -221,54 +208,7 @@ cat audit.json | jq -r '.factors[] | select(.score < 70) | "- \(.name): \(.score
 - **Client data stays private** — canonry repo is public; no real domains in issues
 - **Respect API rate limits** — batch operations, avoid tight loops
 
-## Output Templates
-
-### Audit Summary
-```
-## AEO/SEO Audit — https://client.com
-
-**Overall:** 66/100 (D)
-
-**Top strengths (A/A+):**
-- AI‑Readable Content (100) — llms.txt, llms‑full.txt present
-- FAQ Content (100) — FAQPage schema detected
-- AI Crawler Access (100) — robots.txt allows all bots
-
-**Critical gaps (F):**
-- Definition Blocks (0) — no "What is…" sections
-- E‑E‑A‑T Signals (45) — missing Person schema, author tags
-- Citations & Authority (44) — no external references to industry sources
-
-**Immediate actions:**
-1. Add H1 tag to homepage (Technical SEO: 60/100)
-2. Create "What is polyurea?" section on /services/ (Definition Blocks: 0/100)
-3. Submit all 5 URLs to Bing IndexNow (indexing: 2/5)
-```
-
-### Citation Report
-```
-## canonry sweep — client-project
-
-**Run:** 2026‑04‑03T13:44Z (ID: 4a45ebfc...)
-
-**Keyphrase visibility (12 tracked):**
-✅ polyurea roof coating — 3/3 providers
-✅ commercial roof coating — 2/3 providers  
-❌ polyurea roof coating Michigan — 0/3 (geo gap)
-❌ commercial roofing contractor Michigan — 0/3 (geo gap)
-
-**Changes since last sweep (2026‑03‑27):**
-- Lost `flat roof coating Michigan` on Gemini (−1)
-- Gained `industrial roof coating` on Claude (+1)
-- No change on ChatGPT (stable)
-
-**Next steps:**
-- Build Michigan location page (/michigan/)
-- Add county‑level references to llms.txt
-- Re‑sweep in 7 days
-```
-
 ---
 
 **Tools:** canonry v1.37+, @ainyc/aeo‑audit v1.3+  
-**Reference:** [AINYC AEO Methodology](https://ainyc.ai/aeo-methodology)
+**Website:** [ainyc.ai](https://ainyc.ai) | **Reference:** [AINYC AEO Methodology](https://ainyc.ai/aeo-methodology)

package/assets/agent-workspace/skills/canonry-setup/references/canonry-cli.md

@@ -296,10 +296,10 @@ canonry export <project> --include-results > project.yaml
 canonry sitemap inspect <project>
 ```
 
-## Agent (OpenClaw Integration)
+## Agent
 
 `canonry agent setup` is the single entry point for configuring the agent. It handles everything:
-canonry initialization, OpenClaw installation, profile setup, LLM credential configuration,
+canonry initialization, agent runtime installation, profile setup, LLM credential configuration,
 and workspace seeding. If canonry is not yet configured, it runs the interactive init flow first
 (prompting for monitoring provider keys and agent LLM credentials).
 
@@ -313,7 +313,7 @@ canonry agent setup --agent-provider openrouter --agent-key <key> --agent-model
 GEMINI_API_KEY=<key> canonry agent setup --agent-key <key> --format json
 
 # Lifecycle
-canonry agent start                              # start OpenClaw gateway as background process
+canonry agent start                              # start agent gateway as background process
 canonry agent stop                               # stop the gateway process
 canonry agent status                             # check if gateway is running
 canonry agent status --format json               # JSON output
@@ -336,9 +336,9 @@ canonry agent detach <project>                   # remove agent webhook from pro
 canonry agent detach <project> --format json     # JSON output
 ```
 
-**Setup flow:** init canonry (if needed) → install OpenClaw (if needed) → configure profile → configure gateway → set agent LLM credentials → seed workspace with skills.
+**Setup flow:** init canonry (if needed) → install agent runtime (if needed) → configure profile → configure gateway → set agent LLM credentials → seed workspace with skills.
 
-**Agent LLM credentials** are stored in `~/.openclaw-aero/.env` (e.g. `ANTHROPIC_API_KEY=...`) and loaded into the gateway process at start time. The model is set via `openclaw models set`.
+**Agent LLM credentials** are stored in the agent env file (e.g. `ANTHROPIC_API_KEY=...`) and loaded into the gateway process at start time. The model is set via the agent CLI.
 
 **Re-running is safe:** setup is idempotent — it skips steps that are already configured.
 

package/assets/agent-workspace/skills/canonry-setup/references/wordpress-integration.md

@@ -55,3 +55,7 @@ canonry wordpress staging push mysite
 - If SEO meta is not writable through REST, canonry returns an actionable error instead of guessing
 - Duplicate slug matches are returned as explicit ambiguity errors with candidate page IDs/titles
 - Authentication is verified on connect by calling `/wp/v2/users/me` — if that fails, canonry returns an actionable error message
+
+## Related: Elementor MCP
+
+For programmatic management of Elementor page layouts, widgets, and styling via MCP tools, see the aero skill reference: [`skills/aero/references/wordpress-elementor-mcp.md`](../../aero/references/wordpress-elementor-mcp.md).

package/dist/{chunk-25QLMK4F.js → chunk-IPOVH342.js}

@@ -6,6 +6,8 @@ import {
   bingUrlInspections,
   competitors,
   createLogger,
+  dropLegacyCredentialColumns,
+  extractLegacyCredentials,
   gaAiReferrals,
   gaSocialReferrals,
   gaTrafficSnapshots,
@@ -23,7 +25,7 @@ import {
   runs,
   schedules,
   usageCounters
-} from "./chunk-HO22LHTY.js";
+} from "./chunk-ZZ57GRV6.js";
 
 // src/config.ts
 import fs from "fs";
@@ -338,7 +340,7 @@ import crypto23 from "crypto";
 import fs7 from "fs";
 import path8 from "path";
 import { fileURLToPath as fileURLToPath2 } from "url";
-import { eq as eq24, sql as sql6 } from "drizzle-orm";
+import { eq as eq24 } from "drizzle-orm";
 import Fastify from "fastify";
 
 // ../contracts/src/config-schema.ts
@@ -6071,9 +6073,11 @@ var GSC_MAX_PAGES = 40;
 
 // ../integration-google/src/types.ts
 var GoogleAuthError = class extends Error {
-  constructor(message) {
+  statusCode;
+  constructor(message, statusCode) {
     super(message);
     this.name = "GoogleAuthError";
+    this.statusCode = statusCode;
   }
 };
 var GoogleApiError = class extends Error {
@@ -6164,13 +6168,19 @@ async function exchangeCode(clientId, clientSecret, code, redirectUri) {
     }),
     signal: AbortSignal.timeout(GOOGLE_REQUEST_TIMEOUT_MS)
   });
+  if (res.status === 429) {
+    throw new GoogleAuthError("Google OAuth rate limit exceeded", 429);
+  }
   if (!res.ok) {
     const body = await res.text();
     let detail = "";
     try {
       const parsed = JSON.parse(body);
       if (parsed.error) detail = parsed.error;
-      if (parsed.error_description) detail += detail ? `: ${parsed.error_description}` : parsed.error_description;
+      if (parsed.error_description) {
+        const sanitized = parsed.error_description.replace(new RegExp(escapeRegExp2(clientId), "g"), "***").replace(new RegExp(escapeRegExp2(clientSecret), "g"), "***").replace(new RegExp(escapeRegExp2(code), "g"), "***");
+        detail += detail ? `: ${sanitized}` : sanitized;
+      }
     } catch {
       detail = body.length <= 120 ? body : `${body.slice(0, 120)}...`;
     }
@@ -6178,6 +6188,9 @@ async function exchangeCode(clientId, clientSecret, code, redirectUri) {
   }
   return await res.json();
 }
+function escapeRegExp2(str) {
+  return str.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
+}
 async function refreshAccessToken(clientId, clientSecret, currentRefreshToken) {
   validateClientId(clientId);
   validateClientSecret(clientSecret);
@@ -6193,13 +6206,19 @@ async function refreshAccessToken(clientId, clientSecret, currentRefreshToken) {
     }),
     signal: AbortSignal.timeout(GOOGLE_REQUEST_TIMEOUT_MS)
   });
+  if (res.status === 429) {
+    throw new GoogleAuthError("Google OAuth rate limit exceeded", 429);
+  }
   if (!res.ok) {
     const body = await res.text();
     let detail = "";
     try {
       const parsed = JSON.parse(body);
       if (parsed.error) detail = parsed.error;
-      if (parsed.error_description) detail += detail ? `: ${parsed.error_description}` : parsed.error_description;
+      if (parsed.error_description) {
+        const sanitized = parsed.error_description.replace(new RegExp(escapeRegExp2(clientId), "g"), "***").replace(new RegExp(escapeRegExp2(clientSecret), "g"), "***").replace(new RegExp(escapeRegExp2(currentRefreshToken), "g"), "***");
+        detail += detail ? `: ${sanitized}` : sanitized;
+      }
     } catch {
       detail = body.length <= 120 ? body : `${body.slice(0, 120)}...`;
     }
@@ -6271,6 +6290,20 @@ function gscClientLog(level, action, ctx) {
     ...ctx
   };
   if (entry.accessToken) entry.accessToken = "***";
+  if (typeof entry.siteUrl === "string") {
+    try {
+      const url = new URL(entry.siteUrl);
+      if (url.search) {
+        url.searchParams.forEach((_, key) => {
+          if (key.toLowerCase().includes("token") || key.toLowerCase().includes("key") || key.toLowerCase().includes("auth")) {
+            url.searchParams.set(key, "***");
+          }
+        });
+        entry.siteUrl = url.toString();
+      }
+    } catch {
+    }
+  }
   const stream = level === "error" ? process.stderr : process.stdout;
   stream.write(JSON.stringify(entry) + "\n");
 }
@@ -6497,11 +6530,15 @@ async function getAccessToken(clientEmail, privateKey) {
     const body = await res.text().catch(() => "");
     ga4Log("error", "token.failed", { httpStatus: res.status });
     const detail = body.length <= 200 ? body : `${body.slice(0, 200)}... [truncated]`;
-    throw new GA4ApiError(`Failed to get access token: ${detail}`, res.status);
+    const sanitizedDetail = detail.replace(new RegExp(escapeRegExp3(clientEmail), "g"), "***").replace(new RegExp(escapeRegExp3(privateKey.slice(0, 32)), "g"), "***");
+    throw new GA4ApiError(`Failed to get access token: ${sanitizedDetail}`, res.status);
   }
   const data = await res.json();
   return data.access_token;
 }
+function escapeRegExp3(str) {
+  return str.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
+}
 async function runReport(accessToken, propertyId, request) {
   const url = `${GA4_DATA_API_BASE}/properties/${propertyId}:runReport`;
   const res = await fetch(url, {
@@ -6619,6 +6656,7 @@ async function fetchTrafficByLandingPage(accessToken, propertyId, days) {
       offset
     };
     const response = await runReport(accessToken, propertyId, request);
+    if (!response) break;
     const pageRows = (response.rows ?? []).map((row) => ({
       date: row.dimensionValues[0].value,
       landingPage: row.dimensionValues[1].value,
@@ -6651,6 +6689,7 @@ async function fetchTrafficByLandingPage(accessToken, propertyId, days) {
       offset: organicOffset
     };
     const organicResponse = await runReport(accessToken, propertyId, organicRequest);
+    if (!organicResponse) break;
     for (const row of organicResponse.rows ?? []) {
       const key = `${row.dimensionValues[0].value}::${row.dimensionValues[1].value}`;
       organicMap.set(key, parseInt(row.metricValues[0].value, 10) || 0);
@@ -6778,6 +6817,7 @@ async function fetchAiReferrals(accessToken, propertyId, days) {
         offset
       };
       const response = await runReport(accessToken, propertyId, request);
+      if (!response) break;
       const pageRows = (response.rows ?? []).map((row) => ({
         date: row.dimensionValues[0].value,
         source: row.dimensionValues[1].value,
@@ -6854,6 +6894,7 @@ async function fetchSocialReferrals(accessToken, propertyId, days) {
       offset
     };
     const response = await runReport(accessToken, propertyId, request);
+    if (!response) break;
     const pageRows = (response.rows ?? []).map((row) => ({
       date: row.dimensionValues[0].value,
       source: row.dimensionValues[1].value,
@@ -7663,6 +7704,9 @@ function bingClientLog(level, action, ctx) {
   const stream = level === "error" ? process.stderr : process.stdout;
   stream.write(JSON.stringify(entry) + "\n");
 }
+function escapeRegExp4(str) {
+  return str.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
+}
 async function bingFetch(apiKey, endpoint, opts) {
   const method = opts?.method ?? "GET";
   const separator = endpoint.includes("?") ? "&" : "?";
@@ -7687,7 +7731,8 @@ async function bingFetch(apiKey, endpoint, opts) {
   if (!res.ok) {
     const body = await res.text();
     bingClientLog("error", "http.error", { endpoint, method, httpStatus: res.status });
-    const detail = body.length <= 500 ? body : `${body.slice(0, 500)}... [truncated]`;
+    let detail = body.length <= 500 ? body : `${body.slice(0, 500)}... [truncated]`;
+    detail = detail.replace(new RegExp(escapeRegExp4(apiKey), "g"), "***");
     throw new BingApiError(`Bing API error (${res.status}): ${detail}`, res.status);
   }
   const text = await res.text();
@@ -8183,7 +8228,7 @@ async function bingRoutes(app, opts) {
       query: s.Query,
       impressions: s.Impressions,
       clicks: s.Clicks,
-      ctr: Number.isFinite(s.Ctr) ? s.Ctr : 0,
+      ctr: s.Impressions > 0 ? s.Clicks / s.Impressions : 0,
       averagePosition: s.AverageClickPosition ?? s.AverageImpressionPosition ?? 0
     }));
   });
@@ -9221,6 +9266,8 @@ function buildAuthErrorMessage(res, responseText) {
   return "WordPress credentials are invalid or lack permission for this action";
 }
 async function fetchJson(connection, siteUrl, path9, init) {
+  if (siteUrl.startsWith("http:")) {
+  }
   const res = await fetch(`${normalizeSiteUrl(siteUrl)}${path9}`, {
     ...init,
     headers: {
@@ -9235,6 +9282,9 @@ async function fetchJson(connection, siteUrl, path9, init) {
     const errorMessage = buildAuthErrorMessage(res, text);
     throw new WordpressApiError("AUTH_INVALID", errorMessage, res.status);
   }
+  if (res.status === 429) {
+    throw new WordpressApiError("UPSTREAM_ERROR", "WordPress API rate limit exceeded", 429);
+  }
   if (res.status === 404) {
     throw new WordpressApiError("NOT_FOUND", "WordPress endpoint not found", 404);
   }
@@ -9733,12 +9783,12 @@ var CANONRY_SCHEMA_START = "<!-- canonry:schema:start -->";
 var CANONRY_SCHEMA_END = "<!-- canonry:schema:end -->";
 function stripCanonrySchema(content) {
   const regex = new RegExp(
-    `${escapeRegExp2(CANONRY_SCHEMA_START)}[\\s\\S]*?${escapeRegExp2(CANONRY_SCHEMA_END)}`,
+    `${escapeRegExp5(CANONRY_SCHEMA_START)}[\\s\\S]*?${escapeRegExp5(CANONRY_SCHEMA_END)}`,
     "g"
   );
   return content.replace(regex, "").replace(/\n{3,}/g, "\n\n").trim();
 }
-function escapeRegExp2(str) {
+function escapeRegExp5(str) {
   return str.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
 }
 function injectCanonrySchema(content, schemas) {
@@ -9845,7 +9895,7 @@ async function getSchemaStatus(connection, env) {
     const thirdPartySchemas = [];
     if (hasCanonryMarker) {
       const markerRegex = new RegExp(
-        `${escapeRegExp2(CANONRY_SCHEMA_START)}([\\s\\S]*?)${escapeRegExp2(CANONRY_SCHEMA_END)}`
+        `${escapeRegExp5(CANONRY_SCHEMA_START)}([\\s\\S]*?)${escapeRegExp5(CANONRY_SCHEMA_END)}`
       );
       const match = markerRegex.exec(rawContent);
       if (match?.[1]) {
@@ -10855,6 +10905,12 @@ function isRetryableError(err) {
       return status >= 500 || status === 429;
     }
   }
+  if (err instanceof Error) {
+    const msg = err.message.toLowerCase();
+    if (msg.includes("fetch failed") || msg.includes("econnreset") || msg.includes("etimedout") || msg.includes("enotfound") || msg.includes("econnrefused") || msg.includes("network error")) {
+      return true;
+    }
+  }
   return true;
 }
 async function withRetry(fn, options = {}) {
@@ -11074,7 +11130,10 @@ function extractCitedDomainsFromSources(groundingSources) {
     }
     if (source.title) {
       const titleDomain = extractDomainFromTitle(source.title);
-      if (titleDomain) domains.add(titleDomain);
+      if (titleDomain) {
+        domains.add(titleDomain);
+        continue;
+      }
     }
   }
   return [...domains];
@@ -11089,7 +11148,10 @@ function extractDomainFromTitle(title) {
 function extractDomainFromUri(uri) {
   try {
     const url = new URL(uri);
-    const hostname = url.hostname.replace(/^www\./, "");
+    const hostname = url.hostname.replace(/^www\./, "").toLowerCase();
+    if (hostname.includes("chatgpt.com") || hostname.includes("openai.com")) {
+      return null;
+    }
     if (hostname === "vertexaisearch.cloud.google.com") {
       const redirectPath = url.pathname.replace(/^\/grounding-api-redirect\//, "");
       if (redirectPath && redirectPath !== url.pathname) {
@@ -11239,6 +11301,12 @@ function isRetryableError2(err) {
       return status >= 500 || status === 429;
     }
   }
+  if (err instanceof Error) {
+    const msg = err.message.toLowerCase();
+    if (msg.includes("fetch failed") || msg.includes("econnreset") || msg.includes("etimedout") || msg.includes("enotfound") || msg.includes("econnrefused") || msg.includes("network error")) {
+      return true;
+    }
+  }
   return true;
 }
 async function withRetry2(fn, options = {}) {
@@ -11465,7 +11533,11 @@ function extractCitedDomainsFromSources2(groundingSources) {
 function extractDomainFromUri2(uri) {
   try {
     const url = new URL(uri);
-    return url.hostname.replace(/^www\./, "").toLowerCase();
+    const hostname = url.hostname.replace(/^www\./, "").toLowerCase();
+    if (hostname.includes("chatgpt.com") || hostname.includes("openai.com")) {
+      return null;
+    }
+    return hostname;
   } catch {
     return null;
   }
@@ -11583,6 +11655,12 @@ function isRetryableError3(err) {
       return status >= 500 || status === 429;
     }
   }
+  if (err instanceof Error) {
+    const msg = err.message.toLowerCase();
+    if (msg.includes("fetch failed") || msg.includes("econnreset") || msg.includes("etimedout") || msg.includes("enotfound") || msg.includes("econnrefused") || msg.includes("network error")) {
+      return true;
+    }
+  }
   return true;
 }
 async function withRetry3(fn, options = {}) {
@@ -11834,7 +11912,11 @@ function extractCitedDomainsFromSources3(groundingSources) {
 function extractDomainFromUri3(uri) {
   try {
     const url = new URL(uri);
-    return url.hostname.replace(/^www\./, "").toLowerCase();
+    const hostname = url.hostname.replace(/^www\./, "").toLowerCase();
+    if (hostname.includes("chatgpt.com") || hostname.includes("openai.com")) {
+      return null;
+    }
+    return hostname;
   } catch {
     return null;
   }
@@ -11950,6 +12032,12 @@ function isRetryableError4(err) {
       return status >= 500 || status === 429;
     }
   }
+  if (err instanceof Error) {
+    const msg = err.message.toLowerCase();
+    if (msg.includes("fetch failed") || msg.includes("econnreset") || msg.includes("etimedout") || msg.includes("enotfound") || msg.includes("econnrefused") || msg.includes("network error")) {
+      return true;
+    }
+  }
   return true;
 }
 async function withRetry4(fn, options = {}) {
@@ -12054,11 +12142,15 @@ async function executeTrackedQuery4(input) {
 function normalizeResult4(raw) {
   const answerText = extractAnswerText2(raw.rawResponse);
   const citedDomains = extractDomainMentions(answerText);
+  const groundingSources = citedDomains.map((domain) => ({
+    uri: `http://${domain}`,
+    title: domain
+  }));
   return {
     provider: "local",
     answerText,
     citedDomains,
-    groundingSources: raw.groundingSources,
+    groundingSources,
     searchQueries: raw.searchQueries
   };
 }
@@ -12764,6 +12856,12 @@ function isRetryableError5(err) {
       return status >= 500 || status === 429;
     }
   }
+  if (err instanceof Error) {
+    const msg = err.message.toLowerCase();
+    if (msg.includes("fetch failed") || msg.includes("econnreset") || msg.includes("etimedout") || msg.includes("enotfound") || msg.includes("econnrefused") || msg.includes("network error")) {
+      return true;
+    }
+  }
   return true;
 }
 async function withRetry5(fn, options = {}) {
@@ -12981,7 +13079,11 @@ function extractCitedDomains2(groundingSources) {
 function extractDomainFromUri4(uri) {
   try {
     const url = new URL(uri);
-    return url.hostname.replace(/^www\./, "").toLowerCase();
+    const hostname = url.hostname.replace(/^www\./, "").toLowerCase();
+    if (hostname.includes("chatgpt.com") || hostname.includes("openai.com")) {
+      return null;
+    }
+    return hostname;
   } catch {
     return null;
   }
@@ -13607,7 +13709,7 @@ var JobRunner = class {
               normalized.answerText,
               allDomains,
               normalized.citedDomains,
-              overlap
+              competitorDomains
             );
             let screenshotRelPath = null;
             if (raw.screenshotPath && fs4.existsSync(raw.screenshotPath)) {
@@ -15481,7 +15583,8 @@ function isProcessAlive(pid) {
   try {
     process.kill(pid, 0);
     return true;
-  } catch {
+  } catch (err) {
+    if (err.code === "EPERM") return true;
     return false;
   }
 }
@@ -15509,6 +15612,9 @@ import os5 from "os";
 import path7 from "path";
 import { fileURLToPath } from "url";
 var CACHE_TTL_MS = 5 * 60 * 1e3;
+var OPENCLAW_VERSION = "2026.4.14";
+var OPENCLAW_PACKAGE_SPEC = `openclaw@${OPENCLAW_VERSION}`;
+var MIN_NODE_VERSION = "22.14.0";
 var cachedResult = null;
 var cachedAt = 0;
 function getAeroStateDir(profile = "aero") {
@@ -15572,8 +15678,15 @@ function findInPath() {
   }
 }
 async function installOpenClaw(opts) {
+  const unsupportedNodeError = getUnsupportedNodeError(opts?.nodeVersion);
+  if (unsupportedNodeError) {
+    return {
+      success: false,
+      error: unsupportedNodeError
+    };
+  }
   try {
-    execSync("npm install -g openclaw", {
+    execSync(`npm install -g ${OPENCLAW_PACKAGE_SPEC}`, {
       timeout: 12e4,
       stdio: opts?.silent ? "pipe" : "inherit"
     });
@@ -15588,11 +15701,57 @@ async function installOpenClaw(opts) {
   if (!detection.found) {
     return {
       success: false,
-      error: "npm install succeeded but openclaw binary was not found in PATH"
+      error: `npm install succeeded but the ${OPENCLAW_PACKAGE_SPEC} binary was not found in PATH`
     };
   }
+  if (detection.version) {
+    const expectedVersion = parseVersionTuple(OPENCLAW_VERSION);
+    const detectedVersion = parseVersionTuple(detection.version);
+    if (expectedVersion && detectedVersion && compareVersionTuples(detectedVersion, expectedVersion) !== 0) {
+      return {
+        success: false,
+        error: `Installed OpenClaw binary reports version ${detection.version}, but Canonry pinned ${OPENCLAW_VERSION}. A different openclaw binary may be shadowing the npm-installed package in PATH.`
+      };
+    }
+  }
   return { success: true, detection };
 }
+function getUnsupportedNodeError(currentNodeVersionOverride) {
+  const currentNodeVersion = normalizeVersion(currentNodeVersionOverride ?? process.versions.node);
+  const minimumTuple = parseVersionTuple(MIN_NODE_VERSION);
+  const currentTuple = parseVersionTuple(currentNodeVersion);
+  if (!minimumTuple || !currentTuple || compareVersionTuples(currentTuple, minimumTuple) >= 0) {
+    return null;
+  }
+  return `Canonry requires Node.js >=${MIN_NODE_VERSION} and installs pinned OpenClaw ${OPENCLAW_VERSION}, but the current runtime is ${currentNodeVersion}. Upgrade Node.js before running "canonry agent setup".`;
+}
+function normalizeVersion(version) {
+  const tuple = parseVersionTuple(version);
+  if (!tuple) {
+    return version.trim().replace(/^v/i, "");
+  }
+  return tuple.join(".");
+}
+function parseVersionTuple(version) {
+  const match = version.trim().replace(/^v/i, "").match(/^(\d+)(?:\.(\d+))?(?:\.(\d+))?$/);
+  if (!match) {
+    return null;
+  }
+  return [
+    Number(match[1]),
+    Number(match[2] ?? 0),
+    Number(match[3] ?? 0)
+  ];
+}
+function compareVersionTuples(left, right) {
+  for (let index = 0; index < left.length; index++) {
+    const delta = left[index] - right[index];
+    if (delta !== 0) {
+      return delta;
+    }
+  }
+  return 0;
+}
 function seedWorkspace(stateDir) {
   const workspaceDir = path7.join(stateDir, "workspace");
   fs6.mkdirSync(workspaceDir, { recursive: true });
@@ -15802,68 +15961,46 @@ function serializeSessionCookie(opts) {
   }
   return parts.join("; ");
 }
-function migrateDbCredentialsToConfig(db, config) {
-  try {
-    const googleColCheck = db.all(sql6.raw(
-      `SELECT COUNT(*) as c FROM pragma_table_info('google_connections') WHERE name = 'access_token'`
-    ));
-    if (googleColCheck[0]?.c) {
-      const rows = db.all(sql6.raw(
-        `SELECT domain, connection_type, property_id, sitemap_url, access_token, refresh_token, token_expires_at, scopes, created_at, updated_at FROM google_connections WHERE refresh_token IS NOT NULL AND refresh_token != ''`
-      ));
-      let migrated = 0;
-      for (const row of rows) {
-        const connType = row.connection_type;
-        const existing = getGoogleConnection(config, row.domain, connType);
-        if (existing?.refreshToken) continue;
-        upsertGoogleConnection(config, {
-          domain: row.domain,
-          connectionType: connType,
-          propertyId: row.property_id ?? null,
-          sitemapUrl: row.sitemap_url ?? null,
-          accessToken: row.access_token ?? void 0,
-          refreshToken: row.refresh_token ?? null,
-          tokenExpiresAt: row.token_expires_at ?? null,
-          scopes: parseJsonColumn(row.scopes, []),
-          createdAt: row.created_at,
-          updatedAt: row.updated_at
-        });
-        migrated++;
-      }
-      if (migrated > 0) {
-        saveConfigPatch({ google: config.google });
-        log9.info("credentials.migrated", { type: "google", count: migrated });
-      }
-    }
-    const gaColCheck = db.all(sql6.raw(
-      `SELECT COUNT(*) as c FROM pragma_table_info('ga_connections') WHERE name = 'private_key'`
-    ));
-    if (gaColCheck[0]?.c) {
-      const rows = db.all(sql6.raw(
-        `SELECT id, project_id, property_id, client_email, private_key, created_at, updated_at FROM ga_connections WHERE private_key IS NOT NULL AND private_key != ''`
-      ));
-      let migrated = 0;
-      for (const row of rows) {
-        const project = db.select({ name: projects.name }).from(projects).where(eq24(projects.id, row.project_id)).get();
-        if (!project) continue;
-        const existing = getGa4Connection(config, project.name);
-        if (existing?.privateKey) continue;
-        upsertGa4Connection(config, {
-          projectName: project.name,
-          propertyId: row.property_id,
-          clientEmail: row.client_email,
-          privateKey: row.private_key,
-          createdAt: row.created_at,
-          updatedAt: row.updated_at
-        });
-        migrated++;
-      }
-      if (migrated > 0) {
-        saveConfigPatch({ ga4: config.ga4 });
-        log9.info("credentials.migrated", { type: "ga4", count: migrated });
-      }
-    }
-  } catch {
+function applyLegacyCredentials(rows, config) {
+  let migratedGoogle = 0;
+  for (const row of rows.google) {
+    const existing = getGoogleConnection(config, row.domain, row.connectionType);
+    if (existing?.refreshToken) continue;
+    upsertGoogleConnection(config, {
+      domain: row.domain,
+      connectionType: row.connectionType,
+      propertyId: row.propertyId,
+      sitemapUrl: row.sitemapUrl,
+      accessToken: row.accessToken ?? void 0,
+      refreshToken: row.refreshToken,
+      tokenExpiresAt: row.tokenExpiresAt,
+      scopes: row.scopes,
+      createdAt: row.createdAt,
+      updatedAt: row.updatedAt
+    });
+    migratedGoogle++;
+  }
+  if (migratedGoogle > 0) {
+    saveConfigPatch({ google: config.google });
+    log9.info("credentials.migrated", { type: "google", count: migratedGoogle });
+  }
+  let migratedGa4 = 0;
+  for (const row of rows.ga4) {
+    const existing = getGa4Connection(config, row.projectName);
+    if (existing?.privateKey) continue;
+    upsertGa4Connection(config, {
+      projectName: row.projectName,
+      propertyId: row.propertyId,
+      clientEmail: row.clientEmail,
+      privateKey: row.privateKey,
+      createdAt: row.createdAt,
+      updatedAt: row.updatedAt
+    });
+    migratedGa4++;
+  }
+  if (migratedGa4 > 0) {
+    saveConfigPatch({ ga4: config.ga4 });
+    log9.info("credentials.migrated", { type: "ga4", count: migratedGa4 });
   }
 }
 async function createServer(opts) {
@@ -15890,7 +16027,15 @@ async function createServer(opts) {
       quota: opts.config.geminiQuota
     };
   }
-  migrateDbCredentialsToConfig(opts.db, opts.config);
+  try {
+    const legacyRows = extractLegacyCredentials(opts.db);
+    applyLegacyCredentials(legacyRows, opts.config);
+    dropLegacyCredentialColumns(opts.db);
+  } catch (err) {
+    log9.warn("credentials.migration.failed", {
+      error: err instanceof Error ? err.message : String(err)
+    });
+  }
   log9.info("providers.configured", { providers: Object.keys(providers).filter((k) => {
     const p = providers[k];
     return p?.apiKey || p?.baseUrl || p?.vertexProject;
@@ -16483,7 +16628,7 @@ async function createServer(opts) {
     await app.register(fastifyStatic.default, {
       root: assetsDir,
       prefix: basePath ?? "/",
-      wildcard: false,
+      wildcard: true,
       // Don't serve index.html automatically — we handle it with config injection
       serve: true,
       index: false

package/dist/{chunk-HO22LHTY.js → chunk-ZZ57GRV6.js}

@@ -115,7 +115,8 @@ var querySnapshots = sqliteTable("query_snapshots", {
   index("idx_snapshots_keyword").on(table.keywordId),
   index("idx_snapshots_citation_state").on(table.citationState),
   index("idx_snapshots_provider_model").on(table.provider, table.model),
-  index("idx_snapshots_location").on(table.location)
+  index("idx_snapshots_location").on(table.location),
+  index("idx_snapshots_created_at").on(table.createdAt)
 ]);
 var auditLog = sqliteTable("audit_log", {
   id: text("id").primaryKey(),
@@ -848,7 +849,17 @@ var MIGRATIONS = [
   `CREATE INDEX IF NOT EXISTS idx_bing_coverage_snap_run ON bing_coverage_snapshots(sync_run_id)`,
   // v34: Rename unique index for bing_coverage_snapshots to follow convention
   `DROP INDEX IF EXISTS idx_bing_coverage_snap_project_date`,
-  `CREATE UNIQUE INDEX IF NOT EXISTS idx_bing_coverage_snap_project_date_unique ON bing_coverage_snapshots(project_id, date)`
+  `CREATE UNIQUE INDEX IF NOT EXISTS idx_bing_coverage_snap_project_date_unique ON bing_coverage_snapshots(project_id, date)`,
+  // v35: Add missing index for query_snapshots createdAt for time-series filtering
+  `CREATE INDEX IF NOT EXISTS idx_snapshots_created_at ON query_snapshots(created_at)`
+  // v36: Transaction handling and SQL injection review: verified all strings use SQLite ? binding via Drizzle.
+  // No changes required for parameterization.
+  // v37: The legacy credential columns (private_key on ga_connections; access_token,
+  // refresh_token, token_expires_at on google_connections) are removed by the
+  // extractLegacyCredentials / dropLegacyCredentialColumns pair below. Callers
+  // read the rows, persist them to config.yaml, and only then drop the columns
+  // so a failed config write doesn't permanently lose credentials. Keeping the
+  // DROPs as raw SQL here would race with that read.
 ];
 function isDuplicateColumnError(err) {
   if (!(err instanceof Error)) return false;
@@ -856,6 +867,83 @@ function isDuplicateColumnError(err) {
   if (err.cause instanceof Error && err.cause.message.includes("duplicate column name")) return true;
   return false;
 }
+function columnExists(db, table, column) {
+  const rows = db.all(sql.raw(
+    `SELECT COUNT(*) as c FROM pragma_table_info('${table}') WHERE name = '${column}'`
+  ));
+  return (rows[0]?.c ?? 0) > 0;
+}
+function dropColumnIfExists(db, table, column) {
+  try {
+    db.run(sql.raw(`ALTER TABLE ${table} DROP COLUMN ${column}`));
+  } catch (err) {
+    if (!(err instanceof Error)) throw err;
+    const msg = err.message;
+    const causeMsg = err.cause instanceof Error ? err.cause.message : "";
+    const expected = `no such column: "${column}"`;
+    const expectedAlt = `no such column: ${column}`;
+    if (msg.includes(expected) || msg.includes(expectedAlt)) return;
+    if (causeMsg.includes(expected) || causeMsg.includes(expectedAlt)) return;
+    throw err;
+  }
+}
+function extractLegacyCredentials(db) {
+  const out = { google: [], ga4: [] };
+  if (columnExists(db, "google_connections", "access_token")) {
+    const rows = db.all(sql.raw(
+      `SELECT domain, connection_type, property_id, sitemap_url, access_token, refresh_token, token_expires_at, scopes, created_at, updated_at
+       FROM google_connections
+       WHERE refresh_token IS NOT NULL AND refresh_token != ''`
+    ));
+    for (const row of rows) {
+      out.google.push({
+        domain: row.domain,
+        connectionType: row.connection_type,
+        propertyId: row.property_id,
+        sitemapUrl: row.sitemap_url,
+        accessToken: row.access_token,
+        refreshToken: row.refresh_token,
+        tokenExpiresAt: row.token_expires_at,
+        scopes: parseJsonColumn(row.scopes, []),
+        createdAt: row.created_at,
+        updatedAt: row.updated_at
+      });
+    }
+  }
+  if (columnExists(db, "ga_connections", "private_key")) {
+    const rows = db.all(sql.raw(
+      `SELECT p.name AS project_name, ga.property_id, ga.client_email, ga.private_key, ga.created_at, ga.updated_at
+       FROM ga_connections ga
+       INNER JOIN projects p ON p.id = ga.project_id
+       WHERE ga.private_key IS NOT NULL AND ga.private_key != ''`
+    ));
+    for (const row of rows) {
+      out.ga4.push({
+        projectName: row.project_name,
+        propertyId: row.property_id,
+        clientEmail: row.client_email,
+        privateKey: row.private_key,
+        createdAt: row.created_at,
+        updatedAt: row.updated_at
+      });
+    }
+  }
+  return out;
+}
+function dropLegacyCredentialColumns(db) {
+  if (columnExists(db, "google_connections", "access_token")) {
+    dropColumnIfExists(db, "google_connections", "access_token");
+  }
+  if (columnExists(db, "google_connections", "refresh_token")) {
+    dropColumnIfExists(db, "google_connections", "refresh_token");
+  }
+  if (columnExists(db, "google_connections", "token_expires_at")) {
+    dropColumnIfExists(db, "google_connections", "token_expires_at");
+  }
+  if (columnExists(db, "ga_connections", "private_key")) {
+    dropColumnIfExists(db, "ga_connections", "private_key");
+  }
+}
 function migrate(db) {
   const statements = MIGRATION_SQL.split(";").map((s) => s.trim()).filter((s) => s.length > 0);
   for (const statement of statements) {
@@ -1303,6 +1391,8 @@ export {
   healthSnapshots,
   createClient,
   parseJsonColumn,
+  extractLegacyCredentials,
+  dropLegacyCredentialColumns,
   migrate,
   createLogger,
   IntelligenceService

package/dist/cli.js

@@ -47,7 +47,7 @@ import {
   trackEvent,
   usageError,
   writeAgentEnv
-} from "./chunk-25QLMK4F.js";
+} from "./chunk-IPOVH342.js";
 import {
   apiKeys,
   competitors,
@@ -57,7 +57,7 @@ import {
   projects,
   querySnapshots,
   runs
-} from "./chunk-HO22LHTY.js";
+} from "./chunk-ZZ57GRV6.js";
 
 // src/cli.ts
 import { pathToFileURL } from "url";
@@ -304,7 +304,7 @@ async function backfillAnswerVisibilityCommand(opts) {
   console.log(`  Errors:   ${providerErrors}`);
 }
 async function backfillInsightsCommand(project, opts) {
-  const { IntelligenceService } = await import("./intelligence-service-ZISLIU4S.js");
+  const { IntelligenceService } = await import("./intelligence-service-MZ7SXEGE.js");
   const config = loadConfig();
   const db = createClient(config.database);
   migrate(db);
@@ -7920,7 +7920,7 @@ async function agentDetach(opts) {
 }
 async function autoInstallOrFail(format) {
   if (format !== "json") {
-    console.log("OpenClaw not found, installing via npm...");
+    console.log("OpenClaw not found, installing pinned openclaw@2026.4.14 via npm...");
   }
   const install = await installOpenClaw({ silent: format === "json" });
   if (!install.success) {

package/dist/index.js

@@ -1,8 +1,8 @@
 import {
   createServer,
   loadConfig
-} from "./chunk-25QLMK4F.js";
-import "./chunk-HO22LHTY.js";
+} from "./chunk-IPOVH342.js";
+import "./chunk-ZZ57GRV6.js";
 export {
   createServer,
   loadConfig

package/dist/{intelligence-service-ZISLIU4S.js → intelligence-service-MZ7SXEGE.js}

@@ -1,6 +1,6 @@
 import {
   IntelligenceService
-} from "./chunk-HO22LHTY.js";
+} from "./chunk-ZZ57GRV6.js";
 export {
   IntelligenceService
 };

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@ainyc/canonry",
-  "version": "1.48.0",
+  "version": "1.48.4",
   "type": "module",
   "description": "The ultimate open-source AEO monitoring tool - track how answer engines cite your domain",
   "license": "FSL-1.1-ALv2",
@@ -31,7 +31,7 @@
     "README.md"
   ],
   "engines": {
-    "node": ">=20"
+    "node": ">=22.14.0"
   },
   "dependencies": {
     "@ainyc/aeo-audit": "1.3.2",
@@ -54,20 +54,20 @@
     "@types/node-cron": "^3.0.11",
     "tsup": "^8.5.1",
     "tsx": "^4.19.0",
-    "@ainyc/canonry-config": "0.0.0",
-    "@ainyc/canonry-contracts": "0.0.0",
     "@ainyc/canonry-api-routes": "0.0.0",
+    "@ainyc/canonry-contracts": "0.0.0",
+    "@ainyc/canonry-config": "0.0.0",
     "@ainyc/canonry-db": "0.0.0",
     "@ainyc/canonry-integration-bing": "0.0.0",
-    "@ainyc/canonry-integration-google": "0.0.0",
-    "@ainyc/canonry-intelligence": "0.0.0",
-    "@ainyc/canonry-provider-cdp": "0.0.0",
     "@ainyc/canonry-integration-wordpress": "0.0.0",
+    "@ainyc/canonry-provider-cdp": "0.0.0",
+    "@ainyc/canonry-intelligence": "0.0.0",
     "@ainyc/canonry-provider-claude": "0.0.0",
-    "@ainyc/canonry-provider-gemini": "0.0.0",
+    "@ainyc/canonry-provider-local": "0.0.0",
     "@ainyc/canonry-provider-openai": "0.0.0",
+    "@ainyc/canonry-integration-google": "0.0.0",
     "@ainyc/canonry-provider-perplexity": "0.0.0",
-    "@ainyc/canonry-provider-local": "0.0.0"
+    "@ainyc/canonry-provider-gemini": "0.0.0"
   },
   "scripts": {
     "build": "tsx scripts/copy-agent-assets.ts && tsup && tsx build-web.ts",