@ainyc/canonry 4.21.4 → 4.23.0

package/dist/{chunk-3UGJUNQX.js → chunk-CLVZF3X7.js}

@@ -5,7 +5,7 @@ import {
   loadConfig,
   loadConfigRaw,
   saveConfigPatch
-} from "./chunk-VFKGHXVJ.js";
+} from "./chunk-VOSBGXXG.js";
 import {
   DEFAULT_RUN_HISTORY_LIMIT,
   IntelligenceService,
@@ -66,7 +66,7 @@ import {
   schedules,
   trafficSources,
   usageCounters
-} from "./chunk-GVQYROIK.js";
+} from "./chunk-OYYFXKRK.js";
 import {
   AGENT_MEMORY_VALUE_MAX_BYTES,
   AGENT_PROVIDER_IDS,
@@ -154,12 +154,13 @@ import {
   serializeRunError,
   snapshotRequestSchema,
   summarizeCheckResults,
+  trafficConnectWordpressRequestSchema,
   unsupportedKind,
   validationError,
   visibilityStateFromAnswerMentioned,
   windowCutoff,
   wordpressEnvSchema
-} from "./chunk-EY63PENL.js";
+} from "./chunk-EUGCQSFC.js";
 
 // src/telemetry.ts
 import crypto from "crypto";
@@ -10007,6 +10008,37 @@ var routeCatalog = [
       404: { description: "Project not found." }
     }
   },
+  {
+    method: "post",
+    path: "/api/v1/projects/{name}/traffic/connect/wordpress",
+    summary: "Connect a WordPress traffic-logger source",
+    description: "Probes the WordPress traffic-logger plugin endpoint with the supplied Application Password (single page, `limit=1`) before persisting. On success, stores the credential in `~/.canonry/config.yaml` and creates / updates the project's active WordPress `traffic_sources` row. A probe failure (HTTP 4xx/5xx, network error) surfaces as 502 with the upstream status in the message so the caller learns about a bad credential up front instead of at the first sync.",
+    tags: ["traffic"],
+    parameters: [nameParameter],
+    requestBody: {
+      required: true,
+      content: {
+        "application/json": {
+          schema: {
+            type: "object",
+            required: ["baseUrl", "username", "applicationPassword"],
+            properties: {
+              baseUrl: { ...stringSchema, description: "Absolute base URL of the WordPress site (e.g. `https://example.com`)." },
+              username: { ...stringSchema, description: "WordPress username paired with the Application Password." },
+              applicationPassword: { ...stringSchema, description: "WordPress Application Password (raw; the server base64-encodes it for Basic auth)." },
+              displayName: stringSchema
+            }
+          }
+        }
+      }
+    },
+    responses: {
+      200: { description: "Traffic source DTO returned." },
+      400: { description: "Invalid WordPress connection request." },
+      404: { description: "Project not found." },
+      502: { description: "WordPress plugin endpoint probe failed (bad credentials, unreachable host, etc.)." }
+    }
+  },
   {
     method: "post",
     path: "/api/v1/projects/{name}/traffic/sources/{id}/sync",
@@ -16779,6 +16811,12 @@ function hostMatches(host, domain) {
   const normalizedDomain = normalizeHost(domain);
   return normalizedHost === normalizedDomain || normalizedHost.endsWith(`.${normalizedDomain}`);
 }
+function utmTokenMatchesDomain(utmSource, domain) {
+  if (hostMatches(utmSource, domain)) return true;
+  const normalizedUtm = normalizeHost(utmSource);
+  const firstLabel = normalizeHost(domain).split(".")[0];
+  return Boolean(firstLabel) && normalizedUtm === firstLabel;
+}
 function hostFromUrl(value) {
   if (!value) return null;
   try {
@@ -16833,7 +16871,7 @@ function classifyAiReferral(event) {
   }
   const utmSource = utmSourceFromQuery(event.queryString);
   if (utmSource) {
-    const rule = DEFAULT_AI_REFERRER_RULES.find((candidate) => hostMatches(utmSource, candidate.domain));
+    const rule = DEFAULT_AI_REFERRER_RULES.find((candidate) => utmTokenMatchesDomain(utmSource, candidate.domain));
     if (rule) {
       return {
         operator: rule.operator,
@@ -16845,7 +16883,7 @@ function classifyAiReferral(event) {
   }
   const refererUtmSource = utmSourceFromUrl(event.referer);
   if (refererUtmSource) {
-    const rule = DEFAULT_AI_REFERRER_RULES.find((candidate) => hostMatches(refererUtmSource, candidate.domain));
+    const rule = DEFAULT_AI_REFERRER_RULES.find((candidate) => utmTokenMatchesDomain(refererUtmSource, candidate.domain));
     if (rule) {
       return {
         operator: rule.operator,
@@ -16971,20 +17009,19 @@ function buildTrafficProbeReport(events, options = {}) {
       incrementBucket(topAiReferralLandingPaths, pathNormalized, { landingPathNormalized: pathNormalized });
     }
     if (!crawler && !aiReferral) unknownHits += 1;
-    if (samples.length < sampleLimit) {
-      samples.push({
-        eventId: event.eventId,
-        observedAt: event.observedAt,
-        sourceType: event.sourceType,
-        path: event.path,
-        pathNormalized,
-        status: event.status,
-        userAgent: event.userAgent,
-        referer: event.referer,
-        crawler,
-        aiReferral
-      });
-    }
+    samples.push({
+      eventId: event.eventId,
+      observedAt: event.observedAt,
+      sourceType: event.sourceType,
+      path: event.path,
+      pathNormalized,
+      status: event.status,
+      userAgent: event.userAgent,
+      referer: event.referer,
+      crawler,
+      aiReferral
+    });
+    if (samples.length > sampleLimit) samples.shift();
   }
   return {
     generatedAt: options.generatedAt ?? (/* @__PURE__ */ new Date()).toISOString(),
@@ -17009,10 +17046,155 @@ function incrementBucket(map, key, fields) {
   else map.set(key, { fields, hits: 1 });
 }
 
+// ../integration-wordpress-traffic/src/normalize.ts
+function trimOrNull(value) {
+  if (value === null || value === void 0) return null;
+  const trimmed = value.trim();
+  return trimmed.length > 0 ? trimmed : null;
+}
+function buildEventId2(event) {
+  return `wordpress:${event.observed_at}:${event.id}`;
+}
+function normalizeWordpressTrafficEvent(event) {
+  if (!event.observed_at) return null;
+  if (typeof event.id !== "number" || !Number.isFinite(event.id)) return null;
+  const path15 = event.path?.trim();
+  if (!path15) return null;
+  const queryString = trimOrNull(event.query_string);
+  const host = trimOrNull(event.host);
+  const requestUrl = host ? `https://${host}${path15}${queryString ? `?${queryString}` : ""}` : `${path15}${queryString ? `?${queryString}` : ""}`;
+  return {
+    sourceType: TrafficSourceTypes.wordpress,
+    evidenceKind: TrafficEvidenceKinds["raw-request"],
+    confidence: TrafficEventConfidences.observed,
+    eventId: buildEventId2(event),
+    observedAt: event.observed_at,
+    method: trimOrNull(event.method),
+    requestUrl,
+    host,
+    path: path15,
+    queryString,
+    status: typeof event.status === "number" && Number.isFinite(event.status) ? event.status : null,
+    userAgent: trimOrNull(event.user_agent),
+    remoteIp: trimOrNull(event.remote_ip_hash),
+    referer: trimOrNull(event.referer),
+    latencyMs: null,
+    requestSizeBytes: null,
+    responseSizeBytes: null,
+    providerResource: {
+      type: "wordpress_site",
+      labels: host ? { host } : {}
+    },
+    providerLabels: {}
+  };
+}
+
+// ../integration-wordpress-traffic/src/client.ts
+var WORDPRESS_TRAFFIC_ENDPOINT_PATH = "/wp-json/canonry/v1/events";
+var DEFAULT_PAGE_SIZE2 = 500;
+var DEFAULT_MAX_PAGES2 = 1;
+var DEFAULT_TIMEOUT_MS2 = 3e4;
+var WordpressTrafficApiError = class extends Error {
+  constructor(message, status, body) {
+    super(message);
+    this.status = status;
+    this.body = body;
+    this.name = "WordpressTrafficApiError";
+  }
+};
+function trimRequired(name, value) {
+  const trimmed = value.trim();
+  if (!trimmed) {
+    throw new WordpressTrafficApiError(`${name} is required`, 400);
+  }
+  return trimmed;
+}
+function normalizePageSize2(pageSize) {
+  if (pageSize === void 0) return DEFAULT_PAGE_SIZE2;
+  if (!Number.isInteger(pageSize) || pageSize < 1) {
+    throw new WordpressTrafficApiError("pageSize must be a positive integer", 400);
+  }
+  return pageSize;
+}
+function normalizeMaxPages2(maxPages) {
+  if (maxPages === void 0) return DEFAULT_MAX_PAGES2;
+  if (!Number.isInteger(maxPages) || maxPages < 1) {
+    throw new WordpressTrafficApiError("maxPages must be a positive integer", 400);
+  }
+  return maxPages;
+}
+function resolveEndpoint(baseUrl) {
+  const trimmed = trimRequired("baseUrl", baseUrl).replace(/\/+$/, "");
+  return `${trimmed}${WORDPRESS_TRAFFIC_ENDPOINT_PATH}`;
+}
+function buildBasicAuthHeader(username, applicationPassword) {
+  const credentials = `${trimRequired("username", username)}:${trimRequired("applicationPassword", applicationPassword)}`;
+  return `Basic ${Buffer.from(credentials, "utf8").toString("base64")}`;
+}
+async function readErrorBody2(response) {
+  const text = await response.text().catch(() => "");
+  if (!text) return void 0;
+  return text.length <= 500 ? text : `${text.slice(0, 500)}... [truncated]`;
+}
+async function listWordpressTrafficEvents(options) {
+  const endpoint = resolveEndpoint(options.baseUrl);
+  const authHeader = buildBasicAuthHeader(options.username, options.applicationPassword);
+  const pageSize = normalizePageSize2(options.pageSize);
+  const maxPages = normalizeMaxPages2(options.maxPages);
+  const timeoutMs = options.timeoutMs ?? DEFAULT_TIMEOUT_MS2;
+  let cursor = options.cursor;
+  let rawEntryCount = 0;
+  let skippedEntryCount = 0;
+  const events = [];
+  for (let page = 0; page < maxPages; page += 1) {
+    const url = new URL(endpoint);
+    url.searchParams.set("limit", String(pageSize));
+    if (cursor !== void 0 && cursor !== "") {
+      url.searchParams.set("cursor", cursor);
+    }
+    const response = await fetch(url, {
+      method: "GET",
+      headers: {
+        Authorization: authHeader,
+        Accept: "application/json"
+      },
+      signal: AbortSignal.timeout(timeoutMs)
+    });
+    if (!response.ok) {
+      const body2 = await readErrorBody2(response);
+      throw new WordpressTrafficApiError(
+        `WordPress traffic endpoint returned HTTP ${response.status}`,
+        response.status,
+        body2
+      );
+    }
+    const body = await response.json();
+    const entries = body.events ?? [];
+    rawEntryCount += entries.length;
+    for (const entry of entries) {
+      const normalized = normalizeWordpressTrafficEvent(entry);
+      if (normalized) {
+        events.push(normalized);
+      } else {
+        skippedEntryCount += 1;
+      }
+    }
+    cursor = body.next_cursor ?? void 0;
+    if (!body.has_more || !cursor) break;
+  }
+  return {
+    events,
+    rawEntryCount,
+    skippedEntryCount,
+    nextCursor: cursor,
+    endpoint
+  };
+}
+
 // ../api-routes/src/traffic.ts
 var DEFAULT_SYNC_WINDOW_MINUTES = 43200;
-var DEFAULT_PAGE_SIZE2 = 1e3;
-var DEFAULT_MAX_PAGES2 = 5;
+var DEFAULT_PAGE_SIZE3 = 1e3;
+var DEFAULT_MAX_PAGES3 = 5;
 var DEFAULT_SAMPLE_LIMIT2 = 100;
 var MAX_TRACKED_EVENT_IDS = 1e3;
 var DEFAULT_BACKFILL_DAYS = 30;
@@ -17089,7 +17271,7 @@ async function runBackfillTask(options) {
       location,
       startTime: windowStart.toISOString(),
       endTime: windowEnd.toISOString(),
-      pageSize: DEFAULT_PAGE_SIZE2,
+      pageSize: DEFAULT_PAGE_SIZE3,
       maxPages: BACKFILL_MAX_PAGES,
       // Backfill is intentionally `firstSync: false`. We don't want desc
       // ordering — the in-memory rollup builder handles any order, and the
@@ -17118,7 +17300,7 @@ async function runBackfillTask(options) {
   const newSorted = allEvents.slice().sort((a, b) => a.observedAt < b.observedAt ? 1 : a.observedAt > b.observedAt ? -1 : 0).map((e) => e.eventId);
   const newRingBuffer = newSorted.slice(0, MAX_TRACKED_EVENT_IDS);
   const currentLastSyncedMs = sourceRow.lastSyncedAt ? new Date(sourceRow.lastSyncedAt).getTime() : Number.NEGATIVE_INFINITY;
-  const nextLastSyncedAt = Math.max(currentLastSyncedMs, windowEnd.getTime()) === windowEnd.getTime() ? finishedAt : sourceRow.lastSyncedAt;
+  const nextLastSyncedAt = Math.max(currentLastSyncedMs, windowEnd.getTime()) === windowEnd.getTime() ? windowEndIso : sourceRow.lastSyncedAt;
   try {
     app.db.transaction((tx) => {
       tx.delete(crawlerEventsHourly).where(
@@ -17219,9 +17401,10 @@ async function runBackfillTask(options) {
 async function trafficRoutes(app, opts) {
   const pullEvents = opts.pullCloudRunEvents ?? listCloudRunTrafficEvents;
   const resolveAccessToken2 = opts.resolveCloudRunAccessToken ?? defaultResolveAccessToken;
+  const pullWordpressEvents = opts.pullWordpressTrafficEvents ?? listWordpressTrafficEvents;
   const syncWindowMinutes = opts.defaultSyncWindowMinutes ?? DEFAULT_SYNC_WINDOW_MINUTES;
-  const pageSize = opts.defaultPageSize ?? DEFAULT_PAGE_SIZE2;
-  const maxPages = opts.defaultMaxPages ?? DEFAULT_MAX_PAGES2;
+  const pageSize = opts.defaultPageSize ?? DEFAULT_PAGE_SIZE3;
+  const maxPages = opts.defaultMaxPages ?? DEFAULT_MAX_PAGES3;
   const sampleLimit = opts.defaultSampleLimit ?? DEFAULT_SAMPLE_LIMIT2;
   app.post("/projects/:name/traffic/connect/cloud-run", async (request) => {
     const project = resolveProject(app.db, request.params.name);
@@ -17305,6 +17488,84 @@ async function trafficRoutes(app, opts) {
     });
     return rowToDto(sourceRow);
   });
+  app.post("/projects/:name/traffic/connect/wordpress", async (request) => {
+    const project = resolveProject(app.db, request.params.name);
+    if (!opts.wordpressTrafficCredentialStore) {
+      throw validationError("WordPress traffic credential storage is not configured for this deployment");
+    }
+    const credentialStore = opts.wordpressTrafficCredentialStore;
+    const parsed = trafficConnectWordpressRequestSchema.safeParse(request.body ?? {});
+    if (!parsed.success) {
+      throw validationError(parsed.error.issues.map((i) => i.message).join("; "));
+    }
+    const { baseUrl, username, applicationPassword, displayName } = parsed.data;
+    try {
+      await pullWordpressEvents({
+        baseUrl,
+        username,
+        applicationPassword,
+        pageSize: 1,
+        maxPages: 1
+      });
+    } catch (e) {
+      if (e instanceof WordpressTrafficApiError) {
+        throw providerError(
+          `WordPress traffic probe failed (HTTP ${e.status}): ${e.message}${e.body ? ` \u2014 ${e.body}` : ""}`
+        );
+      }
+      const msg = e instanceof Error ? e.message : String(e);
+      throw providerError(`WordPress traffic probe failed: ${msg}`);
+    }
+    const now = (/* @__PURE__ */ new Date()).toISOString();
+    const existing = credentialStore.getConnection(project.name);
+    credentialStore.upsertConnection({
+      projectName: project.name,
+      baseUrl,
+      username,
+      applicationPassword,
+      createdAt: existing?.createdAt ?? now,
+      updatedAt: now
+    });
+    const activeSource = app.db.select().from(trafficSources).where(eq23(trafficSources.projectId, project.id)).all().find((row) => row.sourceType === TrafficSourceTypes.wordpress && row.status !== TrafficSourceStatuses.archived);
+    const config = { baseUrl, username };
+    const fallbackName = displayName ?? `WordPress \xB7 ${new URL(baseUrl).host}`;
+    let sourceRow;
+    if (activeSource) {
+      app.db.update(trafficSources).set({
+        displayName: fallbackName,
+        status: TrafficSourceStatuses.connected,
+        lastError: null,
+        configJson: JSON.stringify(config),
+        updatedAt: now
+      }).where(eq23(trafficSources.id, activeSource.id)).run();
+      sourceRow = app.db.select().from(trafficSources).where(eq23(trafficSources.id, activeSource.id)).get();
+    } else {
+      const newId = crypto20.randomUUID();
+      app.db.insert(trafficSources).values({
+        id: newId,
+        projectId: project.id,
+        sourceType: TrafficSourceTypes.wordpress,
+        displayName: fallbackName,
+        status: TrafficSourceStatuses.connected,
+        lastSyncedAt: null,
+        lastCursor: null,
+        lastError: null,
+        archivedAt: null,
+        configJson: JSON.stringify(config),
+        createdAt: now,
+        updatedAt: now
+      }).run();
+      sourceRow = app.db.select().from(trafficSources).where(eq23(trafficSources.id, newId)).get();
+    }
+    writeAuditLog(app.db, {
+      projectId: project.id,
+      actor: "api",
+      action: "traffic.wordpress.connected",
+      entityType: "traffic_source",
+      entityId: sourceRow.id
+    });
+    return rowToDto(sourceRow);
+  });
   app.post("/projects/:name/traffic/sources/:id/sync", async (request) => {
     const project = resolveProject(app.db, request.params.name);
     const sourceRow = app.db.select().from(trafficSources).where(eq23(trafficSources.id, request.params.id)).get();
@@ -17398,25 +17659,35 @@ async function trafficRoutes(app, opts) {
       markFailed(msg, "PROVIDER_PULL");
       throw providerError(`Cloud Run pull failed: ${msg}`);
     }
-    const seenEventIds = new Set(parseJsonColumn(sourceRow.lastEventIds, []));
-    const dedupedEvents = seenEventIds.size === 0 ? allEvents : allEvents.filter((e) => !seenEventIds.has(e.eventId));
-    const newSorted = dedupedEvents.slice().sort((a, b) => a.observedAt < b.observedAt ? 1 : a.observedAt > b.observedAt ? -1 : 0).map((e) => e.eventId);
-    const previousIds = parseJsonColumn(sourceRow.lastEventIds, []);
-    const merged = [];
-    const mergedSet = /* @__PURE__ */ new Set();
-    for (const id of [...newSorted, ...previousIds]) {
-      if (mergedSet.has(id)) continue;
-      mergedSet.add(id);
-      merged.push(id);
-      if (merged.length >= MAX_TRACKED_EVENT_IDS) break;
-    }
-    const nextEventIds = merged;
-    const report = buildTrafficProbeReport(dedupedEvents, { sampleLimit });
-    const finishedAt = (/* @__PURE__ */ new Date()).toISOString();
     let crawlerBucketRows = 0;
     let aiReferralBucketRows = 0;
     let sampleRows = 0;
+    let finishedAt = (/* @__PURE__ */ new Date()).toISOString();
+    let pulledEventsCount = 0;
+    let crawlerHitsCount = 0;
+    let aiReferralHitsCount = 0;
+    let unknownHitsCount = 0;
     app.db.transaction((tx) => {
+      const latestRow = tx.select().from(trafficSources).where(eq23(trafficSources.id, sourceRow.id)).get();
+      const previousIds = parseJsonColumn(latestRow.lastEventIds, []);
+      const seenEventIds = new Set(previousIds);
+      const dedupedEvents = seenEventIds.size === 0 ? allEvents : allEvents.filter((e) => !seenEventIds.has(e.eventId));
+      const newSorted = dedupedEvents.slice().sort((a, b) => a.observedAt < b.observedAt ? 1 : a.observedAt > b.observedAt ? -1 : 0).map((e) => e.eventId);
+      const merged = [];
+      const mergedSet = /* @__PURE__ */ new Set();
+      for (const id of [...newSorted, ...previousIds]) {
+        if (mergedSet.has(id)) continue;
+        mergedSet.add(id);
+        merged.push(id);
+        if (merged.length >= MAX_TRACKED_EVENT_IDS) break;
+      }
+      const nextEventIds = merged;
+      const report = buildTrafficProbeReport(dedupedEvents, { sampleLimit });
+      finishedAt = (/* @__PURE__ */ new Date()).toISOString();
+      pulledEventsCount = report.totals.normalizedEvents;
+      crawlerHitsCount = report.totals.crawlerHits;
+      aiReferralHitsCount = report.totals.aiReferralHits;
+      unknownHitsCount = report.totals.unknownHits;
       for (const bucket of report.crawlerEventsHourly) {
         const status = bucket.status ?? 0;
         tx.insert(crawlerEventsHourly).values({
@@ -17515,7 +17786,11 @@ async function trafficRoutes(app, opts) {
       }
       tx.update(trafficSources).set({
         status: TrafficSourceStatuses.connected,
-        lastSyncedAt: finishedAt,
+        // Advance to windowEnd, not finishedAt — events arriving at the
+        // source between windowEnd and finishedAt aren't in this pull's
+        // range. If we stored finishedAt, the next sync's clamp would skip
+        // past them and they'd be lost.
+        lastSyncedAt: windowEnd.toISOString(),
         lastError: null,
         lastEventIds: JSON.stringify(nextEventIds),
         updatedAt: finishedAt
@@ -17534,9 +17809,9 @@ async function trafficRoutes(app, opts) {
         status: "completed",
         sourceType: sourceRow.sourceType,
         sourceId: sourceRow.id,
-        pulledEvents: report.totals.normalizedEvents,
-        crawlerHits: report.totals.crawlerHits,
-        aiReferralHits: report.totals.aiReferralHits,
+        pulledEvents: pulledEventsCount,
+        crawlerHits: crawlerHitsCount,
+        aiReferralHits: aiReferralHitsCount,
         durationMs: Date.now() - syncStartedAtMs
       });
     } catch {
@@ -17545,10 +17820,10 @@ async function trafficRoutes(app, opts) {
       sourceId: sourceRow.id,
       runId,
       syncedAt: finishedAt,
-      pulledEvents: report.totals.normalizedEvents,
-      crawlerHits: report.totals.crawlerHits,
-      aiReferralHits: report.totals.aiReferralHits,
-      unknownHits: report.totals.unknownHits,
+      pulledEvents: pulledEventsCount,
+      crawlerHits: crawlerHitsCount,
+      aiReferralHits: aiReferralHitsCount,
+      unknownHits: unknownHitsCount,
       crawlerBucketRows,
       aiReferralBucketRows,
       sampleRows,
@@ -18548,8 +18823,16 @@ var recentDataCheck = {
         )
       ).get()?.total ?? 0
     );
+    const olderReferrals = Number(
+      ctx.db.select({ total: sql9`COALESCE(SUM(${aiReferralEventsHourly.sessionsOrHits}), 0)` }).from(aiReferralEventsHourly).where(
+        and15(
+          eq24(aiReferralEventsHourly.projectId, ctx.project.id),
+          gte3(aiReferralEventsHourly.tsHour, failCutoff)
+        )
+      ).get()?.total ?? 0
+    );
     const lastSyncedAt = sources.map((s) => s.lastSyncedAt).filter(Boolean).sort().at(-1) ?? null;
-    if (olderCrawlers > 0 || lastSyncedAt) {
+    if (olderCrawlers > 0 || olderReferrals > 0 || lastSyncedAt) {
       return {
         status: CheckStatuses.warn,
         code: "traffic.recent-data.stale",
@@ -18955,6 +19238,8 @@ async function apiRoutes(app, opts) {
       cloudRunCredentialStore: opts.cloudRunCredentialStore,
       pullCloudRunEvents: opts.pullCloudRunEvents,
       resolveCloudRunAccessToken: opts.resolveCloudRunAccessToken,
+      wordpressTrafficCredentialStore: opts.wordpressTrafficCredentialStore,
+      pullWordpressTrafficEvents: opts.pullWordpressTrafficEvents,
       onTrafficSynced: opts.onTrafficSynced
     });
     await api.register(backlinksRoutes, {
@@ -19021,6 +19306,50 @@ function buildTrafficSourceValidators(opts) {
       validateScopes: () => null
     };
   }
+  if (opts.wordpressTrafficCredentialStore) {
+    const store = opts.wordpressTrafficCredentialStore;
+    const pullEvents = opts.pullWordpressTrafficEvents ?? listWordpressTrafficEvents;
+    validators[TrafficSourceTypes.wordpress] = {
+      validateCredentials: async (source) => {
+        const record = store.getConnection(source.projectName);
+        if (!record) {
+          return {
+            status: CheckStatuses.fail,
+            code: "traffic.credentials.missing",
+            summary: `No WordPress traffic credential found in ~/.canonry/config.yaml for project "${source.projectName}".`,
+            remediation: "Re-run `canonry traffic connect wordpress <project> --url <site> --username <user> --app-password <password>`."
+          };
+        }
+        try {
+          await pullEvents({
+            baseUrl: record.baseUrl,
+            username: record.username,
+            applicationPassword: record.applicationPassword,
+            pageSize: 1,
+            maxPages: 1
+          });
+          return {
+            status: CheckStatuses.ok,
+            code: "traffic.credentials.resolved",
+            summary: `WordPress endpoint responds for "${source.displayName}" (${new URL(record.baseUrl).host}).`
+          };
+        } catch (e) {
+          const httpStatus = e instanceof WordpressTrafficApiError ? e.status : null;
+          const msg = e instanceof Error ? e.message : String(e);
+          return {
+            status: CheckStatuses.fail,
+            code: httpStatus === 401 || httpStatus === 403 ? "traffic.credentials.unauthorized" : "traffic.credentials.resolve-failed",
+            summary: httpStatus ? `WordPress endpoint returned HTTP ${httpStatus}: ${msg}.` : `WordPress endpoint probe failed: ${msg}.`,
+            remediation: "Verify the site URL is reachable and the Application Password is valid. Re-connect the source if needed."
+          };
+        }
+      },
+      // WordPress Application Passwords have no scope concept — auth is
+      // strictly "valid credential or not". Surface a skipped result so the
+      // framework is uniform without producing a false signal.
+      validateScopes: () => null
+    };
+  }
   return Object.keys(validators).length > 0 ? validators : void 0;
 }
 
@@ -21458,8 +21787,40 @@ function removeCloudRunConnection(config, projectName) {
   return true;
 }
 
-// src/wordpress-config.ts
+// src/wordpress-traffic-config.ts
 function ensureConnections4(config) {
+  if (!config.wordpressTraffic) config.wordpressTraffic = {};
+  if (!config.wordpressTraffic.connections) config.wordpressTraffic.connections = [];
+  return config.wordpressTraffic.connections;
+}
+function getWordpressTrafficConnection(config, projectName) {
+  return (config.wordpressTraffic?.connections ?? []).find((c) => c.projectName === projectName);
+}
+function upsertWordpressTrafficConnection(config, connection) {
+  const connections = ensureConnections4(config);
+  const index = connections.findIndex((c) => c.projectName === connection.projectName);
+  if (index === -1) {
+    connections.push(connection);
+    return connection;
+  }
+  connections[index] = connection;
+  return connection;
+}
+function removeWordpressTrafficConnection(config, projectName) {
+  const connections = config.wordpressTraffic?.connections;
+  if (!connections?.length) return false;
+  const next = connections.filter((c) => c.projectName !== projectName);
+  if (next.length === connections.length) return false;
+  if (!config.wordpressTraffic) return false;
+  config.wordpressTraffic.connections = next;
+  if (next.length === 0) {
+    delete config.wordpressTraffic;
+  }
+  return true;
+}
+
+// src/wordpress-config.ts
+function ensureConnections5(config) {
   if (!config.wordpress) config.wordpress = {};
   if (!config.wordpress.connections) config.wordpress.connections = [];
   return config.wordpress.connections;
@@ -21476,7 +21837,7 @@ function getWordpressConnection(config, projectName) {
   return (config.wordpress?.connections ?? []).find((connection) => connection.projectName === projectName);
 }
 function upsertWordpressConnection(config, connection) {
-  const connections = ensureConnections4(config);
+  const connections = ensureConnections5(config);
   const normalized = normalizeConnection(connection);
   const index = connections.findIndex((entry) => entry.projectName === connection.projectName);
   if (index === -1) {
@@ -25808,6 +26169,21 @@ async function createServer(opts) {
       return removed;
     }
   };
+  const wordpressTrafficCredentialStore = {
+    getConnection: (projectName) => {
+      return getWordpressTrafficConnection(opts.config, projectName);
+    },
+    upsertConnection: (record) => {
+      const updated = upsertWordpressTrafficConnection(opts.config, record);
+      saveConfigPatch(opts.config);
+      return updated;
+    },
+    deleteConnection: (projectName) => {
+      const removed = removeWordpressTrafficConnection(opts.config, projectName);
+      if (removed) saveConfigPatch(opts.config);
+      return removed;
+    }
+  };
   const googleStateSecret = process.env.GOOGLE_STATE_SECRET ?? crypto31.randomBytes(32).toString("hex");
   const googleConnectionStore = {
     listConnections: (domain) => listGoogleConnections(opts.config, domain),
@@ -26152,6 +26528,7 @@ async function createServer(opts) {
     wordpressConnectionStore,
     ga4CredentialStore,
     cloudRunCredentialStore,
+    wordpressTrafficCredentialStore,
     onTrafficSynced: (event) => {
       trackEvent("traffic.synced", {
         status: event.status,

package/dist/{chunk-EY63PENL.js → chunk-EUGCQSFC.js}

@@ -2227,6 +2227,10 @@ var cloudRunSourceConfigSchema = z20.object({
   location: z20.string().nullable().optional(),
   authMode: trafficSourceAuthModeSchema
 });
+var wordpressTrafficSourceConfigSchema = z20.object({
+  baseUrl: z20.string().url(),
+  username: z20.string().min(1)
+});
 var trafficSourceDtoSchema = z20.object({
   id: z20.string(),
   projectId: z20.string(),
@@ -2249,6 +2253,13 @@ var trafficConnectCloudRunRequestSchema = z20.object({
   /** Service-account JSON content (string). When omitted, defaults to OAuth via `canonry google connect <project> --type ga4` flow. */
   keyJson: z20.string().optional()
 });
+var trafficConnectWordpressRequestSchema = z20.object({
+  baseUrl: z20.string().url(),
+  username: z20.string().min(1),
+  /** WordPress Application Password (the same auth used by the content client). */
+  applicationPassword: z20.string().min(1),
+  displayName: z20.string().min(1).optional()
+});
 var trafficSyncResponseSchema = z20.object({
   sourceId: z20.string(),
   runId: z20.string(),
@@ -2494,6 +2505,7 @@ export {
   TrafficSourceAuthModes,
   VerificationStatuses,
   trafficConnectCloudRunRequestSchema,
+  trafficConnectWordpressRequestSchema,
   trafficEventKindSchema,
   TrafficEventKinds,
   formatRatio,