@ainyc/canonry 4.53.0 → 4.55.1

package/dist/{chunk-KVE7RLBI.js → chunk-2OI7HFAB.js}

@@ -6,7 +6,7 @@ import {
   loadConfig,
   loadConfigRaw,
   saveConfigPatch
-} from "./chunk-J7MX3YOH.js";
+} from "./chunk-ZY3EDW3S.js";
 import {
   DEFAULT_RUN_HISTORY_LIMIT,
   IntelligenceService,
@@ -84,7 +84,7 @@ import {
   smoothedRunDelta,
   trafficSources,
   usageCounters
-} from "./chunk-JHAHNKSN.js";
+} from "./chunk-UTM3FPAJ.js";
 import {
   AGENT_MEMORY_VALUE_MAX_BYTES,
   AGENT_PROVIDER_IDS,
@@ -185,6 +185,7 @@ import {
   emptyCitationVisibility,
   extractAnswerMentions,
   findDuplicateLocationLabels,
+  forbidden,
   formatDate,
   formatDateRange,
   formatDeltaCopy,
@@ -285,7 +286,7 @@ import {
   wordpressSchemaDeployResultDtoSchema,
   wordpressSchemaStatusResultDtoSchema,
   wordpressStatusDtoSchema
-} from "./chunk-VZPDBHBW.js";
+} from "./chunk-OFY3Z2F7.js";
 
 // src/telemetry.ts
 import crypto from "crypto";
@@ -586,6 +587,12 @@ import fs8 from "fs";
 // ../api-routes/src/auth.ts
 import crypto2 from "crypto";
 import { eq } from "drizzle-orm";
+function requireScope(request, scope) {
+  const key = request.apiKey;
+  if (!key) return;
+  if (key.scopes.includes("*") || key.scopes.includes(scope)) return;
+  throw forbidden(`This action requires the "${scope}" scope on your API key.`);
+}
 function hashKey(key) {
   return crypto2.createHash("sha256").update(key).digest("hex");
 }
@@ -645,6 +652,8 @@ async function authPlugin(app, opts = {}) {
       throw authRequired();
     }
     app.db.update(apiKeys).set({ lastUsedAt: (/* @__PURE__ */ new Date()).toISOString() }).where(eq(apiKeys.id, key.id)).run();
+    const scopes = Array.isArray(key.scopes) ? key.scopes : [];
+    request.apiKey = { id: key.id, name: key.name, scopes };
   });
 }
 
@@ -1653,9 +1662,9 @@ async function runRoutes(app, opts) {
   });
   app.get("/projects/:name/runs/latest", async (request, reply) => {
     const project = resolveProject(app.db, request.params.name);
-    const countRow = app.db.select({ count: sql4`count(*)` }).from(runs).where(eq7(runs.projectId, project.id)).get();
+    const countRow = app.db.select({ count: sql4`count(*)` }).from(runs).where(and2(eq7(runs.projectId, project.id), notProbeRun())).get();
     const totalRuns = countRow?.count ?? 0;
-    const latestRun = app.db.select().from(runs).where(eq7(runs.projectId, project.id)).orderBy(desc(runs.createdAt), desc(runs.id)).limit(1).get();
+    const latestRun = app.db.select().from(runs).where(and2(eq7(runs.projectId, project.id), notProbeRun())).orderBy(desc(runs.createdAt), desc(runs.id)).limit(1).get();
     if (!latestRun) {
       return reply.send({ totalRuns: 0, run: null });
     }
@@ -3816,6 +3825,14 @@ var COLORS = {
 function escapeHtml(value) {
   return value.replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;").replace(/"/g, "&quot;").replace(/'/g, "&#39;");
 }
+function safeHref(value) {
+  const trimmed = (value ?? "").trim();
+  if (!trimmed) return "#";
+  if (trimmed.startsWith("/")) return escapeHtml(trimmed);
+  if (/^https?:\/\//i.test(trimmed)) return escapeHtml(trimmed);
+  if (/^mailto:/i.test(trimmed)) return escapeHtml(trimmed);
+  return "#";
+}
 function summarizeQueryParams(params) {
   const keys = Array.from(params.keys());
   const total = keys.length;
@@ -5075,7 +5092,7 @@ function renderCompetitorLandscape(report) {
     const mentionCount = mention?.mentionCount ?? 0;
     const mentionTotal = mention?.totalCount ?? mentionLandscape.totalAnswerSnapshots;
     const pagesDisclosure = c.theirCitedPages.length > 0 ? `<details class="cited-pages"><summary>${c.theirCitedPages.length} cited URL${c.theirCitedPages.length > 1 ? "s" : ""}</summary>
-          <ul>${c.theirCitedPages.map((p) => `<li><a href="${escapeHtml(p.url)}">${escapeHtml(p.url)}</a> <span class="cited-for">${escapeHtml(p.citedFor.join(", "))}</span></li>`).join("")}</ul>
+          <ul>${c.theirCitedPages.map((p) => `<li><a href="${safeHref(p.url)}" target="_blank" rel="noopener noreferrer">${escapeHtml(p.url)}</a> <span class="cited-for">${escapeHtml(p.citedFor.join(", "))}</span></li>`).join("")}</ul>
         </details>` : "";
     return `<tr>
       <td>${escapeHtml(c.domain)}</td>
@@ -5490,7 +5507,7 @@ function renderServerActivity(report, audience) {
           <thead><tr><th>AI tool</th><th class="numeric">Bot requests (7d)</th><th class="numeric">User fetches (7d)</th><th class="numeric">Referral sessions</th></tr></thead>
           <tbody>${clientOperatorRows}</tbody>
         </table>
-        <p class="meta">Bot requests are bulk crawl (GPTBot, PerplexityBot, \u2026). User fetches are on-demand reads triggered by real users inside an AI surface (ChatGPT-User, Perplexity-User, \u2026). Verified requests are reverse-DNS confirmed; unverified requests are UA claims shown separately in agency diagnostics.</p>
+        <p class="meta">Bot requests are bulk crawl (GPTBot, PerplexityBot, \u2026). User fetches are on-demand reads triggered by real users inside an AI surface (ChatGPT-User, Perplexity-User, \u2026). Verified means the request came from an IP the operator publishes as its own; unverified means the user-agent matched but the IP is not in a published range. User-fetch totals count both, since many genuine user fetches come from outside any published range.</p>
       </div>` : ""}`
     );
   }
@@ -5556,7 +5573,7 @@ function renderServerActivity(report, audience) {
     </div>
     ${trendChart}
     ${operatorRows ? `<div class="chart-card"><h3>Per AI operator</h3>
-      <p class="meta">Verified means rDNS-confirmed. Unverified bots claim the user-agent but couldn't be verified \u2014 could be the real bot or an imitator. User fetches are on-demand reads from an AI surface on behalf of a real user (ChatGPT-User, Perplexity-User, \u2026) \u2014 disjoint from bulk crawl.</p>
+      <p class="meta">Verified means the request's source IP falls inside the operator's published range. Unverified bots claim the user-agent but the IP is not in a published range, so it could be the real bot or an imitator. User fetches are on-demand reads from an AI surface on behalf of a real user (ChatGPT-User, Perplexity-User, \u2026), disjoint from bulk crawl and counted whether or not the IP can be verified.</p>
       <table class="report-table">
         <thead><tr><th>Operator</th><th class="numeric">Verified hits</th><th class="numeric">Unverified</th><th class="numeric">User fetches</th><th class="numeric">Referral sessions</th><th class="numeric">7d delta</th></tr></thead>
         <tbody>${operatorRows}</tbody>
@@ -5707,8 +5724,8 @@ function renderOpportunities(report) {
     </article>`).join("")}
   </div>`;
   const rows = opps.slice(0, 10).map((o) => {
-    const ourPage = o.ourBestPage ? `<a href="${escapeHtml(absolutizeProjectUrl(o.ourBestPage.url, canonical))}">${escapeHtml(o.ourBestPage.url)}</a>` : '<span class="cell-not-cited">No page yet</span>';
-    const winning = o.winningCompetitor ? `<a href="${escapeHtml(o.winningCompetitor.url)}">${escapeHtml(o.winningCompetitor.domain)}</a>` : '<span class="cell-not-cited">\u2014</span>';
+    const ourPage = o.ourBestPage ? `<a href="${safeHref(absolutizeProjectUrl(o.ourBestPage.url, canonical))}" target="_blank" rel="noopener noreferrer">${escapeHtml(o.ourBestPage.url)}</a>` : '<span class="cell-not-cited">No page yet</span>';
+    const winning = o.winningCompetitor ? `<a href="${safeHref(o.winningCompetitor.url)}" target="_blank" rel="noopener noreferrer">${escapeHtml(o.winningCompetitor.domain)}</a>` : '<span class="cell-not-cited">\u2014</span>';
     const drivers = o.drivers.length > 0 ? `<ul class="driver-list">${o.drivers.map((d) => `<li>${escapeHtml(d)}</li>`).join("")}</ul>` : '<span class="cell-not-cited">No driver signal yet</span>';
     return `<tr>
       <td>${escapeHtml(o.query)}</td>
@@ -6026,10 +6043,12 @@ function renderReportHtml(report, opts = {}) {
     renderRecommendedNextSteps(report)
   ].join("\n");
   const json = escapeJsonForScript(JSON.stringify(report));
+  const csp = "default-src 'none'; style-src 'unsafe-inline'; img-src 'self' data: https:; font-src 'self' data: https:; connect-src 'none'; script-src 'none'; base-uri 'none'; form-action 'none'; frame-ancestors 'none'";
   return `<!DOCTYPE html>
 <html lang="en">
 <head>
 <meta charset="utf-8" />
+<meta http-equiv="Content-Security-Policy" content="${csp}" />
 <meta name="viewport" content="width=device-width, initial-scale=1" />
 <title>${escapeHtml(title)}</title>
 <style>${STYLE}</style>
@@ -11392,7 +11411,7 @@ var routeCatalog = [
     method: "post",
     path: "/api/v1/projects/{name}/traffic/connect/vercel",
     summary: "Connect a Vercel traffic source",
-    description: "Probes Vercel's internal `request-logs` endpoint with the supplied API token (single page, 60-minute window) before persisting. On success, stores the token in `~/.canonry/config.yaml` and creates / updates the project's active Vercel `traffic_sources` row. A probe failure (bad token, wrong project / team id, unreachable host) surfaces as 502 with the upstream status in the message so the caller learns about it up front instead of at the first sync. The project id, team id, and environment are stored as non-secret config on the row; only the API token lives in the credential file.",
+    description: "Probes Vercel's internal `request-logs` endpoint with the supplied personal access token (single page, 60-minute window) before persisting. On success, stores the token in `~/.canonry/config.yaml` and creates / updates the project's active Vercel `traffic_sources` row. A probe failure (bad token, wrong project / team id, unreachable host) surfaces as 502 with the upstream status in the message so the caller learns about it up front instead of at the first sync. The project id, team id, and environment are stored as non-secret config on the row; only the personal access token lives in the credential file.",
     tags: ["traffic"],
     parameters: [nameParameter],
     requestBody: {
@@ -11404,8 +11423,8 @@ var routeCatalog = [
             required: ["projectId", "teamId", "token"],
             properties: {
               projectId: { ...stringSchema, description: "Vercel project id (e.g. `prj_...`) \u2014 from the Vercel dashboard or `.vercel/project.json`." },
-              teamId: { ...stringSchema, description: "Vercel team / owner id (e.g. `team_...`)." },
-              token: { ...stringSchema, description: "Vercel API token (personal access token). Stored in `~/.canonry/config.yaml`, never the DB or response." },
+              teamId: { ...stringSchema, description: "Vercel team or account id: the org that owns the project (`orgId` in `.vercel/project.json`)." },
+              token: { ...stringSchema, description: "Vercel personal access token. Stored in `~/.canonry/config.yaml`, never the DB or response." },
               environment: { type: "string", enum: ["production", "preview"], description: "Which deployment environment's request logs to pull. Default: `production`." },
               displayName: stringSchema
             }
@@ -11454,7 +11473,7 @@ var routeCatalog = [
     method: "post",
     path: "/api/v1/projects/{name}/traffic/sources/{id}/backfill",
     summary: "Reclassify historical traffic-source logs",
-    description: 'Async one-shot backfill: pulls the last `days` of events (clamped server-side to the upstream retention ceiling \u2014 30d for Cloud Logging `_Default`; the WordPress plugin honours the same window via `since`/`until` query params), classifies them with the current rules, and replaces the hourly rollup buckets + sample slice in the window inside one transaction. Returns immediately with `{ runId, status: "running" }`; poll `GET /runs/{id}` for completion. lastSyncedAt only advances forward, so a backfill never undoes incremental sync progress that ran ahead of it. Supported source types: `cloud-run`, `wordpress`.',
+    description: 'Async one-shot backfill: pulls the last `days` of events (clamped server-side to the upstream retention ceiling \u2014 30d for Cloud Logging `_Default`; the WordPress plugin honours the same window via `since`/`until` query params), classifies them with the current rules, and replaces the hourly rollup buckets + sample slice in the window inside one transaction. Returns immediately with `{ runId, status: "running" }`; poll `GET /runs/{id}` for completion. lastSyncedAt only advances forward, so a backfill never undoes incremental sync progress that ran ahead of it. Supported source types: `cloud-run`, `wordpress`, `vercel`.',
     tags: ["traffic"],
     parameters: [
       nameParameter,
@@ -11885,6 +11904,7 @@ function buildOperationId(method, path16) {
 }
 
 // ../api-routes/src/settings.ts
+var SETTINGS_WRITE_SCOPE = "settings.write";
 async function settingsRoutes(app, opts) {
   app.get("/settings", async () => ({
     providers: opts.providerSummary ?? [],
@@ -11892,6 +11912,7 @@ async function settingsRoutes(app, opts) {
     bing: opts.bing ?? { configured: false }
   }));
   app.put("/settings/providers/:name", async (request) => {
+    requireScope(request, SETTINGS_WRITE_SCOPE);
     const { apiKey, baseUrl, model, quota } = request.body ?? {};
     const name = request.params.name;
     const adapters = opts.providerAdapters ?? [];
@@ -11950,6 +11971,7 @@ async function settingsRoutes(app, opts) {
     return result;
   });
   app.put("/settings/google", async (request) => {
+    requireScope(request, SETTINGS_WRITE_SCOPE);
     const { clientId, clientSecret } = request.body ?? {};
     if (!clientId || typeof clientId !== "string" || !clientSecret || typeof clientSecret !== "string") {
       throw validationError("clientId and clientSecret are required");
@@ -11964,6 +11986,7 @@ async function settingsRoutes(app, opts) {
     return result;
   });
   app.put("/settings/bing", async (request) => {
+    requireScope(request, SETTINGS_WRITE_SCOPE);
     const { apiKey } = request.body ?? {};
     if (!apiKey || typeof apiKey !== "string") {
       throw validationError("apiKey is required");
@@ -13482,7 +13505,14 @@ async function googleRoutes(app, opts) {
     }
     const scopes = type === "gsc" ? [GSC_SCOPE, INDEXING_SCOPE] : [GA4_SCOPE];
     const stateEncoded = buildSignedState(
-      { domain: project.canonicalDomain, type, propertyId, redirectUri },
+      {
+        projectId: project.id,
+        projectName: project.name,
+        domain: project.canonicalDomain,
+        type,
+        propertyId,
+        redirectUri
+      },
       stateSecret
     );
     const authUrl = getAuthUrl(googleClientId, redirectUri, scopes, stateEncoded);
@@ -13529,7 +13559,19 @@ async function googleRoutes(app, opts) {
     if (!stateData) {
       return reply.status(400).send("Invalid or tampered state parameter");
     }
-    const { domain, type, propertyId, redirectUri } = stateData;
+    const { domain, type, propertyId, redirectUri, projectId, projectName } = stateData;
+    if (!projectId) {
+      return reply.status(400).send("Stale OAuth state \u2014 restart the connect flow.");
+    }
+    const project = app.db.select().from(projects).where(eq19(projects.id, projectId)).get();
+    if (!project) {
+      return reply.status(400).send("Project no longer exists. Restart the connect flow.");
+    }
+    if (project.canonicalDomain.toLowerCase() !== domain.toLowerCase()) {
+      return reply.status(400).send(
+        `Project "${projectName ?? project.name}" canonical domain changed since this OAuth flow started. Expected "${domain}", got "${project.canonicalDomain}". Restart the connect flow.`
+      );
+    }
     let tokens;
     try {
       tokens = await exchangeCode(googleClientId, googleClientSecret, code, redirectUri);
@@ -13550,6 +13592,11 @@ async function googleRoutes(app, opts) {
     const now = (/* @__PURE__ */ new Date()).toISOString();
     const expiresAt = new Date(Date.now() + tokens.expires_in * 1e3).toISOString();
     const existing = store.getConnection(domain, type);
+    if (existing && existing.createdByProjectId && existing.createdByProjectId !== projectId) {
+      return reply.status(403).send(
+        `This domain already has a Google ${String(type).toUpperCase()} connection owned by another project. Disconnect it from that project first (DELETE /api/v1/projects/<owner>/google/connections/${escapeHtml2(String(type))}) before re-connecting from "${escapeHtml2(projectName ?? "")}".`
+      );
+    }
     store.upsertConnection({
       domain,
       connectionType: type,
@@ -13558,6 +13605,9 @@ async function googleRoutes(app, opts) {
       refreshToken: tokens.refresh_token ?? existing?.refreshToken ?? null,
       tokenExpiresAt: expiresAt,
       scopes: tokens.scope?.split(" ") ?? [],
+      // Stamp ownership on first write; subsequent same-project re-connects
+      // preserve it.
+      createdByProjectId: existing?.createdByProjectId ?? projectId,
       createdAt: existing?.createdAt ?? now,
       updatedAt: now
     });
@@ -13586,16 +13636,26 @@ async function googleRoutes(app, opts) {
   app.delete("/projects/:name/google/connections/:type", async (request, reply) => {
     const store = requireConnectionStore();
     const project = resolveProject(app.db, request.params.name);
-    const deleted = store.deleteConnection(project.canonicalDomain, request.params.type);
+    const type = request.params.type;
+    const existing = store.getConnection(project.canonicalDomain, type);
+    if (!existing) {
+      throw notFound("Google connection", type);
+    }
+    if (existing.createdByProjectId && existing.createdByProjectId !== project.id) {
+      throw validationError(
+        `This Google ${type.toUpperCase()} connection is owned by a different project. Disconnect from the owning project instead.`
+      );
+    }
+    const deleted = store.deleteConnection(project.canonicalDomain, type);
     if (!deleted) {
-      throw notFound("Google connection", request.params.type);
+      throw notFound("Google connection", type);
     }
     writeAuditLog(app.db, {
       projectId: project.id,
       actor: "api",
       action: "google.disconnected",
       entityType: "google_connection",
-      entityId: request.params.type
+      entityId: type
     });
     return reply.status(204).send();
   });
@@ -14342,10 +14402,16 @@ async function bingRoutes(app, opts) {
     }
     const now = (/* @__PURE__ */ new Date()).toISOString();
     const existing = store.getConnection(project.canonicalDomain);
+    if (existing && existing.createdByProjectId && existing.createdByProjectId !== project.id) {
+      throw validationError(
+        `This domain already has a Bing connection owned by another project. Disconnect it from that project first before re-connecting from "${project.name}".`
+      );
+    }
     store.upsertConnection({
       domain: project.canonicalDomain,
       apiKey,
       siteUrl: existing?.siteUrl ?? null,
+      createdByProjectId: existing?.createdByProjectId ?? project.id,
       createdAt: existing?.createdAt ?? now,
       updatedAt: now
     });
@@ -14366,6 +14432,15 @@ async function bingRoutes(app, opts) {
   app.delete("/projects/:name/bing/disconnect", async (request, reply) => {
     const store = requireConnectionStore();
     const project = resolveProject(app.db, request.params.name);
+    const existing = store.getConnection(project.canonicalDomain);
+    if (!existing) {
+      throw notFound("Bing connection", project.canonicalDomain);
+    }
+    if (existing.createdByProjectId && existing.createdByProjectId !== project.id) {
+      throw validationError(
+        `This Bing connection is owned by a different project. Disconnect from the owning project instead.`
+      );
+    }
     const deleted = store.deleteConnection(project.canonicalDomain);
     if (!deleted) {
       throw notFound("Bing connection", project.canonicalDomain);
@@ -14775,6 +14850,7 @@ async function cdpRoutes(app, opts) {
     return reply.type("image/png").send(stream);
   });
   app.put("/settings/cdp", async (request, reply) => {
+    requireScope(request, SETTINGS_WRITE_SCOPE);
     if (!opts.onCdpConfigure) {
       const err = notImplemented("CDP configuration not supported in this deployment");
       return reply.code(err.statusCode).send(err.toJSON());
@@ -18085,6 +18161,7 @@ async function backlinksRoutes(app, opts) {
 
 // ../api-routes/src/traffic.ts
 import crypto21 from "crypto";
+import { Agent as UndiciAgent } from "undici";
 import { and as and19, desc as desc13, eq as eq24, gte as gte3, lte as lte2, sql as sql10 } from "drizzle-orm";
 
 // ../integration-cloud-run/src/auth.ts
@@ -21260,6 +21337,9 @@ function incrementBucket(map, key, fields) {
   else map.set(key, { fields, hits: 1 });
 }
 
+// ../integration-wordpress-traffic/src/client.ts
+import { randomUUID } from "crypto";
+
 // ../integration-wordpress-traffic/src/normalize.ts
 function trimOrNull(value) {
   if (value === null || value === void 0) return null;
@@ -21290,7 +21370,7 @@ function normalizeWordpressTrafficEvent(event) {
     queryString,
     status: typeof event.status === "number" && Number.isFinite(event.status) ? event.status : null,
     userAgent: trimOrNull(event.user_agent),
-    remoteIp: trimOrNull(event.remote_ip_hash),
+    remoteIp: trimOrNull(event.remote_ip),
     referer: trimOrNull(event.referer),
     latencyMs: null,
     requestSizeBytes: null,
@@ -21361,6 +21441,7 @@ async function listWordpressTrafficEvents(options) {
   let skippedEntryCount = 0;
   let hasMore = false;
   const events = [];
+  const dispatcher = options.dispatcher;
   for (let page = 0; page < maxPages; page += 1) {
     const url = new URL(endpoint);
     url.searchParams.set("limit", String(pageSize));
@@ -21373,14 +21454,20 @@ async function listWordpressTrafficEvents(options) {
     if (options.until !== void 0 && options.until !== "") {
       url.searchParams.set("until", options.until);
     }
-    const response = await fetch(url, {
+    url.searchParams.set("_cb", randomUUID());
+    const fetchInit = {
       method: "GET",
       headers: {
         Authorization: authHeader,
-        Accept: "application/json"
+        Accept: "application/json",
+        "Cache-Control": "no-cache"
       },
       signal: AbortSignal.timeout(timeoutMs)
-    });
+    };
+    if (dispatcher !== void 0) {
+      fetchInit.dispatcher = dispatcher;
+    }
+    const response = await fetch(url, fetchInit);
     if (!response.ok) {
       const body2 = await readErrorBody2(response);
       throw new WordpressTrafficApiError(
@@ -21594,6 +21681,62 @@ async function listVercelTrafficEvents(options) {
   };
 }
 
+// ../integration-vercel/src/drain.ts
+var MIN_SUB_WINDOW_MS = 6e4;
+function toMs(value) {
+  return typeof value === "number" ? value : value.getTime();
+}
+async function drainVercelTrafficEvents(options) {
+  const startMs = toMs(options.startDate);
+  const endMs = toMs(options.endDate);
+  const events = [];
+  const seenEventIds = /* @__PURE__ */ new Set();
+  if (endMs <= startMs) return { events, subWindowCount: 0 };
+  let cursorMs = startMs;
+  let spanMs = endMs - startMs;
+  let subWindowCount = 0;
+  while (cursorMs < endMs) {
+    if (subWindowCount >= options.maxSubWindows) {
+      throw new Error(
+        `Vercel window not drained within ${options.maxSubWindows} sub-windows \u2014 narrow the time range`
+      );
+    }
+    const subEndMs = Math.min(cursorMs + spanMs, endMs);
+    const page = await options.pull({
+      token: options.token,
+      projectId: options.projectId,
+      teamId: options.teamId,
+      environment: options.environment,
+      startDate: cursorMs,
+      endDate: subEndMs,
+      maxPages: options.pagesPerSubWindow
+    });
+    subWindowCount += 1;
+    if (page.hasMore) {
+      const subSpanMs = subEndMs - cursorMs;
+      if (subSpanMs <= MIN_SUB_WINDOW_MS) {
+        throw new Error(
+          `Vercel window holds more than ${options.pagesPerSubWindow} pages within a ${MIN_SUB_WINDOW_MS / 6e4}-minute slice \u2014 cannot subdivide further`
+        );
+      }
+      spanMs = Math.max(Math.floor(subSpanMs / 2), MIN_SUB_WINDOW_MS);
+      continue;
+    }
+    for (const event of page.events) {
+      if (!seenEventIds.has(event.eventId)) {
+        seenEventIds.add(event.eventId);
+        events.push(event);
+      }
+    }
+    cursorMs = subEndMs;
+    const remainingMs = endMs - cursorMs;
+    if (remainingMs > 0) {
+      spanMs = Math.min(spanMs * 2, remainingMs);
+    }
+  }
+  return { events, subWindowCount };
+}
+
 // ../api-routes/src/traffic.ts
 var DEFAULT_SYNC_WINDOW_MINUTES = 43200;
 var DEFAULT_PAGE_SIZE3 = 1e3;
@@ -21602,6 +21745,7 @@ var DEFAULT_SAMPLE_LIMIT2 = 100;
 var DEFAULT_WP_PAGE_SIZE = 500;
 var DEFAULT_WP_MAX_PAGES = 20;
 var DEFAULT_VERCEL_MAX_PAGES = 50;
+var VERCEL_MAX_SUB_WINDOWS = 5e3;
 var MAX_TRACKED_EVENT_IDS = 1e3;
 var DEFAULT_BACKFILL_DAYS = 30;
 var MAX_BACKFILL_DAYS = 90;
@@ -21807,6 +21951,30 @@ async function trafficRoutes(app, opts) {
   const resolveAccessToken2 = opts.resolveCloudRunAccessToken ?? defaultResolveAccessToken;
   const pullWordpressEvents = opts.pullWordpressTrafficEvents ?? listWordpressTrafficEvents;
   const pullVercelEvents = opts.pullVercelTrafficEvents ?? listVercelTrafficEvents;
+  const allowLoopback = opts.allowLoopbackWebhooks === true;
+  async function assertWordpressTargetAllowed(baseUrl) {
+    const check = await resolveWebhookTarget(baseUrl, { allowLoopback });
+    if (!check.ok) {
+      throw validationError(`WordPress baseUrl rejected: ${check.message}`);
+    }
+    const { address, family } = check.target;
+    return new UndiciAgent({
+      connect: {
+        lookup: (_hostname, _options, cb) => {
+          cb(null, address, family === 6 ? 6 : 4);
+        }
+      }
+    });
+  }
+  async function withPinnedWordpressDispatcher(baseUrl, fn) {
+    const dispatcher = await assertWordpressTargetAllowed(baseUrl);
+    try {
+      return await fn(dispatcher);
+    } finally {
+      await dispatcher.close().catch(() => {
+      });
+    }
+  }
   const vercelMaxPages = opts.defaultVercelMaxPages ?? DEFAULT_VERCEL_MAX_PAGES;
   const syncWindowMinutes = opts.defaultSyncWindowMinutes ?? DEFAULT_SYNC_WINDOW_MINUTES;
   const pageSize = opts.defaultPageSize ?? DEFAULT_PAGE_SIZE3;
@@ -21905,23 +22073,26 @@ async function trafficRoutes(app, opts) {
       throw validationError(parsed.error.issues.map((i) => i.message).join("; "));
     }
     const { baseUrl, username, applicationPassword, displayName } = parsed.data;
-    try {
-      await pullWordpressEvents({
-        baseUrl,
-        username,
-        applicationPassword,
-        pageSize: 1,
-        maxPages: 1
-      });
-    } catch (e) {
-      if (e instanceof WordpressTrafficApiError) {
-        throw providerError(
-          `WordPress traffic probe failed (HTTP ${e.status}): ${e.message}${e.body ? ` \u2014 ${e.body}` : ""}`
-        );
+    await withPinnedWordpressDispatcher(baseUrl, async (dispatcher) => {
+      try {
+        await pullWordpressEvents({
+          baseUrl,
+          username,
+          applicationPassword,
+          pageSize: 1,
+          maxPages: 1,
+          dispatcher
+        });
+      } catch (e) {
+        if (e instanceof WordpressTrafficApiError) {
+          throw providerError(
+            `WordPress traffic probe failed (HTTP ${e.status}): ${e.message}${e.body ? ` \u2014 ${e.body}` : ""}`
+          );
+        }
+        const msg = e instanceof Error ? e.message : String(e);
+        throw providerError(`WordPress traffic probe failed: ${msg}`);
       }
-      const msg = e instanceof Error ? e.message : String(e);
-      throw providerError(`WordPress traffic probe failed: ${msg}`);
-    }
+    });
     const now = (/* @__PURE__ */ new Date()).toISOString();
     const existing = credentialStore.getConnection(project.name);
     credentialStore.upsertConnection({
@@ -22171,6 +22342,14 @@ async function trafficRoutes(app, opts) {
       windowStart = sourceRow.lastSyncedAt ? new Date(sourceRow.lastSyncedAt) : windowEnd;
       const wpPageSize = opts.defaultWordpressPageSize ?? DEFAULT_WP_PAGE_SIZE;
       const wpMaxPages = opts.defaultWordpressMaxPages ?? DEFAULT_WP_MAX_PAGES;
+      let pinnedDispatcher;
+      try {
+        pinnedDispatcher = await assertWordpressTargetAllowed(credential.baseUrl);
+      } catch (e) {
+        const msg = e instanceof Error ? e.message : String(e);
+        markFailed(msg, "PROVIDER_PULL");
+        throw e;
+      }
       const collected = [];
       let cursor = sourceRow.lastCursor ?? void 0;
       try {
@@ -22181,7 +22360,8 @@ async function trafficRoutes(app, opts) {
             applicationPassword: credential.applicationPassword,
             cursor,
             pageSize: wpPageSize,
-            maxPages: 1
+            maxPages: 1,
+            dispatcher: pinnedDispatcher
           });
           collected.push(...pageResult.events);
           const previousCursor = cursor;
@@ -22195,6 +22375,9 @@ async function trafficRoutes(app, opts) {
         const msg = e instanceof Error ? e.message : String(e);
         markFailed(msg, "PROVIDER_PULL");
         throw providerError(`WordPress pull failed: ${msg}`);
+      } finally {
+        await pinnedDispatcher.close().catch(() => {
+        });
       }
     } else {
       auditAction = "traffic.vercel.synced";
@@ -22221,28 +22404,24 @@ async function trafficRoutes(app, opts) {
       windowStart = new Date(
         Math.min(windowEnd.getTime(), Math.max(requestedStartMs, lastSyncedMs))
       );
-      let page;
       try {
-        page = await pullVercelEvents({
+        const drained = await drainVercelTrafficEvents({
+          pull: pullVercelEvents,
           token: credential.token,
           projectId: vercelProjectId,
           teamId: vercelTeamId,
           environment: vercelEnvironment,
           startDate: windowStart.getTime(),
           endDate: windowEnd.getTime(),
-          maxPages: vercelMaxPages
+          pagesPerSubWindow: vercelMaxPages,
+          maxSubWindows: VERCEL_MAX_SUB_WINDOWS
         });
+        allEvents = drained.events;
       } catch (e) {
         const msg = e instanceof Error ? e.message : String(e);
         markFailed(msg, "PROVIDER_PULL");
         throw providerError(`Vercel pull failed: ${msg}`);
       }
-      if (page.hasMore) {
-        const msg = `Vercel sync window exceeded the ${vercelMaxPages}-page budget \u2014 narrow the window with --since-minutes or run a backfill`;
-        markFailed(msg, "PROVIDER_PULL");
-        throw providerError(`Vercel pull failed: ${msg}`);
-      }
-      allEvents = page.events;
     }
     let crawlerBucketRows = 0;
     let aiUserFetchBucketRows = 0;
@@ -22529,33 +22708,42 @@ async function trafficRoutes(app, opts) {
           `No WordPress credential found for project "${project.name}". Run "canonry traffic connect wordpress" first.`
         );
       }
+      await (await assertWordpressTargetAllowed(credential.baseUrl)).close().catch(() => {
+      });
       const wpPageSize = opts.defaultWordpressPageSize ?? DEFAULT_WP_PAGE_SIZE;
       pullErrorPrefix = "WordPress pull failed";
       pullForBackfill = async () => {
-        const collected = [];
-        const windowStartIso = windowStart.toISOString();
-        const windowEndIso = windowEnd.toISOString();
-        let cursor = void 0;
-        for (let page = 0; page < BACKFILL_MAX_PAGES; page += 1) {
-          const pageResult = await pullWordpressEvents({
-            baseUrl: credential.baseUrl,
-            username: credential.username,
-            applicationPassword: credential.applicationPassword,
-            cursor,
-            pageSize: wpPageSize,
-            // Each call fetches a single page; the for-loop drives
-            // continuation. Matches the WP sync path's pattern.
-            maxPages: 1,
-            since: windowStartIso,
-            until: windowEndIso
+        const pinnedDispatcher = await assertWordpressTargetAllowed(credential.baseUrl);
+        try {
+          const collected = [];
+          const windowStartIso = windowStart.toISOString();
+          const windowEndIso = windowEnd.toISOString();
+          let cursor = void 0;
+          for (let page = 0; page < BACKFILL_MAX_PAGES; page += 1) {
+            const pageResult = await pullWordpressEvents({
+              baseUrl: credential.baseUrl,
+              username: credential.username,
+              applicationPassword: credential.applicationPassword,
+              cursor,
+              pageSize: wpPageSize,
+              // Each call fetches a single page; the for-loop drives
+              // continuation. Matches the WP sync path's pattern.
+              maxPages: 1,
+              since: windowStartIso,
+              until: windowEndIso,
+              dispatcher: pinnedDispatcher
+            });
+            collected.push(...pageResult.events);
+            const previousCursor = cursor;
+            cursor = pageResult.nextCursor;
+            if (!pageResult.hasMore) break;
+            if (!cursor || cursor === previousCursor) break;
+          }
+          return collected;
+        } finally {
+          await pinnedDispatcher.close().catch(() => {
           });
-          collected.push(...pageResult.events);
-          const previousCursor = cursor;
-          cursor = pageResult.nextCursor;
-          if (!pageResult.hasMore) break;
-          if (!cursor || cursor === previousCursor) break;
         }
-        return collected;
       };
     } else {
       const credentialStore = opts.vercelTrafficCredentialStore;
@@ -22574,21 +22762,18 @@ async function trafficRoutes(app, opts) {
       const vercelEnvironment = config.environment ?? credential.environment;
       pullErrorPrefix = "Vercel pull failed";
       pullForBackfill = async () => {
-        const page = await pullVercelEvents({
+        const drained = await drainVercelTrafficEvents({
+          pull: pullVercelEvents,
           token: credential.token,
           projectId: vercelProjectId,
           teamId: vercelTeamId,
           environment: vercelEnvironment,
           startDate: windowStart.getTime(),
           endDate: windowEnd.getTime(),
-          maxPages: BACKFILL_MAX_PAGES
+          pagesPerSubWindow: vercelMaxPages,
+          maxSubWindows: VERCEL_MAX_SUB_WINDOWS
         });
-        if (page.hasMore) {
-          throw new Error(
-            `backfill window exceeded the ${BACKFILL_MAX_PAGES}-page budget \u2014 narrow the window with --days`
-          );
-        }
-        return page.events;
+        return drained.events;
       };
     }
     const startedAt = windowEnd.toISOString();
@@ -23899,6 +24084,76 @@ var TRAFFIC_SOURCE_CHECKS = [
   scopesCheck2
 ];
 
+// ../api-routes/src/doctor/checks/wordpress-publish.ts
+var WORDPRESS_PUBLISH_CHECKS = [
+  {
+    id: "wordpress.publish.connection",
+    category: CheckCategories.auth,
+    scope: CheckScopes.project,
+    title: "WordPress publishing connection",
+    run: async (ctx) => {
+      if (!ctx.project) {
+        return {
+          status: CheckStatuses.skipped,
+          code: "wordpress.publish.no-project",
+          summary: "Project context required.",
+          remediation: null
+        };
+      }
+      const store = ctx.wordpressConnectionStore;
+      if (!store) {
+        return {
+          status: CheckStatuses.skipped,
+          code: "wordpress.publish.store-unavailable",
+          summary: "WordPress connection store is not configured for this deployment.",
+          remediation: null
+        };
+      }
+      const connection = store.getConnection(ctx.project.name);
+      if (!connection) {
+        return {
+          status: CheckStatuses.skipped,
+          code: "wordpress.publish.not-configured",
+          summary: `No WordPress publishing connection configured for ${ctx.project.name}.`,
+          remediation: `If this project publishes to WordPress, run \`canonry wordpress connect ${ctx.project.name} --url <url> --user <user>\`.`
+        };
+      }
+      try {
+        const status = await verifyWordpressConnection(connection);
+        return {
+          status: CheckStatuses.ok,
+          code: "wordpress.publish.connected",
+          summary: `WordPress publishing connection verified; wp/v2 REST API reachable at ${status.url}.`,
+          remediation: null,
+          details: {
+            url: status.url,
+            wordpressVersion: status.version,
+            pageCount: status.pageCount
+          }
+        };
+      } catch (err) {
+        if (err instanceof WordpressApiError && err.code === "AUTH_INVALID") {
+          return {
+            status: CheckStatuses.fail,
+            code: "wordpress.publish.unauthorized",
+            summary: "WordPress rejected the stored application password.",
+            remediation: `Regenerate the Application Password in wp-admin (Users \u2192 Profile \u2192 Application Passwords), then reconnect with \`canonry wordpress connect ${ctx.project.name} --url <url> --user <user>\`.`,
+            details: { error: err.message }
+          };
+        }
+        const message = err instanceof Error ? err.message : String(err);
+        return {
+          status: CheckStatuses.fail,
+          code: "wordpress.publish.verification-failed",
+          summary: "WordPress publishing connection could not be verified.",
+          remediation: "Confirm the site URL is correct and the WordPress REST API is reachable.",
+          details: { error: message }
+        };
+      }
+    }
+  }
+];
+
 // ../api-routes/src/doctor/registry.ts
 var ALL_CHECKS = [
   // Runtime-state checks run first so file-system gone errors surface
@@ -23906,6 +24161,7 @@ var ALL_CHECKS = [
   ...RUNTIME_STATE_CHECKS,
   ...GOOGLE_AUTH_CHECKS,
   ...BING_AUTH_CHECKS,
+  ...WORDPRESS_PUBLISH_CHECKS,
   ...GA_AUTH_CHECKS,
   ...PROVIDERS_CHECKS,
   ...TRAFFIC_SOURCE_CHECKS,
@@ -23990,6 +24246,7 @@ async function doctorRoutes(app, opts) {
       project: null,
       googleConnectionStore: opts.googleConnectionStore,
       bingConnectionStore: opts.bingConnectionStore,
+      wordpressConnectionStore: opts.wordpressConnectionStore,
       ga4CredentialStore: opts.ga4CredentialStore,
       getGoogleAuthConfig: opts.getGoogleAuthConfig,
       redirectUri,
@@ -24012,6 +24269,7 @@ async function doctorRoutes(app, opts) {
       },
       googleConnectionStore: opts.googleConnectionStore,
       bingConnectionStore: opts.bingConnectionStore,
+      wordpressConnectionStore: opts.wordpressConnectionStore,
       ga4CredentialStore: opts.ga4CredentialStore,
       getGoogleAuthConfig: opts.getGoogleAuthConfig,
       redirectUri,
@@ -24623,7 +24881,8 @@ async function apiRoutes(app, opts) {
       pullWordpressTrafficEvents: opts.pullWordpressTrafficEvents,
       vercelTrafficCredentialStore: opts.vercelTrafficCredentialStore,
       pullVercelTrafficEvents: opts.pullVercelTrafficEvents,
-      onTrafficSynced: opts.onTrafficSynced
+      onTrafficSynced: opts.onTrafficSynced,
+      allowLoopbackWebhooks: opts.allowLoopbackWebhooks
     });
     await api.register(backlinksRoutes, {
       getBacklinksStatus: opts.getBacklinksStatus,
@@ -24640,6 +24899,7 @@ async function apiRoutes(app, opts) {
     await api.register(doctorRoutes, {
       googleConnectionStore: opts.googleConnectionStore,
       bingConnectionStore: opts.bingConnectionStore,
+      wordpressConnectionStore: opts.wordpressConnectionStore,
       ga4CredentialStore: opts.ga4CredentialStore,
       getGoogleAuthConfig: opts.getGoogleAuthConfig,
       publicUrl: opts.publicUrl,
@@ -27172,7 +27432,8 @@ function upsertGoogleConnection(config, connection) {
     sitemapUrl: connection.sitemapUrl ?? null,
     refreshToken: connection.refreshToken ?? null,
     tokenExpiresAt: connection.tokenExpiresAt ?? null,
-    scopes: connection.scopes ?? []
+    scopes: connection.scopes ?? [],
+    createdByProjectId: connection.createdByProjectId ?? null
   };
   if (index === -1) {
     connections.push(normalized);
@@ -29802,7 +30063,7 @@ function readStoredGroundingSources(rawResponse) {
   return result;
 }
 async function backfillInsightsCommand(project, opts) {
-  const { IntelligenceService: IntelligenceService2 } = await import("./intelligence-service-OCREQUCQ.js");
+  const { IntelligenceService: IntelligenceService2 } = await import("./intelligence-service-NKAEHHJ5.js");
   const config = loadConfig();
   const db = createClient(config.database);
   migrate(db);
@@ -32957,6 +33218,48 @@ function summarizeProviderConfig(provider, config) {
 function hashApiKey(key) {
   return crypto35.createHash("sha256").update(key).digest("hex");
 }
+var DASHBOARD_SCRYPT_KEYLEN = 64;
+var DASHBOARD_SCRYPT_COST = 1 << 15;
+var DASHBOARD_SCRYPT_MAXMEM = 64 * 1024 * 1024;
+function hashDashboardPassword(password) {
+  const salt = crypto35.randomBytes(16);
+  const derived = crypto35.scryptSync(password, salt, DASHBOARD_SCRYPT_KEYLEN, {
+    N: DASHBOARD_SCRYPT_COST,
+    maxmem: DASHBOARD_SCRYPT_MAXMEM
+  });
+  return `scrypt$1$${salt.toString("base64")}$${derived.toString("base64")}`;
+}
+function verifyDashboardPassword(password, storedHash) {
+  if (storedHash.startsWith("scrypt$1$")) {
+    const parts = storedHash.split("$");
+    if (parts.length !== 4) return { ok: false, needsRehash: false };
+    const saltB64 = parts[2];
+    const hashB64 = parts[3];
+    if (!saltB64 || !hashB64) return { ok: false, needsRehash: false };
+    let salt;
+    let expected;
+    try {
+      salt = Buffer.from(saltB64, "base64");
+      expected = Buffer.from(hashB64, "base64");
+    } catch {
+      return { ok: false, needsRehash: false };
+    }
+    const derived = crypto35.scryptSync(password, salt, expected.length, {
+      N: DASHBOARD_SCRYPT_COST,
+      maxmem: DASHBOARD_SCRYPT_MAXMEM
+    });
+    if (derived.length !== expected.length) return { ok: false, needsRehash: false };
+    return { ok: crypto35.timingSafeEqual(derived, expected), needsRehash: false };
+  }
+  if (/^[a-f0-9]{64}$/i.test(storedHash)) {
+    const candidate = Buffer.from(hashApiKey(password), "hex");
+    const expected = Buffer.from(storedHash, "hex");
+    if (candidate.length !== expected.length) return { ok: false, needsRehash: false };
+    const ok = crypto35.timingSafeEqual(candidate, expected);
+    return { ok, needsRehash: ok };
+  }
+  return { ok: false, needsRehash: false };
+}
 function parseCookies2(header) {
   if (!header) return {};
   return header.split(";").map((part) => part.trim()).filter(Boolean).reduce((cookies, part) => {
@@ -33185,13 +33488,14 @@ async function createServer(opts) {
       if (!opts.config.bing) opts.config.bing = {};
       if (!opts.config.bing.connections) opts.config.bing.connections = [];
       const idx = opts.config.bing.connections.findIndex((c) => c.domain === connection.domain);
+      const normalized = { ...connection, createdByProjectId: connection.createdByProjectId ?? null };
       if (idx >= 0) {
-        opts.config.bing.connections[idx] = connection;
+        opts.config.bing.connections[idx] = normalized;
       } else {
-        opts.config.bing.connections.push(connection);
+        opts.config.bing.connections.push(normalized);
       }
       saveConfigPatch(opts.config);
-      return connection;
+      return normalized;
     },
     updateConnection: (domain, patch) => {
       const conn = opts.config.bing?.connections?.find((c) => c.domain === domain);
@@ -33399,7 +33703,7 @@ async function createServer(opts) {
       const err = validationError("Password must be at least 8 characters");
       return reply.status(err.statusCode).send(err.toJSON());
     }
-    opts.config.dashboardPasswordHash = hashApiKey(password);
+    opts.config.dashboardPasswordHash = hashDashboardPassword(password);
     saveConfigPatch(opts.config);
     if (!createPasswordSession(reply)) {
       const err = authInvalid();
@@ -33415,9 +33719,14 @@ async function createServer(opts) {
         const err2 = validationError("No dashboard password configured \u2014 use /session/setup first");
         return reply.status(err2.statusCode).send(err2.toJSON());
       }
-      if (hashApiKey(password) !== opts.config.dashboardPasswordHash) {
+      const verification = verifyDashboardPassword(password, opts.config.dashboardPasswordHash);
+      if (!verification.ok) {
         return reply.status(401).send({ error: { code: "AUTH_INVALID", message: "Incorrect password" } });
       }
+      if (verification.needsRehash) {
+        opts.config.dashboardPasswordHash = hashDashboardPassword(password);
+        saveConfigPatch(opts.config);
+      }
       if (!createPasswordSession(reply)) {
         return reply.status(401).send({ error: { code: "AUTH_INVALID", message: "Server API key not found \u2014 re-run canonry init" } });
       }