@ainyc/canonry 4.54.0 → 4.55.3

package/dist/{chunk-J7MX3YOH.js → chunk-UOQ62KDD.js}

@@ -22,7 +22,7 @@ import {
   trafficConnectVercelRequestSchema,
   trafficConnectWordpressRequestSchema,
   trafficEventKindSchema
-} from "./chunk-VZPDBHBW.js";
+} from "./chunk-XHU35P3S.js";
 
 // src/config.ts
 import fs from "fs";
@@ -3564,9 +3564,14 @@ var ApiClient = class {
       })
     );
   }
-  async listRuns(project, limit) {
+  async listRuns(project, limit, kind) {
     return this.invoke(
-      () => getApiV1ProjectsByNameRuns({ client: this.heyClient, path: { name: project }, query: { limit } })
+      () => getApiV1ProjectsByNameRuns({
+        client: this.heyClient,
+        path: { name: project },
+        // kind arrives as a free CLI string; the server validates it against the enum.
+        query: { limit, kind }
+      })
     );
   }
   async getLatestRun(project) {

package/dist/{chunk-JHAHNKSN.js → chunk-XB6Y63NI.js}

@@ -9,8 +9,10 @@ import {
   categorizeSourceWithCompetitors,
   categoryLabel,
   determineAnswerMentioned,
-  normalizeProjectDomain
-} from "./chunk-VZPDBHBW.js";
+  effectiveDomains,
+  normalizeProjectDomain,
+  registrableDomain
+} from "./chunk-XHU35P3S.js";
 
 // src/intelligence-service.ts
 import { eq, desc, asc, and, ne, or, inArray } from "drizzle-orm";
@@ -243,10 +245,19 @@ var googleConnections = sqliteTable("google_connections", {
   propertyId: text("property_id"),
   sitemapUrl: text("sitemap_url"),
   scopes: text("scopes", { mode: "json" }).$type().notNull().default([]),
+  // The project that established this connection. Used by the OAuth callback
+  // and the DELETE route to refuse cross-project takeover (a malicious caller
+  // who points another project at the same `canonicalDomain` cannot overwrite
+  // or remove an existing connection owned by the original project). Nullable
+  // for legacy rows written before the column existed — those are treated as
+  // unowned and the first connect call to claim them succeeds. See root
+  // AGENTS.md "Deployment Posture" for the broader multi-tenancy posture.
+  createdByProjectId: text("created_by_project_id").references(() => projects.id, { onDelete: "set null" }),
   createdAt: text("created_at").notNull(),
   updatedAt: text("updated_at").notNull()
 }, (table) => [
-  uniqueIndex("idx_google_conn_domain_type").on(table.domain, table.connectionType)
+  uniqueIndex("idx_google_conn_domain_type").on(table.domain, table.connectionType),
+  index("idx_google_conn_project").on(table.createdByProjectId)
 ]);
 var gscSearchData = sqliteTable("gsc_search_data", {
   id: text("id").primaryKey(),
@@ -319,10 +330,16 @@ var bingConnections = sqliteTable("bing_connections", {
   id: text("id").primaryKey(),
   domain: text("domain").notNull(),
   siteUrl: text("site_url"),
+  // Same takeover-prevention column as `google_connections.createdByProjectId`.
+  // The Bing connect / disconnect routes refuse cross-project writes when an
+  // existing row's owner doesn't match. Null for legacy rows (treated as
+  // unowned).
+  createdByProjectId: text("created_by_project_id").references(() => projects.id, { onDelete: "set null" }),
   createdAt: text("created_at").notNull(),
   updatedAt: text("updated_at").notNull()
 }, (table) => [
-  uniqueIndex("idx_bing_conn_domain").on(table.domain)
+  uniqueIndex("idx_bing_conn_domain").on(table.domain),
+  index("idx_bing_conn_project").on(table.createdByProjectId)
 ]);
 var bingUrlInspections = sqliteTable("bing_url_inspections", {
   id: text("id").primaryKey(),
@@ -2157,6 +2174,68 @@ var MIGRATION_VERSIONS = [
       `DELETE FROM crawler_events_hourly WHERE bot_id = 'mistral-ai' AND sampled_user_agent LIKE '%MistralAI-User%'`,
       `UPDATE crawler_events_hourly SET bot_id = 'mistral-bot' WHERE bot_id = 'mistral-ai'`
     ]
+  },
+  {
+    version: 66,
+    name: "oauth-connections-track-owning-project",
+    // Cross-project OAuth takeover defense. Before this column, the OAuth
+    // callback for Google and the connect route for Bing keyed everything on
+    // `domain` alone — an attacker who created a project pointed at a victim's
+    // canonical domain could complete OAuth from their own Google/Bing account
+    // and silently overwrite the legitimate refresh token under that domain
+    // key. The new `created_by_project_id` column records the project that
+    // first established each connection; the callback and DELETE routes refuse
+    // cross-project writes when it doesn't match.
+    //
+    // Backfill: for each existing connection row, set the owner to the project
+    // whose `canonical_domain` matches AND whose `created_at` is oldest (the
+    // most likely original owner in a 1:N domain-shared install). Rows with no
+    // matching project stay NULL — treated as "unowned" so a future legitimate
+    // connect from any project can claim them.
+    //
+    // Uses the `run` hook so the schema-edit + backfill only fire when the
+    // target tables exist. The legacy-keyword test scenario seeds a DB at v46
+    // without google_connections / bing_connections (they're created in v6 but
+    // the test bypasses the bootstrap) — without the guard, this version's
+    // ALTER fails with "no such table".
+    //
+    // Idempotent: column-existence guard means re-running this version is a
+    // no-op; the backfill UPDATE only writes rows where the column is NULL.
+    statements: [],
+    run: (db) => {
+      if (tableExists(db, "google_connections") && !columnExists(db, "google_connections", "created_by_project_id")) {
+        db.run(sql.raw(
+          `ALTER TABLE google_connections ADD COLUMN created_by_project_id TEXT REFERENCES projects(id) ON DELETE SET NULL`
+        ));
+        db.run(sql.raw(`CREATE INDEX IF NOT EXISTS idx_google_conn_project ON google_connections(created_by_project_id)`));
+        db.run(sql.raw(
+          `UPDATE google_connections
+              SET created_by_project_id = (
+                SELECT p.id FROM projects p
+                 WHERE LOWER(p.canonical_domain) = LOWER(google_connections.domain)
+                 ORDER BY p.created_at ASC
+                 LIMIT 1
+              )
+            WHERE created_by_project_id IS NULL`
+        ));
+      }
+      if (tableExists(db, "bing_connections") && !columnExists(db, "bing_connections", "created_by_project_id")) {
+        db.run(sql.raw(
+          `ALTER TABLE bing_connections ADD COLUMN created_by_project_id TEXT REFERENCES projects(id) ON DELETE SET NULL`
+        ));
+        db.run(sql.raw(`CREATE INDEX IF NOT EXISTS idx_bing_conn_project ON bing_connections(created_by_project_id)`));
+        db.run(sql.raw(
+          `UPDATE bing_connections
+              SET created_by_project_id = (
+                SELECT p.id FROM projects p
+                 WHERE LOWER(p.canonical_domain) = LOWER(bing_connections.domain)
+                 ORDER BY p.created_at ASC
+                 LIMIT 1
+              )
+            WHERE created_by_project_id IS NULL`
+        ));
+      }
+    }
   }
 ];
 function isDuplicateColumnError(err) {
@@ -4079,6 +4158,172 @@ function createLogger(module) {
   };
 }
 
+// src/citation-utils.ts
+function domainMatches(domain, canonicalDomain) {
+  const normalized = normalizeProjectDomain(canonicalDomain);
+  const d = normalizeProjectDomain(domain);
+  return d === normalized || d.endsWith(`.${normalized}`);
+}
+function pickProjectCitedDomain(citedDomains, projectDomains) {
+  for (const cited of citedDomains) {
+    if (projectDomains.some((pd) => domainMatches(cited, pd))) return cited;
+  }
+  return void 0;
+}
+function determineCitationState(normalized, domains) {
+  for (const canonicalDomain of domains) {
+    const bareDomain = normalizeProjectDomain(canonicalDomain);
+    if (normalized.citedDomains.some((d) => domainMatches(d, bareDomain))) {
+      return "cited";
+    }
+    const lowerDomain = bareDomain.toLowerCase();
+    for (const source of normalized.groundingSources) {
+      try {
+        const uri = source.uri.toLowerCase();
+        if (lowerDomain.includes(".") && uri.includes(lowerDomain)) {
+          return "cited";
+        }
+      } catch {
+      }
+      if (source.title) {
+        const titleLower = source.title.toLowerCase().replace(/^www\./, "");
+        if (titleLower === lowerDomain || titleLower.endsWith(`.${lowerDomain}`)) {
+          return "cited";
+        }
+      }
+    }
+  }
+  return "not-cited";
+}
+function computeCompetitorOverlap(normalized, competitorDomains) {
+  const overlapSet = /* @__PURE__ */ new Set();
+  for (const d of normalized.citedDomains) {
+    for (const cd of competitorDomains) {
+      if (domainMatches(d, cd)) {
+        overlapSet.add(cd);
+      }
+    }
+  }
+  for (const source of normalized.groundingSources) {
+    const uri = source.uri.toLowerCase();
+    for (const cd of competitorDomains) {
+      if (uri.includes(cd.toLowerCase())) {
+        overlapSet.add(cd);
+      }
+    }
+  }
+  if (normalized.answerText) {
+    const lowerAnswer = normalized.answerText.toLowerCase();
+    for (const cd of competitorDomains) {
+      if (lowerAnswer.includes(cd.toLowerCase())) {
+        overlapSet.add(cd);
+      }
+      const brand = brandLabelFromDomain(cd);
+      if (brand.length >= 4 && new RegExp(`\\b${escapeRegExp(brand)}\\b`, "i").test(lowerAnswer)) {
+        overlapSet.add(cd);
+      }
+    }
+  }
+  return [...overlapSet];
+}
+function escapeRegExp(value) {
+  return value.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
+}
+function extractRecommendedCompetitors(answerText, ownDomains, citedDomains, competitorDomains, ownBrandNames = []) {
+  if (!answerText || answerText.length < 20) return [];
+  const ownBrandKeys = new Set(
+    ownDomains.flatMap((domain) => collectBrandKeysFromDomain(domain))
+  );
+  for (const name of ownBrandNames) {
+    const key = brandKeyFromText(name);
+    if (key.length >= 4) ownBrandKeys.add(key);
+  }
+  const knownCompetitorKeys = new Set(
+    [...citedDomains, ...competitorDomains].flatMap((domain) => collectBrandKeysFromDomain(domain)).filter((key) => !ownBrandKeys.has(key))
+  );
+  if (knownCompetitorKeys.size === 0) return [];
+  const candidatePatterns = [
+    /^\s*(?:[-*]|\d+\.)\s+(?:\*\*)?([A-Z0-9][A-Za-z0-9][\w\s.&',/()-]{1,50}?)(?:\*\*)?\s*[:\u2014\u2013-]/gm,
+    /\*\*([A-Z0-9][A-Za-z0-9][\w\s.&',/()-]{1,50})\*\*/g,
+    /^#{1,4}\s+(?:\d+\.\s+)?(?:\*\*)?([A-Z0-9][A-Za-z0-9][\w\s.&',/()-]{1,50}?)(?:\*\*)?$/gm,
+    /\[([A-Z0-9][A-Za-z0-9][\w\s.&',/()-]{1,50})\]\(https?:\/\/[^\s)]+\)/g
+  ];
+  const genericKeys = /* @__PURE__ */ new Set([
+    "additional",
+    "best",
+    "benefits",
+    "bottomline",
+    "comparison",
+    "conclusion",
+    "directorylisting",
+    "example",
+    "expertise",
+    "features",
+    "finalthoughts",
+    "howitworks",
+    "important",
+    "keybenefits",
+    "keyfeatures",
+    "major",
+    "note",
+    "notable",
+    "option",
+    "other",
+    "overview",
+    "pricing",
+    "pros",
+    "reviews",
+    "step",
+    "summary",
+    "top",
+    "verdict",
+    "whattolookfor",
+    "whyitmatters",
+    "whyitstandsout",
+    "whywechoseit"
+  ]);
+  const seen = /* @__PURE__ */ new Map();
+  for (const pattern of candidatePatterns) {
+    let match;
+    while ((match = pattern.exec(answerText)) !== null) {
+      const candidate = cleanCandidateName(match[1] ?? "");
+      const candidateKey = brandKeyFromText(candidate);
+      if (!candidateKey) continue;
+      if (genericKeys.has(candidateKey)) continue;
+      if (candidate.split(/\s+/).length > 6) continue;
+      if (matchesBrandKey(candidateKey, ownBrandKeys)) continue;
+      if (!matchesBrandKey(candidateKey, knownCompetitorKeys)) continue;
+      if (!seen.has(candidateKey)) seen.set(candidateKey, candidate);
+    }
+  }
+  return [...seen.values()].slice(0, 10);
+}
+function cleanCandidateName(candidate) {
+  return candidate.replace(/^[\s"'`]+|[\s"'`.,:;!?]+$/g, "").replace(/\s+/g, " ").trim();
+}
+function collectBrandKeysFromDomain(domain) {
+  const reg = registrableDomain(domain);
+  if (!reg) {
+    const hostname = normalizeProjectDomain(domain).split("/")[0] ?? "";
+    const fallback = hostname.replace(/[^a-z0-9]/gi, "").toLowerCase();
+    return fallback.length >= 4 ? [fallback] : [];
+  }
+  const keys = /* @__PURE__ */ new Set();
+  const fullKey = reg.replace(/[^a-z0-9]/gi, "").toLowerCase();
+  if (fullKey.length >= 4) keys.add(fullKey);
+  const brand = brandLabelFromDomain(reg).replace(/[^a-z0-9]/gi, "").toLowerCase();
+  if (brand.length >= 4) keys.add(brand);
+  return [...keys];
+}
+function matchesBrandKey(candidateKey, brandKeys) {
+  for (const brandKey of brandKeys) {
+    if (candidateKey === brandKey) return true;
+    if (candidateKey.startsWith(brandKey) || candidateKey.endsWith(brandKey)) return true;
+    if (brandKey.startsWith(candidateKey) || brandKey.endsWith(candidateKey)) return true;
+  }
+  return false;
+}
+
 // src/intelligence-service.ts
 var RECURRENCE_LOOKBACK_RUNS = 5;
 var HISTORY_WINDOW_RUNS = Math.max(PERSISTENT_GAP_THRESHOLD, 5);
@@ -4460,6 +4705,11 @@ var IntelligenceService = class {
     });
   }
   buildRunData(runId, projectId, completedAt, location = null) {
+    const projectDomainRow = this.db.select({ canonicalDomain: projects.canonicalDomain, ownedDomains: projects.ownedDomains }).from(projects).where(eq(projects.id, projectId)).get();
+    const projectDomains = projectDomainRow ? effectiveDomains({
+      canonicalDomain: projectDomainRow.canonicalDomain,
+      ownedDomains: projectDomainRow.ownedDomains
+    }) : [];
     const rows = this.db.select({
       query: queries.query,
       // Denormalized query text persisted by v58 — the fallback when the
@@ -4486,7 +4736,9 @@ var IntelligenceService = class {
         query: resolvedQuery,
         provider: r.provider,
         cited: r.citationState === CitationStates.cited,
-        citationUrl: domains[0] ?? void 0,
+        // The project's OWN cited domain — never a co-cited competitor that
+        // happens to sort first in the full citedDomains set.
+        citationUrl: pickProjectCitedDomain(domains, projectDomains),
         // Snapshots carry their own location for downstream detectors. In
         // practice every snapshot in a single runId shares the run's
         // location; the per-row column is the same value duplicated, but
@@ -4552,6 +4804,9 @@ export {
   groupRunsByCreatedAt,
   pickGroupRepresentative,
   filterTrackedSnapshots,
+  determineCitationState,
+  computeCompetitorOverlap,
+  extractRecommendedCompetitors,
   isBlogShapedQuery,
   buildInventory,
   buildContentTargetRows,