@ainyc/canonry 4.74.0 → 4.75.0

package/assets/assets/{server-traffic-GBmLS3L7.js → server-traffic-BzIFKqGS.js}

@@ -1 +1 @@
-import{c as d,j as i,c4 as S,b_ as l,c5 as v,ay as y,l as t,c6 as m,b$ as a,c7 as T,c8 as h,c9 as p,ca as C}from"./index-DHg9_-PB.js";import{u as c,r as g,n as s,o as u}from"./vendor-tanstack-Dq7p98wZ.js";const w=[["path",{d:"M3 12a9 9 0 0 1 9-9 9.75 9.75 0 0 1 6.74 2.74L21 8",key:"v9h5vc"}],["path",{d:"M21 3v5h-5",key:"1q7to0"}],["path",{d:"M21 12a9 9 0 0 1-9 9 9.75 9.75 0 0 1-6.74-2.74L3 16",key:"3uifl3"}],["path",{d:"M8 16H3v5",key:"1cv678"}]],P=d("refresh-cw",w);function k(e){switch(e){case a.connected:return"positive";case a.paused:return"caution";case a.error:return"negative";case a.archived:return"neutral"}}function q(e){const r={};return e.kind&&e.kind!=="all"&&(r.kind=e.kind),e.sourceId&&(r.sourceId=e.sourceId),e.sinceMinutes!==void 0&&(r.since=new Date(Date.now()-e.sinceMinutes*6e4).toISOString()),e.limit!==void 0&&(r.limit=String(e.limit)),r}function o(e){e.invalidateQueries({predicate:r=>{const n=r.queryKey[0];return typeof n?._id=="string"&&n._id.startsWith("getApiV1ProjectsByNameTraffic")}})}function F(e){return c({...S({client:t,path:{name:e??""}}),enabled:!!e,staleTime:i})}function V(e){return c({...C({client:t,path:{name:e??""}}),enabled:!!e,staleTime:i})}function b(e,r){return c({...l({client:t,path:{name:e??"",id:r??""}}),enabled:!!(e&&r),staleTime:i})}function A(e,r){const n=g.useMemo(()=>q(r),[r.kind,r.sourceId,r.sinceMinutes,r.limit]);return c({...v({client:t,path:{name:e??""},query:n}),enabled:!!e,staleTime:i})}function E(e){const r=s();return u({mutationFn:n=>{if(!e)throw new Error("Project is required to connect a Cloud Run source");return p(e,n)},onSuccess:()=>{e&&o(r)}})}function I(e){const r=s();return u({mutationFn:n=>{if(!e)throw new Error("Project is required to connect a WordPress source");return T(e,n)},onSuccess:()=>{e&&o(r)}})}function Q(e){const r=s();return u({mutationFn:n=>{if(!e)throw new Error("Project is required to connect a Vercel source");return h(e,n)},onSuccess:()=>{e&&o(r)}})}function R(e,r){const n=s();return u({mutationFn:f=>{if(!e||!r)throw new Error("Project and sourceId are required to sync");return m(e,r,f??void 0)},onSuccess:()=>{e&&(o(n),n.invalidateQueries({queryKey:y({client:t})}))}})}export{P as R,I as a,Q as b,E as c,F as d,b as e,A as f,R as g,k as t,V as u};
+import{c as d,j as i,c4 as S,b_ as l,c5 as v,ay as y,l as t,c6 as m,b$ as a,c7 as T,c8 as h,c9 as p,ca as C}from"./index-DYsYdWV8.js";import{u as c,r as g,n as s,o as u}from"./vendor-tanstack-Dq7p98wZ.js";const w=[["path",{d:"M3 12a9 9 0 0 1 9-9 9.75 9.75 0 0 1 6.74 2.74L21 8",key:"v9h5vc"}],["path",{d:"M21 3v5h-5",key:"1q7to0"}],["path",{d:"M21 12a9 9 0 0 1-9 9 9.75 9.75 0 0 1-6.74-2.74L3 16",key:"3uifl3"}],["path",{d:"M8 16H3v5",key:"1cv678"}]],P=d("refresh-cw",w);function k(e){switch(e){case a.connected:return"positive";case a.paused:return"caution";case a.error:return"negative";case a.archived:return"neutral"}}function q(e){const r={};return e.kind&&e.kind!=="all"&&(r.kind=e.kind),e.sourceId&&(r.sourceId=e.sourceId),e.sinceMinutes!==void 0&&(r.since=new Date(Date.now()-e.sinceMinutes*6e4).toISOString()),e.limit!==void 0&&(r.limit=String(e.limit)),r}function o(e){e.invalidateQueries({predicate:r=>{const n=r.queryKey[0];return typeof n?._id=="string"&&n._id.startsWith("getApiV1ProjectsByNameTraffic")}})}function F(e){return c({...S({client:t,path:{name:e??""}}),enabled:!!e,staleTime:i})}function V(e){return c({...C({client:t,path:{name:e??""}}),enabled:!!e,staleTime:i})}function b(e,r){return c({...l({client:t,path:{name:e??"",id:r??""}}),enabled:!!(e&&r),staleTime:i})}function A(e,r){const n=g.useMemo(()=>q(r),[r.kind,r.sourceId,r.sinceMinutes,r.limit]);return c({...v({client:t,path:{name:e??""},query:n}),enabled:!!e,staleTime:i})}function E(e){const r=s();return u({mutationFn:n=>{if(!e)throw new Error("Project is required to connect a Cloud Run source");return p(e,n)},onSuccess:()=>{e&&o(r)}})}function I(e){const r=s();return u({mutationFn:n=>{if(!e)throw new Error("Project is required to connect a WordPress source");return T(e,n)},onSuccess:()=>{e&&o(r)}})}function Q(e){const r=s();return u({mutationFn:n=>{if(!e)throw new Error("Project is required to connect a Vercel source");return h(e,n)},onSuccess:()=>{e&&o(r)}})}function R(e,r){const n=s();return u({mutationFn:f=>{if(!e||!r)throw new Error("Project and sourceId are required to sync");return m(e,r,f??void 0)},onSuccess:()=>{e&&(o(n),n.invalidateQueries({queryKey:y({client:t})}))}})}export{P as R,I as a,Q as b,E as c,F as d,b as e,A as f,R as g,k as t,V as u};

package/assets/assets/{trash-2-Bk7PYGBN.js → trash-2-DKCkbZUb.js}

@@ -1 +1 @@
-import{c}from"./index-DHg9_-PB.js";const a=[["circle",{cx:"12",cy:"12",r:"10",key:"1mglay"}],["path",{d:"m9 12 2 2 4-4",key:"dzmm74"}]],h=c("circle-check",a);const e=[["circle",{cx:"12",cy:"12",r:"10",key:"1mglay"}],["path",{d:"M9.09 9a3 3 0 0 1 5.83 1c0 2-3 3-3 3",key:"1u773s"}],["path",{d:"M12 17h.01",key:"p32p05"}]],n=c("circle-question-mark",e);const o=[["path",{d:"M12 15V3",key:"m9g1x1"}],["path",{d:"M21 15v4a2 2 0 0 1-2 2H5a2 2 0 0 1-2-2v-4",key:"ih7n3h"}],["path",{d:"m7 10 5 5 5-5",key:"brsn70"}]],s=c("download",o);const t=[["path",{d:"M10 11v6",key:"nco0om"}],["path",{d:"M14 11v6",key:"outv1u"}],["path",{d:"M19 6v14a2 2 0 0 1-2 2H7a2 2 0 0 1-2-2V6",key:"miytrc"}],["path",{d:"M3 6h18",key:"d0wm0j"}],["path",{d:"M8 6V4a2 2 0 0 1 2-2h4a2 2 0 0 1 2 2v2",key:"e791ji"}]],r=c("trash-2",t);export{h as C,s as D,r as T,n as a};
+import{c}from"./index-DYsYdWV8.js";const a=[["circle",{cx:"12",cy:"12",r:"10",key:"1mglay"}],["path",{d:"m9 12 2 2 4-4",key:"dzmm74"}]],h=c("circle-check",a);const e=[["circle",{cx:"12",cy:"12",r:"10",key:"1mglay"}],["path",{d:"M9.09 9a3 3 0 0 1 5.83 1c0 2-3 3-3 3",key:"1u773s"}],["path",{d:"M12 17h.01",key:"p32p05"}]],n=c("circle-question-mark",e);const o=[["path",{d:"M12 15V3",key:"m9g1x1"}],["path",{d:"M21 15v4a2 2 0 0 1-2 2H5a2 2 0 0 1-2-2v-4",key:"ih7n3h"}],["path",{d:"m7 10 5 5 5-5",key:"brsn70"}]],s=c("download",o);const t=[["path",{d:"M10 11v6",key:"nco0om"}],["path",{d:"M14 11v6",key:"outv1u"}],["path",{d:"M19 6v14a2 2 0 0 1-2 2H7a2 2 0 0 1-2-2V6",key:"miytrc"}],["path",{d:"M3 6h18",key:"d0wm0j"}],["path",{d:"M8 6V4a2 2 0 0 1 2-2h4a2 2 0 0 1 2 2v2",key:"e791ji"}]],r=c("trash-2",t);export{h as C,s as D,r as T,n as a};

package/assets/index.html

@@ -12,7 +12,7 @@
     <link rel="icon" type="image/png" sizes="32x32" href="./favicon-32.png" />
     <link rel="apple-touch-icon" href="./apple-touch-icon.png" />
     <title>Canonry</title>
-    <script type="module" crossorigin src="./assets/index-DHg9_-PB.js"></script>
+    <script type="module" crossorigin src="./assets/index-DYsYdWV8.js"></script>
     <link rel="modulepreload" crossorigin href="./assets/vendor-tanstack-Dq7p98wZ.js">
     <link rel="modulepreload" crossorigin href="./assets/vendor-radix-B57xfQbP.js">
     <link rel="modulepreload" crossorigin href="./assets/vendor-recharts-ClRVR6aX.js">

package/dist/{chunk-A7JX3FZB.js → chunk-JNAKRK77.js}

@@ -35,8 +35,8 @@ function notFound(entity, id) {
 function validationError(message, details) {
   return new AppError("VALIDATION_ERROR", message, 400, details);
 }
-function authRequired() {
-  return new AppError("AUTH_REQUIRED", "Authentication required", 401);
+function authRequired(message = "Authentication required") {
+  return new AppError("AUTH_REQUIRED", message, 401);
 }
 function authInvalid() {
   return new AppError("AUTH_INVALID", "Invalid API key", 401);
@@ -4283,6 +4283,11 @@ var AI_PROVIDER_INFRA_DOMAINS = [
   VERTEX_AI_SEARCH_PROXY_DOMAIN
 ];
 
+// ../contracts/src/sql-like.ts
+function escapeLikePattern(value) {
+  return value.replace(/[\\%_]/g, (match) => `\\${match}`);
+}
+
 export {
   __export,
   apiKeyDtoSchema,
@@ -4546,5 +4551,6 @@ export {
   AI_ENGINE_DOMAINS,
   AI_ENGINE_SELF_DOMAINS,
   VERTEX_AI_SEARCH_PROXY_DOMAIN,
-  AI_PROVIDER_INFRA_DOMAINS
+  AI_PROVIDER_INFRA_DOMAINS,
+  escapeLikePattern
 };

package/dist/{chunk-ZRZHIS22.js → chunk-JUWU2DV6.js}

@@ -101,6 +101,7 @@ import {
   effectiveBrandNames,
   effectiveDomains,
   emptyCitationVisibility,
+  escapeLikePattern,
   extractAnswerMentions,
   findDuplicateLocationLabels,
   forbidden,
@@ -229,7 +230,7 @@ import {
   wordpressSchemaDeployResultDtoSchema,
   wordpressSchemaStatusResultDtoSchema,
   wordpressStatusDtoSchema
-} from "./chunk-A7JX3FZB.js";
+} from "./chunk-JNAKRK77.js";
 
 // src/intelligence-service.ts
 import { eq as eq33, desc as desc17, asc as asc4, and as and24, ne as ne5, or as or5, inArray as inArray12, gte as gte6, lte as lte3 } from "drizzle-orm";
@@ -5029,7 +5030,7 @@ var SKIP_PATHS = ["/health"];
 function shouldSkipAuth(url) {
   if (SKIP_PATHS.includes(url)) return true;
   if (url.endsWith("/openapi.json")) return true;
-  if (url.includes("/google/callback")) return true;
+  if (url.endsWith("/google/callback")) return true;
   if (url.endsWith("/session") || url.endsWith("/session/setup")) return true;
   return false;
 }
@@ -7473,10 +7474,10 @@ function computeBuckets(snapshots, projectRuns, bucketDays, queryCreatedAt) {
   const latest = new Date(projectRuns[projectRuns.length - 1].createdAt);
   const buckets = [];
   let start = new Date(earliest);
-  start.setHours(0, 0, 0, 0);
+  start.setUTCHours(0, 0, 0, 0);
   while (start <= latest) {
     const end = new Date(start);
-    end.setDate(end.getDate() + bucketDays);
+    end.setUTCDate(end.getUTCDate() + bucketDays);
     const startISO = start.toISOString();
     const endISO = end.toISOString();
     const inBucket = snapshots.filter((s) => s.createdAt >= startISO && s.createdAt < endISO);
@@ -12575,9 +12576,6 @@ function clampSearchLimit(raw) {
   if (parsed > SEARCH_HIT_HARD_LIMIT) return SEARCH_HIT_HARD_LIMIT;
   return parsed;
 }
-function escapeLikePattern(value) {
-  return value.replace(/[\\%_]/g, (match) => `\\${match}`);
-}
 function summarizeRun(run) {
   return {
     id: run.id,
@@ -19400,8 +19398,8 @@ async function googleRoutes(app, opts) {
     if (startDate) conditions.push(sql8`${gscSearchData.date} >= ${startDate}`);
     else if (cutoffDate) conditions.push(sql8`${gscSearchData.date} >= ${cutoffDate}`);
     if (endDate) conditions.push(sql8`${gscSearchData.date} <= ${endDate}`);
-    if (query) conditions.push(sql8`${gscSearchData.query} LIKE ${"%" + query + "%"}`);
-    if (page) conditions.push(sql8`${gscSearchData.page} LIKE ${"%" + page + "%"}`);
+    if (query) conditions.push(sql8`${gscSearchData.query} LIKE ${"%" + escapeLikePattern(query) + "%"} ESCAPE '\\'`);
+    if (page) conditions.push(sql8`${gscSearchData.page} LIKE ${"%" + escapeLikePattern(page) + "%"} ESCAPE '\\'`);
     const limitVal = Math.max(parseInt(limit ?? "500", 10) || 0, 1);
     const offsetVal = Math.max(parseInt(offset ?? "0", 10) || 0, 0);
     const rows = app.db.select().from(gscSearchData).where(and13(...conditions)).orderBy(desc10(gscSearchData.date)).limit(limitVal).offset(offsetVal).all();
@@ -23015,10 +23013,17 @@ async function withWordpressErrorHandling(handler) {
   }
 }
 async function wordpressRoutes(app, opts) {
+  const allowLoopback = opts.allowLoopbackWebhooks === true;
   function requireStore() {
     if (opts.wordpressConnectionStore) return opts.wordpressConnectionStore;
     throw validationError("WordPress connection storage is not configured for this deployment");
   }
+  async function assertWordpressUrlAllowed(rawUrl, field) {
+    const check = await resolveWebhookTarget(rawUrl, { allowLoopback });
+    if (!check.ok) {
+      throw validationError(`${field} ${check.message.replace(/^"url" /, "")}`);
+    }
+  }
   function requireConnection(store, projectName) {
     const connection = store.getConnection(projectName);
     if (!connection) {
@@ -23038,6 +23043,8 @@ async function wordpressRoutes(app, opts) {
       if (defaultEnv === "staging" && !stagingUrl) {
         throw validationError('defaultEnv "staging" requires stagingUrl');
       }
+      await assertWordpressUrlAllowed(url, "url");
+      if (stagingUrl) await assertWordpressUrlAllowed(stagingUrl, "stagingUrl");
       const now = (/* @__PURE__ */ new Date()).toISOString();
       const existing = store.getConnection(project.name);
       const nextConnection = {
@@ -23366,6 +23373,8 @@ async function wordpressRoutes(app, opts) {
       if (defaultEnv === "staging" && !stagingUrl) {
         throw validationError('defaultEnv "staging" requires stagingUrl');
       }
+      await assertWordpressUrlAllowed(url, "url");
+      if (stagingUrl) await assertWordpressUrlAllowed(stagingUrl, "stagingUrl");
       const steps = [];
       let connection = null;
       let pageUrls = [];
@@ -32107,7 +32116,8 @@ async function apiRoutes(app, opts) {
     });
     await api.register(wordpressRoutes, {
       wordpressConnectionStore: opts.wordpressConnectionStore,
-      routePrefix: opts.routePrefix ?? "/api/v1"
+      routePrefix: opts.routePrefix ?? "/api/v1",
+      allowLoopbackWebhooks: opts.allowLoopbackWebhooks
     });
     await api.register(cdpRoutes, {
       getCdpStatus: opts.getCdpStatus,

package/dist/{chunk-MRC4JMIH.js → chunk-QY5WZWU4.js}

@@ -9,7 +9,7 @@ import {
   loadConfig,
   loadConfigRaw,
   saveConfigPatch
-} from "./chunk-W6GBIRFA.js";
+} from "./chunk-WFMEK34V.js";
 import {
   CC_CACHE_DIR,
   DUCKDB_SPEC,
@@ -97,7 +97,7 @@ import {
   siteAuditPages,
   siteAuditSnapshots,
   usageCounters
-} from "./chunk-ZRZHIS22.js";
+} from "./chunk-JUWU2DV6.js";
 import {
   AGENT_MEMORY_VALUE_MAX_BYTES,
   AGENT_PROVIDER_IDS,
@@ -127,6 +127,7 @@ import {
   agentMemoryDeleteRequestSchema,
   agentMemoryUpsertRequestSchema,
   authInvalid,
+  authRequired,
   buildRunErrorFromMessages,
   classifySkillFile,
   coerceSkillManifest,
@@ -148,7 +149,7 @@ import {
   validationError,
   winnabilityClassLabel,
   withRetry
-} from "./chunk-A7JX3FZB.js";
+} from "./chunk-JNAKRK77.js";
 
 // src/telemetry.ts
 import crypto from "crypto";
@@ -4068,31 +4069,10 @@ import { eq as eq4, and as and4 } from "drizzle-orm";
 var log4 = createLogger("SitemapParser");
 var LOC_REGEX = /<loc>([^<]+)<\/loc>/gi;
 var SITEMAP_TAG_REGEX = /<sitemap>[\s\S]*?<\/sitemap>/gi;
-var PRIVATE_IP_PATTERNS = [
-  /^169\.254\./,
-  // link-local (AWS metadata endpoint etc.)
-  /^10\./,
-  // private class A
-  /^172\.(1[6-9]|2\d|3[01])\./,
-  // private class B
-  /^192\.168\./
-  // private class C
-];
-function validateSitemapUrl(url) {
-  let parsed;
-  try {
-    parsed = new URL(url);
-  } catch {
-    throw new Error(`Invalid sitemap URL: ${url}`);
-  }
-  if (parsed.protocol !== "http:" && parsed.protocol !== "https:") {
-    throw new Error(`Sitemap URL must use http or https protocol: ${url}`);
-  }
-  const host = parsed.hostname.toLowerCase();
-  for (const pattern of PRIVATE_IP_PATTERNS) {
-    if (pattern.test(host)) {
-      throw new Error(`Sitemap URL points to a private or reserved IP range: ${url}`);
-    }
+async function validateSitemapUrl(url) {
+  const check = await resolveWebhookTarget(url, { allowLoopback: true });
+  if (!check.ok) {
+    throw new Error(`Sitemap URL rejected: ${check.message.replace(/^"url" /, "")} (${url})`);
   }
 }
 async function readSitemapBody(res) {
@@ -4122,9 +4102,9 @@ async function parseSitemapRecursive(url, urls, visited, depth, isChild) {
   if (depth > 3) return;
   if (visited.has(url)) return;
   visited.add(url);
-  validateSitemapUrl(url);
   let res;
   try {
+    await validateSitemapUrl(url);
     res = await fetch(url);
   } catch (err) {
     if (!isChild) throw err;
@@ -5176,6 +5156,12 @@ function toHomepageUrl(canonicalDomain) {
   const trimmed = canonicalDomain.trim().replace(/\/+$/, "");
   return /^https?:\/\//i.test(trimmed) ? trimmed : `https://${trimmed}`;
 }
+async function assertSiteAuditUrlAllowed(rawUrl, field) {
+  const check = await resolveWebhookTarget(rawUrl);
+  if (!check.ok) {
+    throw new Error(`${field} ${check.message.replace(/^"url" /, "")}`);
+  }
+}
 function clampSiteAuditLimit(limit) {
   if (limit == null || !Number.isFinite(limit)) return SITE_AUDIT_DEFAULT_PAGE_LIMIT;
   return Math.max(1, Math.min(SITE_AUDIT_MAX_PAGE_LIMIT, Math.floor(limit)));
@@ -5233,6 +5219,8 @@ async function executeSiteAudit(db, runId, projectId, opts = {}) {
     const homepageUrl = toHomepageUrl(project.canonicalDomain);
     const limit = clampSiteAuditLimit(opts.limit);
     log11.info("start", { runId, projectId, homepageUrl, sitemapUrl: opts.sitemapUrl ?? null, limit });
+    await assertSiteAuditUrlAllowed(homepageUrl, "canonicalDomain");
+    if (opts.sitemapUrl) await assertSiteAuditUrlAllowed(opts.sitemapUrl, "sitemapUrl");
     const report = await runSitemapAudit(homepageUrl, { sitemapUrl: opts.sitemapUrl, limit });
     const successCount = report.pages.filter((page) => page.status === "success").length;
     const pagesErrored = report.pages.filter((page) => page.status === "error").length;
@@ -5773,7 +5761,7 @@ function readStoredGroundingSources(rawResponse) {
   return result;
 }
 async function backfillInsightsCommand(project, opts) {
-  const { IntelligenceService: IntelligenceService2 } = await import("./intelligence-service-GPO2VMEC.js");
+  const { IntelligenceService: IntelligenceService2 } = await import("./intelligence-service-L2A5MFB4.js");
   const config = loadConfig();
   const db = createClient(config.database);
   migrate(db);
@@ -9592,6 +9580,13 @@ function applyLegacyCredentials(rows, config) {
     log18.info("credentials.migrated", { type: "ga4", count: migratedGa4 });
   }
 }
+function isLoopbackBindHost(host) {
+  if (host == null || host === "") return true;
+  const normalized = host.trim().toLowerCase().replace(/^\[|\]$/g, "");
+  if (normalized === "localhost" || normalized === "::1") return true;
+  if (/^127\.\d{1,3}\.\d{1,3}\.\d{1,3}$/.test(normalized)) return true;
+  return false;
+}
 async function createServer(opts) {
   const logger = opts.logger === false ? false : process.stdout.isTTY ? {
     transport: {
@@ -9994,6 +9989,15 @@ async function createServer(opts) {
     }));
     return true;
   };
+  const boundToLoopback = isLoopbackBindHost(opts.host);
+  const requestHasValidApiKey = (request) => {
+    const header = request.headers.authorization;
+    if (!header) return false;
+    const parts = header.split(" ");
+    if (parts.length !== 2 || parts[0] !== "Bearer") return false;
+    const key = opts.db.select().from(apiKeys).where(eq18(apiKeys.keyHash, hashApiKey(parts[1]))).get();
+    return Boolean(key && !key.revokedAt);
+  };
   app.get(apiPrefix + "/session", async (request, reply) => {
     const sessionId = parseCookies(request.headers.cookie)[SESSION_COOKIE_NAME];
     return reply.send({
@@ -10002,6 +10006,10 @@ async function createServer(opts) {
     });
   });
   app.post(apiPrefix + "/session/setup", async (request, reply) => {
+    if (!boundToLoopback && !requestHasValidApiKey(request)) {
+      const err = authRequired("This server is network-reachable; setting the dashboard password requires a valid API key.");
+      return reply.status(err.statusCode).send(err.toJSON());
+    }
     if (opts.config.dashboardPasswordHash) {
       const err = validationError("Dashboard password is already configured");
       return reply.status(err.statusCode).send(err.toJSON());

package/dist/{chunk-W6GBIRFA.js → chunk-WFMEK34V.js}

@@ -22,7 +22,7 @@ import {
   trafficConnectVercelRequestSchema,
   trafficConnectWordpressRequestSchema,
   trafficEventKindSchema
-} from "./chunk-A7JX3FZB.js";
+} from "./chunk-JNAKRK77.js";
 
 // src/config.ts
 import fs from "fs";

package/dist/cli.js

@@ -27,7 +27,7 @@ import {
   setTelemetrySource,
   showFirstRunNotice,
   trackEvent
-} from "./chunk-MRC4JMIH.js";
+} from "./chunk-QY5WZWU4.js";
 import {
   CliError,
   EXIT_SYSTEM_ERROR,
@@ -44,7 +44,7 @@ import {
   saveConfig,
   saveConfigPatch,
   usageError
-} from "./chunk-W6GBIRFA.js";
+} from "./chunk-WFMEK34V.js";
 import {
   apiKeys,
   createClient,
@@ -52,7 +52,7 @@ import {
   projects,
   queries,
   renderReportHtml
-} from "./chunk-ZRZHIS22.js";
+} from "./chunk-JUWU2DV6.js";
 import {
   CcReleaseSyncStatuses,
   CheckScopes,
@@ -72,7 +72,7 @@ import {
   providerQuotaPolicySchema,
   resolveProviderInput,
   winnabilityClassSchema
-} from "./chunk-A7JX3FZB.js";
+} from "./chunk-JNAKRK77.js";
 
 // src/cli.ts
 import { pathToFileURL } from "url";
@@ -10376,7 +10376,7 @@ async function serveCommand(format = "text") {
     process.stderr.write(`warning: ai-referral-paths backfill skipped: ${msg}
 `);
   }
-  const app = await createServer({ config, db });
+  const app = await createServer({ config, db, host });
   let shuttingDown = false;
   const shutdown = (signal) => {
     if (shuttingDown) return;

package/dist/index.d.ts

@@ -196,6 +196,16 @@ declare function createServer(opts: {
     db: DatabaseClient;
     open?: boolean;
     logger?: boolean;
+    /**
+     * The network interface the server will bind to (from `canonry serve`).
+     * Used to gate the unauthenticated first-run dashboard password setup: on a
+     * loopback bind only local processes can reach `/session/setup`, so claiming
+     * the initial password without the API key is safe. On a non-loopback bind
+     * (`0.0.0.0`, a LAN IP) the setup endpoint additionally requires a valid
+     * bearer key so a remote first-visitor cannot mint a full-access session.
+     * Defaults to loopback when unset (programmatic/test callers).
+     */
+    host?: string;
 }): Promise<FastifyInstance>;
 
 export { type CanonryConfig, createServer, loadConfig };

package/dist/index.js

@@ -1,11 +1,11 @@
 import {
   createServer
-} from "./chunk-MRC4JMIH.js";
+} from "./chunk-QY5WZWU4.js";
 import {
   loadConfig
-} from "./chunk-W6GBIRFA.js";
-import "./chunk-ZRZHIS22.js";
-import "./chunk-A7JX3FZB.js";
+} from "./chunk-WFMEK34V.js";
+import "./chunk-JUWU2DV6.js";
+import "./chunk-JNAKRK77.js";
 export {
   createServer,
   loadConfig

package/dist/{intelligence-service-GPO2VMEC.js → intelligence-service-L2A5MFB4.js}

@@ -1,7 +1,7 @@
 import {
   IntelligenceService
-} from "./chunk-ZRZHIS22.js";
-import "./chunk-A7JX3FZB.js";
+} from "./chunk-JUWU2DV6.js";
+import "./chunk-JNAKRK77.js";
 export {
   IntelligenceService
 };

package/dist/mcp.js

@@ -3,8 +3,8 @@ import {
   PACKAGE_VERSION,
   canonryMcpTools,
   createApiClient
-} from "./chunk-W6GBIRFA.js";
-import "./chunk-A7JX3FZB.js";
+} from "./chunk-WFMEK34V.js";
+import "./chunk-JNAKRK77.js";
 
 // src/mcp/cli.ts
 import { StdioServerTransport } from "@modelcontextprotocol/sdk/server/stdio.js";

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@ainyc/canonry",
-  "version": "4.74.0",
+  "version": "4.75.0",
   "type": "module",
   "description": "Agent-first open-source AEO operating platform - track how answer engines cite your domain",
   "license": "FSL-1.1-ALv2",
@@ -63,25 +63,25 @@
     "tsup": "^8.5.1",
     "tsx": "^4.19.0",
     "@ainyc/canonry-api-routes": "0.0.0",
-    "@ainyc/canonry-contracts": "0.0.0",
+    "@ainyc/canonry-config": "0.0.0",
     "@ainyc/canonry-db": "0.0.0",
-    "@ainyc/canonry-integration-cloud-run": "0.0.0",
+    "@ainyc/canonry-contracts": "0.0.0",
     "@ainyc/canonry-integration-bing": "0.0.0",
-    "@ainyc/canonry-config": "0.0.0",
-    "@ainyc/canonry-integration-google": "0.0.0",
+    "@ainyc/canonry-api-client": "0.0.0",
+    "@ainyc/canonry-integration-cloud-run": "0.0.0",
     "@ainyc/canonry-integration-commoncrawl": "0.0.0",
     "@ainyc/canonry-integration-google-business-profile": "0.0.0",
-    "@ainyc/canonry-integration-google-places": "0.0.0",
+    "@ainyc/canonry-integration-google": "0.0.0",
     "@ainyc/canonry-integration-traffic": "0.0.0",
     "@ainyc/canonry-integration-wordpress": "0.0.0",
-    "@ainyc/canonry-provider-cdp": "0.0.0",
     "@ainyc/canonry-intelligence": "0.0.0",
-    "@ainyc/canonry-api-client": "0.0.0",
+    "@ainyc/canonry-provider-cdp": "0.0.0",
+    "@ainyc/canonry-integration-google-places": "0.0.0",
     "@ainyc/canonry-provider-claude": "0.0.0",
-    "@ainyc/canonry-provider-gemini": "0.0.0",
-    "@ainyc/canonry-provider-local": "0.0.0",
     "@ainyc/canonry-provider-openai": "0.0.0",
-    "@ainyc/canonry-provider-perplexity": "0.0.0"
+    "@ainyc/canonry-provider-gemini": "0.0.0",
+    "@ainyc/canonry-provider-perplexity": "0.0.0",
+    "@ainyc/canonry-provider-local": "0.0.0"
   },
   "scripts": {
     "build": "tsx scripts/copy-agent-assets.ts && tsup && tsx build-web.ts",