@ainyc/canonry 4.76.1 → 4.77.0

package/assets/assets/{trash-2-b62WCytM.js → trash-2-B_UtEEm8.js}

@@ -1 +1 @@
-import{c}from"./index-CKbfZ6rA.js";const a=[["circle",{cx:"12",cy:"12",r:"10",key:"1mglay"}],["path",{d:"m9 12 2 2 4-4",key:"dzmm74"}]],h=c("circle-check",a);const e=[["circle",{cx:"12",cy:"12",r:"10",key:"1mglay"}],["path",{d:"M9.09 9a3 3 0 0 1 5.83 1c0 2-3 3-3 3",key:"1u773s"}],["path",{d:"M12 17h.01",key:"p32p05"}]],n=c("circle-question-mark",e);const o=[["path",{d:"M12 15V3",key:"m9g1x1"}],["path",{d:"M21 15v4a2 2 0 0 1-2 2H5a2 2 0 0 1-2-2v-4",key:"ih7n3h"}],["path",{d:"m7 10 5 5 5-5",key:"brsn70"}]],s=c("download",o);const t=[["path",{d:"M10 11v6",key:"nco0om"}],["path",{d:"M14 11v6",key:"outv1u"}],["path",{d:"M19 6v14a2 2 0 0 1-2 2H7a2 2 0 0 1-2-2V6",key:"miytrc"}],["path",{d:"M3 6h18",key:"d0wm0j"}],["path",{d:"M8 6V4a2 2 0 0 1 2-2h4a2 2 0 0 1 2 2v2",key:"e791ji"}]],r=c("trash-2",t);export{h as C,s as D,r as T,n as a};
+import{c}from"./index-D9smxU6R.js";const a=[["circle",{cx:"12",cy:"12",r:"10",key:"1mglay"}],["path",{d:"m9 12 2 2 4-4",key:"dzmm74"}]],h=c("circle-check",a);const e=[["circle",{cx:"12",cy:"12",r:"10",key:"1mglay"}],["path",{d:"M9.09 9a3 3 0 0 1 5.83 1c0 2-3 3-3 3",key:"1u773s"}],["path",{d:"M12 17h.01",key:"p32p05"}]],n=c("circle-question-mark",e);const o=[["path",{d:"M12 15V3",key:"m9g1x1"}],["path",{d:"M21 15v4a2 2 0 0 1-2 2H5a2 2 0 0 1-2-2v-4",key:"ih7n3h"}],["path",{d:"m7 10 5 5 5-5",key:"brsn70"}]],s=c("download",o);const t=[["path",{d:"M10 11v6",key:"nco0om"}],["path",{d:"M14 11v6",key:"outv1u"}],["path",{d:"M19 6v14a2 2 0 0 1-2 2H7a2 2 0 0 1-2-2V6",key:"miytrc"}],["path",{d:"M3 6h18",key:"d0wm0j"}],["path",{d:"M8 6V4a2 2 0 0 1 2-2h4a2 2 0 0 1 2 2v2",key:"e791ji"}]],r=c("trash-2",t);export{h as C,s as D,r as T,n as a};

package/assets/index.html

@@ -12,12 +12,12 @@
     <link rel="icon" type="image/png" sizes="32x32" href="./favicon-32.png" />
     <link rel="apple-touch-icon" href="./apple-touch-icon.png" />
     <title>Canonry</title>
-    <script type="module" crossorigin src="./assets/index-CKbfZ6rA.js"></script>
+    <script type="module" crossorigin src="./assets/index-D9smxU6R.js"></script>
     <link rel="modulepreload" crossorigin href="./assets/vendor-tanstack-Dq7p98wZ.js">
     <link rel="modulepreload" crossorigin href="./assets/vendor-radix-B57xfQbP.js">
     <link rel="modulepreload" crossorigin href="./assets/vendor-recharts-ClRVR6aX.js">
     <link rel="modulepreload" crossorigin href="./assets/vendor-markdown-DK7fbRNb.js">
-    <link rel="stylesheet" crossorigin href="./assets/index-DRhoqa2-.css">
+    <link rel="stylesheet" crossorigin href="./assets/index-BgWgJE7S.css">
   </head>
   <body>
     <div id="root"></div>

package/dist/{chunk-2FV5GIUB.js → chunk-BPZWX7YI.js}

@@ -11,6 +11,7 @@ import {
   ContentActions,
   DEFAULT_DISCOVERY_PROMOTE_BUCKETS,
   DEFAULT_DISCOVERY_PROMOTE_COMPETITOR_TYPES,
+  DISCOVERY_DEFAULT_DEDUP_THRESHOLD,
   DISCOVERY_PROMOTE_COMPETITOR_CAP,
   DISCOVERY_PROMOTE_COMPETITOR_MIN_HITS,
   DiscoveryBuckets,
@@ -186,6 +187,7 @@ import {
   schedulableRunKindSchema,
   scheduleDtoSchema,
   scheduleUpsertRequestSchema,
+  seedCollapseWarning,
   serializeRunError,
   settingsDtoSchema,
   siteAuditPagesResponseSchema,
@@ -230,7 +232,7 @@ import {
   wordpressSchemaDeployResultDtoSchema,
   wordpressSchemaStatusResultDtoSchema,
   wordpressStatusDtoSchema
-} from "./chunk-JNAKRK77.js";
+} from "./chunk-KPN22EWK.js";
 
 // src/intelligence-service.ts
 import { eq as eq33, desc as desc17, asc as asc4, and as and24, ne as ne5, or as or5, inArray as inArray12, gte as gte6, lte as lte3 } from "drizzle-orm";
@@ -1014,6 +1016,7 @@ var discoverySessions = sqliteTable("discovery_sessions", {
   aspirationalCount: integer("aspirational_count"),
   wastedCount: integer("wasted_count"),
   competitorMap: text("competitor_map", { mode: "json" }).$type().notNull().default([]),
+  warning: text("warning"),
   error: text("error"),
   startedAt: text("started_at"),
   finishedAt: text("finished_at"),
@@ -2863,6 +2866,16 @@ var MIGRATION_VERSIONS = [
       `CREATE INDEX IF NOT EXISTS idx_site_audit_pages_run ON site_audit_pages(run_id)`,
       `CREATE INDEX IF NOT EXISTS idx_site_audit_pages_project_score ON site_audit_pages(project_id, overall_score)`
     ]
+  },
+  {
+    // Non-fatal operator warning on a discovery session (e.g. the seed-dedup
+    // degenerate-collapse guard). The session still completes; the warning
+    // flags that its coverage may be misleading.
+    version: 76,
+    name: "discovery-session-warning",
+    statements: [
+      `ALTER TABLE discovery_sessions ADD COLUMN warning TEXT`
+    ]
   }
 ];
 function isDuplicateColumnError(err) {
@@ -16652,7 +16665,7 @@ var routeCatalog = [
     method: "post",
     path: "/api/v1/projects/{name}/discover/run",
     summary: "Start a tracked-basket discovery session",
-    description: 'Kicks off a discovery session for the project. The pipeline: ICP description \u2192 Gemini grounded seed prompt \u2192 embed + cluster (cosine \u2265 0.85 by default) \u2192 pick canonical representatives \u2192 probe each canonical via Gemini grounding \u2192 classify into cited / aspirational / wasted-surface \u2192 aggregate competitor map. Returns immediately with `{ runId, sessionId, status: "running", consolidated }`; the actual work runs in the background. Poll `GET /projects/{name}/discover/sessions/{id}` until `status` is `completed` or `failed`. Concurrent/duplicate requests for the same (project, ICP) are consolidated onto a single in-flight session: the response carries `consolidated: true` and `200 OK` instead of `201`, and the request\'s `dedupThreshold` / `maxProbes` are ignored (the in-flight session keeps its original config).',
+    description: 'Kicks off a discovery session for the project. The pipeline: ICP description \u2192 Gemini grounded seed prompt \u2192 embed + cluster (cosine \u2265 0.95 by default) \u2192 pick canonical representatives \u2192 probe each canonical via Gemini grounding \u2192 classify into cited / aspirational / wasted-surface \u2192 aggregate competitor map. Returns immediately with `{ runId, sessionId, status: "running", consolidated }`; the actual work runs in the background. Poll `GET /projects/{name}/discover/sessions/{id}` until `status` is `completed` or `failed`. Concurrent/duplicate requests for the same (project, ICP) are consolidated onto a single in-flight session: the response carries `consolidated: true` and `200 OK` instead of `201`, and the request\'s `dedupThreshold` / `maxProbes` are ignored (the in-flight session keeps its original config).',
     tags: ["discovery"],
     parameters: [nameParameter],
     requestBody: {
@@ -16663,7 +16676,7 @@ var routeCatalog = [
             type: "object",
             properties: {
               icpDescription: { type: "string", description: "Free-text ICP. Required if the project does not have spec.icpDescription stored." },
-              dedupThreshold: { type: "number", description: "Cosine similarity threshold for clustering. Defaults to 0.85." },
+              dedupThreshold: { type: "number", description: "Cosine similarity threshold for clustering. Defaults to 0.95." },
               maxProbes: { type: "integer", description: "Max canonical queries to probe in this session. Default 100, hard cap 500." },
               locations: {
                 type: "array",
@@ -19140,6 +19153,68 @@ async function getValidToken(store, domain, connectionType, clientId, clientSecr
     propertyId: conn.propertyId ?? null
   };
 }
+function parseGscApiDisabled(message) {
+  if (!/accessNotConfigured|SERVICE_DISABLED|has not been used in project|is disabled/i.test(message)) {
+    return null;
+  }
+  const projectNumber = message.match(/[?&]project=(\d+)/)?.[1] ?? message.match(/project\s+(\d+)/i)?.[1] ?? null;
+  const base = "https://console.developers.google.com/apis/api";
+  const qs = projectNumber ? `?project=${projectNumber}` : "";
+  return {
+    projectNumber,
+    enableUrl: `${base}/searchconsole.googleapis.com/overview${qs}`,
+    indexingApiUrl: `${base}/indexing.googleapis.com/overview${qs}`
+  };
+}
+function googleAuthErrorStatus(err) {
+  if (err.statusCode != null) return err.statusCode;
+  const match = err.message.match(/failed \((\d{3})\)/);
+  return match ? Number(match[1]) : null;
+}
+function gscErrorToAppError(err, context) {
+  if (err instanceof AppError) return err;
+  if (err instanceof GoogleApiError) {
+    if (err.status === 429) {
+      return quotaExceeded("Google Search Console API (rate limited; retries exhausted)");
+    }
+    if (err.status === 403) {
+      const disabled = parseGscApiDisabled(err.message);
+      if (disabled) {
+        const inProject = disabled.projectNumber ? ` (project ${disabled.projectNumber})` : "";
+        return forbidden(
+          `${context}: the Google Search Console API is not enabled for your Google Cloud project${inProject}. Enable the Search Console API and the Indexing API, wait ~2\u20135 minutes, then retry: ${disabled.enableUrl}`,
+          { reason: "gsc-api-disabled", upstreamStatus: 403, ...disabled }
+        );
+      }
+      return forbidden(
+        `${context}: the connected Google account does not have access to a verified Search Console property for this domain. Connect the account that owns the property.`,
+        { reason: "gsc-no-property-access", upstreamStatus: 403 }
+      );
+    }
+    if (err.status === 401) {
+      return forbidden(
+        `${context}: the Google connection has expired or was revoked. Reconnect Google Search Console.`,
+        { reason: "gsc-reconnect", upstreamStatus: 401 }
+      );
+    }
+    return providerError(`${context}: ${err.message}`, { upstreamStatus: err.status });
+  }
+  if (err instanceof GoogleAuthError) {
+    const status = googleAuthErrorStatus(err);
+    if (status === 429) return quotaExceeded("Google OAuth token refresh (rate limited)");
+    if (status != null && status >= 400 && status < 500) {
+      return forbidden(
+        `${context}: the stored Google credentials are no longer valid (token refresh failed). Reconnect Google Search Console.`,
+        { reason: "gsc-reconnect", upstreamStatus: status }
+      );
+    }
+    return providerError(
+      `${context}: ${err.message}. Reconnect Google Search Console if this persists.`,
+      status != null ? { upstreamStatus: status } : void 0
+    );
+  }
+  return providerError(`${context}: ${err instanceof Error ? err.message : String(err)}`);
+}
 async function googleRoutes(app, opts) {
   if (opts.googleStateSecret === void 0) {
     app.log.warn(
@@ -19362,9 +19437,13 @@ async function googleRoutes(app, opts) {
     }
     const store = requireConnectionStore();
     const project = resolveProject(app.db, request.params.name);
-    const { accessToken } = await getValidToken(store, project.canonicalDomain, "gsc", googleClientId, googleClientSecret);
-    const sites = await listSites(accessToken);
-    return { sites };
+    try {
+      const { accessToken } = await getValidToken(store, project.canonicalDomain, "gsc", googleClientId, googleClientSecret);
+      const sites = await listSites(accessToken);
+      return { sites };
+    } catch (err) {
+      throw gscErrorToAppError(err, "Failed to list Search Console properties");
+    }
   });
   app.post("/projects/:name/google/gsc/sync", async (request) => {
     const store = requireConnectionStore();
@@ -19457,11 +19536,16 @@ async function googleRoutes(app, opts) {
     if (!url) {
       throw validationError("url is required");
     }
-    const { accessToken, propertyId } = await getValidToken(store, project.canonicalDomain, "gsc", googleClientId, googleClientSecret);
-    if (!propertyId) {
-      throw validationError("No GSC property configured for this connection");
+    let result;
+    try {
+      const { accessToken, propertyId } = await getValidToken(store, project.canonicalDomain, "gsc", googleClientId, googleClientSecret);
+      if (!propertyId) {
+        throw validationError("No GSC property configured for this connection");
+      }
+      result = await inspectUrl(accessToken, url, propertyId);
+    } catch (err) {
+      throw gscErrorToAppError(err, "Failed to inspect URL in Search Console");
     }
-    const result = await inspectUrl(accessToken, url, propertyId);
     const ir = result.inspectionResult;
     const idx = ir.indexStatusResult;
     const mob = ir.mobileUsabilityResult;
@@ -19669,12 +19753,16 @@ async function googleRoutes(app, opts) {
     }
     const store = requireConnectionStore();
     const project = resolveProject(app.db, request.params.name);
-    const { accessToken, propertyId } = await getValidToken(store, project.canonicalDomain, "gsc", googleClientId, googleClientSecret);
-    if (!propertyId) {
-      throw validationError('No GSC property configured for this connection. Set one with "canonry google set-property".');
+    try {
+      const { accessToken, propertyId } = await getValidToken(store, project.canonicalDomain, "gsc", googleClientId, googleClientSecret);
+      if (!propertyId) {
+        throw validationError('No GSC property configured for this connection. Set one with "canonry google set-property".');
+      }
+      const sitemaps = await listSitemaps(accessToken, propertyId);
+      return { sitemaps };
+    } catch (err) {
+      throw gscErrorToAppError(err, "Failed to list Search Console sitemaps");
     }
-    const sitemaps = await listSitemaps(accessToken, propertyId);
-    return { sitemaps };
   });
   app.post("/projects/:name/google/gsc/discover-sitemaps", async (request) => {
     const { clientId: googleClientId, clientSecret: googleClientSecret } = getAuthConfig();
@@ -19690,8 +19778,13 @@ async function googleRoutes(app, opts) {
     if (!conn.propertyId) {
       throw validationError("No GSC property configured for this connection");
     }
-    const { accessToken } = await getValidToken(store, project.canonicalDomain, "gsc", googleClientId, googleClientSecret);
-    const sitemaps = await listSitemaps(accessToken, conn.propertyId);
+    let sitemaps;
+    try {
+      const { accessToken } = await getValidToken(store, project.canonicalDomain, "gsc", googleClientId, googleClientSecret);
+      sitemaps = await listSitemaps(accessToken, conn.propertyId);
+    } catch (err) {
+      throw gscErrorToAppError(err, "Failed to discover Search Console sitemaps");
+    }
     if (sitemaps.length === 0) {
       throw validationError("No sitemaps found for this GSC property. Submit a sitemap in Google Search Console first.");
     }
@@ -31655,6 +31748,7 @@ function serializeSession(row) {
     aspirationalCount: row.aspirationalCount ?? null,
     wastedCount: row.wastedCount ?? null,
     competitorMap: parseCompetitorMap(row.competitorMap),
+    warning: row.warning ?? null,
     error: row.error ?? null,
     startedAt: row.startedAt ?? null,
     finishedAt: row.finishedAt ?? null,
@@ -31690,7 +31784,6 @@ function selectEligibleCompetitors(competitorMap, competitorTypes) {
 // ../api-routes/src/discovery/orchestrate.ts
 import crypto26 from "crypto";
 import { eq as eq31 } from "drizzle-orm";
-var DEFAULT_DEDUP_THRESHOLD = 0.85;
 var DEFAULT_MAX_PROBES = 100;
 var ABSOLUTE_MAX_PROBES = 500;
 function classifyProbeBucket(input) {
@@ -31736,7 +31829,7 @@ async function pickCanonicals(candidates, deps, dedupThreshold) {
   return clusters.map(pickClusterRepresentative);
 }
 async function executeDiscovery(opts) {
-  const dedupThreshold = opts.dedupThreshold ?? DEFAULT_DEDUP_THRESHOLD;
+  const dedupThreshold = opts.dedupThreshold ?? DISCOVERY_DEFAULT_DEDUP_THRESHOLD;
   const requestedMax = opts.maxProbes ?? DEFAULT_MAX_PROBES;
   const maxProbes = Math.min(Math.max(1, requestedMax), ABSOLUTE_MAX_PROBES);
   const startedAt = (/* @__PURE__ */ new Date()).toISOString();
@@ -31757,13 +31850,19 @@ async function executeDiscovery(opts) {
     { embed: opts.deps.embed },
     dedupThreshold
   );
+  const warning = seedCollapseWarning({
+    seedCountRaw,
+    canonicalCount: canonicals.length,
+    dedupThreshold
+  });
   const probedCanonicals = canonicals.slice(0, maxProbes);
   const seedCount = probedCanonicals.length;
   opts.db.update(discoverySessions).set({
     status: DiscoverySessionStatuses.probing,
     seedProvider: seedResult.provider,
     seedCountRaw,
-    seedCount
+    seedCount,
+    warning
   }).where(eq31(discoverySessions.id, opts.sessionId)).run();
   const probeRows = [];
   const buckets = { cited: 0, aspirational: 0, "wasted-surface": 0 };

package/dist/{chunk-5QINOJ26.js → chunk-FB43IMZT.js}

@@ -9,7 +9,7 @@ import {
   loadConfig,
   loadConfigRaw,
   saveConfigPatch
-} from "./chunk-WFMEK34V.js";
+} from "./chunk-XI6YSTGE.js";
 import {
   CC_CACHE_DIR,
   DUCKDB_SPEC,
@@ -97,7 +97,7 @@ import {
   siteAuditPages,
   siteAuditSnapshots,
   usageCounters
-} from "./chunk-2FV5GIUB.js";
+} from "./chunk-BPZWX7YI.js";
 import {
   AGENT_MEMORY_VALUE_MAX_BYTES,
   AGENT_PROVIDER_IDS,
@@ -149,7 +149,7 @@ import {
   validationError,
   winnabilityClassLabel,
   withRetry
-} from "./chunk-JNAKRK77.js";
+} from "./chunk-KPN22EWK.js";
 
 // src/telemetry.ts
 import crypto from "crypto";
@@ -476,15 +476,17 @@ function resolveModel(config) {
   return config.model || DEFAULT_MODEL;
 }
 function createClient2(config) {
+  const httpOptions = config.baseUrl ? { httpOptions: { baseUrl: config.baseUrl } } : {};
   if (isVertexConfig(config)) {
     return new GoogleGenAI({
       vertexai: true,
       project: config.vertexProject,
       location: config.vertexRegion || "us-central1",
-      ...config.vertexCredentials ? { googleAuthOptions: { keyFilename: config.vertexCredentials } } : {}
+      ...config.vertexCredentials ? { googleAuthOptions: { keyFilename: config.vertexCredentials } } : {},
+      ...httpOptions
     });
   }
-  return new GoogleGenAI({ apiKey: config.apiKey });
+  return new GoogleGenAI({ apiKey: config.apiKey, ...httpOptions });
 }
 function validateConfig(config) {
   if ("vertexProject" in config && config.vertexProject !== void 0 && config.vertexProject.trim().length === 0) {
@@ -749,7 +751,7 @@ async function embedQueries(queries2, options) {
   if (!options.apiKey && !options.client) {
     throw new Error("embedQueries: missing apiKey");
   }
-  const client = options.client ?? createGeminiEmbedClient(options.apiKey);
+  const client = options.client ?? createGeminiEmbedClient(options.apiKey, options.baseUrl);
   return client.embedBatch(queries2, {
     model: options.model ?? DEFAULT_EMBED_MODEL,
     taskType: CLUSTERING_TASK_TYPE,
@@ -770,8 +772,11 @@ function extractEmbeddingVectors(response, expectedLength) {
     return e.values;
   });
 }
-function createGeminiEmbedClient(apiKey) {
-  const genai = new GoogleGenAI2({ apiKey });
+function createEmbedGenAI(apiKey, baseUrl) {
+  return new GoogleGenAI2({ apiKey, ...baseUrl ? { httpOptions: { baseUrl } } : {} });
+}
+function createGeminiEmbedClient(apiKey, baseUrl) {
+  const genai = createEmbedGenAI(apiKey, baseUrl);
   return {
     async embedBatch(queries2, opts) {
       const response = await genai.models.embedContent({
@@ -792,6 +797,7 @@ function toGeminiConfig(config) {
   return {
     apiKey: config.apiKey ?? "",
     model: config.model,
+    baseUrl: config.baseUrl,
     quotaPolicy: config.quotaPolicy,
     vertexProject: config.vertexProject,
     vertexRegion: config.vertexRegion,
@@ -895,6 +901,12 @@ async function withRetry3(fn, options = {}) {
 
 // ../provider-openai/src/normalize.ts
 var DEFAULT_MODEL2 = "gpt-5.4";
+function createClient3(config) {
+  return new OpenAI({
+    apiKey: config.apiKey,
+    ...config.baseUrl ? { baseURL: config.baseUrl } : {}
+  });
+}
 function validateConfig2(config) {
   if (!config.apiKey || config.apiKey.length === 0) {
     return { ok: false, provider: "openai", message: "missing api key" };
@@ -910,7 +922,7 @@ async function healthcheck2(config) {
   const validation = validateConfig2(config);
   if (!validation.ok) return validation;
   try {
-    const client = new OpenAI({ apiKey: config.apiKey });
+    const client = createClient3(config);
     const response = await withRetry3(
       () => client.responses.create({
         model: config.model ?? DEFAULT_MODEL2,
@@ -935,7 +947,7 @@ async function healthcheck2(config) {
 }
 async function executeTrackedQuery2(input) {
   const model = input.config.model ?? DEFAULT_MODEL2;
-  const client = new OpenAI({ apiKey: input.config.apiKey });
+  const client = createClient3(input.config);
   const webSearchTool = { type: "web_search" };
   if (input.location) {
     webSearchTool.user_location = {
@@ -1108,7 +1120,7 @@ function extractDomainFromUri2(uri) {
 }
 async function generateText2(prompt, config) {
   const model = config.model ?? DEFAULT_MODEL2;
-  const client = new OpenAI({ apiKey: config.apiKey });
+  const client = createClient3(config);
   const response = await withRetry3(
     () => client.responses.create({
       model,
@@ -1130,6 +1142,7 @@ function toOpenAIConfig(config) {
   return {
     apiKey: config.apiKey ?? "",
     model: config.model,
+    baseUrl: config.baseUrl,
     quotaPolicy: config.quotaPolicy
   };
 }
@@ -4933,7 +4946,7 @@ function buildDefaultDeps(registry) {
     },
     async embed(queries2) {
       if (cfg.apiKey) {
-        return embedQueries(queries2, { apiKey: cfg.apiKey });
+        return embedQueries(queries2, { apiKey: cfg.apiKey, baseUrl: cfg.baseUrl });
       }
       throw new Error("Discovery currently requires a Gemini API key. Vertex-mode embeddings are not yet implemented.");
     },
@@ -5761,7 +5774,7 @@ function readStoredGroundingSources(rawResponse) {
   return result;
 }
 async function backfillInsightsCommand(project, opts) {
-  const { IntelligenceService: IntelligenceService2 } = await import("./intelligence-service-ITD2CTKH.js");
+  const { IntelligenceService: IntelligenceService2 } = await import("./intelligence-service-C76ZRMF5.js");
   const config = loadConfig();
   const db = createClient(config.database);
   migrate(db);
@@ -9452,11 +9465,16 @@ var BROWSER_ADAPTERS = [
 var adapterMap = Object.fromEntries(
   API_ADAPTERS.map((a) => [a.name, a])
 );
-function summarizeProviderConfig(provider, config) {
+function summarizeProviderConfig(config) {
   return {
     configured: Boolean(config?.apiKey || config?.baseUrl),
     model: config?.model ?? null,
-    baseUrl: provider === "local" ? config?.baseUrl ?? null : null,
+    // baseUrl is surfaced for ALL providers, not just local — gemini/openai now
+    // honor a custom endpoint, so repointing one must show in the settings
+    // summary AND produce an audit diff. Omitting it for API providers would let
+    // an endpoint redirect (a credential-exfiltration vector on a box where the
+    // provider key is the carrier) happen with no audit trail.
+    baseUrl: config?.baseUrl ?? null,
     quota: { ...config?.quota ?? DEFAULT_QUOTA }
   };
 }
@@ -10330,7 +10348,7 @@ async function createServer(opts) {
       if (!adapterMap[name]) return null;
       if (!opts.config.providers) opts.config.providers = {};
       const existing = opts.config.providers[name];
-      const beforeConfig = summarizeProviderConfig(name, existing);
+      const beforeConfig = summarizeProviderConfig(existing);
       const mergedQuota = incomingQuota ? { ...existing?.quota ?? DEFAULT_QUOTA, ...incomingQuota } : existing?.quota;
       opts.config.providers[name] = {
         apiKey: apiKey || existing?.apiKey,
@@ -10369,7 +10387,7 @@ async function createServer(opts) {
           entry.vertexConfigured = !!opts.config.providers?.[name]?.vertexProject;
         }
       }
-      const afterConfig = summarizeProviderConfig(name, opts.config.providers[name]);
+      const afterConfig = summarizeProviderConfig(opts.config.providers[name]);
       if (JSON.stringify(beforeConfig) !== JSON.stringify(afterConfig)) {
         const diff = JSON.stringify({
           before: existing ? beforeConfig : null,

package/dist/{chunk-JNAKRK77.js → chunk-KPN22EWK.js}

@@ -41,8 +41,8 @@ function authRequired(message = "Authentication required") {
 function authInvalid() {
   return new AppError("AUTH_INVALID", "Invalid API key", 401);
 }
-function forbidden(message = "Forbidden") {
-  return new AppError("FORBIDDEN", message, 403);
+function forbidden(message = "Forbidden", details) {
+  return new AppError("FORBIDDEN", message, 403, details);
 }
 function quotaExceeded(metric) {
   return new AppError("QUOTA_EXCEEDED", `Quota exceeded for ${metric}`, 429);
@@ -1870,6 +1870,12 @@ var discoverySessionDtoSchema = z17.object({
   aspirationalCount: z17.number().int().nullable().default(null),
   wastedCount: z17.number().int().nullable().default(null),
   competitorMap: z17.array(discoveryCompetitorMapEntrySchema).default([]),
+  /**
+   * Non-fatal operator warning recorded while the session ran (currently the
+   * seed dedup collapse guard). The session still completes; the warning flags
+   * that its coverage may be misleading.
+   */
+  warning: z17.string().nullable().optional(),
   error: z17.string().nullable().optional(),
   startedAt: z17.string().nullable().optional(),
   finishedAt: z17.string().nullable().optional(),
@@ -1879,6 +1885,16 @@ var discoverySessionDetailDtoSchema = discoverySessionDtoSchema.extend({
   probes: z17.array(discoveryProbeDtoSchema).default([])
 });
 var DISCOVERY_MAX_PROBES_CAP = 500;
+var DISCOVERY_DEFAULT_DEDUP_THRESHOLD = 0.95;
+var DISCOVERY_SEED_COLLAPSE_RATIO = 0.2;
+var DISCOVERY_SEED_COLLAPSE_MIN_RAW = 10;
+function seedCollapseWarning(input) {
+  const { seedCountRaw, canonicalCount, dedupThreshold } = input;
+  if (seedCountRaw < DISCOVERY_SEED_COLLAPSE_MIN_RAW) return null;
+  if (canonicalCount / seedCountRaw >= DISCOVERY_SEED_COLLAPSE_RATIO) return null;
+  const noun = canonicalCount === 1 ? "query" : "queries";
+  return `Seed dedup collapsed ${seedCountRaw} raw candidates into ${canonicalCount} canonical ${noun} at threshold ${dedupThreshold}. Distinct intents were likely merged into one cluster; re-run with a higher --dedup-threshold.`;
+}
 var discoveryRunRequestSchema = z17.object({
   icpDescription: z17.string().min(1).optional(),
   dedupThreshold: z17.number().min(0).max(1).optional(),
@@ -4440,6 +4456,8 @@ export {
   discoverySessionDtoSchema,
   discoverySessionDetailDtoSchema,
   DISCOVERY_MAX_PROBES_CAP,
+  DISCOVERY_DEFAULT_DEDUP_THRESHOLD,
+  seedCollapseWarning,
   discoveryRunRequestSchema,
   discoveryPromoteRequestSchema,
   discoveryPromotePreviewSchema,

package/dist/{chunk-WFMEK34V.js → chunk-XI6YSTGE.js}

@@ -22,7 +22,7 @@ import {
   trafficConnectVercelRequestSchema,
   trafficConnectWordpressRequestSchema,
   trafficEventKindSchema
-} from "./chunk-JNAKRK77.js";
+} from "./chunk-KPN22EWK.js";
 
 // src/config.ts
 import fs from "fs";

package/dist/cli.js

@@ -27,7 +27,7 @@ import {
   setTelemetrySource,
   showFirstRunNotice,
   trackEvent
-} from "./chunk-5QINOJ26.js";
+} from "./chunk-FB43IMZT.js";
 import {
   CliError,
   EXIT_SYSTEM_ERROR,
@@ -44,7 +44,7 @@ import {
   saveConfig,
   saveConfigPatch,
   usageError
-} from "./chunk-WFMEK34V.js";
+} from "./chunk-XI6YSTGE.js";
 import {
   apiKeys,
   createClient,
@@ -52,7 +52,7 @@ import {
   projects,
   queries,
   renderReportHtml
-} from "./chunk-2FV5GIUB.js";
+} from "./chunk-BPZWX7YI.js";
 import {
   CcReleaseSyncStatuses,
   CheckScopes,
@@ -72,7 +72,7 @@ import {
   providerQuotaPolicySchema,
   resolveProviderInput,
   winnabilityClassSchema
-} from "./chunk-JNAKRK77.js";
+} from "./chunk-KPN22EWK.js";
 
 // src/cli.ts
 import { pathToFileURL } from "url";
@@ -1797,6 +1797,7 @@ function printSessionDetail(session) {
       console.log(`    - ${c.domain} (${c.hits} hits, ${c.competitorType})`);
     }
   }
+  if (session.warning) console.log(`  Warning:       ${session.warning}`);
   if (session.error) console.log(`  Error:         ${session.error}`);
   if (session.startedAt) console.log(`  Started:       ${session.startedAt}`);
   if (session.finishedAt) console.log(`  Finished:      ${session.finishedAt}`);
@@ -1920,7 +1921,7 @@ Usage: ${usage}`,
 var DISCOVER_CLI_COMMANDS = [
   {
     path: ["discover", "run"],
-    usage: 'canonry discover run <project> [--icp "..."] [--icp-angle "..."] [--locations michigan,florida] [--dedup-threshold 0.85] [--max-probes 100] [--wait] [--format json]',
+    usage: 'canonry discover run <project> [--icp "..."] [--icp-angle "..."] [--locations michigan,florida] [--dedup-threshold 0.95] [--max-probes 100] [--wait] [--format json]',
     options: {
       icp: stringOption(),
       "icp-angle": multiStringOption(),
@@ -1930,7 +1931,7 @@ var DISCOVER_CLI_COMMANDS = [
       wait: { type: "boolean", default: false }
     },
     run: async (input) => {
-      const usage = 'canonry discover run <project> [--icp "..."] [--icp-angle "..."] [--locations michigan,florida] [--dedup-threshold 0.85] [--max-probes 100] [--wait] [--format json]';
+      const usage = 'canonry discover run <project> [--icp "..."] [--icp-angle "..."] [--locations michigan,florida] [--dedup-threshold 0.95] [--max-probes 100] [--wait] [--format json]';
       const project = requireProject(input, "discover.run", usage);
       await discoverRun(project, {
         icp: getString(input.values, "icp"),
@@ -1949,7 +1950,7 @@ var DISCOVER_CLI_COMMANDS = [
   },
   {
     path: ["discover", "seed"],
-    usage: 'canonry discover seed <project> [--icp "..."] [--icp-angle "..."] [--locations michigan,florida] [--dedup-threshold 0.85] [--max-probes 100] [--wait] [--format json]',
+    usage: 'canonry discover seed <project> [--icp "..."] [--icp-angle "..."] [--locations michigan,florida] [--dedup-threshold 0.95] [--max-probes 100] [--wait] [--format json]',
     options: {
       icp: stringOption(),
       "icp-angle": multiStringOption(),
@@ -1959,7 +1960,7 @@ var DISCOVER_CLI_COMMANDS = [
       wait: { type: "boolean", default: false }
     },
     run: async (input) => {
-      const usage = 'canonry discover seed <project> [--icp "..."] [--icp-angle "..."] [--locations michigan,florida] [--dedup-threshold 0.85] [--max-probes 100] [--wait] [--format json]';
+      const usage = 'canonry discover seed <project> [--icp "..."] [--icp-angle "..."] [--locations michigan,florida] [--dedup-threshold 0.95] [--max-probes 100] [--wait] [--format json]';
       const project = requireProject(input, "discover.seed", usage);
       await discoverSeed(project, {
         icp: getString(input.values, "icp"),
@@ -9632,6 +9633,7 @@ var envSchema = z.object({
   // Gemini
   GEMINI_API_KEY: z.string().optional(),
   GEMINI_MODEL: z.string().optional(),
+  GEMINI_BASE_URL: z.string().optional(),
   GEMINI_MAX_CONCURRENCY: z.coerce.number().int().positive().default(2),
   GEMINI_MAX_REQUESTS_PER_MINUTE: z.coerce.number().int().positive().default(10),
   GEMINI_MAX_REQUESTS_PER_DAY: z.coerce.number().int().positive().default(1e3),
@@ -9642,6 +9644,7 @@ var envSchema = z.object({
   // OpenAI
   OPENAI_API_KEY: z.string().optional(),
   OPENAI_MODEL: z.string().optional(),
+  OPENAI_BASE_URL: z.string().optional(),
   OPENAI_MAX_CONCURRENCY: z.coerce.number().int().positive().default(2),
   OPENAI_MAX_REQUESTS_PER_MINUTE: z.coerce.number().int().positive().default(10),
   OPENAI_MAX_REQUESTS_PER_DAY: z.coerce.number().int().positive().default(1e3),
@@ -9668,11 +9671,13 @@ var bootstrapEnvSchema = z.object({
   CANONRY_DATABASE_PATH: z.string().optional(),
   GEMINI_API_KEY: z.string().optional(),
   GEMINI_MODEL: z.string().optional(),
+  GEMINI_BASE_URL: z.string().optional(),
   GEMINI_VERTEX_PROJECT: z.string().optional(),
   GEMINI_VERTEX_REGION: z.string().optional(),
   GEMINI_VERTEX_CREDENTIALS: z.string().optional(),
   OPENAI_API_KEY: z.string().optional(),
   OPENAI_MODEL: z.string().optional(),
+  OPENAI_BASE_URL: z.string().optional(),
   ANTHROPIC_API_KEY: z.string().optional(),
   ANTHROPIC_MODEL: z.string().optional(),
   PERPLEXITY_API_KEY: z.string().optional(),
@@ -9691,6 +9696,7 @@ function getBootstrapEnv(source, overrides) {
     providers.gemini = {
       apiKey: parsed.GEMINI_API_KEY ?? "",
       model: parsed.GEMINI_MODEL || "gemini-2.5-flash",
+      baseUrl: parsed.GEMINI_BASE_URL,
       quota: providerQuotaPolicySchema.parse({
         maxConcurrency: 2,
         maxRequestsPerMinute: 10,
@@ -9705,6 +9711,7 @@ function getBootstrapEnv(source, overrides) {
     providers.openai = {
       apiKey: parsed.OPENAI_API_KEY,
       model: parsed.OPENAI_MODEL || "gpt-5.4",
+      baseUrl: parsed.OPENAI_BASE_URL,
       quota: providerQuotaPolicySchema.parse({
         maxConcurrency: 2,
         maxRequestsPerMinute: 10,

package/dist/index.js

@@ -1,11 +1,11 @@
 import {
   createServer
-} from "./chunk-5QINOJ26.js";
+} from "./chunk-FB43IMZT.js";
 import {
   loadConfig
-} from "./chunk-WFMEK34V.js";
-import "./chunk-2FV5GIUB.js";
-import "./chunk-JNAKRK77.js";
+} from "./chunk-XI6YSTGE.js";
+import "./chunk-BPZWX7YI.js";
+import "./chunk-KPN22EWK.js";
 export {
   createServer,
   loadConfig

package/dist/{intelligence-service-ITD2CTKH.js → intelligence-service-C76ZRMF5.js}

@@ -1,7 +1,7 @@
 import {
   IntelligenceService
-} from "./chunk-2FV5GIUB.js";
-import "./chunk-JNAKRK77.js";
+} from "./chunk-BPZWX7YI.js";
+import "./chunk-KPN22EWK.js";
 export {
   IntelligenceService
 };