@ainyc/canonry 4.81.0 → 4.83.0

package/assets/assets/{trash-2-BQ69cGl0.js → trash-2-6nHJZrvy.js}

@@ -1 +1 @@
-import{c}from"./index-DhdFTQkU.js";const a=[["circle",{cx:"12",cy:"12",r:"10",key:"1mglay"}],["path",{d:"m9 12 2 2 4-4",key:"dzmm74"}]],h=c("circle-check",a);const e=[["circle",{cx:"12",cy:"12",r:"10",key:"1mglay"}],["path",{d:"M9.09 9a3 3 0 0 1 5.83 1c0 2-3 3-3 3",key:"1u773s"}],["path",{d:"M12 17h.01",key:"p32p05"}]],n=c("circle-question-mark",e);const o=[["path",{d:"M12 15V3",key:"m9g1x1"}],["path",{d:"M21 15v4a2 2 0 0 1-2 2H5a2 2 0 0 1-2-2v-4",key:"ih7n3h"}],["path",{d:"m7 10 5 5 5-5",key:"brsn70"}]],s=c("download",o);const t=[["path",{d:"M10 11v6",key:"nco0om"}],["path",{d:"M14 11v6",key:"outv1u"}],["path",{d:"M19 6v14a2 2 0 0 1-2 2H7a2 2 0 0 1-2-2V6",key:"miytrc"}],["path",{d:"M3 6h18",key:"d0wm0j"}],["path",{d:"M8 6V4a2 2 0 0 1 2-2h4a2 2 0 0 1 2 2v2",key:"e791ji"}]],r=c("trash-2",t);export{h as C,s as D,r as T,n as a};
+import{c}from"./index-CGlPx_cu.js";const a=[["circle",{cx:"12",cy:"12",r:"10",key:"1mglay"}],["path",{d:"m9 12 2 2 4-4",key:"dzmm74"}]],h=c("circle-check",a);const e=[["circle",{cx:"12",cy:"12",r:"10",key:"1mglay"}],["path",{d:"M9.09 9a3 3 0 0 1 5.83 1c0 2-3 3-3 3",key:"1u773s"}],["path",{d:"M12 17h.01",key:"p32p05"}]],n=c("circle-question-mark",e);const o=[["path",{d:"M12 15V3",key:"m9g1x1"}],["path",{d:"M21 15v4a2 2 0 0 1-2 2H5a2 2 0 0 1-2-2v-4",key:"ih7n3h"}],["path",{d:"m7 10 5 5 5-5",key:"brsn70"}]],s=c("download",o);const t=[["path",{d:"M10 11v6",key:"nco0om"}],["path",{d:"M14 11v6",key:"outv1u"}],["path",{d:"M19 6v14a2 2 0 0 1-2 2H7a2 2 0 0 1-2-2V6",key:"miytrc"}],["path",{d:"M3 6h18",key:"d0wm0j"}],["path",{d:"M8 6V4a2 2 0 0 1 2-2h4a2 2 0 0 1 2 2v2",key:"e791ji"}]],r=c("trash-2",t);export{h as C,s as D,r as T,n as a};

package/assets/index.html

@@ -12,7 +12,7 @@
     <link rel="icon" type="image/png" sizes="32x32" href="./favicon-32.png" />
     <link rel="apple-touch-icon" href="./apple-touch-icon.png" />
     <title>Canonry</title>
-    <script type="module" crossorigin src="./assets/index-DhdFTQkU.js"></script>
+    <script type="module" crossorigin src="./assets/index-CGlPx_cu.js"></script>
     <link rel="modulepreload" crossorigin href="./assets/vendor-tanstack-Dq7p98wZ.js">
     <link rel="modulepreload" crossorigin href="./assets/vendor-radix-B57xfQbP.js">
     <link rel="modulepreload" crossorigin href="./assets/vendor-recharts-ClRVR6aX.js">

package/dist/{chunk-GMT3YPLT.js → chunk-BNF3HXBW.js}

@@ -571,6 +571,16 @@ var auditLogEntrySchema = z3.object({
   createdAt: z3.string()
 });
 
+// ../contracts/src/scopes.ts
+var READ_ONLY_SCOPE = "read";
+var WILDCARD_SCOPE = "*";
+function grantsWrite(scope) {
+  return scope === WILDCARD_SCOPE || scope === "write" || scope.endsWith(".write");
+}
+function isReadOnlyKey(scopes) {
+  return scopes.includes(READ_ONLY_SCOPE) && !scopes.some(grantsWrite);
+}
+
 // ../contracts/src/api-keys.ts
 import { z as z4 } from "zod";
 var apiKeyDtoSchema = z4.object({
@@ -579,6 +589,13 @@ var apiKeyDtoSchema = z4.object({
   /** First 9 chars of the raw token (`cnry_` + 4 hex). Safe to display. */
   keyPrefix: z4.string(),
   scopes: z4.array(z4.string()),
+  /**
+   * Server-derived convenience flag: `true` when this key is read-only (carries
+   * the `read` scope and no write-granting scope), in which case the API rejects
+   * every write HTTP method for it. Derived from `scopes` via `isReadOnlyKey`
+   * — surfaces don't recompute it (see the UI/CLI parity rule). Additive field.
+   */
+  readOnly: z4.boolean(),
   createdAt: z4.string(),
   lastUsedAt: z4.string().nullable(),
   revokedAt: z4.string().nullable()
@@ -1855,6 +1872,11 @@ var discoveryProbeDtoSchema = z17.object({
   bucket: discoveryBucketSchema.nullable().default(null),
   citationState: citationStateSchema,
   citedDomains: z17.array(z17.string()).default([]),
+  // Answer-text mention signal, independent of citationState. Tri-state: true
+  // (named in the answer prose), false (probed, not named), null (unknown: a
+  // legacy probe written before the engine computed it). Consumers must treat
+  // null as unknown, never as false.
+  answerMentioned: z17.boolean().nullable().default(null),
   createdAt: z17.string()
 });
 var discoverySessionDtoSchema = z17.object({
@@ -4780,5 +4802,7 @@ export {
   AI_ENGINE_SELF_DOMAINS,
   VERTEX_AI_SEARCH_PROXY_DOMAIN,
   AI_PROVIDER_INFRA_DOMAINS,
-  escapeLikePattern
+  escapeLikePattern,
+  READ_ONLY_SCOPE,
+  isReadOnlyKey
 };

package/dist/{chunk-UAQ42NVJ.js → chunk-GOWH42QV.js}

@@ -156,6 +156,7 @@ import {
   hasLocationLabel,
   indexingRequestResponseDtoSchema,
   internalError,
+  isReadOnlyKey,
   keywordDtoSchema,
   keywordGenerateRequestSchema,
   latestProjectRunDtoSchema,
@@ -245,7 +246,7 @@ import {
   wordpressSchemaDeployResultDtoSchema,
   wordpressSchemaStatusResultDtoSchema,
   wordpressStatusDtoSchema
-} from "./chunk-GMT3YPLT.js";
+} from "./chunk-BNF3HXBW.js";
 
 // src/intelligence-service.ts
 import { eq as eq36, desc as desc17, asc as asc5, and as and26, ne as ne5, or as or5, inArray as inArray13, gte as gte7, lte as lte4 } from "drizzle-orm";
@@ -1054,6 +1055,10 @@ var discoveryProbes = sqliteTable("discovery_probes", {
   query: text("query").notNull(),
   bucket: text("bucket"),
   citationState: text("citation_state").notNull(),
+  // Answer-text mention signal, independent of citationState. Tri-state: true
+  // (named in the answer prose), false (probed, not named), null (legacy rows
+  // written before this column / never computed). Mirrors querySnapshots.answerMentioned.
+  answerMentioned: integer("answer_mentioned", { mode: "boolean" }),
   citedDomains: text("cited_domains", { mode: "json" }).$type().notNull().default([]),
   rawResponse: text("raw_response"),
   createdAt: text("created_at").notNull()
@@ -3074,6 +3079,16 @@ var MIGRATION_VERSIONS = [
     run: (tx) => {
       addBacklinkSourceDiscriminator(tx);
     }
+  },
+  {
+    // Answer-text mention signal on discovery probes (independent of citation).
+    // Nullable: pre-existing rows were written before the column / never had the
+    // mention computed, so they read back as null (unknown) downstream.
+    version: 79,
+    name: "discovery-probes-answer-mentioned",
+    statements: [
+      `ALTER TABLE discovery_probes ADD COLUMN answer_mentioned INTEGER`
+    ]
   }
 ];
 function rebuildBacklinkTableWithSource(tx, table) {
@@ -5290,6 +5305,7 @@ import fs8 from "fs";
 // ../api-routes/src/auth.ts
 import crypto2 from "crypto";
 import { eq } from "drizzle-orm";
+var WRITE_METHODS = /* @__PURE__ */ new Set(["POST", "PUT", "PATCH", "DELETE"]);
 function requireScope(request, scope) {
   const key = request.apiKey;
   if (!key) return;
@@ -5357,6 +5373,9 @@ async function authPlugin(app, opts = {}) {
     app.db.update(apiKeys).set({ lastUsedAt: (/* @__PURE__ */ new Date()).toISOString() }).where(eq(apiKeys.id, key.id)).run();
     const scopes = Array.isArray(key.scopes) ? key.scopes : [];
     request.apiKey = { id: key.id, name: key.name, scopes };
+    if (isReadOnlyKey(scopes) && WRITE_METHODS.has(request.method)) {
+      throw forbidden("This API key is read-only and cannot perform write operations.");
+    }
   });
 }
 
@@ -14431,6 +14450,17 @@ var routeCatalog = [
       200: jsonResponse("Keys returned.", "ApiKeyListDto")
     }
   },
+  {
+    method: "get",
+    path: "/api/v1/keys/self",
+    summary: "Introspect the current API key",
+    description: "Returns SAFE metadata for the key that authenticated this request, including the derived `readOnly` flag. Lets a caller (or the MCP adapter at startup) discover whether its configured key is read-only without listing every key on the instance. Ungated read \u2014 a read-only key can call it.",
+    tags: ["keys"],
+    responses: {
+      200: jsonResponse("Current key returned.", "ApiKeyDto"),
+      404: errorResponse("No key on the request (auth skipped).")
+    }
+  },
   {
     method: "post",
     path: "/api/v1/keys",
@@ -17586,11 +17616,13 @@ import crypto12 from "crypto";
 import { desc as desc9, eq as eq17 } from "drizzle-orm";
 var KEYS_WRITE_SCOPE = "keys.write";
 function toApiKeyDto(row) {
+  const scopes = Array.isArray(row.scopes) ? row.scopes : [];
   return {
     id: row.id,
     name: row.name,
     keyPrefix: row.keyPrefix,
-    scopes: Array.isArray(row.scopes) ? row.scopes : [],
+    scopes,
+    readOnly: isReadOnlyKey(scopes),
     createdAt: row.createdAt,
     lastUsedAt: row.lastUsedAt ?? null,
     revokedAt: row.revokedAt ?? null
@@ -17601,6 +17633,17 @@ async function keysRoutes(app) {
     const rows = app.db.select().from(apiKeys).orderBy(desc9(apiKeys.createdAt)).all();
     return { keys: rows.map(toApiKeyDto) };
   });
+  app.get("/keys/self", async (request) => {
+    const id = request.apiKey?.id;
+    if (!id) {
+      throw notFound("API key", "self");
+    }
+    const row = app.db.select().from(apiKeys).where(eq17(apiKeys.id, id)).get();
+    if (!row) {
+      throw notFound("API key", id);
+    }
+    return toApiKeyDto(row);
+  });
   app.post("/keys", async (request) => {
     requireScope(request, KEYS_WRITE_SCOPE);
     const parsed = createApiKeyRequestSchema.safeParse(request.body);
@@ -17636,6 +17679,7 @@ async function keysRoutes(app) {
       name,
       keyPrefix,
       scopes: effectiveScopes,
+      readOnly: isReadOnlyKey(effectiveScopes),
       createdAt: now,
       lastUsedAt: null,
       revokedAt: null,
@@ -32749,6 +32793,9 @@ function serializeProbe(row) {
     bucket: bucketParsed?.success ? bucketParsed.data : null,
     citationState: stateParsed.success ? stateParsed.data : "not-cited",
     citedDomains: row.citedDomains,
+    // Boolean-mode column already reads back as boolean | null; a legacy row
+    // written before the column is null (unknown), never coerced to false.
+    answerMentioned: row.answerMentioned ?? null,
     createdAt: row.createdAt
   };
 }
@@ -32865,6 +32912,7 @@ async function executeDiscovery(opts) {
       query,
       bucket,
       citationState: probe.citationState,
+      answerMentioned: probe.answerMentioned,
       citedDomains: probe.citedDomains,
       rawResponse: JSON.stringify(probe.rawResponse),
       createdAt: (/* @__PURE__ */ new Date()).toISOString()

package/dist/{chunk-VX5C7DK7.js → chunk-NRACXNI7.js}

@@ -9,7 +9,7 @@ import {
   loadConfig,
   loadConfigRaw,
   saveConfigPatch
-} from "./chunk-6XOZSS3Y.js";
+} from "./chunk-Y3O3HBMN.js";
 import {
   CC_CACHE_DIR,
   DUCKDB_SPEC,
@@ -104,7 +104,7 @@ import {
   siteAuditPages,
   siteAuditSnapshots,
   usageCounters
-} from "./chunk-UAQ42NVJ.js";
+} from "./chunk-GOWH42QV.js";
 import {
   AGENT_MEMORY_VALUE_MAX_BYTES,
   AGENT_PROVIDER_IDS,
@@ -160,7 +160,7 @@ import {
   validationError,
   winnabilityClassLabel,
   withRetry
-} from "./chunk-GMT3YPLT.js";
+} from "./chunk-BNF3HXBW.js";
 
 // src/telemetry.ts
 import crypto from "crypto";
@@ -5376,9 +5376,14 @@ async function executeDiscoveryRun(opts) {
       canonicalDomain: projectRow.canonicalDomain,
       ownedDomains: projectRow.ownedDomains
     });
+    const brandNames = effectiveBrandNames({
+      displayName: projectRow.displayName,
+      aliases: projectRow.aliases
+    });
     const project = {
       id: projectRow.id,
       name: projectRow.name,
+      brandNames,
       canonicalDomains,
       competitorDomains: projectCompetitors
     };
@@ -5466,9 +5471,15 @@ function buildDefaultDeps(registry) {
       const normalized = adapter.normalizeResult(raw);
       const canonical = new Set(input.project.canonicalDomains.map((d) => d.toLowerCase()));
       const isCited = normalized.citedDomains.some((d) => canonical.has(d.toLowerCase()));
+      const answerMentioned = determineAnswerMentioned(
+        normalized.answerText,
+        input.project.brandNames ?? [],
+        input.project.canonicalDomains
+      );
       return {
         citationState: isCited ? "cited" : "not-cited",
         citedDomains: normalized.citedDomains,
+        answerMentioned,
         rawResponse: raw.rawResponse
       };
     },
@@ -6278,7 +6289,7 @@ function readStoredGroundingSources(rawResponse) {
   return result;
 }
 async function backfillInsightsCommand(project, opts) {
-  const { IntelligenceService: IntelligenceService2 } = await import("./intelligence-service-CAAQAKPN.js");
+  const { IntelligenceService: IntelligenceService2 } = await import("./intelligence-service-FHQM7YMA.js");
   const config = loadConfig();
   const db = createClient(config.database);
   migrate(db);

package/dist/{chunk-6XOZSS3Y.js → chunk-Y3O3HBMN.js}

@@ -23,7 +23,7 @@ import {
   trafficConnectVercelRequestSchema,
   trafficConnectWordpressRequestSchema,
   trafficEventKindSchema
-} from "./chunk-GMT3YPLT.js";
+} from "./chunk-BNF3HXBW.js";
 
 // src/config.ts
 import fs from "fs";
@@ -1606,6 +1606,18 @@ var postApiV1Keys = (options) => {
     }
   });
 };
+var getApiV1KeysSelf = (options) => {
+  return (options?.client ?? client).get({
+    security: [
+      {
+        scheme: "bearer",
+        type: "http"
+      }
+    ],
+    url: "/api/v1/keys/self",
+    ...options
+  });
+};
 var postApiV1KeysByIdRevoke = (options) => {
   return (options.client ?? client).post({
     security: [
@@ -4042,6 +4054,10 @@ var ApiClient = class {
   async listApiKeys() {
     return this.invoke(() => getApiV1Keys({ client: this.heyClient }));
   }
+  /** Introspect the CURRENT key (the one this client authenticates with). */
+  async getApiKeySelf() {
+    return this.invoke(() => getApiV1KeysSelf({ client: this.heyClient }));
+  }
   async createApiKey(body) {
     return this.invoke(() => postApiV1Keys({ client: this.heyClient, body }));
   }

package/dist/cli.js

@@ -27,7 +27,7 @@ import {
   setTelemetrySource,
   showFirstRunNotice,
   trackEvent
-} from "./chunk-VX5C7DK7.js";
+} from "./chunk-NRACXNI7.js";
 import {
   CliError,
   EXIT_SYSTEM_ERROR,
@@ -44,7 +44,7 @@ import {
   saveConfig,
   saveConfigPatch,
   usageError
-} from "./chunk-6XOZSS3Y.js";
+} from "./chunk-Y3O3HBMN.js";
 import {
   apiKeys,
   createClient,
@@ -52,13 +52,14 @@ import {
   projects,
   queries,
   renderReportHtml
-} from "./chunk-UAQ42NVJ.js";
+} from "./chunk-GOWH42QV.js";
 import {
   BacklinkSources,
   CcReleaseSyncStatuses,
   CheckScopes,
   CheckStatuses,
   CitationStates,
+  READ_ONLY_SCOPE,
   RunStatuses,
   TrafficEventKinds,
   backlinkSourceSchema,
@@ -75,7 +76,7 @@ import {
   providerQuotaPolicySchema,
   resolveProviderInput,
   winnabilityClassSchema
-} from "./chunk-GMT3YPLT.js";
+} from "./chunk-BNF3HXBW.js";
 
 // src/cli.ts
 import { pathToFileURL } from "url";
@@ -1901,11 +1902,12 @@ function printSessionDetail(session) {
   if (session.probes && session.probes.length > 0) {
     const sorted = [...session.probes].sort((a, b) => (a.bucket ?? "").localeCompare(b.bucket ?? ""));
     console.log(`
-  Probes (${session.probes.length}):`);
+  Probes (${session.probes.length}):  (cell = [citation][mention];  C=cited c=not, M=mentioned m=not, \u2013=no data)`);
     for (const p of sorted) {
       const bucket = (p.bucket ?? "\u2013").padEnd(15);
-      const cit = p.citationState === "cited" ? "C" : "c";
-      console.log(`    [${cit}]  ${bucket}  ${p.query}`);
+      const citationGlyph = p.citationState === CitationStates.cited ? "C" : "c";
+      const mentionGlyph = typeof p.answerMentioned === "boolean" ? p.answerMentioned ? "M" : "m" : "\u2013";
+      console.log(`    [${citationGlyph}${mentionGlyph}]  ${bucket}  ${p.query}`);
     }
   }
 }
@@ -5640,9 +5642,18 @@ async function listApiKeys(format) {
   }
 }
 async function createApiKey(opts) {
+  const explicitScopes = opts.scopes && opts.scopes.length > 0 ? opts.scopes : void 0;
+  if (opts.readOnly && explicitScopes) {
+    throw new CliError({
+      code: "CLI_USAGE_ERROR",
+      message: "--read-only cannot be combined with --scope",
+      displayMessage: 'Error: --read-only cannot be combined with --scope (it already implies the "read" scope).'
+    });
+  }
   const client = getClient11();
   const body = { name: opts.name };
-  if (opts.scopes && opts.scopes.length > 0) body.scopes = opts.scopes;
+  const scopes = opts.readOnly ? [READ_ONLY_SCOPE] : explicitScopes;
+  if (scopes) body.scopes = scopes;
   const created = await client.createApiKey(body);
   if (isMachineFormat(opts.format)) {
     console.log(JSON.stringify(created, null, 2));
@@ -5650,11 +5661,24 @@ async function createApiKey(opts) {
   }
   console.log(`API key "${created.name}" created.
 `);
-  console.log(`  Key:     ${created.key}`);
-  console.log(`  Prefix:  ${created.keyPrefix}`);
-  console.log(`  Scopes:  ${created.scopes.join(", ")}`);
+  console.log(`  Key:       ${created.key}`);
+  console.log(`  Prefix:    ${created.keyPrefix}`);
+  console.log(`  Scopes:    ${created.scopes.join(", ")}`);
+  console.log(`  Read-only: ${created.readOnly ? "yes" : "no"}`);
   console.log("\nSave this now \u2014 it will not be shown again.");
 }
+async function showApiKeySelf(format) {
+  const client = getClient11();
+  const key = await client.getApiKeySelf();
+  if (isMachineFormat(format)) {
+    console.log(JSON.stringify(key, null, 2));
+    return;
+  }
+  console.log(`API key "${key.name}" (${key.keyPrefix})`);
+  console.log(`  Scopes:    ${key.scopes.join(", ")}`);
+  console.log(`  Read-only: ${key.readOnly ? "yes" : "no"}`);
+  console.log(`  Status:    ${keyStatus(key)}`);
+}
 async function revokeApiKey(id, format) {
   const client = getClient11();
   const key = await client.revokeApiKey(id);
@@ -5676,15 +5700,16 @@ var KEYS_CLI_COMMANDS = [
   },
   {
     path: ["key", "create"],
-    usage: "canonry key create --name <name> [--scope <s> ...] [--format json]",
+    usage: "canonry key create --name <name> [--read-only | --scope <s> ...] [--format json]",
     options: {
       name: stringOption(),
-      scope: multiStringOption()
+      scope: multiStringOption(),
+      "read-only": { type: "boolean" }
     },
     run: async (input) => {
       const name = requireStringOption(input, "name", {
         command: "key.create",
-        usage: "canonry key create --name <name> [--scope <s> ...] [--format json]",
+        usage: "canonry key create --name <name> [--read-only | --scope <s> ...] [--format json]",
         message: "--name is required"
       });
       const raw = getStringArray(input.values, "scope") ?? [];
@@ -5692,10 +5717,18 @@ var KEYS_CLI_COMMANDS = [
       await createApiKey({
         name,
         scopes: scopes.length > 0 ? scopes : void 0,
+        readOnly: getBoolean(input.values, "read-only"),
         format: input.format
       });
     }
   },
+  {
+    path: ["key", "whoami"],
+    usage: "canonry key whoami [--format json]",
+    run: async (input) => {
+      await showApiKeySelf(input.format);
+    }
+  },
   {
     path: ["key", "revoke"],
     usage: "canonry key revoke <id> [--format json]",
@@ -5710,12 +5743,12 @@ var KEYS_CLI_COMMANDS = [
   },
   {
     path: ["key"],
-    usage: "canonry key <list|create|revoke>",
+    usage: "canonry key <list|create|revoke|whoami>",
     run: async (input) => {
       unknownSubcommand(input.positionals[0], {
         command: "key",
-        usage: "canonry key <list|create|revoke>",
-        available: ["list", "create", "revoke"]
+        usage: "canonry key <list|create|revoke|whoami>",
+        available: ["list", "create", "revoke", "whoami"]
       });
     }
   }

package/dist/index.js

@@ -1,11 +1,11 @@
 import {
   createServer
-} from "./chunk-VX5C7DK7.js";
+} from "./chunk-NRACXNI7.js";
 import {
   loadConfig
-} from "./chunk-6XOZSS3Y.js";
-import "./chunk-UAQ42NVJ.js";
-import "./chunk-GMT3YPLT.js";
+} from "./chunk-Y3O3HBMN.js";
+import "./chunk-GOWH42QV.js";
+import "./chunk-BNF3HXBW.js";
 export {
   createServer,
   loadConfig

package/dist/{intelligence-service-CAAQAKPN.js → intelligence-service-FHQM7YMA.js}

@@ -1,7 +1,7 @@
 import {
   IntelligenceService
-} from "./chunk-UAQ42NVJ.js";
-import "./chunk-GMT3YPLT.js";
+} from "./chunk-GOWH42QV.js";
+import "./chunk-BNF3HXBW.js";
 export {
   IntelligenceService
 };

package/dist/mcp.js

@@ -3,8 +3,10 @@ import {
   PACKAGE_VERSION,
   canonryMcpTools,
   createApiClient
-} from "./chunk-6XOZSS3Y.js";
-import "./chunk-GMT3YPLT.js";
+} from "./chunk-Y3O3HBMN.js";
+import {
+  isReadOnlyKey
+} from "./chunk-BNF3HXBW.js";
 
 // src/mcp/cli.ts
 import { StdioServerTransport } from "@modelcontextprotocol/sdk/server/stdio.js";
@@ -363,9 +365,25 @@ async function main(argv = process.argv.slice(2)) {
     }
     throw error;
   }
-  const server = createCanonryMcpServer({ scope: options.scope, eager: options.eager });
+  const client = createApiClient();
+  const scope = await resolveEffectiveScope(client, options.scope);
+  const server = createCanonryMcpServer({ scope, eager: options.eager, clientFactory: () => client });
   await server.connect(new StdioServerTransport());
 }
+async function resolveEffectiveScope(client, flagScope) {
+  if (flagScope === "read-only") return "read-only";
+  try {
+    const self = await client.getApiKeySelf();
+    if (isReadOnlyKey(self.scopes)) {
+      process.stderr.write(
+        "canonry-mcp: configured API key is read-only \u2014 restricting to read tools.\n"
+      );
+      return "read-only";
+    }
+  } catch {
+  }
+  return flagScope;
+}
 function parseCliOptions(argv, env = process.env) {
   if (argv.includes("--help") || argv.includes("-h")) {
     throw new HelpRequested();
@@ -419,5 +437,6 @@ export {
   HELP_TEXT,
   HelpRequested,
   main,
-  parseCliOptions
+  parseCliOptions,
+  resolveEffectiveScope
 };

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@ainyc/canonry",
-  "version": "4.81.0",
+  "version": "4.83.0",
   "type": "module",
   "description": "Agent-first open-source AEO operating platform - track how answer engines cite your domain",
   "license": "FSL-1.1-ALv2",
@@ -62,19 +62,19 @@
     "@types/node-cron": "^3.0.11",
     "tsup": "^8.5.1",
     "tsx": "^4.19.0",
+    "@ainyc/canonry-config": "0.0.0",
     "@ainyc/canonry-api-client": "0.0.0",
     "@ainyc/canonry-api-routes": "0.0.0",
-    "@ainyc/canonry-config": "0.0.0",
     "@ainyc/canonry-contracts": "0.0.0",
     "@ainyc/canonry-db": "0.0.0",
-    "@ainyc/canonry-integration-bing": "0.0.0",
     "@ainyc/canonry-integration-openai-ads": "0.0.0",
-    "@ainyc/canonry-integration-commoncrawl": "0.0.0",
     "@ainyc/canonry-integration-cloud-run": "0.0.0",
+    "@ainyc/canonry-integration-bing": "0.0.0",
+    "@ainyc/canonry-integration-commoncrawl": "0.0.0",
     "@ainyc/canonry-integration-google": "0.0.0",
+    "@ainyc/canonry-integration-google-places": "0.0.0",
     "@ainyc/canonry-integration-google-business-profile": "0.0.0",
     "@ainyc/canonry-integration-traffic": "0.0.0",
-    "@ainyc/canonry-integration-google-places": "0.0.0",
     "@ainyc/canonry-integration-wordpress": "0.0.0",
     "@ainyc/canonry-provider-cdp": "0.0.0",
     "@ainyc/canonry-provider-claude": "0.0.0",