@jayfarei/lazyanalytics 0.1.0 → 0.3.0

package/CHANGELOG.md

@@ -4,6 +4,38 @@ All notable changes to this project are documented here. The format is based on
 [Keep a Changelog](https://keepachangelog.com/en/1.1.0/), and this project adheres
 to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [0.3.0] - 2026-06-13
+
+### Added
+
+- Bounce rate and average session duration endpoints/CLI commands backed by salted fixed-window session hashes and best-effort dwell beacons.
+- Scheduled R2 aggregate rollups and blended `/api/history` / `lazyanalytics history` reads for ranges beyond Analytics Engine's live retention.
+- Setup flags for archive configuration, including `--no-archive` and `--archive-bucket`.
+
+### Changed
+
+- Tracker now sends one pagehide/hidden dwell beacon while staying below 2KB.
+- Query responses document sampled bounce as unreliable by returning `bounce_rate: null` plus a warning.
+
+### Fixed
+
+- `/api/history` queried the live (≤90d) window with one Analytics Engine subrequest per day, exceeding the Workers per-invocation subrequest limit on large ranges; it now aggregates the whole live span in a single query.
+- The scheduled rollup backfilled 88 days oldest-first in one run (far over the subrequest limit); it now rolls up newest-first within a bounded window, capped per invocation, and self-heals across daily runs.
+
+## [0.2.0] - 2026-06-13
+
+### Added
+
+- `/api/active` and `lazyanalytics active` for current active visitors.
+- `/api/crawlers` and `lazyanalytics crawlers` for opt-in JS-executing AI crawler/agent analytics.
+- `/api/channels` and `lazyanalytics channels` for pageview-scoped acquisition channels.
+- Shared `traffic_class` and `event_type` filters in `buildWhereClause`, so existing human pageview endpoints exclude AI crawler rows and dwell rows.
+
+### Changed
+
+- Beacon writes now include the 16-blob slot map for traffic class, channel, session, crawler metadata, and event type.
+- CLI API fetching/table formatting is shared across base commands and dedicated commands.
+
 ## [0.1.0] - 2026-06-12
 
 Initial public release.

package/README.md

@@ -37,6 +37,33 @@ echo "<read-only-token>" | CLOUDFLARE_API_TOKEN=<token> CLOUDFLARE_ACCOUNT_ID=<a
 
 The script is <2KB, sets no cookies, strips query strings and fragments in the browser, sends only the referrer *domain*, and tracks SPA navigations. `data-site-id` must match a site in the worker's `ALLOWED_SITES`. Print snippets anytime with `lazyanalytics snippet [--site example.com]`.
 
+### Installing it (prompt for a coding agent)
+
+Copy this into the coding agent for the site you want to track (replace `YOUR_SITE` and the worker URL — `lazyanalytics snippet --site YOUR_SITE` prints the exact tag):
+
+```text
+Add the lazyanalytics tracking snippet to this site so it loads on every page.
+
+Insert this tag, exactly once, into the global <head> (Astro: the base layout's
+<head>; Next.js App Router: app/layout.tsx; Next.js Pages: pages/_document.tsx
+<Head>; plain HTML: the shared header/partial):
+
+  <script defer id="analytics" data-site-id="YOUR_SITE"
+    src="https://lazyanalytics.YOUR-SUBDOMAIN.workers.dev/tracker.js"></script>
+
+Rules:
+- It must appear once per page, site-wide. If a script with id="analytics"
+  already exists, leave it as-is.
+- Do NOT add a cookie/consent banner for it — it sets no cookies and collects
+  no personal data.
+- data-site-id must exactly match the site registered in the worker's
+  ALLOWED_SITES (otherwise beacons are rejected).
+- The script is async/defer, <2KB, and tracks SPA route changes automatically.
+
+After it ships, confirm a page load was recorded:
+  npx @jayfarei/lazyanalytics stats --site YOUR_SITE --period today
+```
+
 ## CLI reference
 
 Install globally (`npm i -g @jayfarei/lazyanalytics`) or use `npx @jayfarei/lazyanalytics`.
@@ -45,7 +72,7 @@ Install globally (`npm i -g @jayfarei/lazyanalytics`) or use `npx @jayfarei/lazy
 
 | Command | What it does |
 | ------- | ------------ |
-| `setup` | Deploy the worker and configure the CLI. Flags: `--sites <csv>`, `--account-id <id>`, `--name <worker-name>` (default `lazyanalytics`), `--rotate-secrets`, `-y/--yes`. Needs `CLOUDFLARE_API_TOKEN` (env or hidden prompt). |
+| `setup` | Deploy the worker and configure the CLI. Flags: `--sites <csv>`, `--account-id <id>`, `--name <worker-name>` (default `lazyanalytics`), `--track-ai-crawlers`, `--no-archive`, `--rotate-secrets`, `-y/--yes`. Needs `CLOUDFLARE_API_TOKEN` (env or hidden prompt). |
 | `sites list` | List tracked sites via the worker's `/api/sites` endpoint. |
 | `sites add <domain>` | Add a site to `ALLOWED_SITES` in the scaffolded `wrangler.toml` and redeploy. Needs `CLOUDFLARE_API_TOKEN`. |
 | `sites remove <domain>` | Remove a site and redeploy (refuses to remove the last site). |
@@ -58,9 +85,15 @@ Install globally (`npm i -g @jayfarei/lazyanalytics`) or use `npx @jayfarei/lazy
 
 ```bash
 lazyanalytics stats      --site example.com --period 7d
+lazyanalytics active     --site example.com --window 5
 lazyanalytics pages      --site example.com --period 30d --limit 5
 lazyanalytics referrers  --site example.com
 lazyanalytics geo        --site example.com --period 30d
+lazyanalytics channels   --site example.com
+lazyanalytics crawlers   --site example.com --type operator
+lazyanalytics bounce     --site example.com --period 30d
+lazyanalytics duration   --site example.com --period 30d
+lazyanalytics history    --site example.com --dimension pages --days 180
 lazyanalytics browsers   --site example.com --type os        # browser | os | device
 lazyanalytics timeseries --site example.com --unit day       # hour | day
 ```
@@ -73,7 +106,7 @@ lazyanalytics timeseries --site example.com --unit day       # hour | day
 | `--json` | | default | JSON output (for agents) |
 | `--table` | | | Human-readable table |
 
-Exit codes: `0` data returned, `1` error, `2` success but empty, `3` config/auth error.
+Exit codes: `0` data returned, `1` error, `2` success but empty, `3` config/auth error. `active` returns `0` on a successful 200 even when `active_visitors` is `0`.
 
 ## HTTP API reference
 
@@ -82,16 +115,22 @@ All `/api/*` endpoints require `Authorization: Bearer <API_SECRET>` (constant-ti
 | Endpoint | Auth | Description |
 | -------- | ---- | ----------- |
 | `GET /api/stats` | yes | Pageviews, approximate daily visitors, avg screen width. Params: `site` (required), `period`. |
+| `GET /api/active` | yes | Active visitors and recent pageviews in the last N minutes. Params: `site`, `window` (1-60, default 5). |
 | `GET /api/pages` | yes | Top pages. Params: `site`, `period`, `limit`. |
 | `GET /api/referrers` | yes | Top external referrer domains. Params: `site`, `period`, `limit`. |
 | `GET /api/geo` | yes | Country breakdown. Params: `site`, `period`, `limit`. |
+| `GET /api/channels` | yes | Pageview-scoped acquisition channels. Params: `site`, `period`. |
+| `GET /api/crawlers` | yes | JS-executing AI crawler/agent breakdown. Params: `site`, `period`, `limit`, `type` (`name`\|`operator`\|`class`). Requires `TRACK_AI_CRAWLERS=true` to collect rows. |
+| `GET /api/bounce` | yes | Approximate session bounce rate. Params: `site`, `period`. Returns `bounce_rate: null` with a warning when sampled. |
+| `GET /api/duration` | yes | Average session duration in seconds. Params: `site`, `period`. Uses best-effort pagehide dwell beacons. |
+| `GET /api/history` | yes | Long-term stats from live AE plus R2 daily rollups. Params: `site`, `dimension`, `days` or `from`+`to`. |
 | `GET /api/browsers` | yes | Browser/OS/device breakdown. Params: `site`, `period`, `limit`, `type` (`browser`\|`os`\|`device`). |
 | `GET /api/timeseries` | yes | Pageviews over time. Params: `site`, `period`, `unit` (`hour`\|`day`). |
 | `GET /api/sites` | yes | Tracked sites: `{ "data": [{"site": "example.com"}], "meta": {"count": 1} }`. |
-| `POST /collect` | no | Beacon ingest. Body: `{ "sid", "url", "ref?", "sw?", "us?", "um?" }`. Returns 204. Bots get 204 but are not recorded; beacons are dropped (204) if the worker has no `ALLOWED_SITES` or `HASH_SALT` configured; unknown `sid` returns 400. CORS-enabled. |
+| `POST /collect` | no | Beacon ingest. Body: `{ "sid", "url", "ref?", "sw?", "us?", "um?", "t?", "em?" }`. Returns 204. Bots get 204 but are not recorded; AI crawler beacons are recorded only when enabled; beacons are dropped (204) if the worker has no `ALLOWED_SITES` or `HASH_SALT` configured; unknown `sid` returns 400. CORS-enabled. |
 | `GET /tracker.js` | no | Serves the tracking script. |
 | `GET /dashboard` | no (page) | Built-in dashboard UI. The page is public, but data loads only after you enter the API token in-page; the token is kept in `sessionStorage` (cleared when the tab closes). You can hand off a session via `https://.../dashboard#token=<API_SECRET>`; the fragment is consumed and immediately stripped from the URL. |
-| `GET /health` | no | `{ "status": "ok", "version": "0.1.0", "timestamp": "..." }`. |
+| `GET /health` | no | `{ "status": "ok", "version": "0.3.0", "timestamp": "..." }`. |
 
 Example:
 
@@ -120,6 +159,11 @@ curl -H "Authorization: Bearer $ANALYTICS_API_TOKEN" \
   ┌──────────▼───────────────────────────┐
   │     Cloudflare Analytics Engine      │
   │     (ClickHouse-backed, 90-day)      │
+  └──────────────────────────────────────┘
+        │  daily aggregate rollups
+        ▼
+  ┌──────────────────────────────────────┐
+  │       R2 archive (optional)          │
   └──────────────────────────────────────┘
         ▲
         │  HTTPS + bearer token
@@ -129,9 +173,10 @@ curl -H "Authorization: Bearer $ANALYTICS_API_TOKEN" \
   └────────────────────────┘
 ```
 
-1. **Collection**: the tracker sends a beacon on page load and SPA navigations with the page URL (already stripped), referrer domain, screen width, and UTM source/medium.
-2. **Processing**: the worker filters bots, parses the UA, computes a salted daily visitor hash, and writes one data point to Analytics Engine.
+1. **Collection**: the tracker sends a beacon on page load and SPA navigations with the page URL (already stripped), referrer domain, screen width, and UTM source/medium; it also sends one best-effort dwell beacon when the page is hidden or unloaded.
+2. **Processing**: the worker filters generic bots, optionally classifies JS-executing AI agents, classifies acquisition channel server-side, computes salted daily visitor and 30-minute session hashes, and writes one data point to Analytics Engine.
 3. **Querying**: `/api/*` translates HTTP params into sampling-aware SQL (`SUM(_sample_interval)`, never `COUNT(*)`).
+4. **Archiving**: the scheduled handler writes daily aggregate JSON rollups to R2 so `/api/history` can blend archive days with live Analytics Engine days.
 
 ## Data model
 
@@ -146,10 +191,24 @@ One Analytics Engine data point per pageview:
 | `blob4` | Country code (`CF-IPCountry`) | `US` |
 | `blob5` / `blob6` / `blob7` | Browser / OS / device | `Chrome` / `macOS` / `desktop` |
 | `blob8` / `blob9` | UTM source / medium | `twitter` / `social` |
+| `blob10` | Traffic class: empty string for human, `ai` for tracked AI agents | `ai` |
+| `blob11` | Pageview-scoped channel | `Organic Search` |
+| `blob12` | Session hash: salted 30-minute fixed-window hash | `8bd4...` |
+| `blob13` / `blob14` / `blob15` | AI crawler name / operator / class | `ChatGPT-User` / `OpenAI` / `user` |
+| `blob16` | Event type: `pv` pageview or `eng` dwell beacon | `pv` |
 | `double1` | Count (always 1) | `1` |
 | `double2` | Screen width | `1440` |
+| `double4` | Engagement milliseconds from the dwell beacon | `2500` |
+
+**Sampling note**: Analytics Engine downsamples high-volume data. All count queries use `SUM(_sample_interval)` for correct estimates, and `meta.sampled` tells you when an answer is an estimate rather than an exact count. Bounce rate returns `null` when sampled because single-page session detection becomes biased.
+
+**Metric caveats**:
 
-**Sampling note**: Analytics Engine downsamples high-volume data. All queries use `SUM(_sample_interval)` for correct estimates, and `meta.sampled` tells you when an answer is an estimate rather than an exact count. Data is retained for 90 days.
+- Active visitors can lag by seconds to minutes because Analytics Engine is eventually consistent.
+- Channels are pageview-scoped, not session-scoped. SPA navigations without an external referrer can inflate Direct compared with GA4/Plausible.
+- AI crawler analytics only covers agents that execute JavaScript and send `/collect` beacons. Raw non-JS crawlers such as many training bots are invisible.
+- Sessions use fixed 30-minute slots, not sliding inactivity windows. A long visit crossing a slot boundary can split into two sessions and inflate bounce rate.
+- Long-range history sums daily approximate visitors from archived rollups; it is not a cross-day unique visitor count.
 
 ## Privacy
 
@@ -200,9 +259,8 @@ The repo contains a `cli/bin/analytics` bash wrapper that routes requests throug
 
 ## Limitations
 
-- 90-day retention (Analytics Engine), no per-visitor deletion.
+- Analytics Engine data point retention is 90 days; optional R2 history stores daily aggregate rollups only.
 - Visitor counts are approximations (NAT/VPN undercounts, shared devices overcount).
-- No bounce rate or session duration (Analytics Engine has no JOINs).
 - Data points can take seconds to minutes to become queryable.
 
 ## Contributing & license

package/cli/dist/commands/active.d.ts

@@ -0,0 +1,2 @@
+import { Command } from 'commander';
+export declare function activeCommand(): Command;

package/cli/dist/commands/active.js

@@ -0,0 +1,30 @@
+import { Command } from 'commander';
+import { fetchApi, formatTable } from '../lib/api.js';
+export function activeCommand() {
+    const cmd = new Command('active');
+    cmd
+        .description('Current active visitors in the last N minutes')
+        .requiredOption('-s, --site <site>', 'Site to query (e.g., example.com)')
+        .option('-w, --window <minutes>', 'Active window in minutes, clamped server-side to 1-60', '5')
+        .option('--json', 'Output as JSON (default)', true)
+        .option('--table', 'Output as human-readable table')
+        .action(async (opts) => {
+        try {
+            const result = await fetchApi('active', { site: opts.site, window: opts.window });
+            if (opts.table) {
+                console.log(formatTable([result.data]));
+                if (result.meta.sampled) {
+                    console.log('\n(data may be sampled)');
+                }
+            }
+            else {
+                console.log(JSON.stringify(result, null, 2));
+            }
+        }
+        catch (e) {
+            console.error(`Error: ${e instanceof Error ? e.message : 'Unknown error'}`);
+            process.exit(1);
+        }
+    });
+    return cmd;
+}

package/cli/dist/commands/base.js

@@ -1,87 +1,5 @@
 import { Command } from 'commander';
-import { readFileSync, existsSync } from 'node:fs';
-import { resolve } from 'node:path';
-import tls from 'node:tls';
-import { loadEnv } from '../lib/env.js';
-// Advanced/experimental: trust an extra proxy CA cert at runtime.
-// Opt-in only via ANALYTICS_PROXY_CA=<path> — never loaded implicitly from
-// the working directory. NODE_EXTRA_CA_CERTS must be set before Node boots,
-// so we patch the secure context here instead.
-function loadProxyCA(path) {
-    if (!existsSync(path))
-        return;
-    try {
-        const cert = readFileSync(path, 'utf-8');
-        const origCreateSecureContext = tls.createSecureContext;
-        tls.createSecureContext = function (options = {}) {
-            const ctx = origCreateSecureContext.call(this, options);
-            ctx.context.addCACert(cert);
-            return ctx;
-        };
-    }
-    catch { /* ignore */ }
-}
-if (process.env.HTTPS_PROXY && process.env.ANALYTICS_PROXY_CA) {
-    loadProxyCA(resolve(process.env.ANALYTICS_PROXY_CA));
-}
-function getConfig() {
-    loadEnv();
-    const apiUrl = process.env.ANALYTICS_API_URL;
-    const apiToken = process.env.ANALYTICS_API_TOKEN;
-    const proxyMode = !!process.env.HTTPS_PROXY;
-    if (!apiUrl) {
-        console.error('Error: ANALYTICS_API_URL is not configured.');
-        console.error('Example: https://lazyanalytics.YOUR-SUBDOMAIN.workers.dev');
-        console.error('');
-        console.error('Run "lazyanalytics setup" to deploy and configure, or set');
-        console.error('ANALYTICS_API_URL and ANALYTICS_API_TOKEN in the environment.');
-        process.exit(3);
-    }
-    // In proxy mode (HTTPS_PROXY set), the proxy injects the Authorization header.
-    if (!apiToken && !proxyMode) {
-        console.error('Error: No authentication configured.');
-        console.error('');
-        console.error('Set ANALYTICS_API_TOKEN in the environment, or run');
-        console.error('"lazyanalytics setup" to write it to ~/.config/lazyanalytics/.env.');
-        process.exit(3);
-    }
-    return { apiUrl: apiUrl.replace(/\/$/, ''), apiToken: apiToken || '', proxyMode };
-}
-async function fetchApi(endpoint, params) {
-    const { apiUrl, apiToken, proxyMode } = getConfig();
-    const url = new URL(`${apiUrl}/api/${endpoint}`);
-    for (const [k, v] of Object.entries(params)) {
-        if (v)
-            url.searchParams.set(k, v);
-    }
-    // In proxy mode, the credential proxy injects the Authorization header.
-    // In direct mode, we add it ourselves.
-    const headers = {};
-    if (!proxyMode && apiToken) {
-        headers.Authorization = `Bearer ${apiToken}`;
-    }
-    const response = await fetch(url.toString(), { headers });
-    if (response.status === 401) {
-        console.error('Error: Authentication failed. Check your ANALYTICS_API_TOKEN.');
-        process.exit(3);
-    }
-    if (!response.ok) {
-        const body = await response.text();
-        console.error(`Error: API returned ${response.status}: ${body}`);
-        process.exit(1);
-    }
-    return response.json();
-}
-function formatTable(data) {
-    if (data.length === 0)
-        return '(no data)';
-    const keys = Object.keys(data[0]);
-    const widths = keys.map((k) => Math.max(k.length, ...data.map((row) => String(row[k] ?? '').length)));
-    const header = keys.map((k, i) => k.padEnd(widths[i])).join('  ');
-    const sep = widths.map((w) => '-'.repeat(w)).join('  ');
-    const rows = data.map((row) => keys.map((k, i) => String(row[k] ?? '').padEnd(widths[i])).join('  '));
-    return [header, sep, ...rows].join('\n');
-}
+import { fetchApi, formatTable } from '../lib/api.js';
 export function makeCommand(name, description) {
     const cmd = new Command(name);
     cmd
@@ -103,6 +21,14 @@ export function makeCommand(name, description) {
                 params.type = opts.type;
             if (opts.unit)
                 params.unit = opts.unit;
+            if (opts.dimension)
+                params.dimension = opts.dimension;
+            if (opts.days)
+                params.days = opts.days;
+            if (opts.from)
+                params.from = opts.from;
+            if (opts.to)
+                params.to = opts.to;
             const result = await fetchApi(name, params);
             if (opts.table) {
                 const arr = Array.isArray(result.data) ? result.data : [result.data];

package/cli/dist/commands/setup.js

@@ -6,7 +6,7 @@ import { CONFIG_ENV_PATH, WORKER_SCAFFOLD_DIR, loadEnv, readEnvFile, writeEnvFil
 import { packagedWorkerBundle, packagedWranglerTemplate } from '../lib/paths.js';
 import { isValidDomain, prompt, promptHidden, trackingSnippet } from '../lib/prompt.js';
 import { readAllowedSites } from '../lib/scaffold.js';
-import { parseWorkersDevUrl, wranglerDeploy, wranglerSecretPut } from '../lib/wrangler.js';
+import { parseWorkersDevUrl, wranglerDeploy, wranglerR2BucketCreate, wranglerSecretPut } from '../lib/wrangler.js';
 function fail(message) {
     console.error(`Error: ${message}`);
     // Exit 3 = missing/invalid configuration, matching the other commands.
@@ -35,6 +35,10 @@ export function setupCommand() {
         .option('--sites <sites>', 'Comma-separated list of site domains to track')
         .option('--account-id <id>', 'Cloudflare account ID (32-char hex)')
         .option('--name <name>', 'Worker name', 'lazyanalytics')
+        .option('--track-ai-crawlers', 'Store JS-executing AI crawler beacons separately')
+        .option('--archive', 'Enable daily R2 rollups for history beyond Analytics Engine retention', true)
+        .option('--no-archive', 'Do not create or bind the R2 archive bucket')
+        .option('--archive-bucket <name>', 'R2 bucket name for daily rollups', 'lazyanalytics-archive')
         .option('--rotate-secrets', 'Regenerate API_SECRET and HASH_SALT instead of reusing them')
         .option('-y, --yes', 'Non-interactive mode: never prompt, fail if input is missing')
         .action(async (opts) => {
@@ -87,13 +91,22 @@ export function setupCommand() {
         const templatePath = packagedWranglerTemplate();
         if (!existsSync(templatePath))
             fail(`wrangler.toml template not found at ${templatePath}`);
+        const archiveConfig = opts.archive === false
+            ? ''
+            : `[[r2_buckets]]\nbinding = "ARCHIVE"\nbucket_name = "${opts.archiveBucket}"\n\n[triggers]\ncrons = ["5 1 * * *"]\n`;
         const toml = readFileSync(templatePath, 'utf-8')
             .replace(/__WORKER_NAME__/g, opts.name)
-            .replace(/__ALLOWED_SITES__/g, sites.join(','));
+            .replace(/__ALLOWED_SITES__/g, sites.join(','))
+            .replace(/__TRACK_AI_CRAWLERS__/g, opts.trackAiCrawlers ? 'true' : 'false')
+            .replace(/__ARCHIVE_CONFIG__/g, archiveConfig);
         writeFileSync(wranglerTomlPath, toml);
         console.log(`Scaffolded worker in ${WORKER_SCAFFOLD_DIR}`);
         // --- Deploy ---
         const wranglerEnv = { CLOUDFLARE_API_TOKEN: apiToken, CLOUDFLARE_ACCOUNT_ID: accountId };
+        if (opts.archive !== false) {
+            console.log('\nEnsuring R2 archive bucket exists...');
+            await wranglerR2BucketCreate(WORKER_SCAFFOLD_DIR, wranglerEnv, opts.archiveBucket);
+        }
         console.log('\nDeploying worker with wrangler...');
         const deployOutput = await wranglerDeploy(WORKER_SCAFFOLD_DIR, wranglerEnv);
         let workerUrl = parseWorkersDevUrl(deployOutput);

package/cli/dist/index.js

@@ -7,6 +7,7 @@ import { sitesCommand } from './commands/sites.js';
 import { snippetCommand } from './commands/snippet.js';
 import { skillCommand } from './commands/skill.js';
 import { configCommand } from './commands/config.js';
+import { activeCommand } from './commands/active.js';
 import { packageVersion } from './lib/paths.js';
 const program = new Command();
 program
@@ -17,9 +18,19 @@ program
     'programmatic consumption.')
     .version(packageVersion());
 program.addCommand(makeCommand('stats', 'Aggregate statistics (pageviews, approx visitors, avg screen width)'));
+program.addCommand(activeCommand());
 program.addCommand(makeCommand('pages', 'Top pages by view count'));
 program.addCommand(makeCommand('referrers', 'Top referrer domains'));
 program.addCommand(makeCommand('geo', 'Geographic breakdown by country'));
+program.addCommand(makeCommand('channels', 'Acquisition channel breakdown (pageview-scoped)'));
+program.addCommand(makeCommand('bounce', 'Bounce rate (% single-pageview sessions)'));
+program.addCommand(makeCommand('duration', 'Average session duration in seconds'));
+program.addCommand(makeCommand('history', 'Long-term stats blending live AE (<=90d) with R2 archives (>90d)')
+    .option('--dimension <dimension>', 'Dimension: totals, pages, referrers, geo, browsers', 'totals')
+    .option('--days <days>', 'Lookback days, can exceed 90')
+    .option('--from <date>', 'Start date YYYY-MM-DD')
+    .option('--to <date>', 'End date YYYY-MM-DD'));
+program.addCommand(makeCommand('crawlers', 'AI agent breakdown (training, search, user-triggered)').option('--type <type>', 'Breakdown type: name, operator, class', 'name'));
 program.addCommand(makeCommand('browsers', 'Browser, OS, or device breakdown').option('--type <type>', 'Breakdown type: browser, os, device', 'browser'));
 program.addCommand(makeCommand('timeseries', 'Pageview timeseries').option('--unit <unit>', 'Time bucket: hour, day', 'day'));
 program.addCommand(usageCommand());

package/cli/dist/lib/api.d.ts

@@ -3,7 +3,17 @@ export interface ApiConfig {
     apiToken: string;
     proxyMode: boolean;
 }
+export interface ApiResponse {
+    data: unknown;
+    meta: {
+        site: string;
+        period: string;
+        sampled: boolean;
+    };
+}
 /** Resolve API URL + token from env/config. Returns null if not configured. */
 export declare function getApiConfig(): ApiConfig | null;
+export declare function fetchApi(endpoint: string, params: Record<string, string>): Promise<ApiResponse>;
+export declare function formatTable(data: Record<string, unknown>[]): string;
 /** Fetch the list of tracked sites from the worker's /api/sites endpoint. */
 export declare function fetchSites(config: ApiConfig): Promise<string[]>;

package/cli/dist/lib/api.js

@@ -1,4 +1,28 @@
 import { loadEnv } from './env.js';
+import { readFileSync, existsSync } from 'node:fs';
+import { resolve } from 'node:path';
+import tls from 'node:tls';
+// Advanced/experimental: trust an extra proxy CA cert at runtime.
+// Opt-in only via ANALYTICS_PROXY_CA=<path>.
+function loadProxyCA(path) {
+    if (!existsSync(path))
+        return;
+    try {
+        const cert = readFileSync(path, 'utf-8');
+        const origCreateSecureContext = tls.createSecureContext;
+        tls.createSecureContext = function (options = {}) {
+            const ctx = origCreateSecureContext.call(this, options);
+            ctx.context.addCACert(cert);
+            return ctx;
+        };
+    }
+    catch {
+        /* ignore */
+    }
+}
+if (process.env.HTTPS_PROXY && process.env.ANALYTICS_PROXY_CA) {
+    loadProxyCA(resolve(process.env.ANALYTICS_PROXY_CA));
+}
 /** Resolve API URL + token from env/config. Returns null if not configured. */
 export function getApiConfig() {
     loadEnv();
@@ -9,13 +33,64 @@ export function getApiConfig() {
         return null;
     return { apiUrl: apiUrl.replace(/\/$/, ''), apiToken, proxyMode };
 }
-/** Fetch the list of tracked sites from the worker's /api/sites endpoint. */
-export async function fetchSites(config) {
+function requireApiConfig() {
+    const config = getApiConfig();
+    if (!config) {
+        console.error('Error: ANALYTICS_API_URL is not configured.');
+        console.error('Example: https://lazyanalytics.YOUR-SUBDOMAIN.workers.dev');
+        console.error('');
+        console.error('Run "lazyanalytics setup" to deploy and configure, or set');
+        console.error('ANALYTICS_API_URL and ANALYTICS_API_TOKEN in the environment.');
+        process.exit(3);
+    }
+    return config;
+}
+function authHeaders(config) {
     const headers = {};
     if (!config.proxyMode && config.apiToken) {
         headers.Authorization = `Bearer ${config.apiToken}`;
     }
-    const res = await fetch(`${config.apiUrl}/api/sites`, { headers });
+    return headers;
+}
+export async function fetchApi(endpoint, params) {
+    const config = requireApiConfig();
+    if (!config.apiToken && !config.proxyMode) {
+        console.error('Error: No authentication configured.');
+        console.error('');
+        console.error('Set ANALYTICS_API_TOKEN in the environment, or run');
+        console.error('"lazyanalytics setup" to write it to ~/.config/lazyanalytics/.env.');
+        process.exit(3);
+    }
+    const url = new URL(`${config.apiUrl}/api/${endpoint}`);
+    for (const [k, v] of Object.entries(params)) {
+        if (v)
+            url.searchParams.set(k, v);
+    }
+    const response = await fetch(url.toString(), { headers: authHeaders(config) });
+    if (response.status === 401) {
+        console.error('Error: Authentication failed. Check your ANALYTICS_API_TOKEN.');
+        process.exit(3);
+    }
+    if (!response.ok) {
+        const body = await response.text();
+        console.error(`Error: API returned ${response.status}: ${body}`);
+        process.exit(1);
+    }
+    return response.json();
+}
+export function formatTable(data) {
+    if (data.length === 0)
+        return '(no data)';
+    const keys = Object.keys(data[0]);
+    const widths = keys.map((k) => Math.max(k.length, ...data.map((row) => String(row[k] ?? '').length)));
+    const header = keys.map((k, i) => k.padEnd(widths[i])).join('  ');
+    const sep = widths.map((w) => '-'.repeat(w)).join('  ');
+    const rows = data.map((row) => keys.map((k, i) => String(row[k] ?? '').padEnd(widths[i])).join('  '));
+    return [header, sep, ...rows].join('\n');
+}
+/** Fetch the list of tracked sites from the worker's /api/sites endpoint. */
+export async function fetchSites(config) {
+    const res = await fetch(`${config.apiUrl}/api/sites`, { headers: authHeaders(config) });
     if (res.status === 401) {
         throw new Error('Authentication failed. Check your ANALYTICS_API_TOKEN.');
     }

package/cli/dist/lib/wrangler.d.ts

@@ -13,5 +13,7 @@ export declare function wranglerDeploy(cwd: string, env: WranglerEnv): Promise<s
  * via stdin. The value is never echoed or logged.
  */
 export declare function wranglerSecretPut(cwd: string, env: WranglerEnv, name: string, value: string): Promise<void>;
+/** Create an R2 bucket if it does not already exist. */
+export declare function wranglerR2BucketCreate(cwd: string, env: WranglerEnv, bucket: string): Promise<void>;
 /** Parse the workers.dev URL from wrangler deploy output. Returns null if absent. */
 export declare function parseWorkersDevUrl(deployOutput: string): string | null;

package/cli/dist/lib/wrangler.js

@@ -58,6 +58,32 @@ export function wranglerSecretPut(cwd, env, name, value) {
         });
     });
 }
+/** Create an R2 bucket if it does not already exist. */
+export function wranglerR2BucketCreate(cwd, env, bucket) {
+    return new Promise((resolvePromise, reject) => {
+        const child = spawn(NPX, ['wrangler@4', 'r2', 'bucket', 'create', bucket], {
+            cwd,
+            env: wranglerProcessEnv(env),
+            stdio: ['ignore', 'pipe', 'pipe'],
+        });
+        let output = '';
+        child.stdout.on('data', (chunk) => {
+            output += chunk.toString();
+            process.stderr.write(chunk);
+        });
+        child.stderr.on('data', (chunk) => {
+            output += chunk.toString();
+            process.stderr.write(chunk);
+        });
+        child.on('error', reject);
+        child.on('close', (code) => {
+            if (code === 0 || /already exists/i.test(output))
+                resolvePromise();
+            else
+                reject(new Error(`wrangler r2 bucket create ${bucket} exited with code ${code}`));
+        });
+    });
+}
 /** Parse the workers.dev URL from wrangler deploy output. Returns null if absent. */
 export function parseWorkersDevUrl(deployOutput) {
     const match = deployOutput.match(/https:\/\/[a-z0-9-]+(\.[a-z0-9-]+)*\.workers\.dev/i);