tokentracker-cli 0.23.0 → 0.23.2

package/dashboard/dist/assets/{use-limits-display-prefs-B5TQdyrf.js → use-limits-display-prefs-DZ9hgvef.js}

@@ -1 +1 @@
-import{r as a}from"./main-D7f_DoMp.js";const d=["claude","codex","cursor","gemini","kimi","kiro","copilot","antigravity"],S={claude:"Claude",codex:"Codex",cursor:"Cursor",gemini:"Gemini",kimi:"Kimi",kiro:"Kiro",copilot:"GitHub Copilot",antigravity:"Antigravity"},v={claude:"/brand-logos/claude-code.svg",codex:"/brand-logos/codex.svg",cursor:"/brand-logos/cursor.svg",gemini:"/brand-logos/gemini.svg",kimi:"/brand-logos/kimi.svg",kiro:"/brand-logos/kiro.svg",copilot:"/brand-logos/copilot.svg",antigravity:"/brand-logos/antigravity.svg"},l="tt.limits.providerOrder",g="tt.limits.providerVisibility";function w(){if(typeof window>"u")return[...d];try{const i=window.localStorage.getItem(l);if(!i)return[...d];const s=JSON.parse(i);if(!Array.isArray(s))return[...d];const r=s.filter(c=>d.includes(c));for(const c of d)r.includes(c)||r.push(c);return r}catch{return[...d]}}function y(){const i=Object.fromEntries(d.map(s=>[s,!0]));if(typeof window>"u")return i;try{const s=window.localStorage.getItem(g);if(!s)return i;const r=JSON.parse(s);if(!r||typeof r!="object")return i;const c={...i};for(const u of d)typeof r[u]=="boolean"&&(c[u]=r[u]);return c}catch{return i}}function C(){const[i,s]=a.useState(w),[r,c]=a.useState(y);a.useEffect(()=>{if(!(typeof window>"u"))try{window.localStorage.setItem(l,JSON.stringify(i))}catch{}},[i]),a.useEffect(()=>{if(!(typeof window>"u"))try{window.localStorage.setItem(g,JSON.stringify(r))}catch{}},[r]),a.useEffect(()=>{if(typeof window>"u")return;const o=t=>{t.key===l&&s(w()),t.key===g&&c(y())};return window.addEventListener("storage",o),()=>window.removeEventListener("storage",o)},[]);const u=a.useCallback(o=>{c(t=>({...t,[o]:!t[o]}))},[]),b=a.useCallback(o=>{s(t=>{const e=t.indexOf(o);if(e<=0)return t;const n=[...t];return[n[e-1],n[e]]=[n[e],n[e-1]],n})},[]),p=a.useCallback(o=>{s(t=>{const e=t.indexOf(o);if(e<0||e>=t.length-1)return t;const n=[...t];return[n[e],n[e+1]]=[n[e+1],n[e]],n})},[]),O=a.useCallback((o,t)=>{o!==t&&s(e=>{const n=e.indexOf(o),m=e.indexOf(t);if(n<0||m<0)return e;const f=[...e],[I]=f.splice(n,1);return f.splice(m,0,I),f})},[]),k=a.useCallback(()=>{s([...d]),c(Object.fromEntries(d.map(o=>[o,!0])))},[]),x=a.useMemo(()=>i.filter(o=>r[o]!==!1),[i,r]);return{order:i,visibility:r,visibleOrdered:x,toggle:u,moveUp:b,moveDown:p,moveToward:O,reset:k}}export{v as L,S as a,C as u};
+import{r as a}from"./main-Cb6vMAZa.js";const d=["claude","codex","cursor","gemini","kimi","kiro","copilot","antigravity"],S={claude:"Claude",codex:"Codex",cursor:"Cursor",gemini:"Gemini",kimi:"Kimi",kiro:"Kiro",copilot:"GitHub Copilot",antigravity:"Antigravity"},v={claude:"/brand-logos/claude-code.svg",codex:"/brand-logos/codex.svg",cursor:"/brand-logos/cursor.svg",gemini:"/brand-logos/gemini.svg",kimi:"/brand-logos/kimi.svg",kiro:"/brand-logos/kiro.svg",copilot:"/brand-logos/copilot.svg",antigravity:"/brand-logos/antigravity.svg"},l="tt.limits.providerOrder",g="tt.limits.providerVisibility";function w(){if(typeof window>"u")return[...d];try{const i=window.localStorage.getItem(l);if(!i)return[...d];const s=JSON.parse(i);if(!Array.isArray(s))return[...d];const r=s.filter(c=>d.includes(c));for(const c of d)r.includes(c)||r.push(c);return r}catch{return[...d]}}function y(){const i=Object.fromEntries(d.map(s=>[s,!0]));if(typeof window>"u")return i;try{const s=window.localStorage.getItem(g);if(!s)return i;const r=JSON.parse(s);if(!r||typeof r!="object")return i;const c={...i};for(const u of d)typeof r[u]=="boolean"&&(c[u]=r[u]);return c}catch{return i}}function C(){const[i,s]=a.useState(w),[r,c]=a.useState(y);a.useEffect(()=>{if(!(typeof window>"u"))try{window.localStorage.setItem(l,JSON.stringify(i))}catch{}},[i]),a.useEffect(()=>{if(!(typeof window>"u"))try{window.localStorage.setItem(g,JSON.stringify(r))}catch{}},[r]),a.useEffect(()=>{if(typeof window>"u")return;const o=t=>{t.key===l&&s(w()),t.key===g&&c(y())};return window.addEventListener("storage",o),()=>window.removeEventListener("storage",o)},[]);const u=a.useCallback(o=>{c(t=>({...t,[o]:!t[o]}))},[]),b=a.useCallback(o=>{s(t=>{const e=t.indexOf(o);if(e<=0)return t;const n=[...t];return[n[e-1],n[e]]=[n[e],n[e-1]],n})},[]),p=a.useCallback(o=>{s(t=>{const e=t.indexOf(o);if(e<0||e>=t.length-1)return t;const n=[...t];return[n[e],n[e+1]]=[n[e+1],n[e]],n})},[]),O=a.useCallback((o,t)=>{o!==t&&s(e=>{const n=e.indexOf(o),m=e.indexOf(t);if(n<0||m<0)return e;const f=[...e],[I]=f.splice(n,1);return f.splice(m,0,I),f})},[]),k=a.useCallback(()=>{s([...d]),c(Object.fromEntries(d.map(o=>[o,!0])))},[]),x=a.useMemo(()=>i.filter(o=>r[o]!==!1),[i,r]);return{order:i,visibility:r,visibleOrdered:x,toggle:u,moveUp:b,moveDown:p,moveToward:O,reset:k}}export{v as L,S as a,C as u};

package/dashboard/dist/assets/{use-native-settings-CSxKG_Na.js → use-native-settings-DS1TfSil.js}

@@ -1 +1 @@
-import{C as a,a5 as x,r as n,aC as g,aD as m,aE as b,aF as u,aG as f,aA as h}from"./main-D7f_DoMp.js";import{C as y}from"./Card-BgXt23Ak.js";function p({checked:s,onChange:t,disabled:e,ariaLabel:i}){return a.jsx("button",{type:"button",role:"switch","aria-checked":s,"aria-label":i,onClick:t,disabled:e,className:x("relative inline-flex h-5 w-9 shrink-0 items-center rounded-full transition-colors focus:outline-none focus-visible:ring-2 focus-visible:ring-oai-brand-500 disabled:opacity-50 disabled:cursor-not-allowed",s?"bg-oai-brand-500":"bg-oai-gray-300 dark:bg-oai-gray-700"),children:a.jsx("span",{className:x("inline-block h-3.5 w-3.5 rounded-full bg-white transition-transform",s?"translate-x-[18px]":"translate-x-[3px]")})})}function j({label:s,hint:t,control:e}){return a.jsxs("div",{className:"flex items-center justify-between gap-4 py-3",children:[a.jsxs("div",{className:"min-w-0 flex-1",children:[a.jsx("div",{className:"text-sm text-oai-gray-900 dark:text-oai-gray-200",children:s}),t?a.jsx("div",{className:"mt-0.5 text-xs text-oai-gray-500 dark:text-oai-gray-400",children:t}):null]}),a.jsx("div",{className:"shrink-0",children:e})]})}function N({title:s,subtitle:t,action:e,children:i}){return a.jsxs(y,{children:[a.jsxs("div",{className:"mb-3 flex items-start justify-between gap-4",children:[a.jsxs("div",{className:"min-w-0 flex-1",children:[a.jsx("h2",{className:"text-sm font-medium text-oai-gray-500 dark:text-oai-gray-300 uppercase tracking-wide",children:s}),t?a.jsx("p",{className:"mt-1 truncate text-xs text-oai-gray-500 dark:text-oai-gray-400",children:t}):null]}),e?a.jsx("div",{className:"shrink-0",children:e}):null]}),a.jsx("div",{className:"-mb-3 divide-y divide-oai-gray-200/60 dark:divide-oai-gray-800/60",children:i})]})}function w({options:s,value:t,onChange:e}){return a.jsx("div",{className:"inline-flex items-center rounded-lg border border-oai-gray-200 bg-oai-gray-50 p-0.5 dark:border-oai-gray-800 dark:bg-oai-gray-900",children:s.map(({value:i,label:d,Icon:l})=>{const r=t===i;return a.jsxs("button",{type:"button",onClick:()=>e(i),"aria-pressed":r,className:x("inline-flex items-center gap-1.5 rounded-md px-3 py-1.5 text-xs font-medium transition-colors",r?"bg-white text-oai-black shadow-sm dark:bg-oai-gray-800 dark:text-white":"text-oai-gray-500 hover:text-oai-black dark:text-oai-gray-400 dark:hover:text-white"),children:[l?a.jsx(l,{className:"h-3.5 w-3.5","aria-hidden":!0}):null,a.jsx("span",{children:d})]},i)})})}function S(){const[s,t]=n.useState(null),e=g()&&m();n.useEffect(()=>{if(!e)return;const r=b(o=>t(o));return u(),r},[e]);const i=n.useCallback((r,o)=>{e&&(t(c=>c&&{...c,[r]:o}),f(r,o))},[e]),d=n.useCallback(r=>{e&&h(r)},[e]),l=n.useCallback(()=>{e&&u()},[e]);return{available:e,settings:s,setSetting:i,runAction:d,refresh:l}}export{N as S,p as T,j as a,w as b,S as u};
+import{C as a,a7 as x,r as n,aH as g,aI as m,aJ as b,aK as u,aL as f,aF as h}from"./main-Cb6vMAZa.js";import{C as y}from"./Card-WqeqJCTJ.js";function p({checked:s,onChange:t,disabled:e,ariaLabel:i}){return a.jsx("button",{type:"button",role:"switch","aria-checked":s,"aria-label":i,onClick:t,disabled:e,className:x("relative inline-flex h-5 w-9 shrink-0 items-center rounded-full transition-colors focus:outline-none focus-visible:ring-2 focus-visible:ring-oai-brand-500 disabled:opacity-50 disabled:cursor-not-allowed",s?"bg-oai-brand-500":"bg-oai-gray-300 dark:bg-oai-gray-700"),children:a.jsx("span",{className:x("inline-block h-3.5 w-3.5 rounded-full bg-white transition-transform",s?"translate-x-[18px]":"translate-x-[3px]")})})}function j({label:s,hint:t,control:e}){return a.jsxs("div",{className:"flex items-center justify-between gap-4 py-3",children:[a.jsxs("div",{className:"min-w-0 flex-1",children:[a.jsx("div",{className:"text-sm text-oai-gray-900 dark:text-oai-gray-200",children:s}),t?a.jsx("div",{className:"mt-0.5 text-xs text-oai-gray-500 dark:text-oai-gray-400",children:t}):null]}),a.jsx("div",{className:"shrink-0",children:e})]})}function N({title:s,subtitle:t,action:e,children:i}){return a.jsxs(y,{children:[a.jsxs("div",{className:"mb-3 flex items-start justify-between gap-4",children:[a.jsxs("div",{className:"min-w-0 flex-1",children:[a.jsx("h2",{className:"text-sm font-medium text-oai-gray-500 dark:text-oai-gray-300 uppercase tracking-wide",children:s}),t?a.jsx("p",{className:"mt-1 truncate text-xs text-oai-gray-500 dark:text-oai-gray-400",children:t}):null]}),e?a.jsx("div",{className:"shrink-0",children:e}):null]}),a.jsx("div",{className:"-mb-3 divide-y divide-oai-gray-200/60 dark:divide-oai-gray-800/60",children:i})]})}function w({options:s,value:t,onChange:e}){return a.jsx("div",{className:"inline-flex items-center rounded-lg border border-oai-gray-200 bg-oai-gray-50 p-0.5 dark:border-oai-gray-800 dark:bg-oai-gray-900",children:s.map(({value:i,label:d,Icon:l})=>{const r=t===i;return a.jsxs("button",{type:"button",onClick:()=>e(i),"aria-pressed":r,className:x("inline-flex items-center gap-1.5 rounded-md px-3 py-1.5 text-xs font-medium transition-colors",r?"bg-white text-oai-black shadow-sm dark:bg-oai-gray-800 dark:text-white":"text-oai-gray-500 hover:text-oai-black dark:text-oai-gray-400 dark:hover:text-white"),children:[l?a.jsx(l,{className:"h-3.5 w-3.5","aria-hidden":!0}):null,a.jsx("span",{children:d})]},i)})})}function S(){const[s,t]=n.useState(null),e=g()&&m();n.useEffect(()=>{if(!e)return;const r=b(o=>t(o));return u(),r},[e]);const i=n.useCallback((r,o)=>{e&&(t(c=>c&&{...c,[r]:o}),f(r,o))},[e]),d=n.useCallback(r=>{e&&h(r)},[e]),l=n.useCallback(()=>{e&&u()},[e]);return{available:e,settings:s,setSetting:i,runAction:d,refresh:l}}export{N as S,p as T,j as a,w as b,S as u};

package/dashboard/dist/assets/{use-reduced-motion-C9rLBEnX.js → use-reduced-motion-D82galUK.js}

@@ -1 +1 @@
-import{aH as t,aI as o,r,aJ as s}from"./main-D7f_DoMp.js";function u(){!t.current&&o();const[e]=r.useState(s.current);return e}export{u};
+import{aM as t,aN as o,r,aO as s}from"./main-Cb6vMAZa.js";function u(){!t.current&&o();const[e]=r.useState(s.current);return e}export{u};

package/dashboard/dist/assets/{use-usage-limits-Bmok4oKO.js → use-usage-limits-B-svr8YY.js}

@@ -1 +1 @@
-import{r,aj as l}from"./main-D7f_DoMp.js";function y(i){const[o,a]=r.useState(null),[u,s]=r.useState(null),[c,f]=r.useState(!0),n=!!i?.initialRefresh,g=r.useCallback(async()=>{try{const e=await l({refresh:!0});a(e&&typeof e=="object"?e:null),s(null)}catch(e){s(e?.message||String(e))}},[]);return r.useEffect(()=>{let e=!1;return(async()=>{try{const t=await l(n?{refresh:!0}:{});if(e)return;a(t&&typeof t=="object"?t:null),s(null)}catch(t){if(e)return;s(t?.message||String(t))}finally{e||f(!1)}})(),()=>{e=!0}},[n]),{data:o,error:u,isLoading:c,refresh:g}}export{y as u};
+import{r,al as l}from"./main-Cb6vMAZa.js";function y(i){const[o,a]=r.useState(null),[u,s]=r.useState(null),[c,f]=r.useState(!0),n=!!i?.initialRefresh,g=r.useCallback(async()=>{try{const e=await l({refresh:!0});a(e&&typeof e=="object"?e:null),s(null)}catch(e){s(e?.message||String(e))}},[]);return r.useEffect(()=>{let e=!1;return(async()=>{try{const t=await l(n?{refresh:!0}:{});if(e)return;a(t&&typeof t=="object"?t:null),s(null)}catch(t){if(e)return;s(t?.message||String(t))}finally{e||f(!1)}})(),()=>{e=!0}},[n]),{data:o,error:u,isLoading:c,refresh:g}}export{y as u};

package/dashboard/dist/assets/useCurrency-uA9QPua4.js

@@ -0,0 +1 @@
+import{r as e,aA as t,aB as r,I as c}from"./main-Cb6vMAZa.js";const a=Object.freeze({currency:c,rate:1,symbol:"$",rates:{...r},rateSource:"default",rateFetchedAt:null,setCurrency:()=>{}});function u(){return e.useContext(t)??a}export{u};

package/dashboard/dist/index.html

@@ -210,7 +210,7 @@
         ]
       }
     </script>
-    <script type="module" crossorigin src="/assets/main-D7f_DoMp.js"></script>
+    <script type="module" crossorigin src="/assets/main-Cb6vMAZa.js"></script>
     <link rel="stylesheet" crossorigin href="/assets/main-0bSXJNLn.css">
   </head>
   <body>

package/dashboard/dist/share.html

@@ -51,7 +51,7 @@
         "description": "Shareable Token Tracker dashboard snapshot."
       }
     </script>
-    <script type="module" crossorigin src="/assets/main-D7f_DoMp.js"></script>
+    <script type="module" crossorigin src="/assets/main-Cb6vMAZa.js"></script>
     <link rel="stylesheet" crossorigin href="/assets/main-0bSXJNLn.css">
   </head>
   <body>

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "tokentracker-cli",
-  "version": "0.23.0",
+  "version": "0.23.2",
   "description": "Token usage tracker for AI agent CLIs (Claude Code, Codex, Cursor, Gemini, Kiro, OpenCode, OpenClaw, Every Code, Hermes, GitHub Copilot, Kimi Code, CodeBuddy, Grok Build, oh-my-pi, pi, Craft Agents, Kilo CLI, Kilo Code, Roo Code, Zed Agent, Goose)",
   "main": "src/cli.js",
   "bin": {

package/src/cli.js

@@ -63,7 +63,7 @@ function printHelp() {
       "",
       "Usage:",
       "  npx tokentracker                                         Open local dashboard",
-      "  npx tokentracker [--debug] serve [--port 7680] [--no-open] [--no-sync]",
+      "  npx tokentracker [--debug] serve [--port 7680] [--allowed-hosts <host[,host...]>] [--no-open] [--no-sync]",
       "  npx tokentracker [--debug] init [--yes] [--dry-run] [--no-open] [--link-code <code>]",
       "  npx tokentracker [--debug] sync [--auto] [--drain] [--from-openclaw]",
       "  npx tokentracker [--debug] status [--probe-keychain] [--probe-keychain-details]",
@@ -82,6 +82,7 @@ function printHelp() {
       "  - OpenClaw hook auto-links when OpenClaw is installed (requires gateway restart).",
       "  - auto sync waits for a device token.",
       "  - optional: --dashboard-url for hosted landing.",
+      "  - serve: --allowed-hosts marks extra hostnames as local-dashboard auth proxy origins (for tunnels/previews).",
       "  - sync parses ~/.codex/sessions/**/rollout-*.jsonl and ~/.code/sessions/**/rollout-*.jsonl, then uploads token deltas.",
       "  - --from-openclaw marks sync runs triggered by OpenClaw hooks.",
       "  - --debug shows original backend errors.",

package/src/commands/serve.js

@@ -87,7 +87,7 @@ async function cmdServe(argv) {
   }
 
   // 3. Create handler
-  const handleApi = createLocalApiHandler({ queuePath });
+  const handleApi = createLocalApiHandler({ queuePath, allowedHosts: opts.allowedHosts });
 
   const server = http.createServer(async (req, res) => {
     try {
@@ -104,6 +104,11 @@ async function cmdServe(argv) {
       }
 
       // API routes
+      if (url.pathname === "/api/dashboard-config") {
+        serveDashboardConfig(res, { allowedHosts: opts.allowedHosts });
+        return;
+      }
+
       if (
         url.pathname.startsWith("/functions/")
         || url.pathname.startsWith("/api/")
@@ -224,19 +229,66 @@ function resolveDashboardDir() {
   return null;
 }
 
+function splitHostList(value) {
+  if (Array.isArray(value)) return value.flatMap(splitHostList);
+  if (typeof value !== "string") return [];
+  return value.split(",").map((entry) => entry.trim()).filter(Boolean);
+}
+
+function normalizeAllowedHost(value) {
+  if (typeof value !== "string") return null;
+  const raw = value.trim();
+  if (!raw || raw.includes("*") || /\s/.test(raw)) return null;
+  try {
+    const withScheme = /^[a-z][a-z0-9+.-]*:\/\//i.test(raw) ? raw : `http://${raw}`;
+    const url = new URL(withScheme);
+    if (!url.hostname || url.username || url.password) return null;
+    return url.hostname.toLowerCase();
+  } catch (_e) {
+    return null;
+  }
+}
+
+function normalizeAllowedHosts(values) {
+  const out = [];
+  const seen = new Set();
+  for (const item of splitHostList(values)) {
+    const host = normalizeAllowedHost(item);
+    if (!host || seen.has(host)) continue;
+    seen.add(host);
+    out.push(host);
+  }
+  return out;
+}
+
+function serveDashboardConfig(res, { allowedHosts } = {}) {
+  const body = Buffer.from(JSON.stringify({ allowedHosts: normalizeAllowedHosts(allowedHosts) }), "utf8");
+  res.writeHead(200, {
+    "Content-Type": "application/json; charset=utf-8",
+    "Content-Length": body.length,
+    "Cache-Control": "no-store",
+  });
+  res.end(body);
+}
+
 function parseArgs(argv) {
-  const opts = { port: DEFAULT_PORT, open: true, sync: true };
+  const opts = { port: DEFAULT_PORT, open: true, sync: true, allowedHosts: [] };
   for (let i = 0; i < argv.length; i++) {
     const arg = argv[i];
     if (arg === "--port" && i + 1 < argv.length) {
       const n = parseInt(argv[++i], 10);
       if (Number.isFinite(n) && n > 0 && n < 65536) opts.port = n;
+    } else if (arg === "--allowed-hosts" && i + 1 < argv.length && !argv[i + 1].startsWith("-")) {
+      opts.allowedHosts.push(...normalizeAllowedHosts(argv[++i]));
+    } else if (arg.startsWith("--allowed-hosts=")) {
+      opts.allowedHosts.push(...normalizeAllowedHosts(arg.slice("--allowed-hosts=".length)));
     } else if (arg === "--no-open") {
       opts.open = false;
     } else if (arg === "--no-sync") {
       opts.sync = false;
     }
   }
+  opts.allowedHosts = normalizeAllowedHosts(opts.allowedHosts);
   return opts;
 }
 
@@ -246,4 +298,7 @@ module.exports = {
   NPM_PACKAGE_NAME,
   LOCAL_BIND_HOST,
   getLocalServerUrl,
+  parseArgs,
+  normalizeAllowedHosts,
+  serveDashboardConfig,
 };

package/src/lib/local-api.js

@@ -457,13 +457,45 @@ function isLoopbackHostname(hostname) {
   return hostname === "127.0.0.1" || hostname === "localhost" || hostname === "::1" || hostname === "[::1]";
 }
 
-function hasAllowedLoopbackOrigin(headers = {}) {
+function normalizeAllowedHost(value) {
+  if (typeof value !== "string") return null;
+  const raw = value.trim();
+  if (!raw || raw.includes("*") || /\s/.test(raw)) return null;
+  try {
+    const withScheme = /^[a-z][a-z0-9+.-]*:\/\//i.test(raw) ? raw : `http://${raw}`;
+    const url = new URL(withScheme);
+    if (!url.hostname || url.username || url.password) return null;
+    return url.hostname.toLowerCase();
+  } catch (_e) {
+    return null;
+  }
+}
+
+function normalizeAllowedHosts(values) {
+  const raw = Array.isArray(values) ? values : [values];
+  const out = [];
+  const seen = new Set();
+  for (const item of raw) {
+    const host = normalizeAllowedHost(item);
+    if (!host || seen.has(host)) continue;
+    seen.add(host);
+    out.push(host);
+  }
+  return out;
+}
+
+function hasAllowedLoopbackOrigin(headers = {}, allowedHosts = []) {
+  const allowed = new Set(normalizeAllowedHosts(allowedHosts));
   const candidates = [headers.origin, headers.referer];
   for (const raw of candidates) {
     if (raw == null || raw === "") continue;
     try {
       const url = new URL(String(raw));
-      if (url.protocol !== "http:" || !isLoopbackHostname(url.hostname)) return false;
+      if (!["http:", "https:"].includes(url.protocol)) return false;
+      const host = url.hostname.toLowerCase();
+      if (url.protocol === "http:" && isLoopbackHostname(host)) continue;
+      if (allowed.has(host)) continue;
+      return false;
     } catch (_e) {
       return false;
     }
@@ -668,8 +700,9 @@ function rewriteIpCheckHtml(html) {
 // Main handler factory
 // ---------------------------------------------------------------------------
 
-function createLocalApiHandler({ queuePath }) {
+function createLocalApiHandler({ queuePath, allowedHosts = [] } = {}) {
   const qp = queuePath || resolveQueuePath();
+  const allowedLocalOriginHosts = normalizeAllowedHosts(allowedHosts);
 
   // Server-side cookie relay: captures auth cookies from InsForge cloud responses
   // so that both browser and WKWebView share the same login session via the proxy.
@@ -804,9 +837,10 @@ function createLocalApiHandler({ queuePath }) {
     return typeof value === "string" ? value : "";
   }
 
-  function buildRelayCookieHeader(clientCookieHeader) {
+  function buildRelayCookieHeader(clientCookieHeader, { relayPrecedenceNames = [] } = {}) {
     const normalizedClientCookieHeader = normalizeCookieHeader(clientCookieHeader);
     if (relayCookies.size === 0) return normalizedClientCookieHeader;
+    const relayPrecedence = new Set(relayPrecedenceNames);
     const clientPairs = new Map();
     if (normalizedClientCookieHeader) {
       for (const part of normalizedClientCookieHeader.split(";")) {
@@ -816,9 +850,10 @@ function createLocalApiHandler({ queuePath }) {
         if (n) clientPairs.set(n, part.trim());
       }
     }
-    // Merge relay cookies (client takes precedence)
+    // Merge relay cookies. Normal requests keep client precedence; refresh
+    // recovery can opt relay cookies into precedence over stale WebView cookies.
     for (const [name, raw] of relayCookies) {
-      if (clientPairs.has(name)) continue;
+      if (clientPairs.has(name) && !relayPrecedence.has(name)) continue;
       const scIdx = raw.indexOf(";");
       const pair = scIdx > 0 ? raw.substring(0, scIdx).trim() : raw;
       clientPairs.set(name, pair);
@@ -839,7 +874,7 @@ function createLocalApiHandler({ queuePath }) {
       ? headerToken.trim()
       : cookieToken || "";
     if (!token || token !== localAuthToken) return false;
-    return hasAllowedLoopbackOrigin(req?.headers || {});
+    return hasAllowedLoopbackOrigin(req?.headers || {}, allowedLocalOriginHosts);
   }
 
   return async function handleLocalApi(req, res, url) {
@@ -897,7 +932,7 @@ function createLocalApiHandler({ queuePath }) {
         const hasClientCookie = normalizeCookieHeader(proxyHeaders["cookie"]).trim().length > 0;
         const hasCsrfHeader = typeof proxyHeaders["x-csrf-token"] === "string" && proxyHeaders["x-csrf-token"].trim().length > 0;
         const relayCsrfToken = getRelayCookieValue(csrfRelayCookieName);
-        if (p === "/api/auth/refresh" && !hasCsrfHeader && relayCsrfToken) {
+        if (p === "/api/auth/refresh" && relayCsrfToken) {
           proxyHeaders["x-csrf-token"] = relayCsrfToken;
         }
         const hasEffectiveCsrfHeader =
@@ -918,7 +953,11 @@ function createLocalApiHandler({ queuePath }) {
         // Invalid CSRF errors on startup.
         const originalCookieHeader = normalizeCookieHeader(proxyHeaders["cookie"]);
         const mergedCookie = shouldInjectRelayCookies
-          ? buildRelayCookieHeader(originalCookieHeader)
+          ? buildRelayCookieHeader(originalCookieHeader, {
+              relayPrecedenceNames: p === "/api/auth/refresh"
+                ? [csrfRelayCookieName, "insforge_refresh_token"]
+                : [],
+            })
           : originalCookieHeader;
         const injectedRelayCookies =
           shouldInjectRelayCookies && relayCookies.size > 0 && mergedCookie !== originalCookieHeader;