tokentracker-cli 0.23.1 → 0.24.0

package/dashboard/dist/assets/{use-limits-display-prefs-DtRFIKBE.js → use-limits-display-prefs-BVawA_Rp.js}

@@ -1 +1 @@
-import{r as a}from"./main-uV9_FTHb.js";const d=["claude","codex","cursor","gemini","kimi","kiro","copilot","antigravity"],S={claude:"Claude",codex:"Codex",cursor:"Cursor",gemini:"Gemini",kimi:"Kimi",kiro:"Kiro",copilot:"GitHub Copilot",antigravity:"Antigravity"},v={claude:"/brand-logos/claude-code.svg",codex:"/brand-logos/codex.svg",cursor:"/brand-logos/cursor.svg",gemini:"/brand-logos/gemini.svg",kimi:"/brand-logos/kimi.svg",kiro:"/brand-logos/kiro.svg",copilot:"/brand-logos/copilot.svg",antigravity:"/brand-logos/antigravity.svg"},l="tt.limits.providerOrder",g="tt.limits.providerVisibility";function w(){if(typeof window>"u")return[...d];try{const i=window.localStorage.getItem(l);if(!i)return[...d];const s=JSON.parse(i);if(!Array.isArray(s))return[...d];const r=s.filter(c=>d.includes(c));for(const c of d)r.includes(c)||r.push(c);return r}catch{return[...d]}}function y(){const i=Object.fromEntries(d.map(s=>[s,!0]));if(typeof window>"u")return i;try{const s=window.localStorage.getItem(g);if(!s)return i;const r=JSON.parse(s);if(!r||typeof r!="object")return i;const c={...i};for(const u of d)typeof r[u]=="boolean"&&(c[u]=r[u]);return c}catch{return i}}function C(){const[i,s]=a.useState(w),[r,c]=a.useState(y);a.useEffect(()=>{if(!(typeof window>"u"))try{window.localStorage.setItem(l,JSON.stringify(i))}catch{}},[i]),a.useEffect(()=>{if(!(typeof window>"u"))try{window.localStorage.setItem(g,JSON.stringify(r))}catch{}},[r]),a.useEffect(()=>{if(typeof window>"u")return;const o=t=>{t.key===l&&s(w()),t.key===g&&c(y())};return window.addEventListener("storage",o),()=>window.removeEventListener("storage",o)},[]);const u=a.useCallback(o=>{c(t=>({...t,[o]:!t[o]}))},[]),b=a.useCallback(o=>{s(t=>{const e=t.indexOf(o);if(e<=0)return t;const n=[...t];return[n[e-1],n[e]]=[n[e],n[e-1]],n})},[]),p=a.useCallback(o=>{s(t=>{const e=t.indexOf(o);if(e<0||e>=t.length-1)return t;const n=[...t];return[n[e],n[e+1]]=[n[e+1],n[e]],n})},[]),O=a.useCallback((o,t)=>{o!==t&&s(e=>{const n=e.indexOf(o),m=e.indexOf(t);if(n<0||m<0)return e;const f=[...e],[I]=f.splice(n,1);return f.splice(m,0,I),f})},[]),k=a.useCallback(()=>{s([...d]),c(Object.fromEntries(d.map(o=>[o,!0])))},[]),x=a.useMemo(()=>i.filter(o=>r[o]!==!1),[i,r]);return{order:i,visibility:r,visibleOrdered:x,toggle:u,moveUp:b,moveDown:p,moveToward:O,reset:k}}export{v as L,S as a,C as u};
+import{r as a}from"./main-uaLO1Ae7.js";const d=["claude","codex","cursor","gemini","kimi","kiro","copilot","antigravity"],S={claude:"Claude",codex:"Codex",cursor:"Cursor",gemini:"Gemini",kimi:"Kimi",kiro:"Kiro",copilot:"GitHub Copilot",antigravity:"Antigravity"},v={claude:"/brand-logos/claude-code.svg",codex:"/brand-logos/codex.svg",cursor:"/brand-logos/cursor.svg",gemini:"/brand-logos/gemini.svg",kimi:"/brand-logos/kimi.svg",kiro:"/brand-logos/kiro.svg",copilot:"/brand-logos/copilot.svg",antigravity:"/brand-logos/antigravity.svg"},l="tt.limits.providerOrder",g="tt.limits.providerVisibility";function w(){if(typeof window>"u")return[...d];try{const i=window.localStorage.getItem(l);if(!i)return[...d];const s=JSON.parse(i);if(!Array.isArray(s))return[...d];const r=s.filter(c=>d.includes(c));for(const c of d)r.includes(c)||r.push(c);return r}catch{return[...d]}}function y(){const i=Object.fromEntries(d.map(s=>[s,!0]));if(typeof window>"u")return i;try{const s=window.localStorage.getItem(g);if(!s)return i;const r=JSON.parse(s);if(!r||typeof r!="object")return i;const c={...i};for(const u of d)typeof r[u]=="boolean"&&(c[u]=r[u]);return c}catch{return i}}function C(){const[i,s]=a.useState(w),[r,c]=a.useState(y);a.useEffect(()=>{if(!(typeof window>"u"))try{window.localStorage.setItem(l,JSON.stringify(i))}catch{}},[i]),a.useEffect(()=>{if(!(typeof window>"u"))try{window.localStorage.setItem(g,JSON.stringify(r))}catch{}},[r]),a.useEffect(()=>{if(typeof window>"u")return;const o=t=>{t.key===l&&s(w()),t.key===g&&c(y())};return window.addEventListener("storage",o),()=>window.removeEventListener("storage",o)},[]);const u=a.useCallback(o=>{c(t=>({...t,[o]:!t[o]}))},[]),b=a.useCallback(o=>{s(t=>{const e=t.indexOf(o);if(e<=0)return t;const n=[...t];return[n[e-1],n[e]]=[n[e],n[e-1]],n})},[]),p=a.useCallback(o=>{s(t=>{const e=t.indexOf(o);if(e<0||e>=t.length-1)return t;const n=[...t];return[n[e],n[e+1]]=[n[e+1],n[e]],n})},[]),O=a.useCallback((o,t)=>{o!==t&&s(e=>{const n=e.indexOf(o),m=e.indexOf(t);if(n<0||m<0)return e;const f=[...e],[I]=f.splice(n,1);return f.splice(m,0,I),f})},[]),k=a.useCallback(()=>{s([...d]),c(Object.fromEntries(d.map(o=>[o,!0])))},[]),x=a.useMemo(()=>i.filter(o=>r[o]!==!1),[i,r]);return{order:i,visibility:r,visibleOrdered:x,toggle:u,moveUp:b,moveDown:p,moveToward:O,reset:k}}export{v as L,S as a,C as u};

package/dashboard/dist/assets/{use-native-settings-BRDZatug.js → use-native-settings-DHtj5DnD.js}

@@ -1 +1 @@
-import{C as a,a7 as x,r as n,aH as g,aI as m,aJ as b,aK as u,aL as f,aF as h}from"./main-uV9_FTHb.js";import{C as y}from"./Card-CQ4ezOtn.js";function p({checked:s,onChange:t,disabled:e,ariaLabel:i}){return a.jsx("button",{type:"button",role:"switch","aria-checked":s,"aria-label":i,onClick:t,disabled:e,className:x("relative inline-flex h-5 w-9 shrink-0 items-center rounded-full transition-colors focus:outline-none focus-visible:ring-2 focus-visible:ring-oai-brand-500 disabled:opacity-50 disabled:cursor-not-allowed",s?"bg-oai-brand-500":"bg-oai-gray-300 dark:bg-oai-gray-700"),children:a.jsx("span",{className:x("inline-block h-3.5 w-3.5 rounded-full bg-white transition-transform",s?"translate-x-[18px]":"translate-x-[3px]")})})}function j({label:s,hint:t,control:e}){return a.jsxs("div",{className:"flex items-center justify-between gap-4 py-3",children:[a.jsxs("div",{className:"min-w-0 flex-1",children:[a.jsx("div",{className:"text-sm text-oai-gray-900 dark:text-oai-gray-200",children:s}),t?a.jsx("div",{className:"mt-0.5 text-xs text-oai-gray-500 dark:text-oai-gray-400",children:t}):null]}),a.jsx("div",{className:"shrink-0",children:e})]})}function N({title:s,subtitle:t,action:e,children:i}){return a.jsxs(y,{children:[a.jsxs("div",{className:"mb-3 flex items-start justify-between gap-4",children:[a.jsxs("div",{className:"min-w-0 flex-1",children:[a.jsx("h2",{className:"text-sm font-medium text-oai-gray-500 dark:text-oai-gray-300 uppercase tracking-wide",children:s}),t?a.jsx("p",{className:"mt-1 truncate text-xs text-oai-gray-500 dark:text-oai-gray-400",children:t}):null]}),e?a.jsx("div",{className:"shrink-0",children:e}):null]}),a.jsx("div",{className:"-mb-3 divide-y divide-oai-gray-200/60 dark:divide-oai-gray-800/60",children:i})]})}function w({options:s,value:t,onChange:e}){return a.jsx("div",{className:"inline-flex items-center rounded-lg border border-oai-gray-200 bg-oai-gray-50 p-0.5 dark:border-oai-gray-800 dark:bg-oai-gray-900",children:s.map(({value:i,label:d,Icon:l})=>{const r=t===i;return a.jsxs("button",{type:"button",onClick:()=>e(i),"aria-pressed":r,className:x("inline-flex items-center gap-1.5 rounded-md px-3 py-1.5 text-xs font-medium transition-colors",r?"bg-white text-oai-black shadow-sm dark:bg-oai-gray-800 dark:text-white":"text-oai-gray-500 hover:text-oai-black dark:text-oai-gray-400 dark:hover:text-white"),children:[l?a.jsx(l,{className:"h-3.5 w-3.5","aria-hidden":!0}):null,a.jsx("span",{children:d})]},i)})})}function S(){const[s,t]=n.useState(null),e=g()&&m();n.useEffect(()=>{if(!e)return;const r=b(o=>t(o));return u(),r},[e]);const i=n.useCallback((r,o)=>{e&&(t(c=>c&&{...c,[r]:o}),f(r,o))},[e]),d=n.useCallback(r=>{e&&h(r)},[e]),l=n.useCallback(()=>{e&&u()},[e]);return{available:e,settings:s,setSetting:i,runAction:d,refresh:l}}export{N as S,p as T,j as a,w as b,S as u};
+import{C as a,a7 as x,r as n,aH as g,aI as m,aJ as b,aK as u,aL as f,aF as h}from"./main-uaLO1Ae7.js";import{C as y}from"./Card-C22jvaH-.js";function p({checked:s,onChange:t,disabled:e,ariaLabel:i}){return a.jsx("button",{type:"button",role:"switch","aria-checked":s,"aria-label":i,onClick:t,disabled:e,className:x("relative inline-flex h-5 w-9 shrink-0 items-center rounded-full transition-colors focus:outline-none focus-visible:ring-2 focus-visible:ring-oai-brand-500 disabled:opacity-50 disabled:cursor-not-allowed",s?"bg-oai-brand-500":"bg-oai-gray-300 dark:bg-oai-gray-700"),children:a.jsx("span",{className:x("inline-block h-3.5 w-3.5 rounded-full bg-white transition-transform",s?"translate-x-[18px]":"translate-x-[3px]")})})}function j({label:s,hint:t,control:e}){return a.jsxs("div",{className:"flex items-center justify-between gap-4 py-3",children:[a.jsxs("div",{className:"min-w-0 flex-1",children:[a.jsx("div",{className:"text-sm text-oai-gray-900 dark:text-oai-gray-200",children:s}),t?a.jsx("div",{className:"mt-0.5 text-xs text-oai-gray-500 dark:text-oai-gray-400",children:t}):null]}),a.jsx("div",{className:"shrink-0",children:e})]})}function N({title:s,subtitle:t,action:e,children:i}){return a.jsxs(y,{children:[a.jsxs("div",{className:"mb-3 flex items-start justify-between gap-4",children:[a.jsxs("div",{className:"min-w-0 flex-1",children:[a.jsx("h2",{className:"text-sm font-medium text-oai-gray-500 dark:text-oai-gray-300 uppercase tracking-wide",children:s}),t?a.jsx("p",{className:"mt-1 truncate text-xs text-oai-gray-500 dark:text-oai-gray-400",children:t}):null]}),e?a.jsx("div",{className:"shrink-0",children:e}):null]}),a.jsx("div",{className:"-mb-3 divide-y divide-oai-gray-200/60 dark:divide-oai-gray-800/60",children:i})]})}function w({options:s,value:t,onChange:e}){return a.jsx("div",{className:"inline-flex items-center rounded-lg border border-oai-gray-200 bg-oai-gray-50 p-0.5 dark:border-oai-gray-800 dark:bg-oai-gray-900",children:s.map(({value:i,label:d,Icon:l})=>{const r=t===i;return a.jsxs("button",{type:"button",onClick:()=>e(i),"aria-pressed":r,className:x("inline-flex items-center gap-1.5 rounded-md px-3 py-1.5 text-xs font-medium transition-colors",r?"bg-white text-oai-black shadow-sm dark:bg-oai-gray-800 dark:text-white":"text-oai-gray-500 hover:text-oai-black dark:text-oai-gray-400 dark:hover:text-white"),children:[l?a.jsx(l,{className:"h-3.5 w-3.5","aria-hidden":!0}):null,a.jsx("span",{children:d})]},i)})})}function S(){const[s,t]=n.useState(null),e=g()&&m();n.useEffect(()=>{if(!e)return;const r=b(o=>t(o));return u(),r},[e]);const i=n.useCallback((r,o)=>{e&&(t(c=>c&&{...c,[r]:o}),f(r,o))},[e]),d=n.useCallback(r=>{e&&h(r)},[e]),l=n.useCallback(()=>{e&&u()},[e]);return{available:e,settings:s,setSetting:i,runAction:d,refresh:l}}export{N as S,p as T,j as a,w as b,S as u};

package/dashboard/dist/assets/{use-reduced-motion-CYXeA5H_.js → use-reduced-motion-8tbVQBYw.js}

@@ -1 +1 @@
-import{aM as t,aN as o,r,aO as s}from"./main-uV9_FTHb.js";function u(){!t.current&&o();const[e]=r.useState(s.current);return e}export{u};
+import{aM as t,aN as o,r,aO as s}from"./main-uaLO1Ae7.js";function u(){!t.current&&o();const[e]=r.useState(s.current);return e}export{u};

package/dashboard/dist/assets/{use-usage-limits-RfcCMHky.js → use-usage-limits-SwQjCSa8.js}

@@ -1 +1 @@
-import{r,al as l}from"./main-uV9_FTHb.js";function y(i){const[o,a]=r.useState(null),[u,s]=r.useState(null),[c,f]=r.useState(!0),n=!!i?.initialRefresh,g=r.useCallback(async()=>{try{const e=await l({refresh:!0});a(e&&typeof e=="object"?e:null),s(null)}catch(e){s(e?.message||String(e))}},[]);return r.useEffect(()=>{let e=!1;return(async()=>{try{const t=await l(n?{refresh:!0}:{});if(e)return;a(t&&typeof t=="object"?t:null),s(null)}catch(t){if(e)return;s(t?.message||String(t))}finally{e||f(!1)}})(),()=>{e=!0}},[n]),{data:o,error:u,isLoading:c,refresh:g}}export{y as u};
+import{r,al as l}from"./main-uaLO1Ae7.js";function y(i){const[o,a]=r.useState(null),[u,s]=r.useState(null),[c,f]=r.useState(!0),n=!!i?.initialRefresh,g=r.useCallback(async()=>{try{const e=await l({refresh:!0});a(e&&typeof e=="object"?e:null),s(null)}catch(e){s(e?.message||String(e))}},[]);return r.useEffect(()=>{let e=!1;return(async()=>{try{const t=await l(n?{refresh:!0}:{});if(e)return;a(t&&typeof t=="object"?t:null),s(null)}catch(t){if(e)return;s(t?.message||String(t))}finally{e||f(!1)}})(),()=>{e=!0}},[n]),{data:o,error:u,isLoading:c,refresh:g}}export{y as u};

package/dashboard/dist/assets/{useCurrency-B0LcQvSj.js → useCurrency-Bc8I7sE1.js}

@@ -1 +1 @@
-import{r as e,aA as t,aB as r,I as c}from"./main-uV9_FTHb.js";const a=Object.freeze({currency:c,rate:1,symbol:"$",rates:{...r},rateSource:"default",rateFetchedAt:null,setCurrency:()=>{}});function u(){return e.useContext(t)??a}export{u};
+import{r as e,aA as t,aB as r,I as c}from"./main-uaLO1Ae7.js";const a=Object.freeze({currency:c,rate:1,symbol:"$",rates:{...r},rateSource:"default",rateFetchedAt:null,setCurrency:()=>{}});function u(){return e.useContext(t)??a}export{u};

package/dashboard/dist/index.html

@@ -210,8 +210,8 @@
         ]
       }
     </script>
-    <script type="module" crossorigin src="/assets/main-uV9_FTHb.js"></script>
-    <link rel="stylesheet" crossorigin href="/assets/main-0bSXJNLn.css">
+    <script type="module" crossorigin src="/assets/main-uaLO1Ae7.js"></script>
+    <link rel="stylesheet" crossorigin href="/assets/main-JP_EYeq-.css">
   </head>
   <body>
     <main class="aeo-seed-content" aria-label="Token Tracker AI-readable summary">

package/dashboard/dist/share.html

@@ -51,8 +51,8 @@
         "description": "Shareable Token Tracker dashboard snapshot."
       }
     </script>
-    <script type="module" crossorigin src="/assets/main-uV9_FTHb.js"></script>
-    <link rel="stylesheet" crossorigin href="/assets/main-0bSXJNLn.css">
+    <script type="module" crossorigin src="/assets/main-uaLO1Ae7.js"></script>
+    <link rel="stylesheet" crossorigin href="/assets/main-JP_EYeq-.css">
   </head>
   <body>
     <main class="aeo-seed-content" aria-label="Token Tracker share page summary">

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "tokentracker-cli",
-  "version": "0.23.1",
+  "version": "0.24.0",
   "description": "Token usage tracker for AI agent CLIs (Claude Code, Codex, Cursor, Gemini, Kiro, OpenCode, OpenClaw, Every Code, Hermes, GitHub Copilot, Kimi Code, CodeBuddy, Grok Build, oh-my-pi, pi, Craft Agents, Kilo CLI, Kilo Code, Roo Code, Zed Agent, Goose)",
   "main": "src/cli.js",
   "bin": {

package/src/cli.js

@@ -63,7 +63,7 @@ function printHelp() {
       "",
       "Usage:",
       "  npx tokentracker                                         Open local dashboard",
-      "  npx tokentracker [--debug] serve [--port 7680] [--no-open] [--no-sync]",
+      "  npx tokentracker [--debug] serve [--port 7680] [--allowed-hosts <host[,host...]>] [--no-open] [--no-sync]",
       "  npx tokentracker [--debug] init [--yes] [--dry-run] [--no-open] [--link-code <code>]",
       "  npx tokentracker [--debug] sync [--auto] [--drain] [--from-openclaw]",
       "  npx tokentracker [--debug] status [--probe-keychain] [--probe-keychain-details]",
@@ -82,6 +82,7 @@ function printHelp() {
       "  - OpenClaw hook auto-links when OpenClaw is installed (requires gateway restart).",
       "  - auto sync waits for a device token.",
       "  - optional: --dashboard-url for hosted landing.",
+      "  - serve: --allowed-hosts marks extra hostnames as local-dashboard auth proxy origins (for tunnels/previews).",
       "  - sync parses ~/.codex/sessions/**/rollout-*.jsonl and ~/.code/sessions/**/rollout-*.jsonl, then uploads token deltas.",
       "  - --from-openclaw marks sync runs triggered by OpenClaw hooks.",
       "  - --debug shows original backend errors.",

package/src/commands/serve.js

@@ -87,7 +87,7 @@ async function cmdServe(argv) {
   }
 
   // 3. Create handler
-  const handleApi = createLocalApiHandler({ queuePath });
+  const handleApi = createLocalApiHandler({ queuePath, allowedHosts: opts.allowedHosts });
 
   const server = http.createServer(async (req, res) => {
     try {
@@ -104,6 +104,11 @@ async function cmdServe(argv) {
       }
 
       // API routes
+      if (url.pathname === "/api/dashboard-config") {
+        serveDashboardConfig(res, { allowedHosts: opts.allowedHosts });
+        return;
+      }
+
       if (
         url.pathname.startsWith("/functions/")
         || url.pathname.startsWith("/api/")
@@ -224,19 +229,66 @@ function resolveDashboardDir() {
   return null;
 }
 
+function splitHostList(value) {
+  if (Array.isArray(value)) return value.flatMap(splitHostList);
+  if (typeof value !== "string") return [];
+  return value.split(",").map((entry) => entry.trim()).filter(Boolean);
+}
+
+function normalizeAllowedHost(value) {
+  if (typeof value !== "string") return null;
+  const raw = value.trim();
+  if (!raw || raw.includes("*") || /\s/.test(raw)) return null;
+  try {
+    const withScheme = /^[a-z][a-z0-9+.-]*:\/\//i.test(raw) ? raw : `http://${raw}`;
+    const url = new URL(withScheme);
+    if (!url.hostname || url.username || url.password) return null;
+    return url.hostname.toLowerCase();
+  } catch (_e) {
+    return null;
+  }
+}
+
+function normalizeAllowedHosts(values) {
+  const out = [];
+  const seen = new Set();
+  for (const item of splitHostList(values)) {
+    const host = normalizeAllowedHost(item);
+    if (!host || seen.has(host)) continue;
+    seen.add(host);
+    out.push(host);
+  }
+  return out;
+}
+
+function serveDashboardConfig(res, { allowedHosts } = {}) {
+  const body = Buffer.from(JSON.stringify({ allowedHosts: normalizeAllowedHosts(allowedHosts) }), "utf8");
+  res.writeHead(200, {
+    "Content-Type": "application/json; charset=utf-8",
+    "Content-Length": body.length,
+    "Cache-Control": "no-store",
+  });
+  res.end(body);
+}
+
 function parseArgs(argv) {
-  const opts = { port: DEFAULT_PORT, open: true, sync: true };
+  const opts = { port: DEFAULT_PORT, open: true, sync: true, allowedHosts: [] };
   for (let i = 0; i < argv.length; i++) {
     const arg = argv[i];
     if (arg === "--port" && i + 1 < argv.length) {
       const n = parseInt(argv[++i], 10);
       if (Number.isFinite(n) && n > 0 && n < 65536) opts.port = n;
+    } else if (arg === "--allowed-hosts" && i + 1 < argv.length && !argv[i + 1].startsWith("-")) {
+      opts.allowedHosts.push(...normalizeAllowedHosts(argv[++i]));
+    } else if (arg.startsWith("--allowed-hosts=")) {
+      opts.allowedHosts.push(...normalizeAllowedHosts(arg.slice("--allowed-hosts=".length)));
     } else if (arg === "--no-open") {
       opts.open = false;
     } else if (arg === "--no-sync") {
       opts.sync = false;
     }
   }
+  opts.allowedHosts = normalizeAllowedHosts(opts.allowedHosts);
   return opts;
 }
 
@@ -246,4 +298,7 @@ module.exports = {
   NPM_PACKAGE_NAME,
   LOCAL_BIND_HOST,
   getLocalServerUrl,
+  parseArgs,
+  normalizeAllowedHosts,
+  serveDashboardConfig,
 };

package/src/lib/local-api.js

@@ -457,13 +457,45 @@ function isLoopbackHostname(hostname) {
   return hostname === "127.0.0.1" || hostname === "localhost" || hostname === "::1" || hostname === "[::1]";
 }
 
-function hasAllowedLoopbackOrigin(headers = {}) {
+function normalizeAllowedHost(value) {
+  if (typeof value !== "string") return null;
+  const raw = value.trim();
+  if (!raw || raw.includes("*") || /\s/.test(raw)) return null;
+  try {
+    const withScheme = /^[a-z][a-z0-9+.-]*:\/\//i.test(raw) ? raw : `http://${raw}`;
+    const url = new URL(withScheme);
+    if (!url.hostname || url.username || url.password) return null;
+    return url.hostname.toLowerCase();
+  } catch (_e) {
+    return null;
+  }
+}
+
+function normalizeAllowedHosts(values) {
+  const raw = Array.isArray(values) ? values : [values];
+  const out = [];
+  const seen = new Set();
+  for (const item of raw) {
+    const host = normalizeAllowedHost(item);
+    if (!host || seen.has(host)) continue;
+    seen.add(host);
+    out.push(host);
+  }
+  return out;
+}
+
+function hasAllowedLoopbackOrigin(headers = {}, allowedHosts = []) {
+  const allowed = new Set(normalizeAllowedHosts(allowedHosts));
   const candidates = [headers.origin, headers.referer];
   for (const raw of candidates) {
     if (raw == null || raw === "") continue;
     try {
       const url = new URL(String(raw));
-      if (url.protocol !== "http:" || !isLoopbackHostname(url.hostname)) return false;
+      if (!["http:", "https:"].includes(url.protocol)) return false;
+      const host = url.hostname.toLowerCase();
+      if (url.protocol === "http:" && isLoopbackHostname(host)) continue;
+      if (allowed.has(host)) continue;
+      return false;
     } catch (_e) {
       return false;
     }
@@ -641,35 +673,25 @@ function json(res, data, status) {
 }
 
 // ---------------------------------------------------------------------------
-// IP check proxy (issue #81): ip.net.coffee/claude/ sets X-Frame-Options:
-// SAMEORIGIN so the dashboard iframe is blocked. We reverse-proxy through
-// /proxy/ipcheck/* so requests stay same-origin to 127.0.0.1, then strip the
-// embedding-hostile headers and rewrite root-relative URLs in HTML so the
-// page's own /api/* and /claude/* fetches route back through us.
+// IP check API proxy: dashboard/src/pages/IpCheckPage.jsx is a native React
+// page that calls ip.net.coffee's data endpoints (/api/iprisk, /api/geoip,
+// /api/dns/result, /favicons, /claude/status.json). Browser-side fetch can't
+// hit them cross-origin from the dashboard, so we reverse-proxy /proxy/ipcheck/*
+// to https://ip.net.coffee/* and strip embedding-hostile headers.
+// (Previously this proxy also served the upstream HTML page for an iframe;
+// the iframe and its HTML-rewrite path have been removed.)
 // ---------------------------------------------------------------------------
 
 const IP_CHECK_PROXY_PREFIX = "/proxy/ipcheck";
 const IP_CHECK_TARGET = "https://ip.net.coffee";
 
-function rewriteIpCheckHtml(html) {
-  const prefix = IP_CHECK_PROXY_PREFIX;
-  return html
-    .replace(
-      /(\s(?:href|src|action)\s*=\s*["'])\/(?!\/|proxy\/ipcheck\/)/g,
-      `$1${prefix}/`,
-    )
-    .replace(
-      /(fetch\s*\(\s*["'`])\/(?!\/|proxy\/ipcheck\/)/g,
-      `$1${prefix}/`,
-    );
-}
-
 // ---------------------------------------------------------------------------
 // Main handler factory
 // ---------------------------------------------------------------------------
 
-function createLocalApiHandler({ queuePath }) {
+function createLocalApiHandler({ queuePath, allowedHosts = [] } = {}) {
   const qp = queuePath || resolveQueuePath();
+  const allowedLocalOriginHosts = normalizeAllowedHosts(allowedHosts);
 
   // Server-side cookie relay: captures auth cookies from InsForge cloud responses
   // so that both browser and WKWebView share the same login session via the proxy.
@@ -804,9 +826,10 @@ function createLocalApiHandler({ queuePath }) {
     return typeof value === "string" ? value : "";
   }
 
-  function buildRelayCookieHeader(clientCookieHeader) {
+  function buildRelayCookieHeader(clientCookieHeader, { relayPrecedenceNames = [] } = {}) {
     const normalizedClientCookieHeader = normalizeCookieHeader(clientCookieHeader);
     if (relayCookies.size === 0) return normalizedClientCookieHeader;
+    const relayPrecedence = new Set(relayPrecedenceNames);
     const clientPairs = new Map();
     if (normalizedClientCookieHeader) {
       for (const part of normalizedClientCookieHeader.split(";")) {
@@ -816,9 +839,10 @@ function createLocalApiHandler({ queuePath }) {
         if (n) clientPairs.set(n, part.trim());
       }
     }
-    // Merge relay cookies (client takes precedence)
+    // Merge relay cookies. Normal requests keep client precedence; refresh
+    // recovery can opt relay cookies into precedence over stale WebView cookies.
     for (const [name, raw] of relayCookies) {
-      if (clientPairs.has(name)) continue;
+      if (clientPairs.has(name) && !relayPrecedence.has(name)) continue;
       const scIdx = raw.indexOf(";");
       const pair = scIdx > 0 ? raw.substring(0, scIdx).trim() : raw;
       clientPairs.set(name, pair);
@@ -839,7 +863,7 @@ function createLocalApiHandler({ queuePath }) {
       ? headerToken.trim()
       : cookieToken || "";
     if (!token || token !== localAuthToken) return false;
-    return hasAllowedLoopbackOrigin(req?.headers || {});
+    return hasAllowedLoopbackOrigin(req?.headers || {}, allowedLocalOriginHosts);
   }
 
   return async function handleLocalApi(req, res, url) {
@@ -897,7 +921,7 @@ function createLocalApiHandler({ queuePath }) {
         const hasClientCookie = normalizeCookieHeader(proxyHeaders["cookie"]).trim().length > 0;
         const hasCsrfHeader = typeof proxyHeaders["x-csrf-token"] === "string" && proxyHeaders["x-csrf-token"].trim().length > 0;
         const relayCsrfToken = getRelayCookieValue(csrfRelayCookieName);
-        if (p === "/api/auth/refresh" && !hasCsrfHeader && relayCsrfToken) {
+        if (p === "/api/auth/refresh" && relayCsrfToken) {
           proxyHeaders["x-csrf-token"] = relayCsrfToken;
         }
         const hasEffectiveCsrfHeader =
@@ -918,7 +942,11 @@ function createLocalApiHandler({ queuePath }) {
         // Invalid CSRF errors on startup.
         const originalCookieHeader = normalizeCookieHeader(proxyHeaders["cookie"]);
         const mergedCookie = shouldInjectRelayCookies
-          ? buildRelayCookieHeader(originalCookieHeader)
+          ? buildRelayCookieHeader(originalCookieHeader, {
+              relayPrecedenceNames: p === "/api/auth/refresh"
+                ? [csrfRelayCookieName, "insforge_refresh_token"]
+                : [],
+            })
           : originalCookieHeader;
         const injectedRelayCookies =
           shouldInjectRelayCookies && relayCookies.size > 0 && mergedCookie !== originalCookieHeader;
@@ -976,34 +1004,49 @@ function createLocalApiHandler({ queuePath }) {
       return true;
     }
 
-    // --- ip-check proxy: reverse-proxy ip.net.coffee/claude/ (issue #81) ---
+    // --- ip-check proxy: reverse-proxy ip.net.coffee (issue #81) ---
+    // Lock-down: GET/HEAD only, restricted path prefixes, do not forward
+    // browser credentials or fingerprintable headers. Without these limits
+    // /proxy/ipcheck is an open reverse-proxy any local process can abuse
+    // (exfiltrate dashboard cookies, anonymously POST through user IP).
     if (p.startsWith(`${IP_CHECK_PROXY_PREFIX}/`) || p === IP_CHECK_PROXY_PREFIX) {
+      const method = String(req.method || "GET").toUpperCase();
+      if (method !== "GET" && method !== "HEAD") {
+        json(res, { error: "Method Not Allowed" }, 405);
+        return true;
+      }
       const targetPath = p === IP_CHECK_PROXY_PREFIX
         ? "/"
         : p.slice(IP_CHECK_PROXY_PREFIX.length) || "/";
+      const ALLOWED_PREFIXES = [
+        "/api/geoip/",
+        "/api/geoip-batch",
+        "/api/iprisk/",
+        "/api/dns/result/",
+        "/claude/status.json",
+        "/favicons/",
+        "/ip/",
+      ];
+      if (!ALLOWED_PREFIXES.some((prefix) => targetPath.startsWith(prefix))) {
+        json(res, { error: "Path not allowed" }, 403);
+        return true;
+      }
       const targetUrl = `${IP_CHECK_TARGET}${targetPath}${url.search || ""}`;
       try {
-        const proxyHeaders = {};
-        for (const [key, value] of Object.entries(req.headers)) {
-          const lk = key.toLowerCase();
-          if (["host", "connection", "referer", "origin"].includes(lk)) continue;
-          proxyHeaders[key] = value;
-        }
-        proxyHeaders["host"] = "ip.net.coffee";
-        proxyHeaders["referer"] = `${IP_CHECK_TARGET}${targetPath}`;
-
-        const method = String(req.method || "GET").toUpperCase();
-        let body;
-        if (method !== "GET" && method !== "HEAD") {
-          const chunks = [];
-          for await (const chunk of req) chunks.push(chunk);
-          if (chunks.length > 0) body = Buffer.concat(chunks);
-        }
+        // Whitelist forwarded headers — no cookies, no auth, no fingerprintable
+        // identity. Only what the upstream needs to negotiate content.
+        const proxyHeaders = {
+          host: "ip.net.coffee",
+          accept: req.headers["accept"] || "*/*",
+          "accept-language": req.headers["accept-language"] || "en",
+          "accept-encoding": req.headers["accept-encoding"] || "gzip",
+          "user-agent": "TokenTracker/IPCheck (https://www.tokentracker.cc)",
+          referer: `${IP_CHECK_TARGET}${targetPath}`,
+        };
 
         const proxyRes = await fetch(targetUrl, {
           method,
           headers: proxyHeaders,
-          body,
           redirect: "manual",
         });
 
@@ -1022,12 +1065,7 @@ function createLocalApiHandler({ queuePath }) {
           ([k]) => !stripped.has(k.toLowerCase()),
         );
 
-        const contentType = proxyRes.headers.get("content-type") || "";
-        let resBody = Buffer.from(await proxyRes.arrayBuffer());
-        if (contentType.toLowerCase().includes("text/html")) {
-          resBody = Buffer.from(rewriteIpCheckHtml(resBody.toString("utf8")), "utf8");
-        }
-
+        const resBody = Buffer.from(await proxyRes.arrayBuffer());
         res.writeHead(proxyRes.status, Object.fromEntries(responseHeaders));
         res.end(resBody);
       } catch (e) {