npm - tokentracker-cli - Versions diffs - 0.24.0 → 0.24.1 - Mend

tokentracker-cli 0.24.0 → 0.24.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (37) hide show

package/dashboard/dist/assets/{use-limits-display-prefs-BVawA_Rp.js → use-limits-display-prefs-CTnU4ZMo.js} RENAMED Viewed

	@@ -1 +1 @@
1	- import{r as a}from"./main-~~uaLO1Ae7~~.js";const d=["claude","codex","cursor","gemini","kimi","kiro","copilot","antigravity"],S={claude:"Claude",codex:"Codex",cursor:"Cursor",gemini:"Gemini",kimi:"Kimi",kiro:"Kiro",copilot:"GitHub Copilot",antigravity:"Antigravity"},v={claude:"/brand-logos/claude-code.svg",codex:"/brand-logos/codex.svg",cursor:"/brand-logos/cursor.svg",gemini:"/brand-logos/gemini.svg",kimi:"/brand-logos/kimi.svg",kiro:"/brand-logos/kiro.svg",copilot:"/brand-logos/copilot.svg",antigravity:"/brand-logos/antigravity.svg"},l="tt.limits.providerOrder",g="tt.limits.providerVisibility";function w(){if(typeof window>"u")return[...d];try{const i=window.localStorage.getItem(l);if(!i)return[...d];const s=JSON.parse(i);if(!Array.isArray(s))return[...d];const r=s.filter(c=>d.includes(c));for(const c of d)r.includes(c)\|\|r.push(c);return r}catch{return[...d]}}function y(){const i=Object.fromEntries(d.map(s=>[s,!0]));if(typeof window>"u")return i;try{const s=window.localStorage.getItem(g);if(!s)return i;const r=JSON.parse(s);if(!r\|\|typeof r!="object")return i;const c={...i};for(const u of d)typeof r[u]=="boolean"&&(c[u]=r[u]);return c}catch{return i}}function C(){const[i,s]=a.useState(w),[r,c]=a.useState(y);a.useEffect(()=>{if(!(typeof window>"u"))try{window.localStorage.setItem(l,JSON.stringify(i))}catch{}},[i]),a.useEffect(()=>{if(!(typeof window>"u"))try{window.localStorage.setItem(g,JSON.stringify(r))}catch{}},[r]),a.useEffect(()=>{if(typeof window>"u")return;const o=t=>{t.key===l&&s(w()),t.key===g&&c(y())};return window.addEventListener("storage",o),()=>window.removeEventListener("storage",o)},[]);const u=a.useCallback(o=>{c(t=>({...t,[o]:!t[o]}))},[]),b=a.useCallback(o=>{s(t=>{const e=t.indexOf(o);if(e<=0)return t;const n=[...t];return[n[e-1],n[e]]=[n[e],n[e-1]],n})},[]),p=a.useCallback(o=>{s(t=>{const e=t.indexOf(o);if(e<0\|\|e>=t.length-1)return t;const n=[...t];return[n[e],n[e+1]]=[n[e+1],n[e]],n})},[]),O=a.useCallback((o,t)=>{o!==t&&s(e=>{const n=e.indexOf(o),m=e.indexOf(t);if(n<0\|\|m<0)return e;const f=[...e],[I]=f.splice(n,1);return f.splice(m,0,I),f})},[]),k=a.useCallback(()=>{s([...d]),c(Object.fromEntries(d.map(o=>[o,!0])))},[]),x=a.useMemo(()=>i.filter(o=>r[o]!==!1),[i,r]);return{order:i,visibility:r,visibleOrdered:x,toggle:u,moveUp:b,moveDown:p,moveToward:O,reset:k}}export{v as L,S as a,C as u};
1	+ import{r as a}from"./main-C1bPtjN7.js";const d=["claude","codex","cursor","gemini","kimi","kiro","copilot","antigravity"],S={claude:"Claude",codex:"Codex",cursor:"Cursor",gemini:"Gemini",kimi:"Kimi",kiro:"Kiro",copilot:"GitHub Copilot",antigravity:"Antigravity"},v={claude:"/brand-logos/claude-code.svg",codex:"/brand-logos/codex.svg",cursor:"/brand-logos/cursor.svg",gemini:"/brand-logos/gemini.svg",kimi:"/brand-logos/kimi.svg",kiro:"/brand-logos/kiro.svg",copilot:"/brand-logos/copilot.svg",antigravity:"/brand-logos/antigravity.svg"},l="tt.limits.providerOrder",g="tt.limits.providerVisibility";function w(){if(typeof window>"u")return[...d];try{const i=window.localStorage.getItem(l);if(!i)return[...d];const s=JSON.parse(i);if(!Array.isArray(s))return[...d];const r=s.filter(c=>d.includes(c));for(const c of d)r.includes(c)\|\|r.push(c);return r}catch{return[...d]}}function y(){const i=Object.fromEntries(d.map(s=>[s,!0]));if(typeof window>"u")return i;try{const s=window.localStorage.getItem(g);if(!s)return i;const r=JSON.parse(s);if(!r\|\|typeof r!="object")return i;const c={...i};for(const u of d)typeof r[u]=="boolean"&&(c[u]=r[u]);return c}catch{return i}}function C(){const[i,s]=a.useState(w),[r,c]=a.useState(y);a.useEffect(()=>{if(!(typeof window>"u"))try{window.localStorage.setItem(l,JSON.stringify(i))}catch{}},[i]),a.useEffect(()=>{if(!(typeof window>"u"))try{window.localStorage.setItem(g,JSON.stringify(r))}catch{}},[r]),a.useEffect(()=>{if(typeof window>"u")return;const o=t=>{t.key===l&&s(w()),t.key===g&&c(y())};return window.addEventListener("storage",o),()=>window.removeEventListener("storage",o)},[]);const u=a.useCallback(o=>{c(t=>({...t,[o]:!t[o]}))},[]),b=a.useCallback(o=>{s(t=>{const e=t.indexOf(o);if(e<=0)return t;const n=[...t];return[n[e-1],n[e]]=[n[e],n[e-1]],n})},[]),p=a.useCallback(o=>{s(t=>{const e=t.indexOf(o);if(e<0\|\|e>=t.length-1)return t;const n=[...t];return[n[e],n[e+1]]=[n[e+1],n[e]],n})},[]),O=a.useCallback((o,t)=>{o!==t&&s(e=>{const n=e.indexOf(o),m=e.indexOf(t);if(n<0\|\|m<0)return e;const f=[...e],[I]=f.splice(n,1);return f.splice(m,0,I),f})},[]),k=a.useCallback(()=>{s([...d]),c(Object.fromEntries(d.map(o=>[o,!0])))},[]),x=a.useMemo(()=>i.filter(o=>r[o]!==!1),[i,r]);return{order:i,visibility:r,visibleOrdered:x,toggle:u,moveUp:b,moveDown:p,moveToward:O,reset:k}}export{v as L,S as a,C as u};

package/dashboard/dist/assets/{use-native-settings-DHtj5DnD.js → use-native-settings-DkTJDNZG.js} RENAMED Viewed

	@@ -1 +1 @@
1	- import{C as a,a7 as x,r as n,aH as g,aI as m,aJ as b,aK as u,aL as f,aF as h}from"./main-~~uaLO1Ae7~~.js";import{C as y}from"./Card-~~C22jvaH-.~~js";function p({checked:s,onChange:t,disabled:e,ariaLabel:i}){return a.jsx("button",{type:"button",role:"switch","aria-checked":s,"aria-label":i,onClick:t,disabled:e,className:x("relative inline-flex h-5 w-9 shrink-0 items-center rounded-full transition-colors focus:outline-none focus-visible:ring-2 focus-visible:ring-oai-brand-500 disabled:opacity-50 disabled:cursor-not-allowed",s?"bg-oai-brand-500":"bg-oai-gray-300 dark:bg-oai-gray-700"),children:a.jsx("span",{className:x("inline-block h-3.5 w-3.5 rounded-full bg-white transition-transform",s?"translate-x-[18px]":"translate-x-[3px]")})})}function j({label:s,hint:t,control:e}){return a.jsxs("div",{className:"flex items-center justify-between gap-4 py-3",children:[a.jsxs("div",{className:"min-w-0 flex-1",children:[a.jsx("div",{className:"text-sm text-oai-gray-900 dark:text-oai-gray-200",children:s}),t?a.jsx("div",{className:"mt-0.5 text-xs text-oai-gray-500 dark:text-oai-gray-400",children:t}):null]}),a.jsx("div",{className:"shrink-0",children:e})]})}function N({title:s,subtitle:t,action:e,children:i}){return a.jsxs(y,{children:[a.jsxs("div",{className:"mb-3 flex items-start justify-between gap-4",children:[a.jsxs("div",{className:"min-w-0 flex-1",children:[a.jsx("h2",{className:"text-sm font-medium text-oai-gray-500 dark:text-oai-gray-300 uppercase tracking-wide",children:s}),t?a.jsx("p",{className:"mt-1 truncate text-xs text-oai-gray-500 dark:text-oai-gray-400",children:t}):null]}),e?a.jsx("div",{className:"shrink-0",children:e}):null]}),a.jsx("div",{className:"-mb-3 divide-y divide-oai-gray-200/60 dark:divide-oai-gray-800/60",children:i})]})}function w({options:s,value:t,onChange:e}){return a.jsx("div",{className:"inline-flex items-center rounded-lg border border-oai-gray-200 bg-oai-gray-50 p-0.5 dark:border-oai-gray-800 dark:bg-oai-gray-900",children:s.map(({value:i,label:d,Icon:l})=>{const r=t===i;return a.jsxs("button",{type:"button",onClick:()=>e(i),"aria-pressed":r,className:x("inline-flex items-center gap-1.5 rounded-md px-3 py-1.5 text-xs font-medium transition-colors",r?"bg-white text-oai-black shadow-sm dark:bg-oai-gray-800 dark:text-white":"text-oai-gray-500 hover:text-oai-black dark:text-oai-gray-400 dark:hover:text-white"),children:[l?a.jsx(l,{className:"h-3.5 w-3.5","aria-hidden":!0}):null,a.jsx("span",{children:d})]},i)})})}function S(){const[s,t]=n.useState(null),e=g()&&m();n.useEffect(()=>{if(!e)return;const r=b(o=>t(o));return u(),r},[e]);const i=n.useCallback((r,o)=>{e&&(t(c=>c&&{...c,[r]:o}),f(r,o))},[e]),d=n.useCallback(r=>{e&&h(r)},[e]),l=n.useCallback(()=>{e&&u()},[e]);return{available:e,settings:s,setSetting:i,runAction:d,refresh:l}}export{N as S,p as T,j as a,w as b,S as u};
1	+ import{C as a,a7 as x,r as n,aH as g,aI as m,aJ as b,aK as u,aL as f,aF as h}from"./main-C1bPtjN7.js";import{C as y}from"./Card-B3zit51o.js";function p({checked:s,onChange:t,disabled:e,ariaLabel:i}){return a.jsx("button",{type:"button",role:"switch","aria-checked":s,"aria-label":i,onClick:t,disabled:e,className:x("relative inline-flex h-5 w-9 shrink-0 items-center rounded-full transition-colors focus:outline-none focus-visible:ring-2 focus-visible:ring-oai-brand-500 disabled:opacity-50 disabled:cursor-not-allowed",s?"bg-oai-brand-500":"bg-oai-gray-300 dark:bg-oai-gray-700"),children:a.jsx("span",{className:x("inline-block h-3.5 w-3.5 rounded-full bg-white transition-transform",s?"translate-x-[18px]":"translate-x-[3px]")})})}function j({label:s,hint:t,control:e}){return a.jsxs("div",{className:"flex items-center justify-between gap-4 py-3",children:[a.jsxs("div",{className:"min-w-0 flex-1",children:[a.jsx("div",{className:"text-sm text-oai-gray-900 dark:text-oai-gray-200",children:s}),t?a.jsx("div",{className:"mt-0.5 text-xs text-oai-gray-500 dark:text-oai-gray-400",children:t}):null]}),a.jsx("div",{className:"shrink-0",children:e})]})}function N({title:s,subtitle:t,action:e,children:i}){return a.jsxs(y,{children:[a.jsxs("div",{className:"mb-3 flex items-start justify-between gap-4",children:[a.jsxs("div",{className:"min-w-0 flex-1",children:[a.jsx("h2",{className:"text-sm font-medium text-oai-gray-500 dark:text-oai-gray-300 uppercase tracking-wide",children:s}),t?a.jsx("p",{className:"mt-1 truncate text-xs text-oai-gray-500 dark:text-oai-gray-400",children:t}):null]}),e?a.jsx("div",{className:"shrink-0",children:e}):null]}),a.jsx("div",{className:"-mb-3 divide-y divide-oai-gray-200/60 dark:divide-oai-gray-800/60",children:i})]})}function w({options:s,value:t,onChange:e}){return a.jsx("div",{className:"inline-flex items-center rounded-lg border border-oai-gray-200 bg-oai-gray-50 p-0.5 dark:border-oai-gray-800 dark:bg-oai-gray-900",children:s.map(({value:i,label:d,Icon:l})=>{const r=t===i;return a.jsxs("button",{type:"button",onClick:()=>e(i),"aria-pressed":r,className:x("inline-flex items-center gap-1.5 rounded-md px-3 py-1.5 text-xs font-medium transition-colors",r?"bg-white text-oai-black shadow-sm dark:bg-oai-gray-800 dark:text-white":"text-oai-gray-500 hover:text-oai-black dark:text-oai-gray-400 dark:hover:text-white"),children:[l?a.jsx(l,{className:"h-3.5 w-3.5","aria-hidden":!0}):null,a.jsx("span",{children:d})]},i)})})}function S(){const[s,t]=n.useState(null),e=g()&&m();n.useEffect(()=>{if(!e)return;const r=b(o=>t(o));return u(),r},[e]);const i=n.useCallback((r,o)=>{e&&(t(c=>c&&{...c,[r]:o}),f(r,o))},[e]),d=n.useCallback(r=>{e&&h(r)},[e]),l=n.useCallback(()=>{e&&u()},[e]);return{available:e,settings:s,setSetting:i,runAction:d,refresh:l}}export{N as S,p as T,j as a,w as b,S as u};

package/dashboard/dist/assets/{use-reduced-motion-8tbVQBYw.js → use-reduced-motion-DJE4Frme.js} RENAMED Viewed

	@@ -1 +1 @@
1	- import{aM as t,aN as o,r,aO as s}from"./main-~~uaLO1Ae7~~.js";function u(){!t.current&&o();const[e]=r.useState(s.current);return e}export{u};
1	+ import{aM as t,aN as o,r,aO as s}from"./main-C1bPtjN7.js";function u(){!t.current&&o();const[e]=r.useState(s.current);return e}export{u};

package/dashboard/dist/assets/{use-usage-limits-SwQjCSa8.js → use-usage-limits-OjbraegI.js} RENAMED Viewed

	@@ -1 +1 @@
1	- import{r,al as l}from"./main-~~uaLO1Ae7~~.js";function y(i){const[o,a]=r.useState(null),[u,s]=r.useState(null),[c,f]=r.useState(!0),n=!!i?.initialRefresh,g=r.useCallback(async()=>{try{const e=await l({refresh:!0});a(e&&typeof e=="object"?e:null),s(null)}catch(e){s(e?.message\|\|String(e))}},[]);return r.useEffect(()=>{let e=!1;return(async()=>{try{const t=await l(n?{refresh:!0}:{});if(e)return;a(t&&typeof t=="object"?t:null),s(null)}catch(t){if(e)return;s(t?.message\|\|String(t))}finally{e\|\|f(!1)}})(),()=>{e=!0}},[n]),{data:o,error:u,isLoading:c,refresh:g}}export{y as u};
1	+ import{r,al as l}from"./main-C1bPtjN7.js";function y(i){const[o,a]=r.useState(null),[u,s]=r.useState(null),[c,f]=r.useState(!0),n=!!i?.initialRefresh,g=r.useCallback(async()=>{try{const e=await l({refresh:!0});a(e&&typeof e=="object"?e:null),s(null)}catch(e){s(e?.message\|\|String(e))}},[]);return r.useEffect(()=>{let e=!1;return(async()=>{try{const t=await l(n?{refresh:!0}:{});if(e)return;a(t&&typeof t=="object"?t:null),s(null)}catch(t){if(e)return;s(t?.message\|\|String(t))}finally{e\|\|f(!1)}})(),()=>{e=!0}},[n]),{data:o,error:u,isLoading:c,refresh:g}}export{y as u};

package/dashboard/dist/assets/{useCurrency-Bc8I7sE1.js → useCurrency-DJA7tRVi.js} RENAMED Viewed

	@@ -1 +1 @@
1	- import{r as e,aA as t,aB as r,I as c}from"./main-~~uaLO1Ae7~~.js";const a=Object.freeze({currency:c,rate:1,symbol:"$",rates:{...r},rateSource:"default",rateFetchedAt:null,setCurrency:()=>{}});function u(){return e.useContext(t)??a}export{u};
1	+ import{r as e,aA as t,aB as r,I as c}from"./main-C1bPtjN7.js";const a=Object.freeze({currency:c,rate:1,symbol:"$",rates:{...r},rateSource:"default",rateFetchedAt:null,setCurrency:()=>{}});function u(){return e.useContext(t)??a}export{u};

package/dashboard/dist/index.html CHANGED Viewed

@@ -210,7 +210,7 @@
         ]
       }
     </script>
-    <script type="module" crossorigin src="/assets/main-uaLO1Ae7.js"></script>
+    <script type="module" crossorigin src="/assets/main-C1bPtjN7.js"></script>
     <link rel="stylesheet" crossorigin href="/assets/main-JP_EYeq-.css">
   </head>
   <body>

package/dashboard/dist/share.html CHANGED Viewed

@@ -51,7 +51,7 @@
         "description": "Shareable Token Tracker dashboard snapshot."
       }
     </script>
-    <script type="module" crossorigin src="/assets/main-uaLO1Ae7.js"></script>
+    <script type="module" crossorigin src="/assets/main-C1bPtjN7.js"></script>
     <link rel="stylesheet" crossorigin href="/assets/main-JP_EYeq-.css">
   </head>
   <body>

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "tokentracker-cli",
-  "version": "0.24.0",
+  "version": "0.24.1",
   "description": "Token usage tracker for AI agent CLIs (Claude Code, Codex, Cursor, Gemini, Kiro, OpenCode, OpenClaw, Every Code, Hermes, GitHub Copilot, Kimi Code, CodeBuddy, Grok Build, oh-my-pi, pi, Craft Agents, Kilo CLI, Kilo Code, Roo Code, Zed Agent, Goose)",
   "main": "src/cli.js",
   "bin": {

package/src/cli.js CHANGED Viewed

@@ -63,7 +63,7 @@ function printHelp() {
       "",
       "Usage:",
       "  npx tokentracker                                         Open local dashboard",
-      "  npx tokentracker [--debug] serve [--port 7680] [--allowed-hosts <host[,host...]>] [--no-open] [--no-sync]",
+      "  npx tokentracker [--debug] serve [--port 7680] [--no-open] [--no-sync]",
       "  npx tokentracker [--debug] init [--yes] [--dry-run] [--no-open] [--link-code <code>]",
       "  npx tokentracker [--debug] sync [--auto] [--drain] [--from-openclaw]",
       "  npx tokentracker [--debug] status [--probe-keychain] [--probe-keychain-details]",
@@ -82,7 +82,6 @@ function printHelp() {
       "  - OpenClaw hook auto-links when OpenClaw is installed (requires gateway restart).",
       "  - auto sync waits for a device token.",
       "  - optional: --dashboard-url for hosted landing.",
-      "  - serve: --allowed-hosts marks extra hostnames as local-dashboard auth proxy origins (for tunnels/previews).",
       "  - sync parses ~/.codex/sessions/**/rollout-*.jsonl and ~/.code/sessions/**/rollout-*.jsonl, then uploads token deltas.",
       "  - --from-openclaw marks sync runs triggered by OpenClaw hooks.",
       "  - --debug shows original backend errors.",

package/src/commands/serve.js CHANGED Viewed

@@ -87,7 +87,7 @@ async function cmdServe(argv) {
   }
   // 3. Create handler
-  const handleApi = createLocalApiHandler({ queuePath, allowedHosts: opts.allowedHosts });
+  const handleApi = createLocalApiHandler({ queuePath });
   const server = http.createServer(async (req, res) => {
     try {
@@ -104,11 +104,6 @@ async function cmdServe(argv) {
       }
       // API routes
-      if (url.pathname === "/api/dashboard-config") {
-        serveDashboardConfig(res, { allowedHosts: opts.allowedHosts });
-        return;
-      }
       if (
         url.pathname.startsWith("/functions/")
         || url.pathname.startsWith("/api/")
@@ -229,66 +224,19 @@ function resolveDashboardDir() {
   return null;
 }
-function splitHostList(value) {
-  if (Array.isArray(value)) return value.flatMap(splitHostList);
-  if (typeof value !== "string") return [];
-  return value.split(",").map((entry) => entry.trim()).filter(Boolean);
-}
-function normalizeAllowedHost(value) {
-  if (typeof value !== "string") return null;
-  const raw = value.trim();
-  if (!raw || raw.includes("*") || /\s/.test(raw)) return null;
-  try {
-    const withScheme = /^[a-z][a-z0-9+.-]*:\/\//i.test(raw) ? raw : `http://${raw}`;
-    const url = new URL(withScheme);
-    if (!url.hostname || url.username || url.password) return null;
-    return url.hostname.toLowerCase();
-  } catch (_e) {
-    return null;
-  }
-}
-function normalizeAllowedHosts(values) {
-  const out = [];
-  const seen = new Set();
-  for (const item of splitHostList(values)) {
-    const host = normalizeAllowedHost(item);
-    if (!host || seen.has(host)) continue;
-    seen.add(host);
-    out.push(host);
-  }
-  return out;
-}
-function serveDashboardConfig(res, { allowedHosts } = {}) {
-  const body = Buffer.from(JSON.stringify({ allowedHosts: normalizeAllowedHosts(allowedHosts) }), "utf8");
-  res.writeHead(200, {
-    "Content-Type": "application/json; charset=utf-8",
-    "Content-Length": body.length,
-    "Cache-Control": "no-store",
-  });
-  res.end(body);
-}
 function parseArgs(argv) {
-  const opts = { port: DEFAULT_PORT, open: true, sync: true, allowedHosts: [] };
+  const opts = { port: DEFAULT_PORT, open: true, sync: true };
   for (let i = 0; i < argv.length; i++) {
     const arg = argv[i];
     if (arg === "--port" && i + 1 < argv.length) {
       const n = parseInt(argv[++i], 10);
       if (Number.isFinite(n) && n > 0 && n < 65536) opts.port = n;
-    } else if (arg === "--allowed-hosts" && i + 1 < argv.length && !argv[i + 1].startsWith("-")) {
-      opts.allowedHosts.push(...normalizeAllowedHosts(argv[++i]));
-    } else if (arg.startsWith("--allowed-hosts=")) {
-      opts.allowedHosts.push(...normalizeAllowedHosts(arg.slice("--allowed-hosts=".length)));
     } else if (arg === "--no-open") {
       opts.open = false;
     } else if (arg === "--no-sync") {
       opts.sync = false;
     }
   }
-  opts.allowedHosts = normalizeAllowedHosts(opts.allowedHosts);
   return opts;
 }
@@ -298,7 +246,4 @@ module.exports = {
   NPM_PACKAGE_NAME,
   LOCAL_BIND_HOST,
   getLocalServerUrl,
-  parseArgs,
-  normalizeAllowedHosts,
-  serveDashboardConfig,
 };

package/src/lib/local-api.js CHANGED Viewed

@@ -457,45 +457,13 @@ function isLoopbackHostname(hostname) {
   return hostname === "127.0.0.1" || hostname === "localhost" || hostname === "::1" || hostname === "[::1]";
 }
-function normalizeAllowedHost(value) {
-  if (typeof value !== "string") return null;
-  const raw = value.trim();
-  if (!raw || raw.includes("*") || /\s/.test(raw)) return null;
-  try {
-    const withScheme = /^[a-z][a-z0-9+.-]*:\/\//i.test(raw) ? raw : `http://${raw}`;
-    const url = new URL(withScheme);
-    if (!url.hostname || url.username || url.password) return null;
-    return url.hostname.toLowerCase();
-  } catch (_e) {
-    return null;
-  }
-}
-function normalizeAllowedHosts(values) {
-  const raw = Array.isArray(values) ? values : [values];
-  const out = [];
-  const seen = new Set();
-  for (const item of raw) {
-    const host = normalizeAllowedHost(item);
-    if (!host || seen.has(host)) continue;
-    seen.add(host);
-    out.push(host);
-  }
-  return out;
-}
-function hasAllowedLoopbackOrigin(headers = {}, allowedHosts = []) {
-  const allowed = new Set(normalizeAllowedHosts(allowedHosts));
+function hasAllowedLoopbackOrigin(headers = {}) {
   const candidates = [headers.origin, headers.referer];
   for (const raw of candidates) {
     if (raw == null || raw === "") continue;
     try {
       const url = new URL(String(raw));
-      if (!["http:", "https:"].includes(url.protocol)) return false;
-      const host = url.hostname.toLowerCase();
-      if (url.protocol === "http:" && isLoopbackHostname(host)) continue;
-      if (allowed.has(host)) continue;
-      return false;
+      if (url.protocol !== "http:" || !isLoopbackHostname(url.hostname)) return false;
     } catch (_e) {
       return false;
     }
@@ -689,9 +657,8 @@ const IP_CHECK_TARGET = "https://ip.net.coffee";
 // Main handler factory
 // ---------------------------------------------------------------------------
-function createLocalApiHandler({ queuePath, allowedHosts = [] } = {}) {
+function createLocalApiHandler({ queuePath }) {
   const qp = queuePath || resolveQueuePath();
-  const allowedLocalOriginHosts = normalizeAllowedHosts(allowedHosts);
   // Server-side cookie relay: captures auth cookies from InsForge cloud responses
   // so that both browser and WKWebView share the same login session via the proxy.
@@ -863,7 +830,7 @@ function createLocalApiHandler({ queuePath, allowedHosts = [] } = {}) {
       ? headerToken.trim()
       : cookieToken || "";
     if (!token || token !== localAuthToken) return false;
-    return hasAllowedLoopbackOrigin(req?.headers || {}, allowedLocalOriginHosts);
+    return hasAllowedLoopbackOrigin(req?.headers || {});
   }
   return async function handleLocalApi(req, res, url) {