@ainyc/canonry 1.10.0 → 1.10.1

package/dist/{chunk-P4D4VWJQ.js → chunk-2DC7RBXJ.js}

@@ -140,6 +140,7 @@ function trackEvent(event, properties) {
 
 // src/server.ts
 import { createRequire as createRequire2 } from "module";
+import crypto16 from "crypto";
 import fs2 from "fs";
 import path2 from "path";
 import { fileURLToPath } from "url";
@@ -161,6 +162,9 @@ __export(schema_exports, {
   apiKeys: () => apiKeys,
   auditLog: () => auditLog,
   competitors: () => competitors,
+  googleConnections: () => googleConnections,
+  gscSearchData: () => gscSearchData,
+  gscUrlInspections: () => gscUrlInspections,
   keywords: () => keywords,
   notifications: () => notifications,
   projects: () => projects,
@@ -286,6 +290,61 @@ var notifications = sqliteTable("notifications", {
 }, (table) => [
   index("idx_notifications_project").on(table.projectId)
 ]);
+var googleConnections = sqliteTable("google_connections", {
+  id: text("id").primaryKey(),
+  domain: text("domain").notNull(),
+  connectionType: text("connection_type").notNull(),
+  propertyId: text("property_id"),
+  accessToken: text("access_token"),
+  refreshToken: text("refresh_token"),
+  tokenExpiresAt: text("token_expires_at"),
+  scopes: text("scopes").notNull().default("[]"),
+  createdAt: text("created_at").notNull(),
+  updatedAt: text("updated_at").notNull()
+}, (table) => [
+  uniqueIndex("idx_google_conn_domain_type").on(table.domain, table.connectionType)
+]);
+var gscSearchData = sqliteTable("gsc_search_data", {
+  id: text("id").primaryKey(),
+  projectId: text("project_id").notNull().references(() => projects.id, { onDelete: "cascade" }),
+  syncRunId: text("sync_run_id").notNull().references(() => runs.id, { onDelete: "cascade" }),
+  date: text("date").notNull(),
+  query: text("query").notNull(),
+  page: text("page").notNull(),
+  country: text("country"),
+  device: text("device"),
+  clicks: integer("clicks").notNull().default(0),
+  impressions: integer("impressions").notNull().default(0),
+  ctr: text("ctr").notNull().default("0"),
+  position: text("position").notNull().default("0"),
+  createdAt: text("created_at").notNull()
+}, (table) => [
+  index("idx_gsc_search_project_date").on(table.projectId, table.date),
+  index("idx_gsc_search_query").on(table.query),
+  index("idx_gsc_search_run").on(table.syncRunId)
+]);
+var gscUrlInspections = sqliteTable("gsc_url_inspections", {
+  id: text("id").primaryKey(),
+  projectId: text("project_id").notNull().references(() => projects.id, { onDelete: "cascade" }),
+  syncRunId: text("sync_run_id").references(() => runs.id, { onDelete: "cascade" }),
+  url: text("url").notNull(),
+  indexingState: text("indexing_state"),
+  verdict: text("verdict"),
+  coverageState: text("coverage_state"),
+  pageFetchState: text("page_fetch_state"),
+  robotsTxtState: text("robots_txt_state"),
+  crawlTime: text("crawl_time"),
+  lastCrawlResult: text("last_crawl_result"),
+  isMobileFriendly: integer("is_mobile_friendly"),
+  richResults: text("rich_results").notNull().default("[]"),
+  referringUrls: text("referring_urls").notNull().default("[]"),
+  inspectedAt: text("inspected_at").notNull(),
+  createdAt: text("created_at").notNull()
+}, (table) => [
+  index("idx_gsc_inspect_project_url").on(table.projectId, table.url),
+  index("idx_gsc_inspect_run").on(table.syncRunId),
+  index("idx_gsc_inspect_url_time").on(table.url, table.inspectedAt)
+]);
 var usageCounters = sqliteTable("usage_counters", {
   id: text("id").primaryKey(),
   scope: text("scope").notNull(),
@@ -448,7 +507,62 @@ var MIGRATIONS = [
   // v5: Add model column to query_snapshots for per-model scoring
   `ALTER TABLE query_snapshots ADD COLUMN model TEXT`,
   // v5b: Backfill model from rawResponse JSON for existing snapshots
-  `UPDATE query_snapshots SET model = json_extract(raw_response, '$.model') WHERE model IS NULL AND raw_response IS NOT NULL AND json_extract(raw_response, '$.model') IS NOT NULL`
+  `UPDATE query_snapshots SET model = json_extract(raw_response, '$.model') WHERE model IS NULL AND raw_response IS NOT NULL AND json_extract(raw_response, '$.model') IS NOT NULL`,
+  // v6: Google Search Console integration — google_connections table (domain-scoped)
+  `CREATE TABLE IF NOT EXISTS google_connections (
+    id              TEXT PRIMARY KEY,
+    domain          TEXT NOT NULL,
+    connection_type TEXT NOT NULL,
+    property_id     TEXT,
+    access_token    TEXT,
+    refresh_token   TEXT,
+    token_expires_at TEXT,
+    scopes          TEXT NOT NULL DEFAULT '[]',
+    created_at      TEXT NOT NULL,
+    updated_at      TEXT NOT NULL
+  )`,
+  `CREATE UNIQUE INDEX IF NOT EXISTS idx_google_conn_domain_type ON google_connections(domain, connection_type)`,
+  // v6: Google Search Console integration — gsc_search_data table
+  `CREATE TABLE IF NOT EXISTS gsc_search_data (
+    id            TEXT PRIMARY KEY,
+    project_id    TEXT NOT NULL REFERENCES projects(id) ON DELETE CASCADE,
+    sync_run_id   TEXT NOT NULL REFERENCES runs(id) ON DELETE CASCADE,
+    date          TEXT NOT NULL,
+    query         TEXT NOT NULL,
+    page          TEXT NOT NULL,
+    country       TEXT,
+    device        TEXT,
+    clicks        INTEGER NOT NULL DEFAULT 0,
+    impressions   INTEGER NOT NULL DEFAULT 0,
+    ctr           TEXT NOT NULL DEFAULT '0',
+    position      TEXT NOT NULL DEFAULT '0',
+    created_at    TEXT NOT NULL
+  )`,
+  `CREATE INDEX IF NOT EXISTS idx_gsc_search_project_date ON gsc_search_data(project_id, date)`,
+  `CREATE INDEX IF NOT EXISTS idx_gsc_search_query ON gsc_search_data(query)`,
+  `CREATE INDEX IF NOT EXISTS idx_gsc_search_run ON gsc_search_data(sync_run_id)`,
+  // v6: Google Search Console integration — gsc_url_inspections table
+  `CREATE TABLE IF NOT EXISTS gsc_url_inspections (
+    id                TEXT PRIMARY KEY,
+    project_id        TEXT NOT NULL REFERENCES projects(id) ON DELETE CASCADE,
+    sync_run_id       TEXT REFERENCES runs(id) ON DELETE CASCADE,
+    url               TEXT NOT NULL,
+    indexing_state    TEXT,
+    verdict           TEXT,
+    coverage_state    TEXT,
+    page_fetch_state  TEXT,
+    robots_txt_state  TEXT,
+    crawl_time        TEXT,
+    last_crawl_result TEXT,
+    is_mobile_friendly INTEGER,
+    rich_results      TEXT NOT NULL DEFAULT '[]',
+    referring_urls    TEXT NOT NULL DEFAULT '[]',
+    inspected_at      TEXT NOT NULL,
+    created_at        TEXT NOT NULL
+  )`,
+  `CREATE INDEX IF NOT EXISTS idx_gsc_inspect_project_url ON gsc_url_inspections(project_id, url)`,
+  `CREATE INDEX IF NOT EXISTS idx_gsc_inspect_run ON gsc_url_inspections(sync_run_id)`,
+  `CREATE INDEX IF NOT EXISTS idx_gsc_inspect_url_time ON gsc_url_inspections(url, inspected_at)`
 ];
 function migrate(db) {
   const statements = MIGRATION_SQL.split(";").map((s) => s.trim()).filter((s) => s.length > 0);
@@ -521,6 +635,15 @@ var configNotificationSchema = z3.object({
   url: z3.string().url(),
   events: z3.array(notificationEventSchema).min(1)
 });
+var configGoogleSchema = z3.object({
+  gsc: z3.object({
+    propertyUrl: z3.string()
+  }).optional(),
+  syncSchedule: z3.object({
+    preset: z3.string().optional(),
+    cron: z3.string().optional()
+  }).optional()
+}).optional();
 var configSpecSchema = z3.object({
   displayName: z3.string().min(1),
   canonicalDomain: z3.string().min(1),
@@ -531,7 +654,8 @@ var configSpecSchema = z3.object({
   competitors: z3.array(z3.string().min(1)).optional().default([]),
   providers: z3.array(providerNameSchema).optional().default([]),
   schedule: configScheduleSchema,
-  notifications: z3.array(configNotificationSchema).optional().default([])
+  notifications: z3.array(configNotificationSchema).optional().default([]),
+  google: configGoogleSchema
 });
 var projectConfigSchema = z3.object({
   apiVersion: z3.literal("canonry/v1"),
@@ -633,23 +757,62 @@ function unsupportedKind(kind) {
   return new AppError("UNSUPPORTED_KIND", `Kind '${kind}' is not supported in this version`, 400);
 }
 
-// ../contracts/src/project.ts
+// ../contracts/src/google.ts
 import { z as z4 } from "zod";
-var configSourceSchema = z4.enum(["cli", "api", "config-file"]);
-var projectDtoSchema = z4.object({
+var googleConnectionTypeSchema = z4.enum(["gsc", "ga4"]);
+var googleConnectionDtoSchema = z4.object({
+  id: z4.string(),
+  domain: z4.string(),
+  connectionType: googleConnectionTypeSchema,
+  propertyId: z4.string().nullable().optional(),
+  scopes: z4.array(z4.string()).default([]),
+  createdAt: z4.string(),
+  updatedAt: z4.string()
+});
+var gscSearchDataDtoSchema = z4.object({
+  date: z4.string(),
+  query: z4.string(),
+  page: z4.string(),
+  country: z4.string().nullable().optional(),
+  device: z4.string().nullable().optional(),
+  clicks: z4.number(),
+  impressions: z4.number(),
+  ctr: z4.number(),
+  position: z4.number()
+});
+var gscUrlInspectionDtoSchema = z4.object({
   id: z4.string(),
-  name: z4.string(),
-  displayName: z4.string().optional(),
-  canonicalDomain: z4.string(),
-  ownedDomains: z4.array(z4.string()).default([]),
-  country: z4.string().length(2),
-  language: z4.string().min(2),
-  tags: z4.array(z4.string()).default([]),
-  labels: z4.record(z4.string(), z4.string()).default({}),
+  url: z4.string(),
+  indexingState: z4.string().nullable().optional(),
+  verdict: z4.string().nullable().optional(),
+  coverageState: z4.string().nullable().optional(),
+  pageFetchState: z4.string().nullable().optional(),
+  robotsTxtState: z4.string().nullable().optional(),
+  crawlTime: z4.string().nullable().optional(),
+  lastCrawlResult: z4.string().nullable().optional(),
+  isMobileFriendly: z4.boolean().nullable().optional(),
+  richResults: z4.array(z4.string()).default([]),
+  inspectedAt: z4.string()
+});
+var indexTransitionSchema = z4.enum(["stable", "reindexed", "deindexed", "still-missing", "new"]);
+
+// ../contracts/src/project.ts
+import { z as z5 } from "zod";
+var configSourceSchema = z5.enum(["cli", "api", "config-file"]);
+var projectDtoSchema = z5.object({
+  id: z5.string(),
+  name: z5.string(),
+  displayName: z5.string().optional(),
+  canonicalDomain: z5.string(),
+  ownedDomains: z5.array(z5.string()).default([]),
+  country: z5.string().length(2),
+  language: z5.string().min(2),
+  tags: z5.array(z5.string()).default([]),
+  labels: z5.record(z5.string(), z5.string()).default({}),
   configSource: configSourceSchema.default("cli"),
-  configRevision: z4.number().int().positive().default(1),
-  createdAt: z4.string().optional(),
-  updatedAt: z4.string().optional()
+  configRevision: z5.number().int().positive().default(1),
+  createdAt: z5.string().optional(),
+  updatedAt: z5.string().optional()
 });
 function normalizeProjectDomain(input) {
   let domain = input.trim().toLowerCase();
@@ -677,68 +840,68 @@ function effectiveDomains(project) {
 }
 
 // ../contracts/src/run.ts
-import { z as z5 } from "zod";
-var runStatusSchema = z5.enum(["queued", "running", "completed", "partial", "failed"]);
-var runKindSchema = z5.enum(["answer-visibility", "site-audit"]);
-var runTriggerSchema = z5.enum(["manual", "scheduled", "config-apply"]);
-var citationStateSchema = z5.enum(["cited", "not-cited"]);
-var computedTransitionSchema = z5.enum(["new", "cited", "lost", "emerging", "not-cited"]);
-var runDtoSchema = z5.object({
-  id: z5.string(),
-  projectId: z5.string(),
+import { z as z6 } from "zod";
+var runStatusSchema = z6.enum(["queued", "running", "completed", "partial", "failed"]);
+var runKindSchema = z6.enum(["answer-visibility", "site-audit", "gsc-sync"]);
+var runTriggerSchema = z6.enum(["manual", "scheduled", "config-apply"]);
+var citationStateSchema = z6.enum(["cited", "not-cited"]);
+var computedTransitionSchema = z6.enum(["new", "cited", "lost", "emerging", "not-cited"]);
+var runDtoSchema = z6.object({
+  id: z6.string(),
+  projectId: z6.string(),
   kind: runKindSchema,
   status: runStatusSchema,
   trigger: runTriggerSchema.default("manual"),
-  startedAt: z5.string().nullable().optional(),
-  finishedAt: z5.string().nullable().optional(),
-  error: z5.string().nullable().optional(),
-  createdAt: z5.string()
+  startedAt: z6.string().nullable().optional(),
+  finishedAt: z6.string().nullable().optional(),
+  error: z6.string().nullable().optional(),
+  createdAt: z6.string()
 });
-var groundingSourceSchema = z5.object({
-  uri: z5.string(),
-  title: z5.string()
+var groundingSourceSchema = z6.object({
+  uri: z6.string(),
+  title: z6.string()
 });
-var querySnapshotDtoSchema = z5.object({
-  id: z5.string(),
-  runId: z5.string(),
-  keywordId: z5.string(),
-  keyword: z5.string().optional(),
+var querySnapshotDtoSchema = z6.object({
+  id: z6.string(),
+  runId: z6.string(),
+  keywordId: z6.string(),
+  keyword: z6.string().optional(),
   provider: providerNameSchema,
   citationState: citationStateSchema,
   transition: computedTransitionSchema.optional(),
-  answerText: z5.string().nullable().optional(),
-  citedDomains: z5.array(z5.string()).default([]),
-  competitorOverlap: z5.array(z5.string()).default([]),
-  groundingSources: z5.array(groundingSourceSchema).default([]),
-  searchQueries: z5.array(z5.string()).default([]),
-  model: z5.string().nullable().optional(),
-  createdAt: z5.string()
+  answerText: z6.string().nullable().optional(),
+  citedDomains: z6.array(z6.string()).default([]),
+  competitorOverlap: z6.array(z6.string()).default([]),
+  groundingSources: z6.array(groundingSourceSchema).default([]),
+  searchQueries: z6.array(z6.string()).default([]),
+  model: z6.string().nullable().optional(),
+  createdAt: z6.string()
 });
-var auditLogEntrySchema = z5.object({
-  id: z5.string(),
-  projectId: z5.string().nullable().optional(),
-  actor: z5.string(),
-  action: z5.string(),
-  entityType: z5.string(),
-  entityId: z5.string().nullable().optional(),
-  diff: z5.unknown().optional(),
-  createdAt: z5.string()
+var auditLogEntrySchema = z6.object({
+  id: z6.string(),
+  projectId: z6.string().nullable().optional(),
+  actor: z6.string(),
+  action: z6.string(),
+  entityType: z6.string(),
+  entityId: z6.string().nullable().optional(),
+  diff: z6.unknown().optional(),
+  createdAt: z6.string()
 });
 
 // ../contracts/src/schedule.ts
-import { z as z6 } from "zod";
-var scheduleDtoSchema = z6.object({
-  id: z6.string(),
-  projectId: z6.string(),
-  cronExpr: z6.string(),
-  preset: z6.string().nullable().optional(),
-  timezone: z6.string().default("UTC"),
-  enabled: z6.boolean().default(true),
-  providers: z6.array(providerNameSchema).default([]),
-  lastRunAt: z6.string().nullable().optional(),
-  nextRunAt: z6.string().nullable().optional(),
-  createdAt: z6.string(),
-  updatedAt: z6.string()
+import { z as z7 } from "zod";
+var scheduleDtoSchema = z7.object({
+  id: z7.string(),
+  projectId: z7.string(),
+  cronExpr: z7.string(),
+  preset: z7.string().nullable().optional(),
+  timezone: z7.string().default("UTC"),
+  enabled: z7.boolean().default(true),
+  providers: z7.array(providerNameSchema).default([]),
+  lastRunAt: z7.string().nullable().optional(),
+  nextRunAt: z7.string().nullable().optional(),
+  createdAt: z7.string(),
+  updatedAt: z7.string()
 });
 
 // ../api-routes/src/auth.ts
@@ -749,6 +912,7 @@ var SKIP_PATHS = ["/health"];
 function shouldSkipAuth(url) {
   if (SKIP_PATHS.includes(url)) return true;
   if (url.endsWith("/openapi.json")) return true;
+  if (url.includes("/google/callback")) return true;
   return false;
 }
 async function authPlugin(app) {
@@ -1384,7 +1548,7 @@ function resolveProjectSafe3(app, name, reply) {
 
 // ../api-routes/src/apply.ts
 import crypto9 from "crypto";
-import { eq as eq8 } from "drizzle-orm";
+import { eq as eq8, and as and3 } from "drizzle-orm";
 
 // ../api-routes/src/schedule-utils.ts
 var DAY_MAP = {
@@ -1821,6 +1985,13 @@ async function applyRoutes(app, opts) {
         diff: { notifications: config.spec.notifications }
       });
     }
+    if ("google" in rawSpec && config.spec.google?.gsc?.propertyUrl) {
+      const domain = config.spec.canonicalDomain;
+      const conn = app.db.select().from(googleConnections).where(and3(eq8(googleConnections.domain, domain), eq8(googleConnections.connectionType, "gsc"))).get();
+      if (conn) {
+        app.db.update(googleConnections).set({ propertyId: config.spec.google.gsc.propertyUrl, updatedAt: now }).where(eq8(googleConnections.id, conn.id)).run();
+      }
+    }
     const project = app.db.select().from(projects).where(eq8(projects.id, projectId)).get();
     return reply.status(200).send({
       id: project.id,
@@ -3075,6 +3246,501 @@ function resolveProjectSafe6(app, name, reply) {
   }
 }
 
+// ../api-routes/src/google.ts
+import crypto12 from "crypto";
+import { eq as eq12, and as and4, desc as desc2, sql as sql2 } from "drizzle-orm";
+
+// ../integration-google/src/constants.ts
+var GOOGLE_AUTH_URL = "https://accounts.google.com/o/oauth2/v2/auth";
+var GOOGLE_TOKEN_URL = "https://oauth2.googleapis.com/token";
+var GSC_SCOPE = "https://www.googleapis.com/auth/webmasters.readonly";
+var GSC_API_BASE = "https://www.googleapis.com/webmasters/v3";
+var URL_INSPECTION_API = "https://searchconsole.googleapis.com/v1/urlInspection/index:inspect";
+var GSC_MAX_ROWS_PER_REQUEST = 25e3;
+var GSC_DATA_LAG_DAYS = 3;
+
+// ../integration-google/src/types.ts
+var GoogleAuthError = class extends Error {
+  constructor(message) {
+    super(message);
+    this.name = "GoogleAuthError";
+  }
+};
+var GoogleApiError = class extends Error {
+  status;
+  constructor(message, status) {
+    super(message);
+    this.name = "GoogleApiError";
+    this.status = status;
+  }
+};
+
+// ../integration-google/src/oauth.ts
+function getAuthUrl(clientId, redirectUri, scopes, state) {
+  const params = new URLSearchParams({
+    client_id: clientId,
+    redirect_uri: redirectUri,
+    response_type: "code",
+    scope: scopes.join(" "),
+    access_type: "offline",
+    prompt: "consent"
+  });
+  if (state) params.set("state", state);
+  return `${GOOGLE_AUTH_URL}?${params.toString()}`;
+}
+async function exchangeCode(clientId, clientSecret, code, redirectUri) {
+  const res = await fetch(GOOGLE_TOKEN_URL, {
+    method: "POST",
+    headers: { "Content-Type": "application/x-www-form-urlencoded" },
+    body: new URLSearchParams({
+      client_id: clientId,
+      client_secret: clientSecret,
+      code,
+      redirect_uri: redirectUri,
+      grant_type: "authorization_code"
+    })
+  });
+  if (!res.ok) {
+    const body = await res.text();
+    throw new GoogleAuthError(`Token exchange failed (${res.status}): ${body}`);
+  }
+  return await res.json();
+}
+async function refreshAccessToken(clientId, clientSecret, currentRefreshToken) {
+  const res = await fetch(GOOGLE_TOKEN_URL, {
+    method: "POST",
+    headers: { "Content-Type": "application/x-www-form-urlencoded" },
+    body: new URLSearchParams({
+      client_id: clientId,
+      client_secret: clientSecret,
+      refresh_token: currentRefreshToken,
+      grant_type: "refresh_token"
+    })
+  });
+  if (!res.ok) {
+    const body = await res.text();
+    throw new GoogleAuthError(`Token refresh failed (${res.status}): ${body}`);
+  }
+  return await res.json();
+}
+
+// ../integration-google/src/gsc-client.ts
+async function gscFetch(accessToken, url, opts) {
+  const method = opts?.method ?? "GET";
+  const headers = {
+    Authorization: `Bearer ${accessToken}`,
+    "Content-Type": "application/json"
+  };
+  const res = await fetch(url, {
+    method,
+    headers,
+    body: opts?.body != null ? JSON.stringify(opts.body) : void 0
+  });
+  if (res.status === 401) {
+    throw new GoogleApiError("Access token expired or revoked", 401);
+  }
+  if (res.status === 429) {
+    throw new GoogleApiError("Google API rate limit exceeded", 429);
+  }
+  if (!res.ok) {
+    const body = await res.text();
+    throw new GoogleApiError(`GSC API error (${res.status}): ${body}`, res.status);
+  }
+  return await res.json();
+}
+async function listSites(accessToken) {
+  const data = await gscFetch(
+    accessToken,
+    `${GSC_API_BASE}/sites`
+  );
+  return data.siteEntry ?? [];
+}
+async function fetchSearchAnalytics(accessToken, siteUrl, opts) {
+  const allRows = [];
+  let startRow = 0;
+  const dimensions = opts.dimensions ?? ["query", "page", "country", "device", "date"];
+  for (; ; ) {
+    const requestBody = {
+      startDate: opts.startDate,
+      endDate: opts.endDate,
+      dimensions,
+      rowLimit: GSC_MAX_ROWS_PER_REQUEST,
+      startRow
+    };
+    if (opts.query || opts.page) {
+      const filters = [];
+      const filterList = [];
+      if (opts.query) filterList.push({ dimension: "query", operator: "contains", expression: opts.query });
+      if (opts.page) filterList.push({ dimension: "page", operator: "contains", expression: opts.page });
+      filters.push({ filters: filterList });
+      requestBody.dimensionFilterGroups = filters;
+    }
+    const encodedSiteUrl = encodeURIComponent(siteUrl);
+    const data = await gscFetch(
+      accessToken,
+      `${GSC_API_BASE}/sites/${encodedSiteUrl}/searchAnalytics/query`,
+      { method: "POST", body: requestBody }
+    );
+    const rows = data.rows ?? [];
+    allRows.push(...rows);
+    if (rows.length < GSC_MAX_ROWS_PER_REQUEST) {
+      break;
+    }
+    startRow += rows.length;
+  }
+  return allRows;
+}
+async function inspectUrl(accessToken, inspectionUrl, siteUrl) {
+  return gscFetch(
+    accessToken,
+    URL_INSPECTION_API,
+    {
+      method: "POST",
+      body: {
+        inspectionUrl,
+        siteUrl
+      }
+    }
+  );
+}
+
+// ../api-routes/src/google.ts
+function signState(payload, secret) {
+  return crypto12.createHmac("sha256", secret).update(payload).digest("hex");
+}
+function buildSignedState(data, secret) {
+  const payload = JSON.stringify(data);
+  const sig = signState(payload, secret);
+  return Buffer.from(JSON.stringify({ payload, sig })).toString("base64url");
+}
+function verifySignedState(encoded, secret) {
+  try {
+    const { payload, sig } = JSON.parse(Buffer.from(encoded, "base64url").toString());
+    const expected = signState(payload, secret);
+    if (!crypto12.timingSafeEqual(Buffer.from(sig, "hex"), Buffer.from(expected, "hex"))) return null;
+    return JSON.parse(payload);
+  } catch {
+    return null;
+  }
+}
+async function getValidToken(app, domain, connectionType, clientId, clientSecret) {
+  const conn = app.db.select().from(googleConnections).where(and4(eq12(googleConnections.domain, domain), eq12(googleConnections.connectionType, connectionType))).get();
+  if (!conn) {
+    throw notFound("Google connection", connectionType);
+  }
+  if (!conn.accessToken || !conn.refreshToken) {
+    throw validationError("Google connection is incomplete \u2014 please reconnect");
+  }
+  const expiresAt = conn.tokenExpiresAt ? new Date(conn.tokenExpiresAt).getTime() : 0;
+  const fiveMinutes = 5 * 60 * 1e3;
+  if (Date.now() > expiresAt - fiveMinutes) {
+    const tokens = await refreshAccessToken(clientId, clientSecret, conn.refreshToken);
+    const newExpiresAt = new Date(Date.now() + tokens.expires_in * 1e3).toISOString();
+    app.db.update(googleConnections).set({
+      accessToken: tokens.access_token,
+      tokenExpiresAt: newExpiresAt,
+      updatedAt: (/* @__PURE__ */ new Date()).toISOString()
+    }).where(eq12(googleConnections.id, conn.id)).run();
+    return { accessToken: tokens.access_token, connectionId: conn.id, propertyId: conn.propertyId };
+  }
+  return { accessToken: conn.accessToken, connectionId: conn.id, propertyId: conn.propertyId };
+}
+async function googleRoutes(app, opts) {
+  const { googleClientId, googleClientSecret } = opts;
+  const stateSecret = opts.googleStateSecret ?? "insecure-default-secret";
+  app.get("/projects/:name/google/connections", async (request) => {
+    const project = resolveProject(app.db, request.params.name);
+    const conns = app.db.select({
+      id: googleConnections.id,
+      domain: googleConnections.domain,
+      connectionType: googleConnections.connectionType,
+      propertyId: googleConnections.propertyId,
+      scopes: googleConnections.scopes,
+      createdAt: googleConnections.createdAt,
+      updatedAt: googleConnections.updatedAt
+    }).from(googleConnections).where(eq12(googleConnections.domain, project.canonicalDomain)).all();
+    return conns.map((c) => ({
+      ...c,
+      scopes: JSON.parse(c.scopes)
+    }));
+  });
+  app.post("/projects/:name/google/connect", async (request, reply) => {
+    if (!googleClientId || !googleClientSecret) {
+      const err = validationError("Google OAuth is not configured. Set GOOGLE_CLIENT_ID and GOOGLE_CLIENT_SECRET environment variables.");
+      return reply.status(err.statusCode).send(err.toJSON());
+    }
+    const { type, propertyId } = request.body ?? {};
+    if (!type || type !== "gsc" && type !== "ga4") {
+      const err = validationError('type must be "gsc" or "ga4"');
+      return reply.status(err.statusCode).send(err.toJSON());
+    }
+    const project = resolveProject(app.db, request.params.name);
+    const proto = request.headers["x-forwarded-proto"] ?? "http";
+    const host = request.headers.host ?? "localhost:4100";
+    const redirectUri = `${proto}://${host}/api/v1/projects/${encodeURIComponent(request.params.name)}/google/callback`;
+    const scopes = type === "gsc" ? [GSC_SCOPE] : [];
+    const stateEncoded = buildSignedState(
+      { domain: project.canonicalDomain, type, propertyId, redirectUri },
+      stateSecret
+    );
+    const authUrl = getAuthUrl(googleClientId, redirectUri, scopes, stateEncoded);
+    return { authUrl };
+  });
+  app.get("/projects/:name/google/callback", async (request, reply) => {
+    if (!googleClientId || !googleClientSecret) {
+      return reply.status(500).send("Google OAuth not configured");
+    }
+    const { code, state, error } = request.query;
+    if (error) {
+      const safeError = String(error).replace(/[&<>"']/g, (c) => ({ "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" })[c]);
+      return reply.type("text/html").send(`<html><body><h2>Authorization failed</h2><p>${safeError}</p><p>You can close this tab.</p></body></html>`);
+    }
+    if (!code || !state) {
+      return reply.status(400).send("Missing code or state parameter");
+    }
+    const stateData = verifySignedState(state, stateSecret);
+    if (!stateData) {
+      return reply.status(400).send("Invalid or tampered state parameter");
+    }
+    const { domain, type, propertyId, redirectUri } = stateData;
+    const tokens = await exchangeCode(googleClientId, googleClientSecret, code, redirectUri);
+    const now = (/* @__PURE__ */ new Date()).toISOString();
+    const expiresAt = new Date(Date.now() + tokens.expires_in * 1e3).toISOString();
+    const existing = app.db.select().from(googleConnections).where(and4(eq12(googleConnections.domain, domain), eq12(googleConnections.connectionType, type))).get();
+    if (existing) {
+      app.db.update(googleConnections).set({
+        accessToken: tokens.access_token,
+        refreshToken: tokens.refresh_token ?? existing.refreshToken,
+        tokenExpiresAt: expiresAt,
+        propertyId: propertyId ?? existing.propertyId,
+        scopes: JSON.stringify(tokens.scope?.split(" ") ?? []),
+        updatedAt: now
+      }).where(eq12(googleConnections.id, existing.id)).run();
+    } else {
+      app.db.insert(googleConnections).values({
+        id: crypto12.randomUUID(),
+        domain,
+        connectionType: type,
+        propertyId: propertyId ?? null,
+        accessToken: tokens.access_token,
+        refreshToken: tokens.refresh_token ?? null,
+        tokenExpiresAt: expiresAt,
+        scopes: JSON.stringify(tokens.scope?.split(" ") ?? []),
+        createdAt: now,
+        updatedAt: now
+      }).run();
+    }
+    writeAuditLog(app.db, {
+      projectId: null,
+      actor: "oauth",
+      action: "google.connected",
+      entityType: "google_connection",
+      entityId: type,
+      diff: { domain, type, propertyId }
+    });
+    return reply.type("text/html").send(
+      `<html><body style="font-family:system-ui;text-align:center;padding:60px">
+        <h2>Connected successfully!</h2>
+        <p>Google ${type.toUpperCase()} has been linked to your domain.</p>
+        <p style="color:#888">You can close this tab.</p>
+      </body></html>`
+    );
+  });
+  app.delete("/projects/:name/google/connections/:type", async (request, reply) => {
+    const project = resolveProject(app.db, request.params.name);
+    const deleted = app.db.delete(googleConnections).where(and4(eq12(googleConnections.domain, project.canonicalDomain), eq12(googleConnections.connectionType, request.params.type))).run();
+    if (deleted.changes === 0) {
+      const err = notFound("Google connection", request.params.type);
+      return reply.status(err.statusCode).send(err.toJSON());
+    }
+    writeAuditLog(app.db, {
+      projectId: project.id,
+      actor: "api",
+      action: "google.disconnected",
+      entityType: "google_connection",
+      entityId: request.params.type
+    });
+    return reply.status(204).send();
+  });
+  app.get("/projects/:name/google/properties", async (request, reply) => {
+    if (!googleClientId || !googleClientSecret) {
+      const err = validationError("Google OAuth is not configured");
+      return reply.status(err.statusCode).send(err.toJSON());
+    }
+    const project = resolveProject(app.db, request.params.name);
+    const { accessToken } = await getValidToken(app, project.canonicalDomain, "gsc", googleClientId, googleClientSecret);
+    const sites = await listSites(accessToken);
+    return { sites };
+  });
+  app.post("/projects/:name/google/gsc/sync", async (request, reply) => {
+    const project = resolveProject(app.db, request.params.name);
+    const conn = app.db.select().from(googleConnections).where(and4(eq12(googleConnections.domain, project.canonicalDomain), eq12(googleConnections.connectionType, "gsc"))).get();
+    if (!conn) {
+      const err = validationError('No GSC connection found for this domain. Run "canonry google connect" first.');
+      return reply.status(err.statusCode).send(err.toJSON());
+    }
+    const now = (/* @__PURE__ */ new Date()).toISOString();
+    const runId = crypto12.randomUUID();
+    app.db.insert(runs).values({
+      id: runId,
+      projectId: project.id,
+      kind: "gsc-sync",
+      status: "queued",
+      trigger: "manual",
+      createdAt: now
+    }).run();
+    const { days, full } = request.body ?? {};
+    if (opts.onGscSyncRequested) {
+      opts.onGscSyncRequested(runId, project.id, { days, full });
+    }
+    const run = app.db.select().from(runs).where(eq12(runs.id, runId)).get();
+    return run;
+  });
+  app.get("/projects/:name/google/gsc/performance", async (request) => {
+    const project = resolveProject(app.db, request.params.name);
+    const { startDate, endDate, query, page, limit } = request.query;
+    const conditions = [eq12(gscSearchData.projectId, project.id)];
+    if (startDate) conditions.push(sql2`${gscSearchData.date} >= ${startDate}`);
+    if (endDate) conditions.push(sql2`${gscSearchData.date} <= ${endDate}`);
+    if (query) conditions.push(sql2`${gscSearchData.query} LIKE ${"%" + query + "%"}`);
+    if (page) conditions.push(sql2`${gscSearchData.page} LIKE ${"%" + page + "%"}`);
+    const rows = app.db.select().from(gscSearchData).where(and4(...conditions)).orderBy(desc2(gscSearchData.date)).limit(parseInt(limit ?? "500", 10)).all();
+    return rows.map((r) => ({
+      date: r.date,
+      query: r.query,
+      page: r.page,
+      country: r.country,
+      device: r.device,
+      clicks: r.clicks,
+      impressions: r.impressions,
+      ctr: parseFloat(r.ctr),
+      position: parseFloat(r.position)
+    }));
+  });
+  app.post("/projects/:name/google/gsc/inspect", async (request, reply) => {
+    if (!googleClientId || !googleClientSecret) {
+      const err = validationError("Google OAuth is not configured");
+      return reply.status(err.statusCode).send(err.toJSON());
+    }
+    const project = resolveProject(app.db, request.params.name);
+    const { url } = request.body ?? {};
+    if (!url) {
+      const err = validationError("url is required");
+      return reply.status(err.statusCode).send(err.toJSON());
+    }
+    const { accessToken, propertyId } = await getValidToken(app, project.canonicalDomain, "gsc", googleClientId, googleClientSecret);
+    if (!propertyId) {
+      const err = validationError("No GSC property configured for this connection");
+      return reply.status(err.statusCode).send(err.toJSON());
+    }
+    const result = await inspectUrl(accessToken, url, propertyId);
+    const ir = result.inspectionResult;
+    const idx = ir.indexStatusResult;
+    const mob = ir.mobileUsabilityResult;
+    const rich = ir.richResultsResult;
+    const now = (/* @__PURE__ */ new Date()).toISOString();
+    const id = crypto12.randomUUID();
+    app.db.insert(gscUrlInspections).values({
+      id,
+      projectId: project.id,
+      syncRunId: null,
+      url,
+      indexingState: idx?.indexingState ?? null,
+      verdict: idx?.verdict ?? null,
+      coverageState: idx?.coverageState ?? null,
+      pageFetchState: idx?.pageFetchState ?? null,
+      robotsTxtState: idx?.robotsTxtState ?? null,
+      crawlTime: idx?.lastCrawlTime ?? null,
+      lastCrawlResult: idx?.crawlResult ?? null,
+      isMobileFriendly: mob?.verdict === "PASS" ? 1 : mob?.verdict === "FAIL" ? 0 : null,
+      richResults: JSON.stringify(rich?.detectedItems?.map((d) => d.richResultType) ?? []),
+      referringUrls: JSON.stringify(idx?.referringUrls ?? []),
+      inspectedAt: now,
+      createdAt: now
+    }).run();
+    return {
+      id,
+      url,
+      indexingState: idx?.indexingState,
+      verdict: idx?.verdict,
+      coverageState: idx?.coverageState,
+      pageFetchState: idx?.pageFetchState,
+      robotsTxtState: idx?.robotsTxtState,
+      crawlTime: idx?.lastCrawlTime,
+      lastCrawlResult: idx?.crawlResult,
+      isMobileFriendly: mob?.verdict === "PASS",
+      richResults: rich?.detectedItems?.map((d) => d.richResultType) ?? [],
+      referringUrls: idx?.referringUrls ?? [],
+      inspectedAt: now
+    };
+  });
+  app.get("/projects/:name/google/gsc/inspections", async (request) => {
+    const project = resolveProject(app.db, request.params.name);
+    const { url, limit } = request.query;
+    const conditions = [eq12(gscUrlInspections.projectId, project.id)];
+    if (url) conditions.push(eq12(gscUrlInspections.url, url));
+    const rows = app.db.select().from(gscUrlInspections).where(and4(...conditions)).orderBy(desc2(gscUrlInspections.inspectedAt)).limit(parseInt(limit ?? "100", 10)).all();
+    return rows.map((r) => ({
+      id: r.id,
+      url: r.url,
+      indexingState: r.indexingState,
+      verdict: r.verdict,
+      coverageState: r.coverageState,
+      pageFetchState: r.pageFetchState,
+      robotsTxtState: r.robotsTxtState,
+      crawlTime: r.crawlTime,
+      lastCrawlResult: r.lastCrawlResult,
+      isMobileFriendly: r.isMobileFriendly === 1 ? true : r.isMobileFriendly === 0 ? false : null,
+      richResults: JSON.parse(r.richResults),
+      referringUrls: JSON.parse(r.referringUrls),
+      inspectedAt: r.inspectedAt
+    }));
+  });
+  app.get("/projects/:name/google/gsc/deindexed", async (request) => {
+    const project = resolveProject(app.db, request.params.name);
+    const allInspections = app.db.select().from(gscUrlInspections).where(eq12(gscUrlInspections.projectId, project.id)).orderBy(desc2(gscUrlInspections.inspectedAt)).all();
+    const byUrl = /* @__PURE__ */ new Map();
+    for (const row of allInspections) {
+      const existing = byUrl.get(row.url);
+      if (existing) {
+        existing.push(row);
+      } else {
+        byUrl.set(row.url, [row]);
+      }
+    }
+    const deindexed = [];
+    for (const [url, inspections] of byUrl) {
+      if (inspections.length < 2) continue;
+      const latest = inspections[0];
+      const previous = inspections[1];
+      if (previous.indexingState?.toUpperCase() === "INDEXED" && latest.indexingState?.toUpperCase() !== "INDEXED") {
+        deindexed.push({
+          url,
+          previousState: previous.indexingState,
+          currentState: latest.indexingState,
+          transitionDate: latest.inspectedAt
+        });
+      }
+    }
+    return deindexed;
+  });
+  app.put("/projects/:name/google/connections/:type/property", async (request, reply) => {
+    const project = resolveProject(app.db, request.params.name);
+    const { propertyId } = request.body ?? {};
+    if (!propertyId) {
+      const err = validationError("propertyId is required");
+      return reply.status(err.statusCode).send(err.toJSON());
+    }
+    const conn = app.db.select().from(googleConnections).where(and4(eq12(googleConnections.domain, project.canonicalDomain), eq12(googleConnections.connectionType, request.params.type))).get();
+    if (!conn) {
+      const err = notFound("Google connection", request.params.type);
+      return reply.status(err.statusCode).send(err.toJSON());
+    }
+    app.db.update(googleConnections).set({ propertyId, updatedAt: (/* @__PURE__ */ new Date()).toISOString() }).where(eq12(googleConnections.id, conn.id)).run();
+    return { propertyId };
+  });
+}
+
 // ../api-routes/src/index.ts
 async function apiRoutes(app, opts) {
   app.decorate("db", opts.db);
@@ -3107,6 +3773,12 @@ async function apiRoutes(app, opts) {
       getTelemetryStatus: opts.getTelemetryStatus,
       setTelemetryEnabled: opts.setTelemetryEnabled
     });
+    await api.register(googleRoutes, {
+      googleClientId: opts.googleClientId,
+      googleClientSecret: opts.googleClientSecret,
+      googleStateSecret: opts.googleStateSecret,
+      onGscSyncRequested: opts.onGscSyncRequested
+    });
   }, { prefix: "/api/v1" });
 }
 
@@ -4027,8 +4699,8 @@ var localAdapter = {
 };
 
 // src/job-runner.ts
-import crypto12 from "crypto";
-import { eq as eq12, inArray as inArray2 } from "drizzle-orm";
+import crypto13 from "crypto";
+import { eq as eq13, inArray as inArray2 } from "drizzle-orm";
 var JobRunner = class {
   db;
   registry;
@@ -4042,7 +4714,7 @@ var JobRunner = class {
     if (stale.length === 0) return;
     const now = (/* @__PURE__ */ new Date()).toISOString();
     for (const run of stale) {
-      this.db.update(runs).set({ status: "failed", finishedAt: now, error: "Server restarted while run was in progress" }).where(eq12(runs.id, run.id)).run();
+      this.db.update(runs).set({ status: "failed", finishedAt: now, error: "Server restarted while run was in progress" }).where(eq13(runs.id, run.id)).run();
       console.log(`[JobRunner] Recovered stale run ${run.id} (was ${run.status})`);
     }
   }
@@ -4050,8 +4722,8 @@ var JobRunner = class {
     const now = (/* @__PURE__ */ new Date()).toISOString();
     const startTime = Date.now();
     try {
-      this.db.update(runs).set({ status: "running", startedAt: now }).where(eq12(runs.id, runId)).run();
-      const project = this.db.select().from(projects).where(eq12(projects.id, projectId)).get();
+      this.db.update(runs).set({ status: "running", startedAt: now }).where(eq13(runs.id, runId)).run();
+      const project = this.db.select().from(projects).where(eq13(projects.id, projectId)).get();
       if (!project) {
         throw new Error(`Project ${projectId} not found`);
       }
@@ -4061,14 +4733,14 @@ var JobRunner = class {
         throw new Error("No providers configured. Add at least one provider API key.");
       }
       console.log(`[JobRunner] Run ${runId}: dispatching to ${activeProviders.length} providers: ${activeProviders.map((p) => p.adapter.name).join(", ")}`);
-      const projectKeywords = this.db.select().from(keywords).where(eq12(keywords.projectId, projectId)).all();
-      const projectCompetitors = this.db.select().from(competitors).where(eq12(competitors.projectId, projectId)).all();
+      const projectKeywords = this.db.select().from(keywords).where(eq13(keywords.projectId, projectId)).all();
+      const projectCompetitors = this.db.select().from(competitors).where(eq13(competitors.projectId, projectId)).all();
       const competitorDomains = projectCompetitors.map((c) => c.domain);
       const queriesPerProvider = projectKeywords.length;
       const todayPeriod = getCurrentPeriod();
       for (const p of activeProviders) {
         const providerScope = `${projectId}:${p.adapter.name}`;
-        const providerUsage = this.db.select().from(usageCounters).where(eq12(usageCounters.scope, providerScope)).all().filter((r) => r.period === todayPeriod && r.metric === "queries").reduce((sum, r) => sum + r.count, 0);
+        const providerUsage = this.db.select().from(usageCounters).where(eq13(usageCounters.scope, providerScope)).all().filter((r) => r.period === todayPeriod && r.metric === "queries").reduce((sum, r) => sum + r.count, 0);
         const limit = p.config.quotaPolicy.maxRequestsPerDay;
         if (providerUsage + queriesPerProvider > limit) {
           throw new Error(
@@ -4108,7 +4780,7 @@ var JobRunner = class {
             const citationState = determineCitationState(normalized, allDomains);
             const overlap = computeCompetitorOverlap(normalized, competitorDomains);
             this.db.insert(querySnapshots).values({
-              id: crypto12.randomUUID(),
+              id: crypto13.randomUUID(),
               runId,
               keywordId: kw.id,
               provider: providerName,
@@ -4139,12 +4811,12 @@ var JobRunner = class {
       const someFailed = providerErrors.size > 0;
       if (allFailed) {
         const errorDetail = JSON.stringify(Object.fromEntries(providerErrors));
-        this.db.update(runs).set({ status: "failed", finishedAt: (/* @__PURE__ */ new Date()).toISOString(), error: errorDetail }).where(eq12(runs.id, runId)).run();
+        this.db.update(runs).set({ status: "failed", finishedAt: (/* @__PURE__ */ new Date()).toISOString(), error: errorDetail }).where(eq13(runs.id, runId)).run();
       } else if (someFailed) {
         const errorDetail = JSON.stringify(Object.fromEntries(providerErrors));
-        this.db.update(runs).set({ status: "partial", finishedAt: (/* @__PURE__ */ new Date()).toISOString(), error: errorDetail }).where(eq12(runs.id, runId)).run();
+        this.db.update(runs).set({ status: "partial", finishedAt: (/* @__PURE__ */ new Date()).toISOString(), error: errorDetail }).where(eq13(runs.id, runId)).run();
       } else {
-        this.db.update(runs).set({ status: "completed", finishedAt: (/* @__PURE__ */ new Date()).toISOString() }).where(eq12(runs.id, runId)).run();
+        this.db.update(runs).set({ status: "completed", finishedAt: (/* @__PURE__ */ new Date()).toISOString() }).where(eq13(runs.id, runId)).run();
       }
       const finalStatus = allFailed ? "failed" : someFailed ? "partial" : "completed";
       trackEvent("run.completed", {
@@ -4169,7 +4841,7 @@ var JobRunner = class {
         status: "failed",
         finishedAt: (/* @__PURE__ */ new Date()).toISOString(),
         error: errorMessage
-      }).where(eq12(runs.id, runId)).run();
+      }).where(eq13(runs.id, runId)).run();
       trackEvent("run.completed", {
         status: "failed",
         providerCount: 0,
@@ -4205,10 +4877,10 @@ var JobRunner = class {
   incrementUsage(scope, metric, count) {
     const now = /* @__PURE__ */ new Date();
     const period = `${now.getUTCFullYear()}-${String(now.getUTCMonth() + 1).padStart(2, "0")}`;
-    const id = crypto12.randomUUID();
-    const existing = this.db.select().from(usageCounters).where(eq12(usageCounters.scope, scope)).all().find((r) => r.period === period && r.metric === metric);
+    const id = crypto13.randomUUID();
+    const existing = this.db.select().from(usageCounters).where(eq13(usageCounters.scope, scope)).all().find((r) => r.period === period && r.metric === metric);
     if (existing) {
-      this.db.update(usageCounters).set({ count: existing.count + count, updatedAt: now.toISOString() }).where(eq12(usageCounters.id, existing.id)).run();
+      this.db.update(usageCounters).set({ count: existing.count + count, updatedAt: now.toISOString() }).where(eq13(usageCounters.id, existing.id)).run();
     } else {
       this.db.insert(usageCounters).values({
         id,
@@ -4287,6 +4959,132 @@ function computeCompetitorOverlap(normalized, competitorDomains) {
   return [...overlapSet];
 }
 
+// src/gsc-sync.ts
+import crypto14 from "crypto";
+import { eq as eq14, and as and5, sql as sql3 } from "drizzle-orm";
+function formatDate(d) {
+  return d.toISOString().split("T")[0];
+}
+function daysAgo(n) {
+  const d = /* @__PURE__ */ new Date();
+  d.setDate(d.getDate() - n);
+  return d;
+}
+async function executeGscSync(db, runId, projectId, opts) {
+  const now = (/* @__PURE__ */ new Date()).toISOString();
+  db.update(runs).set({ status: "running", startedAt: now }).where(eq14(runs.id, runId)).run();
+  try {
+    const project = db.select().from(projects).where(eq14(projects.id, projectId)).get();
+    if (!project) {
+      throw new Error(`Project not found: ${projectId}`);
+    }
+    const conn = db.select().from(googleConnections).where(and5(eq14(googleConnections.domain, project.canonicalDomain), eq14(googleConnections.connectionType, "gsc"))).get();
+    if (!conn || !conn.refreshToken) {
+      throw new Error("No GSC connection found or connection is incomplete");
+    }
+    if (!conn.propertyId) {
+      throw new Error('No GSC property selected. Use "canonry google properties" to list available sites, then set one with the API.');
+    }
+    let accessToken = conn.accessToken;
+    const expiresAt = conn.tokenExpiresAt ? new Date(conn.tokenExpiresAt).getTime() : 0;
+    if (Date.now() > expiresAt - 5 * 60 * 1e3) {
+      const tokens = await refreshAccessToken(opts.googleClientId, opts.googleClientSecret, conn.refreshToken);
+      accessToken = tokens.access_token;
+      db.update(googleConnections).set({
+        accessToken: tokens.access_token,
+        tokenExpiresAt: new Date(Date.now() + tokens.expires_in * 1e3).toISOString(),
+        updatedAt: (/* @__PURE__ */ new Date()).toISOString()
+      }).where(eq14(googleConnections.id, conn.id)).run();
+    }
+    const lagOffset = GSC_DATA_LAG_DAYS;
+    const endDate = formatDate(daysAgo(lagOffset));
+    const days = opts.full ? 480 : opts.days ?? 30;
+    const startDate = formatDate(daysAgo(days + lagOffset));
+    console.log(`[GSC Sync] Fetching search analytics for ${conn.propertyId} from ${startDate} to ${endDate}`);
+    const rows = await fetchSearchAnalytics(accessToken, conn.propertyId, {
+      startDate,
+      endDate
+    });
+    console.log(`[GSC Sync] Received ${rows.length} rows`);
+    db.delete(gscSearchData).where(
+      and5(
+        eq14(gscSearchData.projectId, projectId),
+        sql3`${gscSearchData.date} >= ${startDate}`,
+        sql3`${gscSearchData.date} <= ${endDate}`
+      )
+    ).run();
+    const batchSize = 500;
+    for (let i = 0; i < rows.length; i += batchSize) {
+      const batch = rows.slice(i, i + batchSize);
+      const insertNow = (/* @__PURE__ */ new Date()).toISOString();
+      for (const row of batch) {
+        const [query, page, country, device, date] = row.keys;
+        db.insert(gscSearchData).values({
+          id: crypto14.randomUUID(),
+          projectId,
+          syncRunId: runId,
+          date: date ?? "",
+          query: query ?? "",
+          page: page ?? "",
+          country: country ?? null,
+          device: device ?? null,
+          clicks: row.clicks,
+          impressions: row.impressions,
+          ctr: String(row.ctr),
+          position: String(row.position),
+          createdAt: insertNow
+        }).run();
+      }
+    }
+    const pageClicks = /* @__PURE__ */ new Map();
+    for (const row of rows) {
+      const page = row.keys[1];
+      if (page) {
+        pageClicks.set(page, (pageClicks.get(page) ?? 0) + row.clicks);
+      }
+    }
+    const topPages = [...pageClicks.entries()].sort((a, b) => b[1] - a[1]).slice(0, 50).map(([page]) => page);
+    console.log(`[GSC Sync] Inspecting ${topPages.length} URLs`);
+    for (const pageUrl of topPages) {
+      try {
+        const result = await inspectUrl(accessToken, pageUrl, conn.propertyId);
+        const ir = result.inspectionResult;
+        const idx = ir.indexStatusResult;
+        const mob = ir.mobileUsabilityResult;
+        const rich = ir.richResultsResult;
+        const inspectedAt = (/* @__PURE__ */ new Date()).toISOString();
+        db.insert(gscUrlInspections).values({
+          id: crypto14.randomUUID(),
+          projectId,
+          syncRunId: runId,
+          url: pageUrl,
+          indexingState: idx?.indexingState ?? null,
+          verdict: idx?.verdict ?? null,
+          coverageState: idx?.coverageState ?? null,
+          pageFetchState: idx?.pageFetchState ?? null,
+          robotsTxtState: idx?.robotsTxtState ?? null,
+          crawlTime: idx?.lastCrawlTime ?? null,
+          lastCrawlResult: idx?.crawlResult ?? null,
+          isMobileFriendly: mob?.verdict === "PASS" ? 1 : mob?.verdict === "FAIL" ? 0 : null,
+          richResults: JSON.stringify(rich?.detectedItems?.map((d) => d.richResultType) ?? []),
+          referringUrls: JSON.stringify(idx?.referringUrls ?? []),
+          inspectedAt,
+          createdAt: inspectedAt
+        }).run();
+      } catch (err) {
+        console.error(`[GSC Sync] Failed to inspect ${pageUrl}:`, err instanceof Error ? err.message : err);
+      }
+    }
+    db.update(runs).set({ status: "completed", finishedAt: (/* @__PURE__ */ new Date()).toISOString() }).where(eq14(runs.id, runId)).run();
+    console.log(`[GSC Sync] Completed. ${rows.length} search data rows, ${topPages.length} URL inspections.`);
+  } catch (err) {
+    const errorMsg = err instanceof Error ? err.message : String(err);
+    db.update(runs).set({ status: "failed", error: errorMsg, finishedAt: (/* @__PURE__ */ new Date()).toISOString() }).where(eq14(runs.id, runId)).run();
+    console.error(`[GSC Sync] Failed:`, errorMsg);
+    throw err;
+  }
+}
+
 // src/provider-registry.ts
 var ProviderRegistry = class {
   providers = /* @__PURE__ */ new Map();
@@ -4332,7 +5130,7 @@ var ProviderRegistry = class {
 
 // src/scheduler.ts
 import cron from "node-cron";
-import { eq as eq13 } from "drizzle-orm";
+import { eq as eq15 } from "drizzle-orm";
 var Scheduler = class {
   db;
   callbacks;
@@ -4343,7 +5141,7 @@ var Scheduler = class {
   }
   /** Load all enabled schedules from DB and register cron jobs. */
   start() {
-    const allSchedules = this.db.select().from(schedules).where(eq13(schedules.enabled, 1)).all();
+    const allSchedules = this.db.select().from(schedules).where(eq15(schedules.enabled, 1)).all();
     for (const schedule of allSchedules) {
       const missedRunAt = schedule.nextRunAt;
       this.registerCronTask(schedule);
@@ -4369,7 +5167,7 @@ var Scheduler = class {
       existing.stop();
       this.tasks.delete(projectId);
     }
-    const schedule = this.db.select().from(schedules).where(eq13(schedules.projectId, projectId)).get();
+    const schedule = this.db.select().from(schedules).where(eq15(schedules.projectId, projectId)).get();
     if (schedule && schedule.enabled === 1) {
       this.registerCronTask(schedule);
     }
@@ -4398,13 +5196,13 @@ var Scheduler = class {
     this.db.update(schedules).set({
       nextRunAt: task.getNextRun()?.toISOString() ?? null,
       updatedAt: (/* @__PURE__ */ new Date()).toISOString()
-    }).where(eq13(schedules.id, scheduleId)).run();
+    }).where(eq15(schedules.id, scheduleId)).run();
     const label = schedule.preset ?? cronExpr;
     console.log(`[Scheduler] Registered "${label}" (${timezone}) for project ${projectId}`);
   }
   triggerRun(scheduleId, projectId) {
     const now = (/* @__PURE__ */ new Date()).toISOString();
-    const currentSchedule = this.db.select().from(schedules).where(eq13(schedules.id, scheduleId)).get();
+    const currentSchedule = this.db.select().from(schedules).where(eq15(schedules.id, scheduleId)).get();
     if (!currentSchedule || currentSchedule.enabled !== 1) {
       console.log(`[Scheduler] Schedule ${scheduleId} no longer exists or is disabled, removing task for project ${projectId}`);
       this.remove(projectId);
@@ -4412,7 +5210,7 @@ var Scheduler = class {
     }
     const task = this.tasks.get(projectId);
     const nextRunAt = task?.getNextRun()?.toISOString() ?? null;
-    const project = this.db.select().from(projects).where(eq13(projects.id, projectId)).get();
+    const project = this.db.select().from(projects).where(eq15(projects.id, projectId)).get();
     if (!project) {
       console.error(`[Scheduler] Project ${projectId} not found, skipping scheduled run`);
       this.remove(projectId);
@@ -4429,7 +5227,7 @@ var Scheduler = class {
       this.db.update(schedules).set({
         nextRunAt,
         updatedAt: now
-      }).where(eq13(schedules.id, currentSchedule.id)).run();
+      }).where(eq15(schedules.id, currentSchedule.id)).run();
       return;
     }
     const runId = queueResult.runId;
@@ -4437,7 +5235,7 @@ var Scheduler = class {
       lastRunAt: now,
       nextRunAt,
       updatedAt: now
-    }).where(eq13(schedules.id, currentSchedule.id)).run();
+    }).where(eq15(schedules.id, currentSchedule.id)).run();
     const scheduleProviders = JSON.parse(currentSchedule.providers);
     const providers = scheduleProviders.length > 0 ? scheduleProviders : void 0;
     console.log(`[Scheduler] Triggered scheduled run ${runId} for project ${project.name}`);
@@ -4446,8 +5244,8 @@ var Scheduler = class {
 };
 
 // src/notifier.ts
-import { eq as eq14, desc as desc2, and as and3, or as or2 } from "drizzle-orm";
-import crypto13 from "crypto";
+import { eq as eq16, desc as desc3, and as and6, or as or2 } from "drizzle-orm";
+import crypto15 from "crypto";
 var Notifier = class {
   db;
   serverUrl;
@@ -4458,18 +5256,18 @@ var Notifier = class {
   /** Called after a run completes (success, partial, or failed). */
   async onRunCompleted(runId, projectId) {
     console.log(`[Notifier] onRunCompleted: runId=${runId} projectId=${projectId}`);
-    const notifs = this.db.select().from(notifications).where(eq14(notifications.projectId, projectId)).all().filter((n) => n.enabled === 1);
+    const notifs = this.db.select().from(notifications).where(eq16(notifications.projectId, projectId)).all().filter((n) => n.enabled === 1);
     if (notifs.length === 0) {
       console.log(`[Notifier] No enabled notifications for project ${projectId} \u2014 skipping`);
       return;
     }
     console.log(`[Notifier] Found ${notifs.length} enabled notification(s) for project ${projectId}`);
-    const run = this.db.select().from(runs).where(eq14(runs.id, runId)).get();
+    const run = this.db.select().from(runs).where(eq16(runs.id, runId)).get();
     if (!run) {
       console.error(`[Notifier] Run ${runId} not found \u2014 skipping notification dispatch`);
       return;
     }
-    const project = this.db.select().from(projects).where(eq14(projects.id, projectId)).get();
+    const project = this.db.select().from(projects).where(eq16(projects.id, projectId)).get();
     if (!project) {
       console.error(`[Notifier] Project ${projectId} not found \u2014 skipping notification dispatch`);
       return;
@@ -4509,11 +5307,11 @@ var Notifier = class {
   }
   computeTransitions(runId, projectId) {
     const recentRuns = this.db.select().from(runs).where(
-      and3(
-        eq14(runs.projectId, projectId),
-        or2(eq14(runs.status, "completed"), eq14(runs.status, "partial"))
+      and6(
+        eq16(runs.projectId, projectId),
+        or2(eq16(runs.status, "completed"), eq16(runs.status, "partial"))
       )
-    ).orderBy(desc2(runs.createdAt)).limit(2).all();
+    ).orderBy(desc3(runs.createdAt)).limit(2).all();
     if (recentRuns.length < 2) return [];
     const currentRunId = recentRuns[0].id;
     const previousRunId = recentRuns[1].id;
@@ -4523,12 +5321,12 @@ var Notifier = class {
       keyword: keywords.keyword,
       provider: querySnapshots.provider,
       citationState: querySnapshots.citationState
-    }).from(querySnapshots).leftJoin(keywords, eq14(querySnapshots.keywordId, keywords.id)).where(eq14(querySnapshots.runId, currentRunId)).all();
+    }).from(querySnapshots).leftJoin(keywords, eq16(querySnapshots.keywordId, keywords.id)).where(eq16(querySnapshots.runId, currentRunId)).all();
     const previousSnapshots = this.db.select({
       keywordId: querySnapshots.keywordId,
       provider: querySnapshots.provider,
       citationState: querySnapshots.citationState
-    }).from(querySnapshots).where(eq14(querySnapshots.runId, previousRunId)).all();
+    }).from(querySnapshots).where(eq16(querySnapshots.runId, previousRunId)).all();
     const prevMap = /* @__PURE__ */ new Map();
     for (const s of previousSnapshots) {
       prevMap.set(`${s.keywordId}:${s.provider}`, s.citationState);
@@ -4585,7 +5383,7 @@ var Notifier = class {
   }
   logDelivery(projectId, notificationId, event, status, error) {
     this.db.insert(auditLog).values({
-      id: crypto13.randomUUID(),
+      id: crypto15.randomUUID(),
       projectId,
       actor: "scheduler",
       action: `notification.${status}`,
@@ -4796,9 +5594,28 @@ async function createServer(opts) {
     quota: registry.get(name)?.config.quotaPolicy
   }));
   const adapterMap = { gemini: geminiAdapter, openai: openaiAdapter, claude: claudeAdapter, local: localAdapter };
+  const googleClientId = process.env.GOOGLE_CLIENT_ID;
+  const googleClientSecret = process.env.GOOGLE_CLIENT_SECRET;
+  const googleStateSecret = process.env.GOOGLE_STATE_SECRET ?? crypto16.randomBytes(32).toString("hex");
   await app.register(apiRoutes, {
     db: opts.db,
     skipAuth: false,
+    googleClientId,
+    googleClientSecret,
+    googleStateSecret,
+    onGscSyncRequested: (runId, projectId, syncOpts) => {
+      if (!googleClientId || !googleClientSecret) {
+        app.log.error("GSC sync requested but GOOGLE_CLIENT_ID/SECRET not configured");
+        return;
+      }
+      executeGscSync(opts.db, runId, projectId, {
+        ...syncOpts,
+        googleClientId,
+        googleClientSecret
+      }).catch((err) => {
+        app.log.error({ runId, err }, "GSC sync failed");
+      });
+    },
     openApiInfo: {
       title: "Canonry API",
       version: PKG_VERSION