@ainyc/canonry 1.10.1 → 1.12.0

package/dist/{chunk-2DC7RBXJ.js → chunk-O4HLQBL7.js}

@@ -9,6 +9,16 @@ import fs from "fs";
 import path from "path";
 import os from "os";
 import { parse, stringify } from "yaml";
+function normalizeGoogleConfig(config) {
+  if (!config.google) return;
+  config.google.connections = (config.google.connections ?? []).map((connection) => ({
+    ...connection,
+    propertyId: connection.propertyId ?? null,
+    refreshToken: connection.refreshToken ?? null,
+    tokenExpiresAt: connection.tokenExpiresAt ?? null,
+    scopes: connection.scopes ?? []
+  }));
+}
 function getConfigDir() {
   const override = process.env.CANONRY_CONFIG_DIR?.trim();
   if (override) {
@@ -25,7 +35,7 @@ function loadConfig() {
     throw new Error(
       `Config not found at ${configPath}.
 Run "canonry init" to set up interactively, or "canonry init --gemini-key <key>" for non-interactive setup.
-For CI/Docker, use "canonry bootstrap" with env vars (GEMINI_API_KEY, OPENAI_API_KEY, ANTHROPIC_API_KEY).`
+For CI/Docker, use "canonry bootstrap" with env vars (GEMINI_API_KEY, OPENAI_API_KEY, ANTHROPIC_API_KEY, GOOGLE_CLIENT_ID, GOOGLE_CLIENT_SECRET).`
     );
   }
   const raw = fs.readFileSync(configPath, "utf-8");
@@ -39,7 +49,7 @@ For CI/Docker, use "canonry bootstrap" with env vars (GEMINI_API_KEY, OPENAI_API
     throw new Error(
       `Invalid config at ${configPath} \u2014 missing: ${missing}.
 These fields are auto-generated. Run "canonry init" (or "canonry init --gemini-key <key>" for non-interactive setup) to create a valid config.
-Do not write config.yaml by hand; use "canonry init" or "canonry bootstrap" instead.`
+Do not write config.yaml by hand; use "canonry init", "canonry settings", or "canonry bootstrap" instead.`
     );
   }
   if (parsed.geminiApiKey && !parsed.providers?.gemini) {
@@ -52,6 +62,7 @@ Do not write config.yaml by hand; use "canonry init" or "canonry bootstrap" inst
       }
     };
   }
+  normalizeGoogleConfig(parsed);
   return parsed;
 }
 function saveConfig(config) {
@@ -1548,7 +1559,7 @@ function resolveProjectSafe3(app, name, reply) {
 
 // ../api-routes/src/apply.ts
 import crypto9 from "crypto";
-import { eq as eq8, and as and3 } from "drizzle-orm";
+import { eq as eq8 } from "drizzle-orm";
 
 // ../api-routes/src/schedule-utils.ts
 var DAY_MAP = {
@@ -1986,11 +1997,7 @@ async function applyRoutes(app, opts) {
       });
     }
     if ("google" in rawSpec && config.spec.google?.gsc?.propertyUrl) {
-      const domain = config.spec.canonicalDomain;
-      const conn = app.db.select().from(googleConnections).where(and3(eq8(googleConnections.domain, domain), eq8(googleConnections.connectionType, "gsc"))).get();
-      if (conn) {
-        app.db.update(googleConnections).set({ propertyId: config.spec.google.gsc.propertyUrl, updatedAt: now }).where(eq8(googleConnections.id, conn.id)).run();
-      }
+      opts?.onGoogleConnectionPropertyUpdated?.(config.spec.canonicalDomain, "gsc", config.spec.google.gsc.propertyUrl);
     }
     const project = app.db.select().from(projects).where(eq8(projects.id, projectId)).get();
     return reply.status(200).send({
@@ -2887,7 +2894,8 @@ function buildOperationId(method, path3) {
 // ../api-routes/src/settings.ts
 async function settingsRoutes(app, opts) {
   app.get("/settings", async () => ({
-    providers: opts.providerSummary ?? []
+    providers: opts.providerSummary ?? [],
+    google: opts.google ?? { configured: false }
   }));
   app.put("/settings/providers/:name", async (request, reply) => {
     const providerName = parseProviderName(request.params.name);
@@ -2935,6 +2943,22 @@ async function settingsRoutes(app, opts) {
     }
     return result;
   });
+  app.put("/settings/google", async (request, reply) => {
+    const { clientId, clientSecret } = request.body ?? {};
+    if (!clientId || typeof clientId !== "string" || !clientSecret || typeof clientSecret !== "string") {
+      return reply.status(400).send({
+        error: { code: "VALIDATION_ERROR", message: "clientId and clientSecret are required" }
+      });
+    }
+    if (!opts.onGoogleUpdate) {
+      return reply.status(501).send({ error: "Google OAuth configuration updates are not supported in this deployment" });
+    }
+    const result = opts.onGoogleUpdate(clientId, clientSecret);
+    if (!result) {
+      return reply.status(500).send({ error: "Failed to update Google OAuth configuration" });
+    }
+    return result;
+  });
 }
 
 // ../api-routes/src/telemetry.ts
@@ -3248,7 +3272,7 @@ function resolveProjectSafe6(app, name, reply) {
 
 // ../api-routes/src/google.ts
 import crypto12 from "crypto";
-import { eq as eq12, and as and4, desc as desc2, sql as sql2 } from "drizzle-orm";
+import { eq as eq12, and as and3, desc as desc2, sql as sql2 } from "drizzle-orm";
 
 // ../integration-google/src/constants.ts
 var GOOGLE_AUTH_URL = "https://accounts.google.com/o/oauth2/v2/auth";
@@ -3423,8 +3447,8 @@ function verifySignedState(encoded, secret) {
     return null;
   }
 }
-async function getValidToken(app, domain, connectionType, clientId, clientSecret) {
-  const conn = app.db.select().from(googleConnections).where(and4(eq12(googleConnections.domain, domain), eq12(googleConnections.connectionType, connectionType))).get();
+async function getValidToken(store, domain, connectionType, clientId, clientSecret) {
+  const conn = store.getConnection(domain, connectionType);
   if (!conn) {
     throw notFound("Google connection", connectionType);
   }
@@ -3436,64 +3460,110 @@ async function getValidToken(app, domain, connectionType, clientId, clientSecret
   if (Date.now() > expiresAt - fiveMinutes) {
     const tokens = await refreshAccessToken(clientId, clientSecret, conn.refreshToken);
     const newExpiresAt = new Date(Date.now() + tokens.expires_in * 1e3).toISOString();
-    app.db.update(googleConnections).set({
+    const updated = store.updateConnection(domain, connectionType, {
       accessToken: tokens.access_token,
       tokenExpiresAt: newExpiresAt,
       updatedAt: (/* @__PURE__ */ new Date()).toISOString()
-    }).where(eq12(googleConnections.id, conn.id)).run();
-    return { accessToken: tokens.access_token, connectionId: conn.id, propertyId: conn.propertyId };
+    });
+    return {
+      accessToken: tokens.access_token,
+      connectionId: `${domain}:${connectionType}`,
+      propertyId: updated?.propertyId ?? conn.propertyId ?? null
+    };
   }
-  return { accessToken: conn.accessToken, connectionId: conn.id, propertyId: conn.propertyId };
+  return {
+    accessToken: conn.accessToken,
+    connectionId: `${domain}:${connectionType}`,
+    propertyId: conn.propertyId ?? null
+  };
 }
 async function googleRoutes(app, opts) {
-  const { googleClientId, googleClientSecret } = opts;
   const stateSecret = opts.googleStateSecret ?? "insecure-default-secret";
+  function getAuthConfig() {
+    return opts.getGoogleAuthConfig?.() ?? {};
+  }
+  function requireConnectionStore(reply) {
+    if (opts.googleConnectionStore) return opts.googleConnectionStore;
+    const err = validationError("Google auth storage is not configured for this deployment");
+    reply.status(err.statusCode).send(err.toJSON());
+    return null;
+  }
   app.get("/projects/:name/google/connections", async (request) => {
     const project = resolveProject(app.db, request.params.name);
-    const conns = app.db.select({
-      id: googleConnections.id,
-      domain: googleConnections.domain,
-      connectionType: googleConnections.connectionType,
-      propertyId: googleConnections.propertyId,
-      scopes: googleConnections.scopes,
-      createdAt: googleConnections.createdAt,
-      updatedAt: googleConnections.updatedAt
-    }).from(googleConnections).where(eq12(googleConnections.domain, project.canonicalDomain)).all();
-    return conns.map((c) => ({
-      ...c,
-      scopes: JSON.parse(c.scopes)
+    const conns = opts.googleConnectionStore?.listConnections(project.canonicalDomain) ?? [];
+    return conns.map((connection) => ({
+      id: `${connection.domain}:${connection.connectionType}`,
+      domain: connection.domain,
+      connectionType: connection.connectionType,
+      propertyId: connection.propertyId ?? null,
+      scopes: connection.scopes ?? [],
+      createdAt: connection.createdAt,
+      updatedAt: connection.updatedAt
     }));
   });
   app.post("/projects/:name/google/connect", async (request, reply) => {
+    const { clientId: googleClientId, clientSecret: googleClientSecret } = getAuthConfig();
     if (!googleClientId || !googleClientSecret) {
-      const err = validationError("Google OAuth is not configured. Set GOOGLE_CLIENT_ID and GOOGLE_CLIENT_SECRET environment variables.");
+      const err = validationError("Google OAuth is not configured. Set Google OAuth credentials in the local Canonry config.");
       return reply.status(err.statusCode).send(err.toJSON());
     }
-    const { type, propertyId } = request.body ?? {};
+    const { type, propertyId, publicUrl } = request.body ?? {};
     if (!type || type !== "gsc" && type !== "ga4") {
       const err = validationError('type must be "gsc" or "ga4"');
       return reply.status(err.statusCode).send(err.toJSON());
     }
     const project = resolveProject(app.db, request.params.name);
-    const proto = request.headers["x-forwarded-proto"] ?? "http";
-    const host = request.headers.host ?? "localhost:4100";
-    const redirectUri = `${proto}://${host}/api/v1/projects/${encodeURIComponent(request.params.name)}/google/callback`;
+    let redirectUri;
+    if (publicUrl) {
+      redirectUri = publicUrl.replace(/\/$/, "") + "/api/v1/google/callback";
+    } else if (opts.publicUrl) {
+      redirectUri = opts.publicUrl.replace(/\/$/, "") + "/api/v1/google/callback";
+    } else {
+      const proto = request.headers["x-forwarded-proto"] ?? "http";
+      const host = request.headers.host ?? "localhost:4100";
+      redirectUri = `${proto}://${host}/api/v1/projects/${encodeURIComponent(request.params.name)}/google/callback`;
+    }
     const scopes = type === "gsc" ? [GSC_SCOPE] : [];
     const stateEncoded = buildSignedState(
       { domain: project.canonicalDomain, type, propertyId, redirectUri },
       stateSecret
     );
     const authUrl = getAuthUrl(googleClientId, redirectUri, scopes, stateEncoded);
-    return { authUrl };
+    return { authUrl, redirectUri };
   });
-  app.get("/projects/:name/google/callback", async (request, reply) => {
+  async function handleOAuthCallback(request, reply) {
+    const { clientId: googleClientId, clientSecret: googleClientSecret } = getAuthConfig();
     if (!googleClientId || !googleClientSecret) {
       return reply.status(500).send("Google OAuth not configured");
     }
+    const store = requireConnectionStore(reply);
+    if (!store) return;
+    const escapeHtml = (s) => s.replace(/[&<>"']/g, (c) => ({ "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" })[c]);
     const { code, state, error } = request.query;
     if (error) {
-      const safeError = String(error).replace(/[&<>"']/g, (c) => ({ "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" })[c]);
-      return reply.type("text/html").send(`<html><body><h2>Authorization failed</h2><p>${safeError}</p><p>You can close this tab.</p></body></html>`);
+      const safeError = escapeHtml(String(error));
+      const errorHtml = error === "redirect_uri_mismatch" ? `<html><body style="font-family:system-ui;padding:40px;max-width:600px;margin:0 auto">
+            <h2 style="color:#ef4444">Redirect URI mismatch</h2>
+            <p>Google rejected the OAuth callback because the redirect URI is not registered.</p>
+            <p><strong>To fix this:</strong></p>
+            <ol>
+              <li>Go to the <a href="https://console.cloud.google.com/apis/credentials" target="_blank">Google Cloud Console \u2192 Credentials</a></li>
+              <li>Click your OAuth 2.0 Client ID</li>
+              <li>Under "Authorized redirect URIs", add:<br><code style="background:#1e1e1e;color:#e0e0e0;padding:4px 8px;border-radius:4px;display:inline-block;margin-top:4px">${request.query.state ? (() => {
+        try {
+          const s = verifySignedState(request.query.state, stateSecret);
+          return escapeHtml(String(s?.redirectUri ?? "Could not determine URI"));
+        } catch {
+          return "Could not determine URI";
+        }
+      })() : "Could not determine URI"}</code></li>
+              <li>Click Save, then retry the connection</li>
+            </ol>
+            <p style="color:#888">You can close this tab.</p>
+          </body></html>` : `<html><body style="font-family:system-ui;text-align:center;padding:60px">
+            <h2>Authorization failed</h2><p>${safeError}</p><p style="color:#888">You can close this tab.</p>
+          </body></html>`;
+      return reply.type("text/html").send(errorHtml);
     }
     if (!code || !state) {
       return reply.status(400).send("Missing code or state parameter");
@@ -3503,33 +3573,37 @@ async function googleRoutes(app, opts) {
       return reply.status(400).send("Invalid or tampered state parameter");
     }
     const { domain, type, propertyId, redirectUri } = stateData;
-    const tokens = await exchangeCode(googleClientId, googleClientSecret, code, redirectUri);
+    let tokens;
+    try {
+      tokens = await exchangeCode(googleClientId, googleClientSecret, code, redirectUri);
+    } catch (err) {
+      const msg = err instanceof Error ? err.message : String(err);
+      return reply.type("text/html").send(
+        `<html><body style="font-family:system-ui;padding:40px;max-width:600px;margin:0 auto">
+          <h2 style="color:#ef4444">Token exchange failed</h2>
+          <p>${escapeHtml(msg)}</p>
+          <p><strong>Redirect URI used:</strong><br>
+            <code style="background:#1e1e1e;color:#e0e0e0;padding:4px 8px;border-radius:4px">${escapeHtml(redirectUri)}</code>
+          </p>
+          <p>Ensure this URI is listed in your <a href="https://console.cloud.google.com/apis/credentials" target="_blank">Google Cloud Console</a> OAuth client's authorized redirect URIs.</p>
+          <p style="color:#888">You can close this tab.</p>
+        </body></html>`
+      );
+    }
     const now = (/* @__PURE__ */ new Date()).toISOString();
     const expiresAt = new Date(Date.now() + tokens.expires_in * 1e3).toISOString();
-    const existing = app.db.select().from(googleConnections).where(and4(eq12(googleConnections.domain, domain), eq12(googleConnections.connectionType, type))).get();
-    if (existing) {
-      app.db.update(googleConnections).set({
-        accessToken: tokens.access_token,
-        refreshToken: tokens.refresh_token ?? existing.refreshToken,
-        tokenExpiresAt: expiresAt,
-        propertyId: propertyId ?? existing.propertyId,
-        scopes: JSON.stringify(tokens.scope?.split(" ") ?? []),
-        updatedAt: now
-      }).where(eq12(googleConnections.id, existing.id)).run();
-    } else {
-      app.db.insert(googleConnections).values({
-        id: crypto12.randomUUID(),
-        domain,
-        connectionType: type,
-        propertyId: propertyId ?? null,
-        accessToken: tokens.access_token,
-        refreshToken: tokens.refresh_token ?? null,
-        tokenExpiresAt: expiresAt,
-        scopes: JSON.stringify(tokens.scope?.split(" ") ?? []),
-        createdAt: now,
-        updatedAt: now
-      }).run();
-    }
+    const existing = store.getConnection(domain, type);
+    store.upsertConnection({
+      domain,
+      connectionType: type,
+      propertyId: propertyId ?? existing?.propertyId ?? null,
+      accessToken: tokens.access_token,
+      refreshToken: tokens.refresh_token ?? existing?.refreshToken ?? null,
+      tokenExpiresAt: expiresAt,
+      scopes: tokens.scope?.split(" ") ?? [],
+      createdAt: existing?.createdAt ?? now,
+      updatedAt: now
+    });
     writeAuditLog(app.db, {
       projectId: null,
       actor: "oauth",
@@ -3545,11 +3619,19 @@ async function googleRoutes(app, opts) {
         <p style="color:#888">You can close this tab.</p>
       </body></html>`
     );
+  }
+  app.get("/google/callback", async (request, reply) => {
+    return handleOAuthCallback(request, reply);
+  });
+  app.get("/projects/:name/google/callback", async (request, reply) => {
+    return handleOAuthCallback(request, reply);
   });
   app.delete("/projects/:name/google/connections/:type", async (request, reply) => {
+    const store = requireConnectionStore(reply);
+    if (!store) return;
     const project = resolveProject(app.db, request.params.name);
-    const deleted = app.db.delete(googleConnections).where(and4(eq12(googleConnections.domain, project.canonicalDomain), eq12(googleConnections.connectionType, request.params.type))).run();
-    if (deleted.changes === 0) {
+    const deleted = store.deleteConnection(project.canonicalDomain, request.params.type);
+    if (!deleted) {
       const err = notFound("Google connection", request.params.type);
       return reply.status(err.statusCode).send(err.toJSON());
     }
@@ -3563,18 +3645,23 @@ async function googleRoutes(app, opts) {
     return reply.status(204).send();
   });
   app.get("/projects/:name/google/properties", async (request, reply) => {
+    const { clientId: googleClientId, clientSecret: googleClientSecret } = getAuthConfig();
     if (!googleClientId || !googleClientSecret) {
       const err = validationError("Google OAuth is not configured");
       return reply.status(err.statusCode).send(err.toJSON());
     }
+    const store = requireConnectionStore(reply);
+    if (!store) return;
     const project = resolveProject(app.db, request.params.name);
-    const { accessToken } = await getValidToken(app, project.canonicalDomain, "gsc", googleClientId, googleClientSecret);
+    const { accessToken } = await getValidToken(store, project.canonicalDomain, "gsc", googleClientId, googleClientSecret);
     const sites = await listSites(accessToken);
     return { sites };
   });
   app.post("/projects/:name/google/gsc/sync", async (request, reply) => {
+    const store = requireConnectionStore(reply);
+    if (!store) return;
     const project = resolveProject(app.db, request.params.name);
-    const conn = app.db.select().from(googleConnections).where(and4(eq12(googleConnections.domain, project.canonicalDomain), eq12(googleConnections.connectionType, "gsc"))).get();
+    const conn = store.getConnection(project.canonicalDomain, "gsc");
     if (!conn) {
       const err = validationError('No GSC connection found for this domain. Run "canonry google connect" first.');
       return reply.status(err.statusCode).send(err.toJSON());
@@ -3604,7 +3691,7 @@ async function googleRoutes(app, opts) {
     if (endDate) conditions.push(sql2`${gscSearchData.date} <= ${endDate}`);
     if (query) conditions.push(sql2`${gscSearchData.query} LIKE ${"%" + query + "%"}`);
     if (page) conditions.push(sql2`${gscSearchData.page} LIKE ${"%" + page + "%"}`);
-    const rows = app.db.select().from(gscSearchData).where(and4(...conditions)).orderBy(desc2(gscSearchData.date)).limit(parseInt(limit ?? "500", 10)).all();
+    const rows = app.db.select().from(gscSearchData).where(and3(...conditions)).orderBy(desc2(gscSearchData.date)).limit(parseInt(limit ?? "500", 10)).all();
     return rows.map((r) => ({
       date: r.date,
       query: r.query,
@@ -3618,17 +3705,20 @@ async function googleRoutes(app, opts) {
     }));
   });
   app.post("/projects/:name/google/gsc/inspect", async (request, reply) => {
+    const { clientId: googleClientId, clientSecret: googleClientSecret } = getAuthConfig();
     if (!googleClientId || !googleClientSecret) {
       const err = validationError("Google OAuth is not configured");
       return reply.status(err.statusCode).send(err.toJSON());
     }
+    const store = requireConnectionStore(reply);
+    if (!store) return;
     const project = resolveProject(app.db, request.params.name);
     const { url } = request.body ?? {};
     if (!url) {
       const err = validationError("url is required");
       return reply.status(err.statusCode).send(err.toJSON());
     }
-    const { accessToken, propertyId } = await getValidToken(app, project.canonicalDomain, "gsc", googleClientId, googleClientSecret);
+    const { accessToken, propertyId } = await getValidToken(store, project.canonicalDomain, "gsc", googleClientId, googleClientSecret);
     if (!propertyId) {
       const err = validationError("No GSC property configured for this connection");
       return reply.status(err.statusCode).send(err.toJSON());
@@ -3679,7 +3769,7 @@ async function googleRoutes(app, opts) {
     const { url, limit } = request.query;
     const conditions = [eq12(gscUrlInspections.projectId, project.id)];
     if (url) conditions.push(eq12(gscUrlInspections.url, url));
-    const rows = app.db.select().from(gscUrlInspections).where(and4(...conditions)).orderBy(desc2(gscUrlInspections.inspectedAt)).limit(parseInt(limit ?? "100", 10)).all();
+    const rows = app.db.select().from(gscUrlInspections).where(and3(...conditions)).orderBy(desc2(gscUrlInspections.inspectedAt)).limit(parseInt(limit ?? "100", 10)).all();
     return rows.map((r) => ({
       id: r.id,
       url: r.url,
@@ -3725,18 +3815,23 @@ async function googleRoutes(app, opts) {
     return deindexed;
   });
   app.put("/projects/:name/google/connections/:type/property", async (request, reply) => {
+    const store = requireConnectionStore(reply);
+    if (!store) return;
     const project = resolveProject(app.db, request.params.name);
     const { propertyId } = request.body ?? {};
     if (!propertyId) {
       const err = validationError("propertyId is required");
       return reply.status(err.statusCode).send(err.toJSON());
     }
-    const conn = app.db.select().from(googleConnections).where(and4(eq12(googleConnections.domain, project.canonicalDomain), eq12(googleConnections.connectionType, request.params.type))).get();
+    const conn = store.updateConnection(
+      project.canonicalDomain,
+      request.params.type,
+      { propertyId, updatedAt: (/* @__PURE__ */ new Date()).toISOString() }
+    );
     if (!conn) {
       const err = notFound("Google connection", request.params.type);
       return reply.status(err.statusCode).send(err.toJSON());
     }
-    app.db.update(googleConnections).set({ propertyId, updatedAt: (/* @__PURE__ */ new Date()).toISOString() }).where(eq12(googleConnections.id, conn.id)).run();
     return { propertyId };
   });
 }
@@ -3758,12 +3853,20 @@ async function apiRoutes(app, opts) {
     await api.register(competitorRoutes);
     await api.register(runRoutes, { onRunCreated: opts.onRunCreated });
     await api.register(applyRoutes, {
-      onScheduleUpdated: opts.onScheduleUpdated
+      onScheduleUpdated: opts.onScheduleUpdated,
+      onGoogleConnectionPropertyUpdated: (domain, connectionType, propertyId) => {
+        opts.googleConnectionStore?.updateConnection(domain, connectionType, {
+          propertyId,
+          updatedAt: (/* @__PURE__ */ new Date()).toISOString()
+        });
+      }
     });
     await api.register(historyRoutes);
     await api.register(settingsRoutes, {
       providerSummary: opts.providerSummary,
-      onProviderUpdate: opts.onProviderUpdate
+      onProviderUpdate: opts.onProviderUpdate,
+      google: opts.googleSettingsSummary,
+      onGoogleUpdate: opts.onGoogleSettingsUpdate
     });
     await api.register(scheduleRoutes, {
       onScheduleUpdated: opts.onScheduleUpdated
@@ -3774,9 +3877,10 @@ async function apiRoutes(app, opts) {
       setTelemetryEnabled: opts.setTelemetryEnabled
     });
     await api.register(googleRoutes, {
-      googleClientId: opts.googleClientId,
-      googleClientSecret: opts.googleClientSecret,
+      getGoogleAuthConfig: opts.getGoogleAuthConfig,
+      googleConnectionStore: opts.googleConnectionStore,
       googleStateSecret: opts.googleStateSecret,
+      publicUrl: opts.publicUrl,
       onGscSyncRequested: opts.onGscSyncRequested
     });
   }, { prefix: "/api/v1" });
@@ -4698,6 +4802,77 @@ var localAdapter = {
   }
 };
 
+// src/google-config.ts
+function ensureConnections(config) {
+  if (!config.google) config.google = {};
+  if (!config.google.connections) config.google.connections = [];
+  return config.google.connections;
+}
+function getGoogleAuthConfig(config) {
+  return {
+    clientId: config.google?.clientId,
+    clientSecret: config.google?.clientSecret
+  };
+}
+function setGoogleAuthConfig(config, auth) {
+  const hasValues = Boolean(auth.clientId || auth.clientSecret || config.google?.connections?.length);
+  if (!hasValues) {
+    delete config.google;
+    return;
+  }
+  if (!config.google) config.google = {};
+  config.google.clientId = auth.clientId;
+  config.google.clientSecret = auth.clientSecret;
+  config.google.connections = config.google.connections ?? [];
+}
+function listGoogleConnections(config, domain) {
+  return (config.google?.connections ?? []).filter((connection) => connection.domain === domain);
+}
+function getGoogleConnection(config, domain, connectionType) {
+  return (config.google?.connections ?? []).find((connection) => connection.domain === domain && connection.connectionType === connectionType);
+}
+function upsertGoogleConnection(config, connection) {
+  const connections = ensureConnections(config);
+  const index2 = connections.findIndex((entry) => entry.domain === connection.domain && entry.connectionType === connection.connectionType);
+  const normalized = {
+    ...connection,
+    propertyId: connection.propertyId ?? null,
+    refreshToken: connection.refreshToken ?? null,
+    tokenExpiresAt: connection.tokenExpiresAt ?? null,
+    scopes: connection.scopes ?? []
+  };
+  if (index2 === -1) {
+    connections.push(normalized);
+    return normalized;
+  }
+  connections[index2] = normalized;
+  return normalized;
+}
+function patchGoogleConnection(config, domain, connectionType, patch) {
+  const existing = getGoogleConnection(config, domain, connectionType);
+  if (!existing) return void 0;
+  return upsertGoogleConnection(config, {
+    ...existing,
+    ...patch,
+    propertyId: Object.prototype.hasOwnProperty.call(patch, "propertyId") ? patch.propertyId ?? null : existing.propertyId ?? null,
+    refreshToken: Object.prototype.hasOwnProperty.call(patch, "refreshToken") ? patch.refreshToken ?? null : existing.refreshToken ?? null,
+    tokenExpiresAt: Object.prototype.hasOwnProperty.call(patch, "tokenExpiresAt") ? patch.tokenExpiresAt ?? null : existing.tokenExpiresAt ?? null,
+    scopes: patch.scopes ?? existing.scopes ?? []
+  });
+}
+function removeGoogleConnection(config, domain, connectionType) {
+  const connections = config.google?.connections;
+  if (!connections?.length) return false;
+  const next = connections.filter((connection) => connection.domain !== domain || connection.connectionType !== connectionType);
+  if (next.length === connections.length) return false;
+  if (!config.google) return false;
+  config.google.connections = next;
+  if (!config.google.clientId && !config.google.clientSecret && next.length === 0) {
+    delete config.google;
+  }
+  return true;
+}
+
 // src/job-runner.ts
 import crypto13 from "crypto";
 import { eq as eq13, inArray as inArray2 } from "drizzle-orm";
@@ -4961,7 +5136,7 @@ function computeCompetitorOverlap(normalized, competitorDomains) {
 
 // src/gsc-sync.ts
 import crypto14 from "crypto";
-import { eq as eq14, and as and5, sql as sql3 } from "drizzle-orm";
+import { eq as eq14, and as and4, sql as sql3 } from "drizzle-orm";
 function formatDate(d) {
   return d.toISOString().split("T")[0];
 }
@@ -4974,11 +5149,15 @@ async function executeGscSync(db, runId, projectId, opts) {
   const now = (/* @__PURE__ */ new Date()).toISOString();
   db.update(runs).set({ status: "running", startedAt: now }).where(eq14(runs.id, runId)).run();
   try {
+    const { clientId: googleClientId, clientSecret: googleClientSecret } = getGoogleAuthConfig(opts.config);
+    if (!googleClientId || !googleClientSecret) {
+      throw new Error("Google OAuth is not configured in the local Canonry config");
+    }
     const project = db.select().from(projects).where(eq14(projects.id, projectId)).get();
     if (!project) {
       throw new Error(`Project not found: ${projectId}`);
     }
-    const conn = db.select().from(googleConnections).where(and5(eq14(googleConnections.domain, project.canonicalDomain), eq14(googleConnections.connectionType, "gsc"))).get();
+    const conn = getGoogleConnection(opts.config, project.canonicalDomain, "gsc");
     if (!conn || !conn.refreshToken) {
       throw new Error("No GSC connection found or connection is incomplete");
     }
@@ -4988,13 +5167,14 @@ async function executeGscSync(db, runId, projectId, opts) {
     let accessToken = conn.accessToken;
     const expiresAt = conn.tokenExpiresAt ? new Date(conn.tokenExpiresAt).getTime() : 0;
     if (Date.now() > expiresAt - 5 * 60 * 1e3) {
-      const tokens = await refreshAccessToken(opts.googleClientId, opts.googleClientSecret, conn.refreshToken);
+      const tokens = await refreshAccessToken(googleClientId, googleClientSecret, conn.refreshToken);
       accessToken = tokens.access_token;
-      db.update(googleConnections).set({
+      patchGoogleConnection(opts.config, project.canonicalDomain, "gsc", {
         accessToken: tokens.access_token,
         tokenExpiresAt: new Date(Date.now() + tokens.expires_in * 1e3).toISOString(),
         updatedAt: (/* @__PURE__ */ new Date()).toISOString()
-      }).where(eq14(googleConnections.id, conn.id)).run();
+      });
+      saveConfig(opts.config);
     }
     const lagOffset = GSC_DATA_LAG_DAYS;
     const endDate = formatDate(daysAgo(lagOffset));
@@ -5007,7 +5187,7 @@ async function executeGscSync(db, runId, projectId, opts) {
     });
     console.log(`[GSC Sync] Received ${rows.length} rows`);
     db.delete(gscSearchData).where(
-      and5(
+      and4(
         eq14(gscSearchData.projectId, projectId),
         sql3`${gscSearchData.date} >= ${startDate}`,
         sql3`${gscSearchData.date} <= ${endDate}`
@@ -5155,8 +5335,7 @@ var Scheduler = class {
   /** Stop all cron tasks for graceful shutdown. */
   stop() {
     for (const [projectId, task] of this.tasks) {
-      task.stop();
-      console.log(`[Scheduler] Stopped task for project ${projectId}`);
+      this.stopTask(projectId, task, "Stopped");
     }
     this.tasks.clear();
   }
@@ -5164,7 +5343,7 @@ var Scheduler = class {
   upsert(projectId) {
     const existing = this.tasks.get(projectId);
     if (existing) {
-      existing.stop();
+      this.stopTask(projectId, existing, "Stopped");
       this.tasks.delete(projectId);
     }
     const schedule = this.db.select().from(schedules).where(eq15(schedules.projectId, projectId)).get();
@@ -5176,11 +5355,15 @@ var Scheduler = class {
   remove(projectId) {
     const existing = this.tasks.get(projectId);
     if (existing) {
-      existing.stop();
+      this.stopTask(projectId, existing, "Removed");
       this.tasks.delete(projectId);
-      console.log(`[Scheduler] Removed task for project ${projectId}`);
     }
   }
+  stopTask(projectId, task, verb) {
+    task.stop();
+    task.destroy();
+    console.log(`[Scheduler] ${verb} task for project ${projectId}`);
+  }
   registerCronTask(schedule) {
     const { id: scheduleId, projectId, cronExpr, timezone } = schedule;
     if (!cron.validate(cronExpr)) {
@@ -5244,7 +5427,7 @@ var Scheduler = class {
 };
 
 // src/notifier.ts
-import { eq as eq16, desc as desc3, and as and6, or as or2 } from "drizzle-orm";
+import { eq as eq16, desc as desc3, and as and5, or as or2 } from "drizzle-orm";
 import crypto15 from "crypto";
 var Notifier = class {
   db;
@@ -5307,7 +5490,7 @@ var Notifier = class {
   }
   computeTransitions(runId, projectId) {
     const recentRuns = this.db.select().from(runs).where(
-      and6(
+      and5(
         eq16(runs.projectId, projectId),
         or2(eq16(runs.status, "completed"), eq16(runs.status, "partial"))
       )
@@ -5515,18 +5698,19 @@ var DEFAULT_QUOTA = {
   maxRequestsPerDay: 1e3
 };
 async function createServer(opts) {
-  const app = Fastify({
-    logger: {
-      transport: {
-        target: "pino-pretty",
-        options: {
-          colorize: true,
-          translateTime: "HH:MM:ss",
-          ignore: "pid,hostname,reqId",
-          messageFormat: "{msg} {req.method} {req.url}"
-        }
+  const logger = opts.logger === false ? false : process.stdout.isTTY ? {
+    transport: {
+      target: "pino-pretty",
+      options: {
+        colorize: true,
+        translateTime: "HH:MM:ss",
+        ignore: "pid,hostname,reqId",
+        messageFormat: "{msg} {req.method} {req.url}"
       }
     }
+  } : true;
+  const app = Fastify({
+    logger
   });
   const registry = new ProviderRegistry();
   const providers = opts.config.providers ?? {};
@@ -5593,25 +5777,46 @@ async function createServer(opts) {
     configured: !!registry.get(name),
     quota: registry.get(name)?.config.quotaPolicy
   }));
+  const googleSettingsSummary = {
+    configured: Boolean(opts.config.google?.clientId && opts.config.google?.clientSecret)
+  };
   const adapterMap = { gemini: geminiAdapter, openai: openaiAdapter, claude: claudeAdapter, local: localAdapter };
-  const googleClientId = process.env.GOOGLE_CLIENT_ID;
-  const googleClientSecret = process.env.GOOGLE_CLIENT_SECRET;
   const googleStateSecret = process.env.GOOGLE_STATE_SECRET ?? crypto16.randomBytes(32).toString("hex");
+  const googleConnectionStore = {
+    listConnections: (domain) => listGoogleConnections(opts.config, domain),
+    getConnection: (domain, connectionType) => getGoogleConnection(opts.config, domain, connectionType),
+    upsertConnection: (connection) => {
+      const updated = upsertGoogleConnection(opts.config, connection);
+      saveConfig(opts.config);
+      return updated;
+    },
+    updateConnection: (domain, connectionType, patch) => {
+      const updated = patchGoogleConnection(opts.config, domain, connectionType, patch);
+      if (updated) saveConfig(opts.config);
+      return updated;
+    },
+    deleteConnection: (domain, connectionType) => {
+      const removed = removeGoogleConnection(opts.config, domain, connectionType);
+      if (removed) saveConfig(opts.config);
+      return removed;
+    }
+  };
   await app.register(apiRoutes, {
     db: opts.db,
     skipAuth: false,
-    googleClientId,
-    googleClientSecret,
+    getGoogleAuthConfig: () => getGoogleAuthConfig(opts.config),
+    googleConnectionStore,
     googleStateSecret,
+    publicUrl: opts.config.publicUrl,
     onGscSyncRequested: (runId, projectId, syncOpts) => {
+      const { clientId: googleClientId, clientSecret: googleClientSecret } = getGoogleAuthConfig(opts.config);
       if (!googleClientId || !googleClientSecret) {
-        app.log.error("GSC sync requested but GOOGLE_CLIENT_ID/SECRET not configured");
+        app.log.error("GSC sync requested but Google OAuth credentials are not configured in the local config");
         return;
       }
       executeGscSync(opts.db, runId, projectId, {
         ...syncOpts,
-        googleClientId,
-        googleClientSecret
+        config: opts.config
       }).catch((err) => {
         app.log.error({ runId, err }, "GSC sync failed");
       });
@@ -5621,6 +5826,7 @@ async function createServer(opts) {
       version: PKG_VERSION
     },
     providerSummary,
+    googleSettingsSummary,
     onRunCreated: (runId, projectId, providers2) => {
       jobRunner.executeRun(runId, projectId, providers2).catch((err) => {
         app.log.error({ runId, err }, "Job runner failed");
@@ -5665,6 +5871,17 @@ async function createServer(opts) {
         quota
       };
     },
+    onGoogleSettingsUpdate: (clientId, clientSecret) => {
+      try {
+        setGoogleAuthConfig(opts.config, { clientId, clientSecret });
+        saveConfig(opts.config);
+        googleSettingsSummary.configured = true;
+        return { ...googleSettingsSummary };
+      } catch (err) {
+        app.log.error({ err }, "Failed to save Google OAuth config");
+        return null;
+      }
+    },
     onScheduleUpdated: (action, projectId) => {
       if (action === "upsert") scheduler.upsert(projectId);
       if (action === "delete") scheduler.remove(projectId);
@@ -5814,5 +6031,6 @@ export {
   isFirstRun,
   showFirstRunNotice,
   trackEvent,
+  setGoogleAuthConfig,
   createServer
 };