@ainyc/canonry 1.11.0 → 1.13.0

package/dist/{chunk-MVIL2UGM.js → chunk-65PXJTPN.js}

@@ -151,7 +151,7 @@ function trackEvent(event, properties) {
 
 // src/server.ts
 import { createRequire as createRequire2 } from "module";
-import crypto16 from "crypto";
+import crypto17 from "crypto";
 import fs2 from "fs";
 import path2 from "path";
 import { fileURLToPath } from "url";
@@ -806,6 +806,25 @@ var gscUrlInspectionDtoSchema = z4.object({
   inspectedAt: z4.string()
 });
 var indexTransitionSchema = z4.enum(["stable", "reindexed", "deindexed", "still-missing", "new"]);
+var gscDeindexedRowSchema = z4.object({
+  url: z4.string(),
+  previousState: z4.string().nullable(),
+  currentState: z4.string().nullable(),
+  transitionDate: z4.string()
+});
+var gscCoverageSummaryDtoSchema = z4.object({
+  summary: z4.object({
+    total: z4.number(),
+    indexed: z4.number(),
+    notIndexed: z4.number(),
+    deindexed: z4.number(),
+    percentage: z4.number()
+  }),
+  lastInspectedAt: z4.string().nullable(),
+  indexed: z4.array(gscUrlInspectionDtoSchema).default([]),
+  notIndexed: z4.array(gscUrlInspectionDtoSchema).default([]),
+  deindexed: z4.array(gscDeindexedRowSchema).default([])
+});
 
 // ../contracts/src/project.ts
 import { z as z5 } from "zod";
@@ -853,7 +872,7 @@ function effectiveDomains(project) {
 // ../contracts/src/run.ts
 import { z as z6 } from "zod";
 var runStatusSchema = z6.enum(["queued", "running", "completed", "partial", "failed"]);
-var runKindSchema = z6.enum(["answer-visibility", "site-audit", "gsc-sync"]);
+var runKindSchema = z6.enum(["answer-visibility", "site-audit", "gsc-sync", "inspect-sitemap"]);
 var runTriggerSchema = z6.enum(["manual", "scheduled", "config-apply"]);
 var citationStateSchema = z6.enum(["cited", "not-cited"]);
 var computedTransitionSchema = z6.enum(["new", "cited", "lost", "emerging", "not-cited"]);
@@ -1193,6 +1212,34 @@ async function keywordRoutes(app, opts) {
     const rows = app.db.select().from(keywords).where(eq4(keywords.projectId, project.id)).all();
     return reply.send(rows.map((r) => ({ id: r.id, keyword: r.keyword, createdAt: r.createdAt })));
   });
+  app.delete("/projects/:name/keywords", async (request, reply) => {
+    const project = resolveProjectSafe(app, request.params.name, reply);
+    if (!project) return;
+    const body = request.body;
+    if (!body || !Array.isArray(body.keywords) || body.keywords.length === 0) {
+      const err = validationError('Body must contain a non-empty "keywords" array');
+      return reply.status(err.statusCode).send(err.toJSON());
+    }
+    const existing = app.db.select().from(keywords).where(eq4(keywords.projectId, project.id)).all();
+    const toDelete = new Set(body.keywords);
+    const idsToDelete = existing.filter((k) => toDelete.has(k.keyword)).map((k) => k.id);
+    if (idsToDelete.length > 0) {
+      app.db.transaction((tx) => {
+        for (const id of idsToDelete) {
+          tx.delete(keywords).where(eq4(keywords.id, id)).run();
+        }
+        writeAuditLog(tx, {
+          projectId: project.id,
+          actor: "api",
+          action: "keywords.deleted",
+          entityType: "keyword",
+          diff: { deleted: body.keywords.filter((kw) => existing.some((e) => e.keyword === kw)) }
+        });
+      });
+    }
+    const rows = app.db.select().from(keywords).where(eq4(keywords.projectId, project.id)).all();
+    return reply.send(rows.map((r) => ({ id: r.id, keyword: r.keyword, createdAt: r.createdAt })));
+  });
   app.post("/projects/:name/keywords", async (request, reply) => {
     const project = resolveProjectSafe(app, request.params.name, reply);
     if (!project) return;
@@ -3507,34 +3554,63 @@ async function googleRoutes(app, opts) {
       const err = validationError("Google OAuth is not configured. Set Google OAuth credentials in the local Canonry config.");
       return reply.status(err.statusCode).send(err.toJSON());
     }
-    const { type, propertyId } = request.body ?? {};
+    const { type, propertyId, publicUrl } = request.body ?? {};
     if (!type || type !== "gsc" && type !== "ga4") {
       const err = validationError('type must be "gsc" or "ga4"');
       return reply.status(err.statusCode).send(err.toJSON());
     }
     const project = resolveProject(app.db, request.params.name);
-    const proto = request.headers["x-forwarded-proto"] ?? "http";
-    const host = request.headers.host ?? "localhost:4100";
-    const redirectUri = `${proto}://${host}/api/v1/projects/${encodeURIComponent(request.params.name)}/google/callback`;
+    let redirectUri;
+    if (publicUrl) {
+      redirectUri = publicUrl.replace(/\/$/, "") + "/api/v1/google/callback";
+    } else if (opts.publicUrl) {
+      redirectUri = opts.publicUrl.replace(/\/$/, "") + "/api/v1/google/callback";
+    } else {
+      const proto = request.headers["x-forwarded-proto"] ?? "http";
+      const host = request.headers.host ?? "localhost:4100";
+      redirectUri = `${proto}://${host}/api/v1/projects/${encodeURIComponent(request.params.name)}/google/callback`;
+    }
     const scopes = type === "gsc" ? [GSC_SCOPE] : [];
     const stateEncoded = buildSignedState(
       { domain: project.canonicalDomain, type, propertyId, redirectUri },
       stateSecret
     );
     const authUrl = getAuthUrl(googleClientId, redirectUri, scopes, stateEncoded);
-    return { authUrl };
+    return { authUrl, redirectUri };
   });
-  app.get("/projects/:name/google/callback", async (request, reply) => {
+  async function handleOAuthCallback(request, reply) {
     const { clientId: googleClientId, clientSecret: googleClientSecret } = getAuthConfig();
     if (!googleClientId || !googleClientSecret) {
       return reply.status(500).send("Google OAuth not configured");
     }
     const store = requireConnectionStore(reply);
     if (!store) return;
+    const escapeHtml = (s) => s.replace(/[&<>"']/g, (c) => ({ "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" })[c]);
     const { code, state, error } = request.query;
     if (error) {
-      const safeError = String(error).replace(/[&<>"']/g, (c) => ({ "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" })[c]);
-      return reply.type("text/html").send(`<html><body><h2>Authorization failed</h2><p>${safeError}</p><p>You can close this tab.</p></body></html>`);
+      const safeError = escapeHtml(String(error));
+      const errorHtml = error === "redirect_uri_mismatch" ? `<html><body style="font-family:system-ui;padding:40px;max-width:600px;margin:0 auto">
+            <h2 style="color:#ef4444">Redirect URI mismatch</h2>
+            <p>Google rejected the OAuth callback because the redirect URI is not registered.</p>
+            <p><strong>To fix this:</strong></p>
+            <ol>
+              <li>Go to the <a href="https://console.cloud.google.com/apis/credentials" target="_blank">Google Cloud Console \u2192 Credentials</a></li>
+              <li>Click your OAuth 2.0 Client ID</li>
+              <li>Under "Authorized redirect URIs", add:<br><code style="background:#1e1e1e;color:#e0e0e0;padding:4px 8px;border-radius:4px;display:inline-block;margin-top:4px">${request.query.state ? (() => {
+        try {
+          const s = verifySignedState(request.query.state, stateSecret);
+          return escapeHtml(String(s?.redirectUri ?? "Could not determine URI"));
+        } catch {
+          return "Could not determine URI";
+        }
+      })() : "Could not determine URI"}</code></li>
+              <li>Click Save, then retry the connection</li>
+            </ol>
+            <p style="color:#888">You can close this tab.</p>
+          </body></html>` : `<html><body style="font-family:system-ui;text-align:center;padding:60px">
+            <h2>Authorization failed</h2><p>${safeError}</p><p style="color:#888">You can close this tab.</p>
+          </body></html>`;
+      return reply.type("text/html").send(errorHtml);
     }
     if (!code || !state) {
       return reply.status(400).send("Missing code or state parameter");
@@ -3544,7 +3620,23 @@ async function googleRoutes(app, opts) {
       return reply.status(400).send("Invalid or tampered state parameter");
     }
     const { domain, type, propertyId, redirectUri } = stateData;
-    const tokens = await exchangeCode(googleClientId, googleClientSecret, code, redirectUri);
+    let tokens;
+    try {
+      tokens = await exchangeCode(googleClientId, googleClientSecret, code, redirectUri);
+    } catch (err) {
+      const msg = err instanceof Error ? err.message : String(err);
+      return reply.type("text/html").send(
+        `<html><body style="font-family:system-ui;padding:40px;max-width:600px;margin:0 auto">
+          <h2 style="color:#ef4444">Token exchange failed</h2>
+          <p>${escapeHtml(msg)}</p>
+          <p><strong>Redirect URI used:</strong><br>
+            <code style="background:#1e1e1e;color:#e0e0e0;padding:4px 8px;border-radius:4px">${escapeHtml(redirectUri)}</code>
+          </p>
+          <p>Ensure this URI is listed in your <a href="https://console.cloud.google.com/apis/credentials" target="_blank">Google Cloud Console</a> OAuth client's authorized redirect URIs.</p>
+          <p style="color:#888">You can close this tab.</p>
+        </body></html>`
+      );
+    }
     const now = (/* @__PURE__ */ new Date()).toISOString();
     const expiresAt = new Date(Date.now() + tokens.expires_in * 1e3).toISOString();
     const existing = store.getConnection(domain, type);
@@ -3574,6 +3666,12 @@ async function googleRoutes(app, opts) {
         <p style="color:#888">You can close this tab.</p>
       </body></html>`
     );
+  }
+  app.get("/google/callback", async (request, reply) => {
+    return handleOAuthCallback(request, reply);
+  });
+  app.get("/projects/:name/google/callback", async (request, reply) => {
+    return handleOAuthCallback(request, reply);
   });
   app.delete("/projects/:name/google/connections/:type", async (request, reply) => {
     const store = requireConnectionStore(reply);
@@ -3752,7 +3850,7 @@ async function googleRoutes(app, opts) {
       if (inspections.length < 2) continue;
       const latest = inspections[0];
       const previous = inspections[1];
-      if (previous.indexingState?.toUpperCase() === "INDEXED" && latest.indexingState?.toUpperCase() !== "INDEXED") {
+      if (previous.indexingState === "INDEXING_ALLOWED" && latest.indexingState !== "INDEXING_ALLOWED") {
         deindexed.push({
           url,
           previousState: previous.indexingState,
@@ -3763,6 +3861,110 @@ async function googleRoutes(app, opts) {
     }
     return deindexed;
   });
+  app.get("/projects/:name/google/gsc/coverage", async (request) => {
+    const project = resolveProject(app.db, request.params.name);
+    const allInspections = app.db.select().from(gscUrlInspections).where(eq12(gscUrlInspections.projectId, project.id)).orderBy(desc2(gscUrlInspections.inspectedAt)).all();
+    const latestByUrl = /* @__PURE__ */ new Map();
+    const historyByUrl = /* @__PURE__ */ new Map();
+    for (const row of allInspections) {
+      if (!latestByUrl.has(row.url)) {
+        latestByUrl.set(row.url, row);
+      }
+      const history = historyByUrl.get(row.url);
+      if (history) {
+        history.push(row);
+      } else {
+        historyByUrl.set(row.url, [row]);
+      }
+    }
+    const indexedUrls = [];
+    const notIndexedUrls = [];
+    let lastInspectedAt = null;
+    for (const [, row] of latestByUrl) {
+      if (row.indexingState === "INDEXING_ALLOWED") {
+        indexedUrls.push(row);
+      } else {
+        notIndexedUrls.push(row);
+      }
+      if (!lastInspectedAt || row.inspectedAt > lastInspectedAt) {
+        lastInspectedAt = row.inspectedAt;
+      }
+    }
+    const deindexedUrls = [];
+    for (const [url, history] of historyByUrl) {
+      if (history.length < 2) continue;
+      const latest = history[0];
+      const previous = history[1];
+      if (previous.indexingState === "INDEXING_ALLOWED" && latest.indexingState !== "INDEXING_ALLOWED") {
+        deindexedUrls.push({
+          url,
+          previousState: previous.indexingState,
+          currentState: latest.indexingState,
+          transitionDate: latest.inspectedAt
+        });
+      }
+    }
+    const total = latestByUrl.size;
+    const indexed = indexedUrls.length;
+    const notIndexed = notIndexedUrls.length;
+    const formatRow = (r) => ({
+      id: r.id,
+      url: r.url,
+      indexingState: r.indexingState,
+      verdict: r.verdict,
+      coverageState: r.coverageState,
+      pageFetchState: r.pageFetchState,
+      robotsTxtState: r.robotsTxtState,
+      crawlTime: r.crawlTime,
+      lastCrawlResult: r.lastCrawlResult,
+      isMobileFriendly: r.isMobileFriendly === 1 ? true : r.isMobileFriendly === 0 ? false : null,
+      richResults: JSON.parse(r.richResults),
+      inspectedAt: r.inspectedAt
+    });
+    return {
+      summary: {
+        total,
+        indexed,
+        notIndexed,
+        deindexed: deindexedUrls.length,
+        percentage: total > 0 ? Math.round(indexed / total * 1e3) / 10 : 0
+      },
+      lastInspectedAt,
+      indexed: indexedUrls.map(formatRow),
+      notIndexed: notIndexedUrls.map(formatRow),
+      deindexed: deindexedUrls
+    };
+  });
+  app.post("/projects/:name/google/gsc/inspect-sitemap", async (request, reply) => {
+    const store = requireConnectionStore(reply);
+    if (!store) return;
+    const project = resolveProject(app.db, request.params.name);
+    const conn = store.getConnection(project.canonicalDomain, "gsc");
+    if (!conn) {
+      const err = validationError('No GSC connection found for this domain. Run "canonry google connect" first.');
+      return reply.status(err.statusCode).send(err.toJSON());
+    }
+    if (!conn.propertyId) {
+      const err = validationError("No GSC property configured for this connection");
+      return reply.status(err.statusCode).send(err.toJSON());
+    }
+    const now = (/* @__PURE__ */ new Date()).toISOString();
+    const runId = crypto12.randomUUID();
+    app.db.insert(runs).values({
+      id: runId,
+      projectId: project.id,
+      kind: "inspect-sitemap",
+      status: "queued",
+      trigger: "manual",
+      createdAt: now
+    }).run();
+    const { sitemapUrl } = request.body ?? {};
+    if (opts.onInspectSitemapRequested) {
+      opts.onInspectSitemapRequested(runId, project.id, { sitemapUrl: sitemapUrl ?? void 0 });
+    }
+    const run = app.db.select().from(runs).where(eq12(runs.id, runId)).get();
+    return run;
+  });
   app.put("/projects/:name/google/connections/:type/property", async (request, reply) => {
     const store = requireConnectionStore(reply);
     if (!store) return;
@@ -3829,7 +4031,9 @@ async function apiRoutes(app, opts) {
       getGoogleAuthConfig: opts.getGoogleAuthConfig,
       googleConnectionStore: opts.googleConnectionStore,
       googleStateSecret: opts.googleStateSecret,
-      onGscSyncRequested: opts.onGscSyncRequested
+      publicUrl: opts.publicUrl,
+      onGscSyncRequested: opts.onGscSyncRequested,
+      onInspectSitemapRequested: opts.onInspectSitemapRequested
     });
   }, { prefix: "/api/v1" });
 }
@@ -5213,6 +5417,161 @@ async function executeGscSync(db, runId, projectId, opts) {
   }
 }
 
+// src/gsc-inspect-sitemap.ts
+import crypto15 from "crypto";
+import { eq as eq15 } from "drizzle-orm";
+
+// src/sitemap-parser.ts
+var LOC_REGEX = /<loc>\s*([^<]+?)\s*<\/loc>/gi;
+var SITEMAP_TAG_REGEX = /<sitemap>[\s\S]*?<\/sitemap>/gi;
+var PRIVATE_IP_PATTERNS = [
+  /^169\.254\./,
+  // link-local (AWS metadata endpoint etc.)
+  /^10\./,
+  // private class A
+  /^172\.(1[6-9]|2\d|3[01])\./,
+  // private class B
+  /^192\.168\./
+  // private class C
+];
+function validateSitemapUrl(url) {
+  let parsed;
+  try {
+    parsed = new URL(url);
+  } catch {
+    throw new Error(`Invalid sitemap URL: ${url}`);
+  }
+  if (parsed.protocol !== "http:" && parsed.protocol !== "https:") {
+    throw new Error(`Sitemap URL must use http or https protocol: ${url}`);
+  }
+  const host = parsed.hostname.toLowerCase();
+  for (const pattern of PRIVATE_IP_PATTERNS) {
+    if (pattern.test(host)) {
+      throw new Error(`Sitemap URL points to a private or reserved IP range: ${url}`);
+    }
+  }
+}
+async function fetchAndParseSitemap(sitemapUrl) {
+  const urls = /* @__PURE__ */ new Set();
+  await parseSitemapRecursive(sitemapUrl, urls, 0);
+  return [...urls];
+}
+async function parseSitemapRecursive(url, urls, depth) {
+  if (depth > 3) return;
+  validateSitemapUrl(url);
+  const res = await fetch(url);
+  if (!res.ok) {
+    throw new Error(`Failed to fetch sitemap at ${url}: ${res.status} ${res.statusText}`);
+  }
+  const xml = await res.text();
+  const sitemapEntries = xml.match(SITEMAP_TAG_REGEX);
+  if (sitemapEntries) {
+    for (const entry of sitemapEntries) {
+      const locMatch = LOC_REGEX.exec(entry);
+      LOC_REGEX.lastIndex = 0;
+      if (locMatch?.[1]) {
+        await parseSitemapRecursive(locMatch[1], urls, depth + 1);
+      }
+    }
+    return;
+  }
+  let match;
+  while ((match = LOC_REGEX.exec(xml)) !== null) {
+    if (match[1]) {
+      urls.add(match[1]);
+    }
+  }
+  LOC_REGEX.lastIndex = 0;
+}
+
+// src/gsc-inspect-sitemap.ts
+async function executeInspectSitemap(db, runId, projectId, opts) {
+  const now = (/* @__PURE__ */ new Date()).toISOString();
+  db.update(runs).set({ status: "running", startedAt: now }).where(eq15(runs.id, runId)).run();
+  try {
+    const { clientId: googleClientId, clientSecret: googleClientSecret } = getGoogleAuthConfig(opts.config);
+    if (!googleClientId || !googleClientSecret) {
+      throw new Error("Google OAuth is not configured in the local Canonry config");
+    }
+    const project = db.select().from(projects).where(eq15(projects.id, projectId)).get();
+    if (!project) {
+      throw new Error(`Project not found: ${projectId}`);
+    }
+    const conn = getGoogleConnection(opts.config, project.canonicalDomain, "gsc");
+    if (!conn || !conn.refreshToken) {
+      throw new Error("No GSC connection found or connection is incomplete");
+    }
+    if (!conn.propertyId) {
+      throw new Error('No GSC property selected. Use "canonry google properties" to list available sites, then set one.');
+    }
+    let accessToken = conn.accessToken;
+    const expiresAt = conn.tokenExpiresAt ? new Date(conn.tokenExpiresAt).getTime() : 0;
+    if (Date.now() > expiresAt - 5 * 60 * 1e3) {
+      const tokens = await refreshAccessToken(googleClientId, googleClientSecret, conn.refreshToken);
+      accessToken = tokens.access_token;
+      patchGoogleConnection(opts.config, project.canonicalDomain, "gsc", {
+        accessToken: tokens.access_token,
+        tokenExpiresAt: new Date(Date.now() + tokens.expires_in * 1e3).toISOString(),
+        updatedAt: (/* @__PURE__ */ new Date()).toISOString()
+      });
+      saveConfig(opts.config);
+    }
+    const sitemapUrl = opts.sitemapUrl || `https://${project.canonicalDomain}/sitemap.xml`;
+    console.log(`[Inspect Sitemap] Fetching sitemap from ${sitemapUrl}`);
+    const urls = await fetchAndParseSitemap(sitemapUrl);
+    console.log(`[Inspect Sitemap] Found ${urls.length} URLs in sitemap`);
+    if (urls.length === 0) {
+      throw new Error("No URLs found in sitemap");
+    }
+    let inspected = 0;
+    let errors = 0;
+    for (const pageUrl of urls) {
+      try {
+        const result = await inspectUrl(accessToken, pageUrl, conn.propertyId);
+        const ir = result.inspectionResult;
+        const idx = ir.indexStatusResult;
+        const mob = ir.mobileUsabilityResult;
+        const rich = ir.richResultsResult;
+        const inspectedAt = (/* @__PURE__ */ new Date()).toISOString();
+        db.insert(gscUrlInspections).values({
+          id: crypto15.randomUUID(),
+          projectId,
+          syncRunId: runId,
+          url: pageUrl,
+          indexingState: idx?.indexingState ?? null,
+          verdict: idx?.verdict ?? null,
+          coverageState: idx?.coverageState ?? null,
+          pageFetchState: idx?.pageFetchState ?? null,
+          robotsTxtState: idx?.robotsTxtState ?? null,
+          crawlTime: idx?.lastCrawlTime ?? null,
+          lastCrawlResult: idx?.crawlResult ?? null,
+          isMobileFriendly: mob?.verdict === "PASS" ? 1 : mob?.verdict === "FAIL" ? 0 : null,
+          richResults: JSON.stringify(rich?.detectedItems?.map((d) => d.richResultType) ?? []),
+          referringUrls: JSON.stringify(idx?.referringUrls ?? []),
+          inspectedAt,
+          createdAt: inspectedAt
+        }).run();
+        inspected++;
+        console.log(`[Inspect Sitemap] ${inspected}/${urls.length} inspected: ${pageUrl}`);
+      } catch (err) {
+        errors++;
+        console.error(`[Inspect Sitemap] Failed to inspect ${pageUrl}:`, err instanceof Error ? err.message : err);
+      }
+      if (inspected + errors < urls.length) {
+        await new Promise((r) => setTimeout(r, 1e3));
+      }
+    }
+    const status = errors > 0 && inspected > 0 ? "partial" : errors === urls.length ? "failed" : "completed";
+    db.update(runs).set({ status, finishedAt: (/* @__PURE__ */ new Date()).toISOString() }).where(eq15(runs.id, runId)).run();
+    console.log(`[Inspect Sitemap] Done. ${inspected} inspected, ${errors} errors out of ${urls.length} URLs.`);
+  } catch (err) {
+    const errorMsg = err instanceof Error ? err.message : String(err);
+    db.update(runs).set({ status: "failed", error: errorMsg, finishedAt: (/* @__PURE__ */ new Date()).toISOString() }).where(eq15(runs.id, runId)).run();
+    console.error(`[Inspect Sitemap] Failed:`, errorMsg);
+    throw err;
+  }
+}
+
 // src/provider-registry.ts
 var ProviderRegistry = class {
   providers = /* @__PURE__ */ new Map();
@@ -5258,7 +5617,7 @@ var ProviderRegistry = class {
 
 // src/scheduler.ts
 import cron from "node-cron";
-import { eq as eq15 } from "drizzle-orm";
+import { eq as eq16 } from "drizzle-orm";
 var Scheduler = class {
   db;
   callbacks;
@@ -5269,7 +5628,7 @@ var Scheduler = class {
   }
   /** Load all enabled schedules from DB and register cron jobs. */
   start() {
-    const allSchedules = this.db.select().from(schedules).where(eq15(schedules.enabled, 1)).all();
+    const allSchedules = this.db.select().from(schedules).where(eq16(schedules.enabled, 1)).all();
     for (const schedule of allSchedules) {
       const missedRunAt = schedule.nextRunAt;
       this.registerCronTask(schedule);
@@ -5294,7 +5653,7 @@ var Scheduler = class {
       this.stopTask(projectId, existing, "Stopped");
       this.tasks.delete(projectId);
     }
-    const schedule = this.db.select().from(schedules).where(eq15(schedules.projectId, projectId)).get();
+    const schedule = this.db.select().from(schedules).where(eq16(schedules.projectId, projectId)).get();
     if (schedule && schedule.enabled === 1) {
       this.registerCronTask(schedule);
     }
@@ -5327,13 +5686,13 @@ var Scheduler = class {
     this.db.update(schedules).set({
       nextRunAt: task.getNextRun()?.toISOString() ?? null,
       updatedAt: (/* @__PURE__ */ new Date()).toISOString()
-    }).where(eq15(schedules.id, scheduleId)).run();
+    }).where(eq16(schedules.id, scheduleId)).run();
     const label = schedule.preset ?? cronExpr;
     console.log(`[Scheduler] Registered "${label}" (${timezone}) for project ${projectId}`);
   }
   triggerRun(scheduleId, projectId) {
     const now = (/* @__PURE__ */ new Date()).toISOString();
-    const currentSchedule = this.db.select().from(schedules).where(eq15(schedules.id, scheduleId)).get();
+    const currentSchedule = this.db.select().from(schedules).where(eq16(schedules.id, scheduleId)).get();
     if (!currentSchedule || currentSchedule.enabled !== 1) {
       console.log(`[Scheduler] Schedule ${scheduleId} no longer exists or is disabled, removing task for project ${projectId}`);
       this.remove(projectId);
@@ -5341,7 +5700,7 @@ var Scheduler = class {
     }
     const task = this.tasks.get(projectId);
     const nextRunAt = task?.getNextRun()?.toISOString() ?? null;
-    const project = this.db.select().from(projects).where(eq15(projects.id, projectId)).get();
+    const project = this.db.select().from(projects).where(eq16(projects.id, projectId)).get();
     if (!project) {
       console.error(`[Scheduler] Project ${projectId} not found, skipping scheduled run`);
       this.remove(projectId);
@@ -5358,7 +5717,7 @@ var Scheduler = class {
       this.db.update(schedules).set({
         nextRunAt,
         updatedAt: now
-      }).where(eq15(schedules.id, currentSchedule.id)).run();
+      }).where(eq16(schedules.id, currentSchedule.id)).run();
       return;
     }
     const runId = queueResult.runId;
@@ -5366,7 +5725,7 @@ var Scheduler = class {
       lastRunAt: now,
       nextRunAt,
       updatedAt: now
-    }).where(eq15(schedules.id, currentSchedule.id)).run();
+    }).where(eq16(schedules.id, currentSchedule.id)).run();
     const scheduleProviders = JSON.parse(currentSchedule.providers);
     const providers = scheduleProviders.length > 0 ? scheduleProviders : void 0;
     console.log(`[Scheduler] Triggered scheduled run ${runId} for project ${project.name}`);
@@ -5375,8 +5734,8 @@ var Scheduler = class {
 };
 
 // src/notifier.ts
-import { eq as eq16, desc as desc3, and as and5, or as or2 } from "drizzle-orm";
-import crypto15 from "crypto";
+import { eq as eq17, desc as desc3, and as and5, or as or2 } from "drizzle-orm";
+import crypto16 from "crypto";
 var Notifier = class {
   db;
   serverUrl;
@@ -5387,18 +5746,18 @@ var Notifier = class {
   /** Called after a run completes (success, partial, or failed). */
   async onRunCompleted(runId, projectId) {
     console.log(`[Notifier] onRunCompleted: runId=${runId} projectId=${projectId}`);
-    const notifs = this.db.select().from(notifications).where(eq16(notifications.projectId, projectId)).all().filter((n) => n.enabled === 1);
+    const notifs = this.db.select().from(notifications).where(eq17(notifications.projectId, projectId)).all().filter((n) => n.enabled === 1);
     if (notifs.length === 0) {
       console.log(`[Notifier] No enabled notifications for project ${projectId} \u2014 skipping`);
       return;
     }
     console.log(`[Notifier] Found ${notifs.length} enabled notification(s) for project ${projectId}`);
-    const run = this.db.select().from(runs).where(eq16(runs.id, runId)).get();
+    const run = this.db.select().from(runs).where(eq17(runs.id, runId)).get();
     if (!run) {
       console.error(`[Notifier] Run ${runId} not found \u2014 skipping notification dispatch`);
       return;
     }
-    const project = this.db.select().from(projects).where(eq16(projects.id, projectId)).get();
+    const project = this.db.select().from(projects).where(eq17(projects.id, projectId)).get();
     if (!project) {
       console.error(`[Notifier] Project ${projectId} not found \u2014 skipping notification dispatch`);
       return;
@@ -5439,8 +5798,8 @@ var Notifier = class {
   computeTransitions(runId, projectId) {
     const recentRuns = this.db.select().from(runs).where(
       and5(
-        eq16(runs.projectId, projectId),
-        or2(eq16(runs.status, "completed"), eq16(runs.status, "partial"))
+        eq17(runs.projectId, projectId),
+        or2(eq17(runs.status, "completed"), eq17(runs.status, "partial"))
       )
     ).orderBy(desc3(runs.createdAt)).limit(2).all();
     if (recentRuns.length < 2) return [];
@@ -5452,12 +5811,12 @@ var Notifier = class {
       keyword: keywords.keyword,
       provider: querySnapshots.provider,
       citationState: querySnapshots.citationState
-    }).from(querySnapshots).leftJoin(keywords, eq16(querySnapshots.keywordId, keywords.id)).where(eq16(querySnapshots.runId, currentRunId)).all();
+    }).from(querySnapshots).leftJoin(keywords, eq17(querySnapshots.keywordId, keywords.id)).where(eq17(querySnapshots.runId, currentRunId)).all();
     const previousSnapshots = this.db.select({
       keywordId: querySnapshots.keywordId,
       provider: querySnapshots.provider,
       citationState: querySnapshots.citationState
-    }).from(querySnapshots).where(eq16(querySnapshots.runId, previousRunId)).all();
+    }).from(querySnapshots).where(eq17(querySnapshots.runId, previousRunId)).all();
     const prevMap = /* @__PURE__ */ new Map();
     for (const s of previousSnapshots) {
       prevMap.set(`${s.keywordId}:${s.provider}`, s.citationState);
@@ -5514,7 +5873,7 @@ var Notifier = class {
   }
   logDelivery(projectId, notificationId, event, status, error) {
     this.db.insert(auditLog).values({
-      id: crypto15.randomUUID(),
+      id: crypto16.randomUUID(),
       projectId,
       actor: "scheduler",
       action: `notification.${status}`,
@@ -5645,6 +6004,14 @@ var DEFAULT_QUOTA = {
   maxRequestsPerMinute: 10,
   maxRequestsPerDay: 1e3
 };
+function summarizeProviderConfig(provider, config) {
+  return {
+    configured: Boolean(config?.apiKey || config?.baseUrl),
+    model: config?.model ?? null,
+    baseUrl: provider === "local" ? config?.baseUrl ?? null : null,
+    quota: { ...config?.quota ?? DEFAULT_QUOTA }
+  };
+}
 async function createServer(opts) {
   const logger = opts.logger === false ? false : process.stdout.isTTY ? {
     transport: {
@@ -5729,7 +6096,7 @@ async function createServer(opts) {
     configured: Boolean(opts.config.google?.clientId && opts.config.google?.clientSecret)
   };
   const adapterMap = { gemini: geminiAdapter, openai: openaiAdapter, claude: claudeAdapter, local: localAdapter };
-  const googleStateSecret = process.env.GOOGLE_STATE_SECRET ?? crypto16.randomBytes(32).toString("hex");
+  const googleStateSecret = process.env.GOOGLE_STATE_SECRET ?? crypto17.randomBytes(32).toString("hex");
   const googleConnectionStore = {
     listConnections: (domain) => listGoogleConnections(opts.config, domain),
     getConnection: (domain, connectionType) => getGoogleConnection(opts.config, domain, connectionType),
@@ -5755,6 +6122,7 @@ async function createServer(opts) {
     getGoogleAuthConfig: () => getGoogleAuthConfig(opts.config),
     googleConnectionStore,
     googleStateSecret,
+    publicUrl: opts.config.publicUrl,
     onGscSyncRequested: (runId, projectId, syncOpts) => {
       const { clientId: googleClientId, clientSecret: googleClientSecret } = getGoogleAuthConfig(opts.config);
       if (!googleClientId || !googleClientSecret) {
@@ -5768,6 +6136,19 @@ async function createServer(opts) {
         app.log.error({ runId, err }, "GSC sync failed");
       });
     },
+    onInspectSitemapRequested: (runId, projectId, inspectOpts) => {
+      const { clientId: googleClientId, clientSecret: googleClientSecret } = getGoogleAuthConfig(opts.config);
+      if (!googleClientId || !googleClientSecret) {
+        app.log.error("Inspect sitemap requested but Google OAuth credentials are not configured");
+        return;
+      }
+      executeInspectSitemap(opts.db, runId, projectId, {
+        ...inspectOpts,
+        config: opts.config
+      }).catch((err) => {
+        app.log.error({ runId, err }, "Inspect sitemap failed");
+      });
+    },
     openApiInfo: {
       title: "Canonry API",
       version: PKG_VERSION
@@ -5784,6 +6165,7 @@ async function createServer(opts) {
       if (!(name in adapterMap)) return null;
       if (!opts.config.providers) opts.config.providers = {};
       const existing = opts.config.providers[name];
+      const beforeConfig = summarizeProviderConfig(name, existing);
       const mergedQuota = incomingQuota ? { ...existing?.quota ?? DEFAULT_QUOTA, ...incomingQuota } : existing?.quota;
       opts.config.providers[name] = {
         apiKey: apiKey || existing?.apiKey,
@@ -5811,6 +6193,33 @@ async function createServer(opts) {
         entry.model = model || registry.get(name)?.config.model;
         entry.quota = quota;
       }
+      const afterConfig = summarizeProviderConfig(name, opts.config.providers[name]);
+      if (JSON.stringify(beforeConfig) !== JSON.stringify(afterConfig)) {
+        const diff = JSON.stringify({
+          before: existing ? beforeConfig : null,
+          after: afterConfig
+        });
+        const affectedProjectIds = opts.db.select({ id: projects.id, providers: projects.providers }).from(projects).all().filter((project) => {
+          try {
+            const configuredProviders = JSON.parse(project.providers || "[]");
+            return configuredProviders.length === 0 || configuredProviders.includes(name);
+          } catch {
+            return false;
+          }
+        }).map((project) => project.id);
+        const targetProjectIds = affectedProjectIds.length > 0 ? affectedProjectIds : [null];
+        const createdAt = (/* @__PURE__ */ new Date()).toISOString();
+        opts.db.insert(auditLog).values(targetProjectIds.map((projectId) => ({
+          id: crypto17.randomUUID(),
+          projectId,
+          actor: "api",
+          action: existing ? "provider.updated" : "provider.created",
+          entityType: "provider",
+          entityId: name,
+          diff,
+          createdAt
+        }))).run();
+      }
       return {
         name,
         model: entry?.model,