@ainyc/canonry 1.21.1 → 1.24.0

package/dist/{chunk-2JBQ7NMO.js → chunk-Q5REKIL6.js}

@@ -170,7 +170,7 @@ function trackEvent(event, properties) {
 
 // src/server.ts
 import { createRequire as createRequire2 } from "module";
-import crypto19 from "crypto";
+import crypto21 from "crypto";
 import fs5 from "fs";
 import path6 from "path";
 import { fileURLToPath } from "url";
@@ -711,6 +711,37 @@ function categoryLabel(category) {
   return CATEGORY_LABELS[category];
 }
 
+// ../contracts/src/ga.ts
+import { z as z9 } from "zod";
+var ga4ConnectionDtoSchema = z9.object({
+  id: z9.string(),
+  projectId: z9.string(),
+  propertyId: z9.string(),
+  clientEmail: z9.string(),
+  connected: z9.boolean(),
+  createdAt: z9.string(),
+  updatedAt: z9.string()
+});
+var ga4TrafficSnapshotDtoSchema = z9.object({
+  date: z9.string(),
+  landingPage: z9.string(),
+  sessions: z9.number(),
+  organicSessions: z9.number(),
+  users: z9.number()
+});
+var ga4TrafficSummaryDtoSchema = z9.object({
+  totalSessions: z9.number(),
+  totalOrganicSessions: z9.number(),
+  totalUsers: z9.number(),
+  topPages: z9.array(z9.object({
+    landingPage: z9.string(),
+    sessions: z9.number(),
+    organicSessions: z9.number(),
+    users: z9.number()
+  })),
+  lastSyncedAt: z9.string().nullable()
+});
+
 // ../api-routes/src/auth.ts
 import crypto2 from "crypto";
 import { eq } from "drizzle-orm";
@@ -730,6 +761,8 @@ __export(schema_exports, {
   bingKeywordStats: () => bingKeywordStats,
   bingUrlInspections: () => bingUrlInspections,
   competitors: () => competitors,
+  gaConnections: () => gaConnections,
+  gaTrafficSnapshots: () => gaTrafficSnapshots,
   googleConnections: () => googleConnections,
   gscCoverageSnapshots: () => gscCoverageSnapshots,
   gscSearchData: () => gscSearchData,
@@ -970,6 +1003,30 @@ var bingKeywordStats = sqliteTable("bing_keyword_stats", {
   index("idx_bing_keyword_project").on(table.projectId),
   index("idx_bing_keyword_query").on(table.query)
 ]);
+var gaConnections = sqliteTable("ga_connections", {
+  id: text("id").primaryKey(),
+  projectId: text("project_id").notNull().references(() => projects.id, { onDelete: "cascade" }),
+  propertyId: text("property_id").notNull(),
+  clientEmail: text("client_email").notNull(),
+  privateKey: text("private_key").notNull(),
+  createdAt: text("created_at").notNull(),
+  updatedAt: text("updated_at").notNull()
+}, (table) => [
+  uniqueIndex("idx_ga_conn_project").on(table.projectId)
+]);
+var gaTrafficSnapshots = sqliteTable("ga_traffic_snapshots", {
+  id: text("id").primaryKey(),
+  projectId: text("project_id").notNull().references(() => projects.id, { onDelete: "cascade" }),
+  date: text("date").notNull(),
+  landingPage: text("landing_page").notNull(),
+  sessions: integer("sessions").notNull().default(0),
+  organicSessions: integer("organic_sessions").notNull().default(0),
+  users: integer("users").notNull().default(0),
+  syncedAt: text("synced_at").notNull()
+}, (table) => [
+  index("idx_ga_traffic_project_date").on(table.projectId, table.date),
+  index("idx_ga_traffic_page").on(table.landingPage)
+]);
 var usageCounters = sqliteTable("usage_counters", {
   id: text("id").primaryKey(),
   scope: text("scope").notNull(),
@@ -1247,7 +1304,31 @@ var MIGRATIONS = [
     created_at       TEXT NOT NULL
   )`,
   `CREATE INDEX IF NOT EXISTS idx_bing_keyword_project ON bing_keyword_stats(project_id)`,
-  `CREATE INDEX IF NOT EXISTS idx_bing_keyword_query ON bing_keyword_stats(query)`
+  `CREATE INDEX IF NOT EXISTS idx_bing_keyword_query ON bing_keyword_stats(query)`,
+  // v13: Google Analytics 4 — ga_connections table (service account auth)
+  `CREATE TABLE IF NOT EXISTS ga_connections (
+    id            TEXT PRIMARY KEY,
+    project_id    TEXT NOT NULL REFERENCES projects(id) ON DELETE CASCADE,
+    property_id   TEXT NOT NULL,
+    client_email  TEXT NOT NULL,
+    private_key   TEXT NOT NULL,
+    created_at    TEXT NOT NULL,
+    updated_at    TEXT NOT NULL
+  )`,
+  `CREATE UNIQUE INDEX IF NOT EXISTS idx_ga_conn_project ON ga_connections(project_id)`,
+  // v13: Google Analytics 4 — ga_traffic_snapshots table
+  `CREATE TABLE IF NOT EXISTS ga_traffic_snapshots (
+    id               TEXT PRIMARY KEY,
+    project_id       TEXT NOT NULL REFERENCES projects(id) ON DELETE CASCADE,
+    date             TEXT NOT NULL,
+    landing_page     TEXT NOT NULL,
+    sessions         INTEGER NOT NULL DEFAULT 0,
+    organic_sessions INTEGER NOT NULL DEFAULT 0,
+    users            INTEGER NOT NULL DEFAULT 0,
+    synced_at        TEXT NOT NULL
+  )`,
+  `CREATE INDEX IF NOT EXISTS idx_ga_traffic_project_date ON ga_traffic_snapshots(project_id, date)`,
+  `CREATE INDEX IF NOT EXISTS idx_ga_traffic_page ON ga_traffic_snapshots(landing_page)`
 ];
 function migrate(db) {
   const statements = MIGRATION_SQL.split(";").map((s) => s.trim()).filter((s) => s.length > 0);
@@ -4639,6 +4720,105 @@ var routeCatalog = [
       400: { description: "Bing is not configured for this project." },
       404: { description: "Project not found." }
     }
+  },
+  // GA4 routes
+  {
+    method: "post",
+    path: "/api/v1/projects/{name}/ga/connect",
+    summary: "Connect Google Analytics 4 via service account",
+    tags: ["ga4"],
+    parameters: [nameParameter],
+    requestBody: {
+      required: true,
+      content: {
+        "application/json": {
+          schema: {
+            type: "object",
+            required: ["propertyId", "keyJson"],
+            properties: {
+              propertyId: stringSchema,
+              keyJson: stringSchema
+            }
+          }
+        }
+      }
+    },
+    responses: {
+      200: { description: "GA4 connection established." },
+      400: { description: "Invalid GA4 connection request." },
+      404: { description: "Project not found." }
+    }
+  },
+  {
+    method: "delete",
+    path: "/api/v1/projects/{name}/ga/disconnect",
+    summary: "Disconnect Google Analytics 4",
+    tags: ["ga4"],
+    parameters: [nameParameter],
+    responses: {
+      204: { description: "GA4 connection deleted." },
+      404: { description: "Project or connection not found." }
+    }
+  },
+  {
+    method: "get",
+    path: "/api/v1/projects/{name}/ga/status",
+    summary: "Get GA4 connection status",
+    tags: ["ga4"],
+    parameters: [nameParameter],
+    responses: {
+      200: { description: "GA4 status returned." },
+      404: { description: "Project not found." }
+    }
+  },
+  {
+    method: "post",
+    path: "/api/v1/projects/{name}/ga/sync",
+    summary: "Sync GA4 traffic data",
+    tags: ["ga4"],
+    parameters: [nameParameter],
+    requestBody: {
+      required: false,
+      content: {
+        "application/json": {
+          schema: {
+            type: "object",
+            properties: {
+              days: integerSchema
+            }
+          }
+        }
+      }
+    },
+    responses: {
+      200: { description: "GA4 sync completed." },
+      400: { description: "GA4 is not connected." },
+      404: { description: "Project not found." }
+    }
+  },
+  {
+    method: "get",
+    path: "/api/v1/projects/{name}/ga/traffic",
+    summary: "Get GA4 landing page traffic",
+    tags: ["ga4"],
+    parameters: [nameParameter, limitQueryParameter],
+    responses: {
+      200: { description: "GA4 traffic data returned." },
+      400: { description: "GA4 is not connected." },
+      404: { description: "Project not found." }
+    }
+  },
+  {
+    method: "get",
+    path: "/api/v1/projects/{name}/ga/coverage",
+    summary: "Get GA4 page coverage with traffic overlay",
+    tags: ["ga4"],
+    parameters: [nameParameter],
+    responses: {
+      200: { description: "GA4 coverage data returned." },
+      400: { description: "GA4 is not connected." },
+      404: { description: "Project not found." }
+    }
   }
 ];
 function buildOpenApiDocument(info = {}) {
@@ -5221,6 +5401,11 @@ async function refreshAccessToken(clientId, clientSecret, currentRefreshToken) {
 }
 
 // ../integration-google/src/gsc-client.ts
+function gscClientLog(level, action, ctx) {
+  const entry = { ts: (/* @__PURE__ */ new Date()).toISOString(), level, module: "GscClient", action, ...ctx };
+  const stream = level === "error" ? process.stderr : process.stdout;
+  stream.write(JSON.stringify(entry) + "\n");
+}
 async function gscFetch(accessToken, url, opts) {
   const method = opts?.method ?? "GET";
   const headers = {
@@ -5233,13 +5418,18 @@ async function gscFetch(accessToken, url, opts) {
     body: opts?.body != null ? JSON.stringify(opts.body) : void 0
   });
   if (res.status === 401) {
+    const body = await res.text().catch(() => "");
+    gscClientLog("error", "http.auth-expired", { url, method, httpStatus: 401, responseBody: body });
     throw new GoogleApiError("Access token expired or revoked", 401);
   }
   if (res.status === 429) {
+    const body = await res.text().catch(() => "");
+    gscClientLog("error", "http.rate-limited", { url, method, httpStatus: 429, responseBody: body });
     throw new GoogleApiError("Google API rate limit exceeded", 429);
   }
   if (!res.ok) {
     const body = await res.text();
+    gscClientLog("error", "http.error", { url, method, httpStatus: res.status, responseBody: body });
     throw new GoogleApiError(`GSC API error (${res.status}): ${body}`, res.status);
   }
   return await res.json();
@@ -6045,6 +6235,11 @@ var BingApiError = class extends Error {
 };
 
 // ../integration-bing/src/bing-client.ts
+function bingClientLog(level, action, ctx) {
+  const entry = { ts: (/* @__PURE__ */ new Date()).toISOString(), level, module: "BingClient", action, ...ctx };
+  const stream = level === "error" ? process.stderr : process.stdout;
+  stream.write(JSON.stringify(entry) + "\n");
+}
 async function bingFetch(apiKey, endpoint, opts) {
   const method = opts?.method ?? "GET";
   const separator = endpoint.includes("?") ? "&" : "?";
@@ -6058,13 +6253,18 @@ async function bingFetch(apiKey, endpoint, opts) {
     body: opts?.body != null ? JSON.stringify(opts.body) : void 0
   });
   if (res.status === 401 || res.status === 403) {
+    const body = await res.text().catch(() => "");
+    bingClientLog("error", "http.auth-failed", { endpoint, method, httpStatus: res.status, responseBody: body });
     throw new BingApiError("Bing API key is invalid or unauthorized", res.status);
   }
   if (res.status === 429) {
+    const body = await res.text().catch(() => "");
+    bingClientLog("error", "http.rate-limited", { endpoint, method, httpStatus: 429, responseBody: body });
     throw new BingApiError("Bing API rate limit exceeded", 429);
   }
   if (!res.ok) {
     const body = await res.text();
+    bingClientLog("error", "http.error", { endpoint, method, httpStatus: res.status, responseBody: body });
     throw new BingApiError(`Bing API error (${res.status}): ${body}`, res.status);
   }
   const text2 = await res.text();
@@ -6112,6 +6312,11 @@ async function getKeywordStats(apiKey, siteUrl) {
 }
 
 // ../api-routes/src/bing.ts
+function bingLog(level, action, ctx) {
+  const entry = { ts: (/* @__PURE__ */ new Date()).toISOString(), level, module: "BingRoutes", action, ...ctx };
+  const stream = level === "error" ? process.stderr : process.stdout;
+  stream.write(JSON.stringify(entry) + "\n");
+}
 async function bingRoutes(app, opts) {
   function requireConnectionStore(reply) {
     if (opts.bingConnectionStore) return opts.bingConnectionStore;
@@ -6140,8 +6345,10 @@ async function bingRoutes(app, opts) {
     let sites;
     try {
       sites = await getSites(apiKey);
+      bingLog("info", "connect.verify-key", { domain: project.canonicalDomain, siteCount: sites.length });
     } catch (e) {
       const msg = e instanceof Error ? e.message : String(e);
+      bingLog("error", "connect.verify-key-failed", { domain: project.canonicalDomain, error: msg });
       const err = validationError(`Failed to verify Bing API key: ${msg}`);
       return reply.status(err.statusCode).send(err.toJSON());
     }
@@ -6307,7 +6514,15 @@ async function bingRoutes(app, opts) {
       const err = validationError("url is required");
       return reply.status(err.statusCode).send(err.toJSON());
     }
-    const result = await getUrlInfo(conn.apiKey, conn.siteUrl, url);
+    let result;
+    try {
+      result = await getUrlInfo(conn.apiKey, conn.siteUrl, url);
+      bingLog("info", "inspect-url.result", { domain: project.canonicalDomain, url, httpCode: result.HttpCode ?? null, inIndex: result.InIndex ?? null, lastCrawledDate: result.LastCrawledDate ?? null });
+    } catch (e) {
+      const msg = e instanceof Error ? e.message : String(e);
+      bingLog("error", "inspect-url.failed", { domain: project.canonicalDomain, url, error: msg });
+      throw e;
+    }
     const now = (/* @__PURE__ */ new Date()).toISOString();
     const id = crypto14.randomUUID();
     app.db.insert(bingUrlInspections).values({
@@ -6371,6 +6586,7 @@ async function bingRoutes(app, opts) {
       return reply.status(err.statusCode).send(err.toJSON());
     }
     const results = [];
+    bingLog("info", "index-submit.start", { domain: project.canonicalDomain, siteUrl: conn.siteUrl, urlCount: urlsToSubmit.length, allUnindexed: !!request.body?.allUnindexed });
     if (urlsToSubmit.length > 1) {
       for (let i = 0; i < urlsToSubmit.length; i += BING_SUBMIT_URL_BATCH_LIMIT) {
         const batch = urlsToSubmit.slice(i, i + BING_SUBMIT_URL_BATCH_LIMIT);
@@ -6380,12 +6596,14 @@ async function bingRoutes(app, opts) {
           for (const url of batch) {
             results.push({ url, status: "success", submittedAt: now });
           }
+          bingLog("info", "index-submit.batch-ok", { domain: project.canonicalDomain, batchSize: batch.length, urls: batch });
         } catch (e) {
           const msg = e instanceof Error ? e.message : String(e);
           const now = (/* @__PURE__ */ new Date()).toISOString();
           for (const url of batch) {
             results.push({ url, status: "error", submittedAt: now, error: msg });
           }
+          bingLog("error", "index-submit.batch-failed", { domain: project.canonicalDomain, batchSize: batch.length, urls: batch, error: msg });
         }
       }
     } else {
@@ -6393,13 +6611,16 @@ async function bingRoutes(app, opts) {
       try {
         await submitUrl(conn.apiKey, conn.siteUrl, url);
         results.push({ url, status: "success", submittedAt: (/* @__PURE__ */ new Date()).toISOString() });
+        bingLog("info", "index-submit.ok", { domain: project.canonicalDomain, url });
       } catch (e) {
         const msg = e instanceof Error ? e.message : String(e);
         results.push({ url, status: "error", submittedAt: (/* @__PURE__ */ new Date()).toISOString(), error: msg });
+        bingLog("error", "index-submit.failed", { domain: project.canonicalDomain, url, error: msg });
       }
     }
     const succeeded = results.filter((r) => r.status === "success").length;
     const failed = results.filter((r) => r.status === "error").length;
+    bingLog("info", "index-submit.complete", { domain: project.canonicalDomain, total: results.length, succeeded, failed });
     return {
       summary: { total: results.length, succeeded, failed },
       results
@@ -6598,6 +6819,439 @@ async function cdpRoutes(app, opts) {
   );
 }
 
+// ../api-routes/src/ga.ts
+import crypto16 from "crypto";
+import { eq as eq16, desc as desc6, and as and6, sql as sql3 } from "drizzle-orm";
+
+// ../integration-google-analytics/src/ga4-client.ts
+import crypto15 from "crypto";
+
+// ../integration-google-analytics/src/constants.ts
+var GA4_DATA_API_BASE = "https://analyticsdata.googleapis.com/v1beta";
+var GA4_SCOPE = "https://www.googleapis.com/auth/analytics.readonly";
+var GOOGLE_TOKEN_URL2 = "https://oauth2.googleapis.com/token";
+var GA4_DEFAULT_SYNC_DAYS = 30;
+var GA4_MAX_SYNC_DAYS = 90;
+
+// ../integration-google-analytics/src/types.ts
+var GA4ApiError = class extends Error {
+  status;
+  constructor(message, status) {
+    super(message);
+    this.name = "GA4ApiError";
+    this.status = status;
+  }
+};
+
+// ../integration-google-analytics/src/ga4-client.ts
+function ga4Log(level, action, ctx) {
+  const entry = { ts: (/* @__PURE__ */ new Date()).toISOString(), level, module: "GA4Client", action, ...ctx };
+  const stream = level === "error" ? process.stderr : process.stdout;
+  stream.write(JSON.stringify(entry) + "\n");
+}
+function createServiceAccountJwt(clientEmail, privateKey, scope) {
+  const now = Math.floor(Date.now() / 1e3);
+  const header = { alg: "RS256", typ: "JWT" };
+  const payload = {
+    iss: clientEmail,
+    scope,
+    aud: GOOGLE_TOKEN_URL2,
+    iat: now,
+    exp: now + 3600
+    // 1 hour
+  };
+  const encode = (obj) => Buffer.from(JSON.stringify(obj)).toString("base64url");
+  const headerB64 = encode(header);
+  const payloadB64 = encode(payload);
+  const signingInput = `${headerB64}.${payloadB64}`;
+  const sign = crypto15.createSign("RSA-SHA256");
+  sign.update(signingInput);
+  const signature = sign.sign(privateKey, "base64url");
+  return `${signingInput}.${signature}`;
+}
+async function getAccessToken(clientEmail, privateKey) {
+  const jwt = createServiceAccountJwt(clientEmail, privateKey, GA4_SCOPE);
+  const res = await fetch(GOOGLE_TOKEN_URL2, {
+    method: "POST",
+    headers: { "Content-Type": "application/x-www-form-urlencoded" },
+    body: new URLSearchParams({
+      grant_type: "urn:ietf:params:oauth:grant-type:jwt-bearer",
+      assertion: jwt
+    })
+  });
+  if (!res.ok) {
+    const body = await res.text().catch(() => "");
+    ga4Log("error", "token.failed", { httpStatus: res.status, responseBody: body });
+    throw new GA4ApiError(`Failed to get access token: ${body}`, res.status);
+  }
+  const data = await res.json();
+  return data.access_token;
+}
+async function runReport(accessToken, propertyId, request) {
+  const url = `${GA4_DATA_API_BASE}/properties/${propertyId}:runReport`;
+  const res = await fetch(url, {
+    method: "POST",
+    headers: {
+      "Authorization": `Bearer ${accessToken}`,
+      "Content-Type": "application/json"
+    },
+    body: JSON.stringify(request)
+  });
+  if (res.status === 401 || res.status === 403) {
+    const body = await res.text().catch(() => "");
+    let detail = "";
+    try {
+      const parsed = JSON.parse(body);
+      if (parsed.error?.status === "SERVICE_DISABLED") {
+        detail = " The Google Analytics Data API is not enabled for this GCP project. Enable it at: https://console.developers.google.com/apis/api/analyticsdata.googleapis.com/overview";
+      } else if (parsed.error?.message) {
+        detail = ` ${parsed.error.message}`;
+      }
+    } catch {
+      if (body.length < 200) detail = ` ${body}`;
+    }
+    ga4Log("error", "report.auth-failed", { propertyId, httpStatus: res.status, responseBody: body });
+    throw new GA4ApiError(
+      `GA4 API authentication failed \u2014 check service account permissions.${detail}`,
+      res.status
+    );
+  }
+  if (res.status === 429) {
+    ga4Log("error", "report.rate-limited", { propertyId });
+    throw new GA4ApiError("GA4 API rate limit exceeded", 429);
+  }
+  if (!res.ok) {
+    const body = await res.text();
+    ga4Log("error", "report.error", { propertyId, httpStatus: res.status, responseBody: body });
+    throw new GA4ApiError(`GA4 API error (${res.status}): ${body}`, res.status);
+  }
+  return await res.json();
+}
+function formatDate(d) {
+  return d.toISOString().split("T")[0];
+}
+async function fetchTrafficByLandingPage(accessToken, propertyId, days) {
+  const syncDays = Math.min(Math.max(1, days ?? GA4_DEFAULT_SYNC_DAYS), GA4_MAX_SYNC_DAYS);
+  const endDate = /* @__PURE__ */ new Date();
+  const startDate = /* @__PURE__ */ new Date();
+  startDate.setDate(startDate.getDate() - syncDays);
+  ga4Log("info", "fetch-traffic.start", { propertyId, days: syncDays });
+  const PAGE_SIZE = 1e4;
+  const rows = [];
+  let offset = 0;
+  while (true) {
+    const request = {
+      dateRanges: [{ startDate: formatDate(startDate), endDate: formatDate(endDate) }],
+      dimensions: [
+        { name: "date" },
+        { name: "landingPagePlusQueryString" }
+      ],
+      metrics: [
+        { name: "sessions" },
+        { name: "totalUsers" }
+      ],
+      limit: PAGE_SIZE,
+      offset
+    };
+    const response = await runReport(accessToken, propertyId, request);
+    const pageRows = (response.rows ?? []).map((row) => ({
+      date: row.dimensionValues[0].value,
+      landingPage: row.dimensionValues[1].value,
+      sessions: parseInt(row.metricValues[0].value, 10) || 0,
+      organicSessions: 0,
+      // populated by organic-only pass below
+      users: parseInt(row.metricValues[1].value, 10) || 0
+    }));
+    rows.push(...pageRows);
+    const totalRows = response.rowCount ?? 0;
+    offset += pageRows.length;
+    if (pageRows.length < PAGE_SIZE || offset >= totalRows) break;
+  }
+  const organicMap = /* @__PURE__ */ new Map();
+  let organicOffset = 0;
+  while (true) {
+    const organicRequest = {
+      dateRanges: [{ startDate: formatDate(startDate), endDate: formatDate(endDate) }],
+      dimensions: [{ name: "date" }, { name: "landingPagePlusQueryString" }],
+      metrics: [{ name: "sessions" }],
+      dimensionFilter: {
+        filter: {
+          fieldName: "sessionDefaultChannelGrouping",
+          stringFilter: { matchType: "EXACT", value: "Organic Search" }
+        }
+      },
+      limit: 1e4,
+      offset: organicOffset
+    };
+    const organicResponse = await runReport(accessToken, propertyId, organicRequest);
+    for (const row of organicResponse.rows ?? []) {
+      const key = `${row.dimensionValues[0].value}::${row.dimensionValues[1].value}`;
+      organicMap.set(key, parseInt(row.metricValues[0].value, 10) || 0);
+    }
+    const total = organicResponse.rowCount ?? 0;
+    organicOffset += (organicResponse.rows ?? []).length;
+    if ((organicResponse.rows ?? []).length < 1e4 || organicOffset >= total) break;
+  }
+  for (const row of rows) {
+    const key = `${row.date}::${row.landingPage}`;
+    row.organicSessions = organicMap.get(key) ?? 0;
+  }
+  for (const row of rows) {
+    if (row.date.length === 8 && !row.date.includes("-")) {
+      row.date = `${row.date.slice(0, 4)}-${row.date.slice(4, 6)}-${row.date.slice(6, 8)}`;
+    }
+  }
+  ga4Log("info", "fetch-traffic.done", { propertyId, rowCount: rows.length });
+  return rows;
+}
+async function verifyConnection(clientEmail, privateKey, propertyId) {
+  const accessToken = await getAccessToken(clientEmail, privateKey);
+  const endDate = /* @__PURE__ */ new Date();
+  const startDate = /* @__PURE__ */ new Date();
+  startDate.setDate(startDate.getDate() - 1);
+  await runReport(accessToken, propertyId, {
+    dateRanges: [{ startDate: formatDate(startDate), endDate: formatDate(endDate) }],
+    dimensions: [{ name: "date" }],
+    metrics: [{ name: "sessions" }],
+    limit: 1
+  });
+  return true;
+}
+
+// ../api-routes/src/ga.ts
+function gaLog(level, action, ctx) {
+  const entry = { ts: (/* @__PURE__ */ new Date()).toISOString(), level, module: "GA4Routes", action, ...ctx };
+  const stream = level === "error" ? process.stderr : process.stdout;
+  stream.write(JSON.stringify(entry) + "\n");
+}
+async function ga4Routes(app, opts) {
+  function requireCredentialStore(reply) {
+    if (opts.ga4CredentialStore) return opts.ga4CredentialStore;
+    const err = validationError("GA4 credential storage is not configured for this deployment");
+    reply.status(err.statusCode).send(err.toJSON());
+    return null;
+  }
+  app.post("/projects/:name/ga/connect", async (request, reply) => {
+    const store = requireCredentialStore(reply);
+    if (!store) return;
+    const project = resolveProject(app.db, request.params.name);
+    const { propertyId, keyJson } = request.body ?? {};
+    if (!propertyId || typeof propertyId !== "string") {
+      const err = validationError("propertyId is required");
+      return reply.status(err.statusCode).send(err.toJSON());
+    }
+    let clientEmail;
+    let privateKey;
+    if (keyJson && typeof keyJson === "string") {
+      try {
+        const parsed = JSON.parse(keyJson);
+        if (!parsed.client_email || !parsed.private_key) {
+          const err = validationError("Service account JSON must contain client_email and private_key");
+          return reply.status(err.statusCode).send(err.toJSON());
+        }
+        clientEmail = parsed.client_email;
+        privateKey = parsed.private_key;
+      } catch {
+        const err = validationError("Invalid JSON in keyJson");
+        return reply.status(err.statusCode).send(err.toJSON());
+      }
+    } else {
+      const err = validationError("keyJson is required");
+      return reply.status(err.statusCode).send(err.toJSON());
+    }
+    try {
+      await verifyConnection(clientEmail, privateKey, propertyId);
+      gaLog("info", "connect.verified", { projectId: project.id, propertyId });
+    } catch (e) {
+      const msg = e instanceof Error ? e.message : String(e);
+      gaLog("error", "connect.verify-failed", { projectId: project.id, propertyId, error: msg });
+      const err = validationError(`Failed to verify GA4 credentials: ${msg}`);
+      return reply.status(err.statusCode).send(err.toJSON());
+    }
+    const now = (/* @__PURE__ */ new Date()).toISOString();
+    const existing = store.getConnection(project.name);
+    store.upsertConnection({
+      projectName: project.name,
+      propertyId,
+      clientEmail,
+      privateKey,
+      createdAt: existing?.createdAt ?? now,
+      updatedAt: now
+    });
+    writeAuditLog(app.db, {
+      projectId: project.id,
+      actor: "api",
+      action: "ga4.connected",
+      entityType: "ga_connection",
+      entityId: propertyId
+    });
+    return {
+      connected: true,
+      propertyId,
+      clientEmail
+    };
+  });
+  app.delete("/projects/:name/ga/disconnect", async (request, reply) => {
+    const store = requireCredentialStore(reply);
+    if (!store) return;
+    const project = resolveProject(app.db, request.params.name);
+    const conn = store.getConnection(project.name);
+    if (!conn) {
+      const err = notFound("GA4 connection", project.name);
+      return reply.status(err.statusCode).send(err.toJSON());
+    }
+    app.db.delete(gaTrafficSnapshots).where(eq16(gaTrafficSnapshots.projectId, project.id)).run();
+    store.deleteConnection(project.name);
+    writeAuditLog(app.db, {
+      projectId: project.id,
+      actor: "api",
+      action: "ga4.disconnected",
+      entityType: "ga_connection",
+      entityId: conn.propertyId
+    });
+    return reply.status(204).send();
+  });
+  app.get("/projects/:name/ga/status", async (request, reply) => {
+    const store = requireCredentialStore(reply);
+    if (!store) return;
+    const project = resolveProject(app.db, request.params.name);
+    const conn = store.getConnection(project.name);
+    if (!conn) {
+      return { connected: false, propertyId: null, clientEmail: null, lastSyncedAt: null };
+    }
+    const latestSync = app.db.select({ syncedAt: gaTrafficSnapshots.syncedAt }).from(gaTrafficSnapshots).where(eq16(gaTrafficSnapshots.projectId, project.id)).orderBy(desc6(gaTrafficSnapshots.syncedAt)).limit(1).get();
+    return {
+      connected: true,
+      propertyId: conn.propertyId,
+      clientEmail: conn.clientEmail,
+      lastSyncedAt: latestSync?.syncedAt ?? null,
+      createdAt: conn.createdAt,
+      updatedAt: conn.updatedAt
+    };
+  });
+  app.post("/projects/:name/ga/sync", async (request, reply) => {
+    const store = requireCredentialStore(reply);
+    if (!store) return;
+    const project = resolveProject(app.db, request.params.name);
+    const conn = store.getConnection(project.name);
+    if (!conn) {
+      const err = validationError('No GA4 connection found. Run "canonry ga connect <project>" first.');
+      return reply.status(err.statusCode).send(err.toJSON());
+    }
+    const days = request.body?.days ?? 30;
+    let accessToken;
+    try {
+      accessToken = await getAccessToken(conn.clientEmail, conn.privateKey);
+    } catch (e) {
+      const msg = e instanceof Error ? e.message : String(e);
+      gaLog("error", "sync.auth-failed", { projectId: project.id, error: msg });
+      const err = validationError(`GA4 authentication failed: ${msg}`);
+      return reply.status(err.statusCode).send(err.toJSON());
+    }
+    let rows;
+    try {
+      rows = await fetchTrafficByLandingPage(accessToken, conn.propertyId, days);
+    } catch (e) {
+      const msg = e instanceof Error ? e.message : String(e);
+      gaLog("error", "sync.fetch-failed", { projectId: project.id, error: msg });
+      throw e;
+    }
+    const now = (/* @__PURE__ */ new Date()).toISOString();
+    if (rows.length > 0) {
+      const dates = rows.map((r) => r.date);
+      const minDate = dates.reduce((a, b) => a < b ? a : b);
+      const maxDate = dates.reduce((a, b) => a > b ? a : b);
+      app.db.transaction((tx) => {
+        tx.delete(gaTrafficSnapshots).where(
+          and6(
+            eq16(gaTrafficSnapshots.projectId, project.id),
+            sql3`${gaTrafficSnapshots.date} >= ${minDate}`,
+            sql3`${gaTrafficSnapshots.date} <= ${maxDate}`
+          )
+        ).run();
+        for (const row of rows) {
+          tx.insert(gaTrafficSnapshots).values({
+            id: crypto16.randomUUID(),
+            projectId: project.id,
+            date: row.date,
+            landingPage: row.landingPage,
+            sessions: row.sessions,
+            organicSessions: row.organicSessions,
+            users: row.users,
+            syncedAt: now
+          }).run();
+        }
+      });
+    }
+    gaLog("info", "sync.complete", { projectId: project.id, rowCount: rows.length, days });
+    return {
+      synced: true,
+      rowCount: rows.length,
+      days,
+      syncedAt: now
+    };
+  });
+  app.get("/projects/:name/ga/traffic", async (request, reply) => {
+    const store = requireCredentialStore(reply);
+    if (!store) return;
+    const project = resolveProject(app.db, request.params.name);
+    const conn = store.getConnection(project.name);
+    if (!conn) {
+      const err = validationError('No GA4 connection found. Run "canonry ga connect <project>" first.');
+      return reply.status(err.statusCode).send(err.toJSON());
+    }
+    const limit = Math.max(1, Math.min(parseInt(request.query.limit ?? "50", 10) || 50, 500));
+    const totals = app.db.select({
+      totalSessions: sql3`SUM(${gaTrafficSnapshots.sessions})`,
+      totalOrganicSessions: sql3`SUM(${gaTrafficSnapshots.organicSessions})`,
+      totalUsers: sql3`SUM(${gaTrafficSnapshots.users})`
+    }).from(gaTrafficSnapshots).where(eq16(gaTrafficSnapshots.projectId, project.id)).get();
+    const rows = app.db.select({
+      landingPage: gaTrafficSnapshots.landingPage,
+      sessions: sql3`SUM(${gaTrafficSnapshots.sessions})`,
+      organicSessions: sql3`SUM(${gaTrafficSnapshots.organicSessions})`,
+      users: sql3`SUM(${gaTrafficSnapshots.users})`
+    }).from(gaTrafficSnapshots).where(eq16(gaTrafficSnapshots.projectId, project.id)).groupBy(gaTrafficSnapshots.landingPage).orderBy(sql3`SUM(${gaTrafficSnapshots.sessions}) DESC`).limit(limit).all();
+    const latestSync = app.db.select({ syncedAt: gaTrafficSnapshots.syncedAt }).from(gaTrafficSnapshots).where(eq16(gaTrafficSnapshots.projectId, project.id)).orderBy(desc6(gaTrafficSnapshots.syncedAt)).limit(1).get();
+    return {
+      totalSessions: totals?.totalSessions ?? 0,
+      totalOrganicSessions: totals?.totalOrganicSessions ?? 0,
+      totalUsers: totals?.totalUsers ?? 0,
+      topPages: rows.map((r) => ({
+        landingPage: r.landingPage,
+        sessions: r.sessions ?? 0,
+        organicSessions: r.organicSessions ?? 0,
+        users: r.users ?? 0
+      })),
+      lastSyncedAt: latestSync?.syncedAt ?? null
+    };
+  });
+  app.get("/projects/:name/ga/coverage", async (request, reply) => {
+    const store = requireCredentialStore(reply);
+    if (!store) return;
+    const project = resolveProject(app.db, request.params.name);
+    const conn = store.getConnection(project.name);
+    if (!conn) {
+      const err = validationError('No GA4 connection found. Run "canonry ga connect <project>" first.');
+      return reply.status(err.statusCode).send(err.toJSON());
+    }
+    const trafficPages = app.db.select({
+      landingPage: gaTrafficSnapshots.landingPage,
+      sessions: sql3`SUM(${gaTrafficSnapshots.sessions})`,
+      organicSessions: sql3`SUM(${gaTrafficSnapshots.organicSessions})`,
+      users: sql3`SUM(${gaTrafficSnapshots.users})`
+    }).from(gaTrafficSnapshots).where(eq16(gaTrafficSnapshots.projectId, project.id)).groupBy(gaTrafficSnapshots.landingPage).orderBy(sql3`SUM(${gaTrafficSnapshots.sessions}) DESC`).all();
+    return {
+      pages: trafficPages.map((r) => ({
+        landingPage: r.landingPage,
+        sessions: r.sessions ?? 0,
+        organicSessions: r.organicSessions ?? 0,
+        users: r.users ?? 0
+      }))
+    };
+  });
+}
+
 // ../api-routes/src/index.ts
 async function apiRoutes(app, opts) {
   app.decorate("db", opts.db);
@@ -6686,6 +7340,9 @@ async function apiRoutes(app, opts) {
       onCdpScreenshot: opts.onCdpScreenshot,
       onCdpConfigure: opts.onCdpConfigure
     });
+    await api.register(ga4Routes, {
+      ga4CredentialStore: opts.ga4CredentialStore
+    });
   }, { prefix: opts.routePrefix ?? "/api/v1" });
 }
 
@@ -8517,12 +9174,84 @@ function removeGoogleConnection(config, domain, connectionType) {
   return true;
 }
 
+// src/ga4-config.ts
+function ensureConnections2(config) {
+  if (!config.ga4) config.ga4 = {};
+  if (!config.ga4.connections) config.ga4.connections = [];
+  return config.ga4.connections;
+}
+function getGa4Connection(config, projectName) {
+  return (config.ga4?.connections ?? []).find((c) => c.projectName === projectName);
+}
+function upsertGa4Connection(config, connection) {
+  const connections = ensureConnections2(config);
+  const index2 = connections.findIndex((c) => c.projectName === connection.projectName);
+  if (index2 === -1) {
+    connections.push(connection);
+    return connection;
+  }
+  connections[index2] = connection;
+  return connection;
+}
+function removeGa4Connection(config, projectName) {
+  const connections = config.ga4?.connections;
+  if (!connections?.length) return false;
+  const next = connections.filter((c) => c.projectName !== projectName);
+  if (next.length === connections.length) return false;
+  if (!config.ga4) return false;
+  config.ga4.connections = next;
+  if (next.length === 0) {
+    delete config.ga4;
+  }
+  return true;
+}
+
 // src/job-runner.ts
-import crypto15 from "crypto";
+import crypto17 from "crypto";
 import fs4 from "fs";
 import path5 from "path";
 import os4 from "os";
-import { and as and6, eq as eq16, inArray as inArray3 } from "drizzle-orm";
+import { and as and7, eq as eq17, inArray as inArray3 } from "drizzle-orm";
+
+// src/logger.ts
+var IS_TTY = process.stdout.isTTY === true;
+function formatTTY(entry) {
+  const { ts, level, module, action, msg, ...ctx } = entry;
+  const time = ts.slice(11, 19);
+  const levelTag = level === "error" ? "\x1B[31mERR\x1B[0m" : level === "warn" ? "\x1B[33mWRN\x1B[0m" : "\x1B[36mINF\x1B[0m";
+  const ctxParts = Object.entries(ctx).filter(([, v]) => v !== void 0 && v !== null).map(([k, v]) => `${k}=${typeof v === "string" ? v : JSON.stringify(v)}`).join(" ");
+  const msgPart = msg ? ` ${msg}` : "";
+  const ctxPart = ctxParts ? ` ${ctxParts}` : "";
+  return `${time} ${levelTag} [${module}] ${action}${msgPart}${ctxPart}`;
+}
+function emit(entry) {
+  const stream = entry.level === "error" ? process.stderr : process.stdout;
+  if (IS_TTY) {
+    stream.write(formatTTY(entry) + "\n");
+  } else {
+    stream.write(JSON.stringify(entry) + "\n");
+  }
+}
+function createLogger(module) {
+  function log7(level, action, ctx) {
+    const entry = {
+      ts: (/* @__PURE__ */ new Date()).toISOString(),
+      level,
+      module,
+      action,
+      ...ctx
+    };
+    emit(entry);
+  }
+  return {
+    info: (action, ctx) => log7("info", action, ctx),
+    warn: (action, ctx) => log7("warn", action, ctx),
+    error: (action, ctx) => log7("error", action, ctx)
+  };
+}
+
+// src/job-runner.ts
+var log = createLogger("JobRunner");
 var RunCancelledError = class extends Error {
   constructor(runId) {
     super(`Run ${runId} was cancelled`);
@@ -8604,8 +9333,8 @@ var JobRunner = class {
     if (stale.length === 0) return;
     const now = (/* @__PURE__ */ new Date()).toISOString();
     for (const run of stale) {
-      this.db.update(runs).set({ status: "failed", finishedAt: now, error: "Server restarted while run was in progress" }).where(eq16(runs.id, run.id)).run();
-      console.log(`[JobRunner] Recovered stale run ${run.id} (was ${run.status})`);
+      this.db.update(runs).set({ status: "failed", finishedAt: now, error: "Server restarted while run was in progress" }).where(eq17(runs.id, run.id)).run();
+      log.warn("run.recovered-stale", { runId: run.id, previousStatus: run.status });
     }
   }
   async executeRun(runId, projectId, providerOverride, locationOverride) {
@@ -8632,10 +9361,10 @@ var JobRunner = class {
         throw new Error(`Run ${runId} is not executable from status '${existingRun.status}'`);
       }
       if (existingRun.status === "queued") {
-        this.db.update(runs).set({ status: "running", startedAt: now }).where(and6(eq16(runs.id, runId), eq16(runs.status, "queued"))).run();
+        this.db.update(runs).set({ status: "running", startedAt: now }).where(and7(eq17(runs.id, runId), eq17(runs.status, "queued"))).run();
       }
       this.throwIfRunCancelled(runId);
-      const project = this.db.select().from(projects).where(eq16(projects.id, projectId)).get();
+      const project = this.db.select().from(projects).where(eq17(projects.id, projectId)).get();
       if (!project) {
         throw new Error(`Project ${projectId} not found`);
       }
@@ -8654,9 +9383,9 @@ var JobRunner = class {
       if (activeProviders.length === 0) {
         throw new Error("No providers configured. Add at least one provider API key.");
       }
-      console.log(`[JobRunner] Run ${runId}: dispatching to ${activeProviders.length} providers: ${activeProviders.map((p) => p.adapter.name).join(", ")}`);
-      projectKeywords = this.db.select().from(keywords).where(eq16(keywords.projectId, projectId)).all();
-      const projectCompetitors = this.db.select().from(competitors).where(eq16(competitors.projectId, projectId)).all();
+      log.info("run.dispatch", { runId, providerCount: activeProviders.length, providers: activeProviders.map((p) => p.adapter.name) });
+      projectKeywords = this.db.select().from(keywords).where(eq17(keywords.projectId, projectId)).all();
+      const projectCompetitors = this.db.select().from(competitors).where(eq17(competitors.projectId, projectId)).all();
       const competitorDomains = projectCompetitors.map((c) => c.domain);
       const allDomains = effectiveDomains({
         canonicalDomain: project.canonicalDomain,
@@ -8672,7 +9401,7 @@ var JobRunner = class {
       const todayPeriod = getCurrentUsageDay();
       for (const p of activeProviders) {
         const providerScope = `${projectId}:${p.adapter.name}`;
-        const providerUsage = this.db.select().from(usageCounters).where(eq16(usageCounters.scope, providerScope)).all().filter((r) => r.period === todayPeriod && r.metric === "queries").reduce((sum, r) => sum + r.count, 0);
+        const providerUsage = this.db.select().from(usageCounters).where(eq17(usageCounters.scope, providerScope)).all().filter((r) => r.period === todayPeriod && r.metric === "queries").reduce((sum, r) => sum + r.count, 0);
         const limit = p.config.quotaPolicy.maxRequestsPerDay;
         if (providerUsage + queriesPerProvider > limit) {
           throw new Error(
@@ -8716,12 +9445,12 @@ var JobRunner = class {
             );
             this.throwIfRunCancelled(runId);
             const normalized = adapter.normalizeResult(raw);
-            console.log(`[JobRunner] ${providerName}: "${kw.keyword}" citedDomains=${JSON.stringify(normalized.citedDomains)}, groundingSources=${JSON.stringify(normalized.groundingSources.map((s) => s.uri))}, domains=${JSON.stringify(allDomains)}`);
+            log.info("query.result", { runId, provider: providerName, keyword: kw.keyword, citedDomains: normalized.citedDomains, groundingSources: normalized.groundingSources.map((s) => s.uri), matchDomains: allDomains });
             const citationState = determineCitationState(normalized, allDomains);
             const overlap = computeCompetitorOverlap(normalized, competitorDomains);
             let screenshotRelPath = null;
             if (raw.screenshotPath && fs4.existsSync(raw.screenshotPath)) {
-              const snapshotId = crypto15.randomUUID();
+              const snapshotId = crypto17.randomUUID();
               const screenshotDir = path5.join(os4.homedir(), ".canonry", "screenshots", runId);
               if (!fs4.existsSync(screenshotDir)) fs4.mkdirSync(screenshotDir, { recursive: true });
               const destPath = path5.join(screenshotDir, `${snapshotId}.png`);
@@ -8749,7 +9478,7 @@ var JobRunner = class {
               }).run();
             } else {
               this.db.insert(querySnapshots).values({
-                id: crypto15.randomUUID(),
+                id: crypto17.randomUUID(),
                 runId,
                 keywordId: kw.id,
                 provider: providerName,
@@ -8769,14 +9498,15 @@ var JobRunner = class {
               }).run();
             }
             totalSnapshotsInserted++;
-            console.log(`[JobRunner] ${providerName}: keyword "${kw.keyword}" \u2192 ${citationState}`);
+            log.info("query.citation", { runId, provider: providerName, keyword: kw.keyword, citationState });
           });
         } catch (err) {
           if (err instanceof RunCancelledError) {
             throw err;
           }
           const msg = err instanceof Error ? err.message : String(err);
-          console.error(`[JobRunner] ${providerName}: keyword "${kw.keyword}" FAILED: ${msg}`);
+          const stack = err instanceof Error ? err.stack : void 0;
+          log.error("query.failed", { runId, provider: providerName, keyword: kw.keyword, error: msg, stack });
           if (!providerErrors.has(providerName)) {
             providerErrors.set(providerName, msg);
           }
@@ -8797,12 +9527,12 @@ var JobRunner = class {
       const someFailed = providerErrors.size > 0;
       if (allFailed) {
         const errorDetail = JSON.stringify(Object.fromEntries(providerErrors));
-        this.db.update(runs).set({ status: "failed", finishedAt: (/* @__PURE__ */ new Date()).toISOString(), error: errorDetail }).where(eq16(runs.id, runId)).run();
+        this.db.update(runs).set({ status: "failed", finishedAt: (/* @__PURE__ */ new Date()).toISOString(), error: errorDetail }).where(eq17(runs.id, runId)).run();
       } else if (someFailed) {
         const errorDetail = JSON.stringify(Object.fromEntries(providerErrors));
-        this.db.update(runs).set({ status: "partial", finishedAt: (/* @__PURE__ */ new Date()).toISOString(), error: errorDetail }).where(eq16(runs.id, runId)).run();
+        this.db.update(runs).set({ status: "partial", finishedAt: (/* @__PURE__ */ new Date()).toISOString(), error: errorDetail }).where(eq17(runs.id, runId)).run();
       } else {
-        this.db.update(runs).set({ status: "completed", finishedAt: (/* @__PURE__ */ new Date()).toISOString() }).where(eq16(runs.id, runId)).run();
+        this.db.update(runs).set({ status: "completed", finishedAt: (/* @__PURE__ */ new Date()).toISOString() }).where(eq17(runs.id, runId)).run();
       }
       this.flushProviderUsage(projectId, providerDispatchCounts);
       const finalStatus = allFailed ? "failed" : someFailed ? "partial" : "completed";
@@ -8817,7 +9547,7 @@ var JobRunner = class {
       this.incrementUsage(projectId, "runs", 1);
       if (this.onRunCompleted) {
         this.onRunCompleted(runId, projectId).catch((err) => {
-          console.error("[JobRunner] Notification callback failed:", err);
+          log.error("notification.callback-failed", { runId, error: err instanceof Error ? err.message : String(err) });
         });
       }
     } catch (err) {
@@ -8837,7 +9567,7 @@ var JobRunner = class {
         status: "failed",
         finishedAt: (/* @__PURE__ */ new Date()).toISOString(),
         error: errorMessage
-      }).where(eq16(runs.id, runId)).run();
+      }).where(eq17(runs.id, runId)).run();
       this.flushProviderUsage(projectId, providerDispatchCounts);
       trackEvent("run.completed", {
         status: "failed",
@@ -8857,10 +9587,10 @@ var JobRunner = class {
   incrementUsage(scope, metric, count) {
     const now = /* @__PURE__ */ new Date();
     const period = now.toISOString().slice(0, 10);
-    const id = crypto15.randomUUID();
-    const existing = this.db.select().from(usageCounters).where(eq16(usageCounters.scope, scope)).all().find((r) => r.period === period && r.metric === metric);
+    const id = crypto17.randomUUID();
+    const existing = this.db.select().from(usageCounters).where(eq17(usageCounters.scope, scope)).all().find((r) => r.period === period && r.metric === metric);
     if (existing) {
-      this.db.update(usageCounters).set({ count: existing.count + count, updatedAt: now.toISOString() }).where(eq16(usageCounters.id, existing.id)).run();
+      this.db.update(usageCounters).set({ count: existing.count + count, updatedAt: now.toISOString() }).where(eq17(usageCounters.id, existing.id)).run();
     } else {
       this.db.insert(usageCounters).values({
         id,
@@ -8883,7 +9613,7 @@ var JobRunner = class {
       status: runs.status,
       finishedAt: runs.finishedAt,
       error: runs.error
-    }).from(runs).where(eq16(runs.id, runId)).get();
+    }).from(runs).where(eq17(runs.id, runId)).get();
   }
   isRunCancelled(runId) {
     return this.getRunState(runId)?.status === "cancelled";
@@ -8899,7 +9629,7 @@ var JobRunner = class {
       this.db.update(runs).set({
         finishedAt: (/* @__PURE__ */ new Date()).toISOString(),
         error: currentRun.error ?? "Cancelled by user"
-      }).where(eq16(runs.id, runId)).run();
+      }).where(eq17(runs.id, runId)).run();
     }
     trackEvent("run.completed", {
       status: "cancelled",
@@ -8911,7 +9641,7 @@ var JobRunner = class {
     });
     if (this.onRunCompleted) {
       this.onRunCompleted(runId, projectId).catch((err) => {
-        console.error("[JobRunner] Notification callback failed:", err);
+        log.error("notification.callback-failed", { runId, error: err instanceof Error ? err.message : String(err) });
       });
     }
   }
@@ -8982,9 +9712,10 @@ function computeCompetitorOverlap(normalized, competitorDomains) {
 }
 
 // src/gsc-sync.ts
-import crypto16 from "crypto";
-import { eq as eq17, and as and7, sql as sql3 } from "drizzle-orm";
-function formatDate(d) {
+import crypto18 from "crypto";
+import { eq as eq18, and as and8, sql as sql4 } from "drizzle-orm";
+var log2 = createLogger("GscSync");
+function formatDate2(d) {
   return d.toISOString().split("T")[0];
 }
 function daysAgo(n) {
@@ -8994,13 +9725,13 @@ function daysAgo(n) {
 }
 async function executeGscSync(db, runId, projectId, opts) {
   const now = (/* @__PURE__ */ new Date()).toISOString();
-  db.update(runs).set({ status: "running", startedAt: now }).where(eq17(runs.id, runId)).run();
+  db.update(runs).set({ status: "running", startedAt: now }).where(eq18(runs.id, runId)).run();
   try {
     const { clientId: googleClientId, clientSecret: googleClientSecret } = getGoogleAuthConfig(opts.config);
     if (!googleClientId || !googleClientSecret) {
       throw new Error("Google OAuth is not configured in the local Canonry config");
     }
-    const project = db.select().from(projects).where(eq17(projects.id, projectId)).get();
+    const project = db.select().from(projects).where(eq18(projects.id, projectId)).get();
     if (!project) {
       throw new Error(`Project not found: ${projectId}`);
     }
@@ -9024,20 +9755,20 @@ async function executeGscSync(db, runId, projectId, opts) {
       saveConfig(opts.config);
     }
     const lagOffset = GSC_DATA_LAG_DAYS;
-    const endDate = formatDate(daysAgo(lagOffset));
+    const endDate = formatDate2(daysAgo(lagOffset));
     const days = opts.full ? 480 : opts.days ?? 30;
-    const startDate = formatDate(daysAgo(days + lagOffset));
-    console.log(`[GSC Sync] Fetching search analytics for ${conn.propertyId} from ${startDate} to ${endDate}`);
+    const startDate = formatDate2(daysAgo(days + lagOffset));
+    log2.info("fetch.start", { runId, projectId, propertyId: conn.propertyId, startDate, endDate });
     const rows = await fetchSearchAnalytics(accessToken, conn.propertyId, {
       startDate,
       endDate
     });
-    console.log(`[GSC Sync] Received ${rows.length} rows`);
+    log2.info("fetch.complete", { runId, projectId, rowCount: rows.length });
     db.delete(gscSearchData).where(
-      and7(
-        eq17(gscSearchData.projectId, projectId),
-        sql3`${gscSearchData.date} >= ${startDate}`,
-        sql3`${gscSearchData.date} <= ${endDate}`
+      and8(
+        eq18(gscSearchData.projectId, projectId),
+        sql4`${gscSearchData.date} >= ${startDate}`,
+        sql4`${gscSearchData.date} <= ${endDate}`
       )
     ).run();
     const batchSize = 500;
@@ -9047,7 +9778,7 @@ async function executeGscSync(db, runId, projectId, opts) {
       for (const row of batch) {
         const [query, page, country, device, date] = row.keys;
         db.insert(gscSearchData).values({
-          id: crypto16.randomUUID(),
+          id: crypto18.randomUUID(),
           projectId,
           syncRunId: runId,
           date: date ?? "",
@@ -9071,7 +9802,7 @@ async function executeGscSync(db, runId, projectId, opts) {
       }
     }
     const topPages = [...pageClicks.entries()].sort((a, b) => b[1] - a[1]).slice(0, 50).map(([page]) => page);
-    console.log(`[GSC Sync] Inspecting ${topPages.length} URLs`);
+    log2.info("inspect.start", { runId, projectId, urlCount: topPages.length });
     for (const pageUrl of topPages) {
       try {
         const result = await inspectUrl(accessToken, pageUrl, conn.propertyId);
@@ -9081,7 +9812,7 @@ async function executeGscSync(db, runId, projectId, opts) {
         const rich = ir.richResultsResult;
         const inspectedAt = (/* @__PURE__ */ new Date()).toISOString();
         db.insert(gscUrlInspections).values({
-          id: crypto16.randomUUID(),
+          id: crypto18.randomUUID(),
           projectId,
           syncRunId: runId,
           url: pageUrl,
@@ -9099,10 +9830,10 @@ async function executeGscSync(db, runId, projectId, opts) {
           createdAt: inspectedAt
         }).run();
       } catch (err) {
-        console.error(`[GSC Sync] Failed to inspect ${pageUrl}:`, err instanceof Error ? err.message : err);
+        log2.error("inspect.url-failed", { runId, projectId, url: pageUrl, error: err instanceof Error ? err.message : String(err) });
       }
     }
-    const allInspections = db.select().from(gscUrlInspections).where(eq17(gscUrlInspections.projectId, projectId)).all();
+    const allInspections = db.select().from(gscUrlInspections).where(eq18(gscUrlInspections.projectId, projectId)).all();
     const latestByUrl = /* @__PURE__ */ new Map();
     for (const row of allInspections) {
       const existing = latestByUrl.get(row.url);
@@ -9122,10 +9853,10 @@ async function executeGscSync(db, runId, projectId, opts) {
         reasonCounts[reason] = (reasonCounts[reason] ?? 0) + 1;
       }
     }
-    const snapshotDate = formatDate(/* @__PURE__ */ new Date());
-    db.delete(gscCoverageSnapshots).where(and7(eq17(gscCoverageSnapshots.projectId, projectId), eq17(gscCoverageSnapshots.date, snapshotDate))).run();
+    const snapshotDate = formatDate2(/* @__PURE__ */ new Date());
+    db.delete(gscCoverageSnapshots).where(and8(eq18(gscCoverageSnapshots.projectId, projectId), eq18(gscCoverageSnapshots.date, snapshotDate))).run();
     db.insert(gscCoverageSnapshots).values({
-      id: crypto16.randomUUID(),
+      id: crypto18.randomUUID(),
       projectId,
       syncRunId: runId,
       date: snapshotDate,
@@ -9134,19 +9865,19 @@ async function executeGscSync(db, runId, projectId, opts) {
       reasonBreakdown: JSON.stringify(reasonCounts),
       createdAt: (/* @__PURE__ */ new Date()).toISOString()
     }).run();
-    db.update(runs).set({ status: "completed", finishedAt: (/* @__PURE__ */ new Date()).toISOString() }).where(eq17(runs.id, runId)).run();
-    console.log(`[GSC Sync] Completed. ${rows.length} search data rows, ${topPages.length} URL inspections, coverage snapshot: ${snapIndexed} indexed / ${snapNotIndexed} not-indexed.`);
+    db.update(runs).set({ status: "completed", finishedAt: (/* @__PURE__ */ new Date()).toISOString() }).where(eq18(runs.id, runId)).run();
+    log2.info("sync.completed", { runId, projectId, searchDataRows: rows.length, urlInspections: topPages.length, indexed: snapIndexed, notIndexed: snapNotIndexed });
   } catch (err) {
     const errorMsg = err instanceof Error ? err.message : String(err);
-    db.update(runs).set({ status: "failed", error: errorMsg, finishedAt: (/* @__PURE__ */ new Date()).toISOString() }).where(eq17(runs.id, runId)).run();
-    console.error(`[GSC Sync] Failed:`, errorMsg);
+    db.update(runs).set({ status: "failed", error: errorMsg, finishedAt: (/* @__PURE__ */ new Date()).toISOString() }).where(eq18(runs.id, runId)).run();
+    log2.error("sync.failed", { runId, projectId, error: errorMsg });
     throw err;
   }
 }
 
 // src/gsc-inspect-sitemap.ts
-import crypto17 from "crypto";
-import { eq as eq18, and as and8 } from "drizzle-orm";
+import crypto19 from "crypto";
+import { eq as eq19, and as and9 } from "drizzle-orm";
 
 // src/sitemap-parser.ts
 var LOC_REGEX = /<loc>\s*([^<]+?)\s*<\/loc>/gi;
@@ -9212,15 +9943,16 @@ async function parseSitemapRecursive(url, urls, depth) {
 }
 
 // src/gsc-inspect-sitemap.ts
+var log3 = createLogger("InspectSitemap");
 async function executeInspectSitemap(db, runId, projectId, opts) {
   const now = (/* @__PURE__ */ new Date()).toISOString();
-  db.update(runs).set({ status: "running", startedAt: now }).where(eq18(runs.id, runId)).run();
+  db.update(runs).set({ status: "running", startedAt: now }).where(eq19(runs.id, runId)).run();
   try {
     const { clientId: googleClientId, clientSecret: googleClientSecret } = getGoogleAuthConfig(opts.config);
     if (!googleClientId || !googleClientSecret) {
       throw new Error("Google OAuth is not configured in the local Canonry config");
     }
-    const project = db.select().from(projects).where(eq18(projects.id, projectId)).get();
+    const project = db.select().from(projects).where(eq19(projects.id, projectId)).get();
     if (!project) {
       throw new Error(`Project not found: ${projectId}`);
     }
@@ -9244,9 +9976,9 @@ async function executeInspectSitemap(db, runId, projectId, opts) {
       saveConfig(opts.config);
     }
     const sitemapUrl = opts.sitemapUrl || conn.sitemapUrl || `https://${project.canonicalDomain}/sitemap.xml`;
-    console.log(`[Inspect Sitemap] Fetching sitemap from ${sitemapUrl}`);
+    log3.info("sitemap.fetch", { runId, projectId, sitemapUrl });
     const urls = await fetchAndParseSitemap(sitemapUrl);
-    console.log(`[Inspect Sitemap] Found ${urls.length} URLs in sitemap`);
+    log3.info("sitemap.parsed", { runId, projectId, urlCount: urls.length, sitemapUrl });
     if (urls.length === 0) {
       throw new Error("No URLs found in sitemap");
     }
@@ -9261,7 +9993,7 @@ async function executeInspectSitemap(db, runId, projectId, opts) {
         const rich = ir.richResultsResult;
         const inspectedAt = (/* @__PURE__ */ new Date()).toISOString();
         db.insert(gscUrlInspections).values({
-          id: crypto17.randomUUID(),
+          id: crypto19.randomUUID(),
           projectId,
           syncRunId: runId,
           url: pageUrl,
@@ -9279,16 +10011,16 @@ async function executeInspectSitemap(db, runId, projectId, opts) {
           createdAt: inspectedAt
         }).run();
         inspected++;
-        console.log(`[Inspect Sitemap] ${inspected}/${urls.length} inspected: ${pageUrl}`);
+        log3.info("inspect.url-done", { runId, projectId, url: pageUrl, progress: `${inspected}/${urls.length}` });
       } catch (err) {
         errors++;
-        console.error(`[Inspect Sitemap] Failed to inspect ${pageUrl}:`, err instanceof Error ? err.message : err);
+        log3.error("inspect.url-failed", { runId, projectId, url: pageUrl, error: err instanceof Error ? err.message : String(err) });
       }
       if (inspected + errors < urls.length) {
         await new Promise((r) => setTimeout(r, 1e3));
       }
     }
-    const allInspections = db.select().from(gscUrlInspections).where(eq18(gscUrlInspections.projectId, projectId)).all();
+    const allInspections = db.select().from(gscUrlInspections).where(eq19(gscUrlInspections.projectId, projectId)).all();
     const latestByUrl = /* @__PURE__ */ new Map();
     for (const row of allInspections) {
       const existing = latestByUrl.get(row.url);
@@ -9309,9 +10041,9 @@ async function executeInspectSitemap(db, runId, projectId, opts) {
       }
     }
     const snapshotDate = (/* @__PURE__ */ new Date()).toISOString().split("T")[0];
-    db.delete(gscCoverageSnapshots).where(and8(eq18(gscCoverageSnapshots.projectId, projectId), eq18(gscCoverageSnapshots.date, snapshotDate))).run();
+    db.delete(gscCoverageSnapshots).where(and9(eq19(gscCoverageSnapshots.projectId, projectId), eq19(gscCoverageSnapshots.date, snapshotDate))).run();
     db.insert(gscCoverageSnapshots).values({
-      id: crypto17.randomUUID(),
+      id: crypto19.randomUUID(),
       projectId,
       syncRunId: runId,
       date: snapshotDate,
@@ -9321,12 +10053,12 @@ async function executeInspectSitemap(db, runId, projectId, opts) {
       createdAt: (/* @__PURE__ */ new Date()).toISOString()
     }).run();
     const status = errors > 0 && inspected > 0 ? "partial" : errors === urls.length ? "failed" : "completed";
-    db.update(runs).set({ status, finishedAt: (/* @__PURE__ */ new Date()).toISOString() }).where(eq18(runs.id, runId)).run();
-    console.log(`[Inspect Sitemap] Done. ${inspected} inspected, ${errors} errors out of ${urls.length} URLs. Coverage: ${snapIndexed} indexed / ${snapNotIndexed} not-indexed.`);
+    db.update(runs).set({ status, finishedAt: (/* @__PURE__ */ new Date()).toISOString() }).where(eq19(runs.id, runId)).run();
+    log3.info("inspect.completed", { runId, projectId, inspected, errors, total: urls.length, indexed: snapIndexed, notIndexed: snapNotIndexed });
   } catch (err) {
     const errorMsg = err instanceof Error ? err.message : String(err);
-    db.update(runs).set({ status: "failed", error: errorMsg, finishedAt: (/* @__PURE__ */ new Date()).toISOString() }).where(eq18(runs.id, runId)).run();
-    console.error(`[Inspect Sitemap] Failed:`, errorMsg);
+    db.update(runs).set({ status: "failed", error: errorMsg, finishedAt: (/* @__PURE__ */ new Date()).toISOString() }).where(eq19(runs.id, runId)).run();
+    log3.error("inspect.failed", { runId, projectId, error: errorMsg });
     throw err;
   }
 }
@@ -9384,7 +10116,8 @@ var ProviderRegistry = class {
 
 // src/scheduler.ts
 import cron from "node-cron";
-import { eq as eq19 } from "drizzle-orm";
+import { eq as eq20 } from "drizzle-orm";
+var log4 = createLogger("Scheduler");
 var Scheduler = class {
   db;
   callbacks;
@@ -9395,16 +10128,16 @@ var Scheduler = class {
   }
   /** Load all enabled schedules from DB and register cron jobs. */
   start() {
-    const allSchedules = this.db.select().from(schedules).where(eq19(schedules.enabled, 1)).all();
+    const allSchedules = this.db.select().from(schedules).where(eq20(schedules.enabled, 1)).all();
     for (const schedule of allSchedules) {
       const missedRunAt = schedule.nextRunAt;
       this.registerCronTask(schedule);
       if (missedRunAt && new Date(missedRunAt) < /* @__PURE__ */ new Date()) {
-        console.log(`[Scheduler] Catch-up run for project ${schedule.projectId} (missed ${missedRunAt})`);
+        log4.info("run.catch-up", { projectId: schedule.projectId, missedRunAt });
         this.triggerRun(schedule.id, schedule.projectId);
       }
     }
-    console.log(`[Scheduler] Started with ${allSchedules.length} schedule(s)`);
+    log4.info("started", { scheduleCount: allSchedules.length });
   }
   /** Stop all cron tasks for graceful shutdown. */
   stop() {
@@ -9420,7 +10153,7 @@ var Scheduler = class {
       this.stopTask(projectId, existing, "Stopped");
       this.tasks.delete(projectId);
     }
-    const schedule = this.db.select().from(schedules).where(eq19(schedules.projectId, projectId)).get();
+    const schedule = this.db.select().from(schedules).where(eq20(schedules.projectId, projectId)).get();
     if (schedule && schedule.enabled === 1) {
       this.registerCronTask(schedule);
     }
@@ -9436,12 +10169,12 @@ var Scheduler = class {
   stopTask(projectId, task, verb) {
     task.stop();
     task.destroy();
-    console.log(`[Scheduler] ${verb} task for project ${projectId}`);
+    log4.info(`task.${verb.toLowerCase()}`, { projectId });
   }
   registerCronTask(schedule) {
     const { id: scheduleId, projectId, cronExpr, timezone } = schedule;
     if (!cron.validate(cronExpr)) {
-      console.error(`[Scheduler] Invalid cron expression for project ${projectId}: ${cronExpr}`);
+      log4.error("cron.invalid", { projectId, cronExpr });
       return;
     }
     const task = cron.schedule(cronExpr, () => {
@@ -9453,23 +10186,23 @@ var Scheduler = class {
     this.db.update(schedules).set({
       nextRunAt: task.getNextRun()?.toISOString() ?? null,
       updatedAt: (/* @__PURE__ */ new Date()).toISOString()
-    }).where(eq19(schedules.id, scheduleId)).run();
+    }).where(eq20(schedules.id, scheduleId)).run();
     const label = schedule.preset ?? cronExpr;
-    console.log(`[Scheduler] Registered "${label}" (${timezone}) for project ${projectId}`);
+    log4.info("cron.registered", { projectId, schedule: label, timezone });
   }
   triggerRun(scheduleId, projectId) {
     const now = (/* @__PURE__ */ new Date()).toISOString();
-    const currentSchedule = this.db.select().from(schedules).where(eq19(schedules.id, scheduleId)).get();
+    const currentSchedule = this.db.select().from(schedules).where(eq20(schedules.id, scheduleId)).get();
     if (!currentSchedule || currentSchedule.enabled !== 1) {
-      console.log(`[Scheduler] Schedule ${scheduleId} no longer exists or is disabled, removing task for project ${projectId}`);
+      log4.warn("schedule.stale", { scheduleId, projectId, msg: "schedule no longer exists or is disabled" });
       this.remove(projectId);
       return;
     }
     const task = this.tasks.get(projectId);
     const nextRunAt = task?.getNextRun()?.toISOString() ?? null;
-    const project = this.db.select().from(projects).where(eq19(projects.id, projectId)).get();
+    const project = this.db.select().from(projects).where(eq20(projects.id, projectId)).get();
     if (!project) {
-      console.error(`[Scheduler] Project ${projectId} not found, skipping scheduled run`);
+      log4.error("project.not-found", { projectId, msg: "skipping scheduled run" });
       this.remove(projectId);
       return;
     }
@@ -9480,11 +10213,11 @@ var Scheduler = class {
       trigger: "scheduled"
     });
     if (queueResult.conflict) {
-      console.log(`[Scheduler] Skipping scheduled run for ${project.name} \u2014 run ${queueResult.activeRunId} already active`);
+      log4.info("run.skipped-active", { projectName: project.name, activeRunId: queueResult.activeRunId });
       this.db.update(schedules).set({
         nextRunAt,
         updatedAt: now
-      }).where(eq19(schedules.id, currentSchedule.id)).run();
+      }).where(eq20(schedules.id, currentSchedule.id)).run();
       return;
     }
     const runId = queueResult.runId;
@@ -9492,17 +10225,18 @@ var Scheduler = class {
       lastRunAt: now,
       nextRunAt,
       updatedAt: now
-    }).where(eq19(schedules.id, currentSchedule.id)).run();
+    }).where(eq20(schedules.id, currentSchedule.id)).run();
     const scheduleProviders = JSON.parse(currentSchedule.providers);
     const providers = scheduleProviders.length > 0 ? scheduleProviders : void 0;
-    console.log(`[Scheduler] Triggered scheduled run ${runId} for project ${project.name}`);
+    log4.info("run.triggered", { runId, projectName: project.name, providers: providers ?? "all" });
     this.callbacks.onRunCreated(runId, projectId, providers);
   }
 };
 
 // src/notifier.ts
-import { eq as eq20, desc as desc6, and as and9, or as or2 } from "drizzle-orm";
-import crypto18 from "crypto";
+import { eq as eq21, desc as desc7, and as and10, or as or2 } from "drizzle-orm";
+import crypto20 from "crypto";
+var log5 = createLogger("Notifier");
 var Notifier = class {
   db;
   serverUrl;
@@ -9512,26 +10246,26 @@ var Notifier = class {
   }
   /** Called after a run completes (success, partial, or failed). */
   async onRunCompleted(runId, projectId) {
-    console.log(`[Notifier] onRunCompleted: runId=${runId} projectId=${projectId}`);
-    const notifs = this.db.select().from(notifications).where(eq20(notifications.projectId, projectId)).all().filter((n) => n.enabled === 1);
+    log5.info("run.completed", { runId, projectId });
+    const notifs = this.db.select().from(notifications).where(eq21(notifications.projectId, projectId)).all().filter((n) => n.enabled === 1);
     if (notifs.length === 0) {
-      console.log(`[Notifier] No enabled notifications for project ${projectId} \u2014 skipping`);
+      log5.info("notifications.none-enabled", { projectId });
       return;
     }
-    console.log(`[Notifier] Found ${notifs.length} enabled notification(s) for project ${projectId}`);
-    const run = this.db.select().from(runs).where(eq20(runs.id, runId)).get();
+    log5.info("notifications.found", { projectId, count: notifs.length });
+    const run = this.db.select().from(runs).where(eq21(runs.id, runId)).get();
     if (!run) {
-      console.error(`[Notifier] Run ${runId} not found \u2014 skipping notification dispatch`);
+      log5.error("run.not-found", { runId, msg: "skipping notification dispatch" });
       return;
     }
-    const project = this.db.select().from(projects).where(eq20(projects.id, projectId)).get();
+    const project = this.db.select().from(projects).where(eq21(projects.id, projectId)).get();
     if (!project) {
-      console.error(`[Notifier] Project ${projectId} not found \u2014 skipping notification dispatch`);
+      log5.error("project.not-found", { projectId, msg: "skipping notification dispatch" });
       return;
     }
     const transitions = this.computeTransitions(runId, projectId);
     const events = [];
-    console.log(`[Notifier] Run status: ${run.status}`);
+    log5.info("run.status", { runId: run.id, status: run.status, projectId });
     if (run.status === "completed" || run.status === "partial") {
       events.push("run.completed");
     }
@@ -9546,7 +10280,7 @@ var Notifier = class {
       const config = JSON.parse(notif.config);
       const subscribedEvents = config.events;
       const matchingEvents = events.filter((e) => subscribedEvents.includes(e));
-      console.log(`[Notifier] Notification ${notif.id}: subscribed=${JSON.stringify(subscribedEvents)} matched=${JSON.stringify(matchingEvents)}`);
+      log5.info("notification.match", { notificationId: notif.id, subscribedEvents, matchedEvents: matchingEvents });
       if (matchingEvents.length === 0) continue;
       for (const event of matchingEvents) {
         const relevantTransitions = event === "citation.lost" ? lostTransitions : event === "citation.gained" ? gainedTransitions : transitions;
@@ -9564,11 +10298,11 @@ var Notifier = class {
   }
   computeTransitions(runId, projectId) {
     const recentRuns = this.db.select().from(runs).where(
-      and9(
-        eq20(runs.projectId, projectId),
-        or2(eq20(runs.status, "completed"), eq20(runs.status, "partial"))
+      and10(
+        eq21(runs.projectId, projectId),
+        or2(eq21(runs.status, "completed"), eq21(runs.status, "partial"))
       )
-    ).orderBy(desc6(runs.createdAt)).limit(2).all();
+    ).orderBy(desc7(runs.createdAt)).limit(2).all();
     if (recentRuns.length < 2) return [];
     const currentRunId = recentRuns[0].id;
     const previousRunId = recentRuns[1].id;
@@ -9578,12 +10312,12 @@ var Notifier = class {
       keyword: keywords.keyword,
       provider: querySnapshots.provider,
       citationState: querySnapshots.citationState
-    }).from(querySnapshots).leftJoin(keywords, eq20(querySnapshots.keywordId, keywords.id)).where(eq20(querySnapshots.runId, currentRunId)).all();
+    }).from(querySnapshots).leftJoin(keywords, eq21(querySnapshots.keywordId, keywords.id)).where(eq21(querySnapshots.runId, currentRunId)).all();
     const previousSnapshots = this.db.select({
       keywordId: querySnapshots.keywordId,
       provider: querySnapshots.provider,
       citationState: querySnapshots.citationState
-    }).from(querySnapshots).where(eq20(querySnapshots.runId, previousRunId)).all();
+    }).from(querySnapshots).where(eq21(querySnapshots.runId, previousRunId)).all();
     const prevMap = /* @__PURE__ */ new Map();
     for (const s of previousSnapshots) {
       prevMap.set(`${s.keywordId}:${s.provider}`, s.citationState);
@@ -9606,23 +10340,23 @@ var Notifier = class {
   async sendWebhook(url, payload, notificationId, projectId, webhookSecret) {
     const targetCheck = await resolveWebhookTarget(url);
     if (!targetCheck.ok) {
-      console.error(`[Notifier] Webhook URL blocked by SSRF check: ${url}`);
+      log5.error("webhook.ssrf-blocked", { url, reason: targetCheck.message });
       this.logDelivery(projectId, notificationId, payload.event, "failed", `SSRF: ${targetCheck.message}`);
       return;
     }
-    console.log(`[Notifier] Sending webhook event="${payload.event}" to ${url}`);
+    log5.info("webhook.send", { event: payload.event, url });
     const maxRetries = 3;
     const delays = [1e3, 4e3, 16e3];
     for (let attempt = 0; attempt < maxRetries; attempt++) {
       try {
         const response = await deliverWebhook(targetCheck.target, payload, webhookSecret);
         if (response.status >= 200 && response.status < 300) {
-          console.log(`[Notifier] Webhook delivered: event="${payload.event}" status=${response.status}`);
+          log5.info("webhook.delivered", { event: payload.event, url, httpStatus: response.status });
           this.logDelivery(projectId, notificationId, payload.event, "sent", null);
           return;
         }
         const errorDetail = response.error ?? `HTTP ${response.status}`;
-        console.warn(`[Notifier] Webhook attempt ${attempt + 1}/${maxRetries} failed: ${errorDetail}`);
+        log5.warn("webhook.attempt-failed", { event: payload.event, url, attempt: attempt + 1, maxRetries, httpStatus: response.status, error: errorDetail });
         if (attempt === maxRetries - 1) {
           this.logDelivery(projectId, notificationId, payload.event, "failed", errorDetail);
         }
@@ -9630,7 +10364,7 @@ var Notifier = class {
         const errorDetail = err instanceof Error ? err.message : String(err);
         if (attempt === maxRetries - 1) {
           this.logDelivery(projectId, notificationId, payload.event, "failed", errorDetail);
-          console.error(`[Notifier] Failed to deliver webhook after ${maxRetries} attempts: ${errorDetail}`);
+          log5.error("webhook.exhausted", { event: payload.event, url, maxRetries, error: errorDetail });
         }
       }
       if (attempt < maxRetries - 1) {
@@ -9640,7 +10374,7 @@ var Notifier = class {
   }
   logDelivery(projectId, notificationId, event, status, error) {
     this.db.insert(auditLog).values({
-      id: crypto18.randomUUID(),
+      id: crypto20.randomUUID(),
       projectId,
       actor: "scheduler",
       action: `notification.${status}`,
@@ -9766,6 +10500,7 @@ function stripHtml(html) {
 // src/server.ts
 var _require2 = createRequire2(import.meta.url);
 var { version: PKG_VERSION } = _require2("../package.json");
+var log6 = createLogger("Server");
 var DEFAULT_QUOTA = {
   maxConcurrency: 2,
   maxRequestsPerMinute: 10,
@@ -9817,10 +10552,10 @@ async function createServer(opts) {
       quota: opts.config.geminiQuota
     };
   }
-  console.log("[Server] Configured providers:", Object.keys(providers).filter((k) => {
+  log6.info("providers.configured", { providers: Object.keys(providers).filter((k) => {
     const p = providers[k];
     return p?.apiKey || p?.baseUrl;
-  }));
+  }) });
   for (const adapter of API_ADAPTERS) {
     const entry = providers[adapter.name];
     if (!entry) continue;
@@ -9910,7 +10645,22 @@ async function createServer(opts) {
       return true;
     }
   };
-  const googleStateSecret = process.env.GOOGLE_STATE_SECRET ?? crypto19.randomBytes(32).toString("hex");
+  const ga4CredentialStore = {
+    getConnection: (projectName) => {
+      return getGa4Connection(opts.config, projectName);
+    },
+    upsertConnection: (connection) => {
+      const updated = upsertGa4Connection(opts.config, connection);
+      saveConfig(opts.config);
+      return updated;
+    },
+    deleteConnection: (projectName) => {
+      const removed = removeGa4Connection(opts.config, projectName);
+      if (removed) saveConfig(opts.config);
+      return removed;
+    }
+  };
+  const googleStateSecret = process.env.GOOGLE_STATE_SECRET ?? crypto21.randomBytes(32).toString("hex");
   const googleConnectionStore = {
     listConnections: (domain) => listGoogleConnections(opts.config, domain),
     getConnection: (domain, connectionType) => getGoogleConnection(opts.config, domain, connectionType),
@@ -9983,6 +10733,7 @@ async function createServer(opts) {
     googleSettingsSummary,
     bingSettingsSummary,
     bingConnectionStore,
+    ga4CredentialStore,
     onRunCreated: (runId, projectId, providers2, location) => {
       jobRunner.executeRun(runId, projectId, providers2, location).catch((err) => {
         app.log.error({ runId, err }, "Job runner failed");
@@ -10038,7 +10789,7 @@ async function createServer(opts) {
         const targetProjectIds = affectedProjectIds.length > 0 ? affectedProjectIds : [null];
         const createdAt = (/* @__PURE__ */ new Date()).toISOString();
         opts.db.insert(auditLog).values(targetProjectIds.map((projectId) => ({
-          id: crypto19.randomUUID(),
+          id: crypto21.randomUUID(),
           projectId,
           actor: "api",
           action: existing ? "provider.updated" : "provider.created",