@ainyc/canonry 1.33.0 → 1.35.0

package/dist/{chunk-WRNSBFNQ.js → chunk-ETP5IOHC.js}

@@ -1074,6 +1074,13 @@ var ga4TrafficSummaryDtoSchema = z11.object({
   aiReferrals: z11.array(ga4AiReferralDtoSchema),
   lastSyncedAt: z11.string().nullable()
 });
+var ga4AiReferralHistoryEntrySchema = z11.object({
+  date: z11.string(),
+  source: z11.string(),
+  medium: z11.string(),
+  sessions: z11.number(),
+  users: z11.number()
+});
 
 // ../contracts/src/answer-visibility.ts
 var GENERIC_TOKENS = /* @__PURE__ */ new Set([
@@ -1123,7 +1130,12 @@ function extractAnswerMentions(answerText, displayName, domains) {
     matchedTerms.push(...matchedTokens);
   }
   const unique = [...new Set(matchedTerms)];
-  return { mentioned: unique.length > 0, matchedTerms: unique };
+  const domainMatches3 = unique.filter((t) => t.includes("."));
+  const dedupedFinal = unique.filter((term) => {
+    if (term.includes(".")) return true;
+    return !domainMatches3.some((d) => d.toLowerCase().startsWith(term.toLowerCase() + "."));
+  });
+  return { mentioned: dedupedFinal.length > 0, matchedTerms: dedupedFinal };
 }
 function determineAnswerMentioned(answerText, displayName, domains) {
   return extractAnswerMentions(answerText, displayName, domains).mentioned;
@@ -1131,6 +1143,9 @@ function determineAnswerMentioned(answerText, displayName, domains) {
 function visibilityStateFromAnswerMentioned(answerMentioned) {
   return answerMentioned ? "visible" : "not-visible";
 }
+function brandKeyFromText(value) {
+  return value.toLowerCase().replace(/[^a-z0-9]/g, "");
+}
 function domainMentioned(lowerAnswer, normalizedDomain) {
   const escapedDomain = escapeRegExp(normalizedDomain.toLowerCase());
   const patterns = [
@@ -5746,6 +5761,18 @@ var routeCatalog = [
       404: { description: "Project not found." }
     }
   },
+  {
+    method: "get",
+    path: "/api/v1/projects/{name}/ga/ai-referral-history",
+    summary: "Get AI referral sessions per day grouped by source",
+    tags: ["ga4"],
+    parameters: [nameParameter],
+    responses: {
+      200: { description: "AI referral history returned." },
+      400: { description: "GA4 is not connected." },
+      404: { description: "Project not found." }
+    }
+  },
   {
     method: "get",
     path: "/api/v1/projects/{name}/ga/coverage",
@@ -6241,7 +6268,7 @@ function formatNotification(row) {
 }
 
 // ../api-routes/src/google.ts
-import crypto13 from "crypto";
+import crypto14 from "crypto";
 import { eq as eq13, and as and2, desc as desc4, sql as sql3 } from "drizzle-orm";
 
 // ../integration-google/src/constants.ts
@@ -6255,6 +6282,7 @@ var GSC_MAX_ROWS_PER_REQUEST = 25e3;
 var GSC_DATA_LAG_DAYS = 3;
 var INDEXING_API_BASE = "https://indexing.googleapis.com/v3";
 var INDEXING_API_DAILY_LIMIT = 200;
+var GOOGLE_REQUEST_TIMEOUT_MS = 3e4;
 
 // ../integration-google/src/types.ts
 var GoogleAuthError = class extends Error {
@@ -6295,7 +6323,8 @@ async function exchangeCode(clientId, clientSecret, code, redirectUri) {
       code,
       redirect_uri: redirectUri,
       grant_type: "authorization_code"
-    })
+    }),
+    signal: AbortSignal.timeout(GOOGLE_REQUEST_TIMEOUT_MS)
   });
   if (!res.ok) {
     const body = await res.text();
@@ -6312,7 +6341,8 @@ async function refreshAccessToken(clientId, clientSecret, currentRefreshToken) {
       client_secret: clientSecret,
       refresh_token: currentRefreshToken,
       grant_type: "refresh_token"
-    })
+    }),
+    signal: AbortSignal.timeout(GOOGLE_REQUEST_TIMEOUT_MS)
   });
   if (!res.ok) {
     const body = await res.text();
@@ -6336,7 +6366,8 @@ async function gscFetch(accessToken, url, opts) {
   const res = await fetch(url, {
     method,
     headers,
-    body: opts?.body != null ? JSON.stringify(opts.body) : void 0
+    body: opts?.body != null ? JSON.stringify(opts.body) : void 0,
+    signal: AbortSignal.timeout(GOOGLE_REQUEST_TIMEOUT_MS)
   });
   if (res.status === 401) {
     const body = await res.text().catch(() => "");
@@ -6429,89 +6460,424 @@ async function inspectUrl(accessToken, inspectionUrl, siteUrl) {
   );
 }
 
-// ../api-routes/src/google.ts
-function signState(payload, secret) {
-  return crypto13.createHmac("sha256", secret).update(payload).digest("hex");
+// ../integration-google-analytics/src/ga4-client.ts
+import crypto13 from "crypto";
+
+// ../integration-google-analytics/src/constants.ts
+var GA4_DATA_API_BASE = "https://analyticsdata.googleapis.com/v1beta";
+var GA4_SCOPE = "https://www.googleapis.com/auth/analytics.readonly";
+var GOOGLE_TOKEN_URL2 = "https://oauth2.googleapis.com/token";
+var GA4_DEFAULT_SYNC_DAYS = 30;
+var GA4_MAX_SYNC_DAYS = 90;
+var GA4_REQUEST_TIMEOUT_MS = 3e4;
+
+// ../integration-google-analytics/src/types.ts
+var GA4ApiError = class extends Error {
+  status;
+  constructor(message, status) {
+    super(message);
+    this.name = "GA4ApiError";
+    this.status = status;
+  }
+};
+
+// ../integration-google-analytics/src/ga4-client.ts
+function ga4Log(level, action, ctx) {
+  const entry = { ts: (/* @__PURE__ */ new Date()).toISOString(), level, module: "GA4Client", action, ...ctx };
+  const stream = level === "error" ? process.stderr : process.stdout;
+  stream.write(JSON.stringify(entry) + "\n");
 }
-function buildSignedState(data, secret) {
-  const payload = JSON.stringify(data);
-  const sig = signState(payload, secret);
-  return Buffer.from(JSON.stringify({ payload, sig })).toString("base64url");
+function createServiceAccountJwt(clientEmail, privateKey, scope) {
+  const now = Math.floor(Date.now() / 1e3);
+  const header = { alg: "RS256", typ: "JWT" };
+  const payload = {
+    iss: clientEmail,
+    scope,
+    aud: GOOGLE_TOKEN_URL2,
+    iat: now,
+    exp: now + 3600
+    // 1 hour
+  };
+  const encode = (obj) => Buffer.from(JSON.stringify(obj)).toString("base64url");
+  const headerB64 = encode(header);
+  const payloadB64 = encode(payload);
+  const signingInput = `${headerB64}.${payloadB64}`;
+  const sign = crypto13.createSign("RSA-SHA256");
+  sign.update(signingInput);
+  const signature = sign.sign(privateKey, "base64url");
+  return `${signingInput}.${signature}`;
 }
-function verifySignedState(encoded, secret) {
-  try {
-    const { payload, sig } = JSON.parse(Buffer.from(encoded, "base64url").toString());
-    const expected = signState(payload, secret);
-    if (!crypto13.timingSafeEqual(Buffer.from(sig, "hex"), Buffer.from(expected, "hex"))) return null;
-    return JSON.parse(payload);
-  } catch {
-    return null;
+async function getAccessToken(clientEmail, privateKey) {
+  const jwt = createServiceAccountJwt(clientEmail, privateKey, GA4_SCOPE);
+  const res = await fetch(GOOGLE_TOKEN_URL2, {
+    method: "POST",
+    headers: { "Content-Type": "application/x-www-form-urlencoded" },
+    body: new URLSearchParams({
+      grant_type: "urn:ietf:params:oauth:grant-type:jwt-bearer",
+      assertion: jwt
+    }),
+    signal: AbortSignal.timeout(GA4_REQUEST_TIMEOUT_MS)
+  });
+  if (!res.ok) {
+    const body = await res.text().catch(() => "");
+    ga4Log("error", "token.failed", { httpStatus: res.status, responseBody: body });
+    throw new GA4ApiError(`Failed to get access token: ${body}`, res.status);
   }
+  const data = await res.json();
+  return data.access_token;
 }
-async function getValidToken(store, domain, connectionType, clientId, clientSecret) {
-  const conn = store.getConnection(domain, connectionType);
-  if (!conn) {
-    throw notFound("Google connection", connectionType);
+async function runReport(accessToken, propertyId, request) {
+  const url = `${GA4_DATA_API_BASE}/properties/${propertyId}:runReport`;
+  const res = await fetch(url, {
+    method: "POST",
+    headers: {
+      "Authorization": `Bearer ${accessToken}`,
+      "Content-Type": "application/json"
+    },
+    body: JSON.stringify(request),
+    signal: AbortSignal.timeout(GA4_REQUEST_TIMEOUT_MS)
+  });
+  if (res.status === 401 || res.status === 403) {
+    const body = await res.text().catch(() => "");
+    let detail = "";
+    try {
+      const parsed = JSON.parse(body);
+      if (parsed.error?.status === "SERVICE_DISABLED") {
+        detail = " The Google Analytics Data API is not enabled for this GCP project. Enable it at: https://console.developers.google.com/apis/api/analyticsdata.googleapis.com/overview";
+      } else if (parsed.error?.message) {
+        detail = ` ${parsed.error.message}`;
+      }
+    } catch {
+      if (body.length < 200) detail = ` ${body}`;
+    }
+    ga4Log("error", "report.auth-failed", { propertyId, httpStatus: res.status, responseBody: body });
+    throw new GA4ApiError(
+      `GA4 API authentication failed \u2014 check service account permissions.${detail}`,
+      res.status
+    );
   }
-  if (!conn.accessToken || !conn.refreshToken) {
-    throw validationError("Google connection is incomplete \u2014 please reconnect");
+  if (res.status === 429) {
+    ga4Log("error", "report.rate-limited", { propertyId });
+    throw new GA4ApiError("GA4 API rate limit exceeded", 429);
   }
-  const expiresAt = conn.tokenExpiresAt ? new Date(conn.tokenExpiresAt).getTime() : 0;
-  const fiveMinutes = 5 * 60 * 1e3;
-  if (Date.now() > expiresAt - fiveMinutes) {
-    const tokens = await refreshAccessToken(clientId, clientSecret, conn.refreshToken);
-    const newExpiresAt = new Date(Date.now() + tokens.expires_in * 1e3).toISOString();
-    const updated = store.updateConnection(domain, connectionType, {
-      accessToken: tokens.access_token,
-      tokenExpiresAt: newExpiresAt,
-      updatedAt: (/* @__PURE__ */ new Date()).toISOString()
-    });
-    return {
-      accessToken: tokens.access_token,
-      connectionId: `${domain}:${connectionType}`,
-      propertyId: updated?.propertyId ?? conn.propertyId ?? null
-    };
+  if (!res.ok) {
+    const body = await res.text();
+    ga4Log("error", "report.error", { propertyId, httpStatus: res.status, responseBody: body });
+    throw new GA4ApiError(`GA4 API error (${res.status}): ${body}`, res.status);
   }
-  return {
-    accessToken: conn.accessToken,
-    connectionId: `${domain}:${connectionType}`,
-    propertyId: conn.propertyId ?? null
-  };
+  return await res.json();
 }
-async function googleRoutes(app, opts) {
-  const stateSecret = opts.googleStateSecret ?? "insecure-default-secret";
-  function getAuthConfig() {
-    return opts.getGoogleAuthConfig?.() ?? {};
+async function batchRunReports(accessToken, propertyId, requests) {
+  const url = `${GA4_DATA_API_BASE}/properties/${propertyId}:batchRunReports`;
+  const res = await fetch(url, {
+    method: "POST",
+    headers: {
+      "Authorization": `Bearer ${accessToken}`,
+      "Content-Type": "application/json"
+    },
+    body: JSON.stringify({ requests }),
+    signal: AbortSignal.timeout(GA4_REQUEST_TIMEOUT_MS)
+  });
+  if (res.status === 401 || res.status === 403) {
+    const body = await res.text().catch(() => "");
+    ga4Log("error", "batch-report.auth-failed", { propertyId, httpStatus: res.status });
+    throw new GA4ApiError(
+      `GA4 API authentication failed \u2014 check service account permissions. ${body}`,
+      res.status
+    );
   }
-  function requireConnectionStore(reply) {
-    if (opts.googleConnectionStore) return opts.googleConnectionStore;
-    const err = validationError("Google auth storage is not configured for this deployment");
-    reply.status(err.statusCode).send(err.toJSON());
-    return null;
+  if (res.status === 429) {
+    ga4Log("error", "batch-report.rate-limited", { propertyId });
+    throw new GA4ApiError("GA4 API rate limit exceeded", 429);
   }
-  app.get("/projects/:name/google/connections", async (request) => {
-    const project = resolveProject(app.db, request.params.name);
-    const conns = opts.googleConnectionStore?.listConnections(project.canonicalDomain) ?? [];
-    return conns.map((connection) => ({
-      id: `${connection.domain}:${connection.connectionType}`,
-      domain: connection.domain,
-      connectionType: connection.connectionType,
-      propertyId: connection.propertyId ?? null,
-      sitemapUrl: connection.sitemapUrl ?? null,
-      scopes: connection.scopes ?? [],
-      createdAt: connection.createdAt,
-      updatedAt: connection.updatedAt
+  if (!res.ok) {
+    const body = await res.text();
+    ga4Log("error", "batch-report.error", { propertyId, httpStatus: res.status });
+    throw new GA4ApiError(`GA4 API error (${res.status}): ${body}`, res.status);
+  }
+  const data = await res.json();
+  return data.reports;
+}
+function formatDate(d) {
+  return d.toISOString().split("T")[0];
+}
+var AI_REFERRAL_SOURCE_FILTERS = [
+  { matchType: "CONTAINS", value: "perplexity" },
+  { matchType: "CONTAINS", value: "gemini" },
+  { matchType: "CONTAINS", value: "chatgpt" },
+  { matchType: "CONTAINS", value: "openai" },
+  { matchType: "CONTAINS", value: "claude" },
+  { matchType: "CONTAINS", value: "anthropic" },
+  { matchType: "CONTAINS", value: "copilot" }
+];
+async function fetchTrafficByLandingPage(accessToken, propertyId, days) {
+  const syncDays = Math.min(Math.max(1, days ?? GA4_DEFAULT_SYNC_DAYS), GA4_MAX_SYNC_DAYS);
+  const endDate = /* @__PURE__ */ new Date();
+  const startDate = /* @__PURE__ */ new Date();
+  startDate.setDate(startDate.getDate() - syncDays);
+  ga4Log("info", "fetch-traffic.start", { propertyId, days: syncDays });
+  const PAGE_SIZE = 1e4;
+  const rows = [];
+  let offset = 0;
+  while (true) {
+    const request = {
+      dateRanges: [{ startDate: formatDate(startDate), endDate: formatDate(endDate) }],
+      dimensions: [
+        { name: "date" },
+        { name: "landingPagePlusQueryString" }
+      ],
+      metrics: [
+        { name: "sessions" },
+        { name: "totalUsers" }
+      ],
+      limit: PAGE_SIZE,
+      offset
+    };
+    const response = await runReport(accessToken, propertyId, request);
+    const pageRows = (response.rows ?? []).map((row) => ({
+      date: row.dimensionValues[0].value,
+      landingPage: row.dimensionValues[1].value,
+      sessions: parseInt(row.metricValues[0].value, 10) || 0,
+      organicSessions: 0,
+      // populated by organic-only pass below
+      users: parseInt(row.metricValues[1].value, 10) || 0
     }));
-  });
-  app.post("/projects/:name/google/connect", async (request, reply) => {
-    const { clientId: googleClientId, clientSecret: googleClientSecret } = getAuthConfig();
-    if (!googleClientId || !googleClientSecret) {
-      const err = validationError("Google OAuth is not configured. Set Google OAuth credentials in the local Canonry config.");
-      return reply.status(err.statusCode).send(err.toJSON());
-    }
-    const { type, propertyId, publicUrl } = request.body ?? {};
-    if (!type || type !== "gsc" && type !== "ga4") {
-      const err = validationError('type must be "gsc" or "ga4"');
+    rows.push(...pageRows);
+    const totalRows = response.rowCount ?? 0;
+    offset += pageRows.length;
+    if (pageRows.length < PAGE_SIZE || offset >= totalRows) break;
+  }
+  const organicMap = /* @__PURE__ */ new Map();
+  let organicOffset = 0;
+  while (true) {
+    const organicRequest = {
+      dateRanges: [{ startDate: formatDate(startDate), endDate: formatDate(endDate) }],
+      dimensions: [{ name: "date" }, { name: "landingPagePlusQueryString" }],
+      metrics: [{ name: "sessions" }],
+      dimensionFilter: {
+        filter: {
+          fieldName: "sessionDefaultChannelGrouping",
+          stringFilter: { matchType: "EXACT", value: "Organic Search" }
+        }
+      },
+      limit: 1e4,
+      offset: organicOffset
+    };
+    const organicResponse = await runReport(accessToken, propertyId, organicRequest);
+    for (const row of organicResponse.rows ?? []) {
+      const key = `${row.dimensionValues[0].value}::${row.dimensionValues[1].value}`;
+      organicMap.set(key, parseInt(row.metricValues[0].value, 10) || 0);
+    }
+    const total = organicResponse.rowCount ?? 0;
+    organicOffset += (organicResponse.rows ?? []).length;
+    if ((organicResponse.rows ?? []).length < 1e4 || organicOffset >= total) break;
+  }
+  for (const row of rows) {
+    const key = `${row.date}::${row.landingPage}`;
+    row.organicSessions = organicMap.get(key) ?? 0;
+  }
+  for (const row of rows) {
+    if (row.date.length === 8 && !row.date.includes("-")) {
+      row.date = `${row.date.slice(0, 4)}-${row.date.slice(4, 6)}-${row.date.slice(6, 8)}`;
+    }
+  }
+  ga4Log("info", "fetch-traffic.done", { propertyId, rowCount: rows.length });
+  return rows;
+}
+async function verifyConnection(clientEmail, privateKey, propertyId) {
+  const accessToken = await getAccessToken(clientEmail, privateKey);
+  return verifyConnectionWithToken(accessToken, propertyId);
+}
+async function verifyConnectionWithToken(accessToken, propertyId) {
+  const endDate = /* @__PURE__ */ new Date();
+  const startDate = /* @__PURE__ */ new Date();
+  startDate.setDate(startDate.getDate() - 1);
+  await runReport(accessToken, propertyId, {
+    dateRanges: [{ startDate: formatDate(startDate), endDate: formatDate(endDate) }],
+    dimensions: [{ name: "date" }],
+    metrics: [{ name: "sessions" }],
+    limit: 1
+  });
+  return true;
+}
+async function fetchAggregateSummary(accessToken, propertyId, days) {
+  const syncDays = Math.min(Math.max(1, days ?? GA4_DEFAULT_SYNC_DAYS), GA4_MAX_SYNC_DAYS);
+  const endDate = /* @__PURE__ */ new Date();
+  const startDate = /* @__PURE__ */ new Date();
+  startDate.setDate(startDate.getDate() - syncDays);
+  ga4Log("info", "fetch-aggregate.start", { propertyId, days: syncDays });
+  const dateRange = { startDate: formatDate(startDate), endDate: formatDate(endDate) };
+  const batchRes = await batchRunReports(accessToken, propertyId, [
+    {
+      dateRanges: [dateRange],
+      dimensions: [],
+      metrics: [{ name: "sessions" }, { name: "totalUsers" }],
+      limit: 1
+    },
+    {
+      dateRanges: [dateRange],
+      dimensions: [],
+      metrics: [{ name: "sessions" }],
+      dimensionFilter: {
+        filter: {
+          fieldName: "sessionDefaultChannelGrouping",
+          stringFilter: { matchType: "EXACT", value: "Organic Search" }
+        }
+      },
+      limit: 1
+    }
+  ]);
+  const totalRow = batchRes[0]?.rows?.[0];
+  const organicRow = batchRes[1]?.rows?.[0];
+  const summary = {
+    periodStart: formatDate(startDate),
+    periodEnd: formatDate(endDate),
+    totalSessions: parseInt(totalRow?.metricValues[0]?.value ?? "0", 10) || 0,
+    totalUsers: parseInt(totalRow?.metricValues[1]?.value ?? "0", 10) || 0,
+    totalOrganicSessions: parseInt(organicRow?.metricValues[0]?.value ?? "0", 10) || 0
+  };
+  ga4Log("info", "fetch-aggregate.done", { propertyId, ...summary });
+  return summary;
+}
+async function fetchAiReferrals(accessToken, propertyId, days) {
+  const syncDays = Math.min(Math.max(1, days ?? GA4_DEFAULT_SYNC_DAYS), GA4_MAX_SYNC_DAYS);
+  const endDate = /* @__PURE__ */ new Date();
+  const startDate = /* @__PURE__ */ new Date();
+  startDate.setDate(startDate.getDate() - syncDays);
+  ga4Log("info", "fetch-ai-referrals.start", { propertyId, days: syncDays });
+  const PAGE_SIZE = 1e3;
+  const rows = [];
+  let offset = 0;
+  while (true) {
+    const request = {
+      dateRanges: [{ startDate: formatDate(startDate), endDate: formatDate(endDate) }],
+      dimensions: [
+        { name: "date" },
+        { name: "sessionSource" },
+        { name: "sessionMedium" }
+      ],
+      metrics: [
+        { name: "sessions" },
+        { name: "totalUsers" }
+      ],
+      dimensionFilter: {
+        orGroup: {
+          expressions: AI_REFERRAL_SOURCE_FILTERS.map(({ matchType, value }) => ({
+            filter: {
+              fieldName: "sessionSource",
+              stringFilter: { matchType, value }
+            }
+          }))
+        }
+      },
+      limit: PAGE_SIZE,
+      offset
+    };
+    const response = await runReport(accessToken, propertyId, request);
+    const pageRows = (response.rows ?? []).map((row) => ({
+      date: row.dimensionValues[0].value,
+      source: row.dimensionValues[1].value,
+      medium: row.dimensionValues[2].value,
+      sessions: parseInt(row.metricValues[0].value, 10) || 0,
+      users: parseInt(row.metricValues[1].value, 10) || 0
+    }));
+    rows.push(...pageRows);
+    const totalRows = response.rowCount ?? 0;
+    offset += pageRows.length;
+    if (pageRows.length < PAGE_SIZE || offset >= totalRows) break;
+  }
+  for (const row of rows) {
+    if (row.date.length === 8 && !row.date.includes("-")) {
+      row.date = `${row.date.slice(0, 4)}-${row.date.slice(4, 6)}-${row.date.slice(6, 8)}`;
+    }
+  }
+  ga4Log("info", "fetch-ai-referrals.done", { propertyId, rowCount: rows.length });
+  return rows;
+}
+
+// ../api-routes/src/google.ts
+function signState(payload, secret) {
+  return crypto14.createHmac("sha256", secret).update(payload).digest("hex");
+}
+function buildSignedState(data, secret) {
+  const payload = JSON.stringify(data);
+  const sig = signState(payload, secret);
+  return Buffer.from(JSON.stringify({ payload, sig })).toString("base64url");
+}
+function verifySignedState(encoded, secret) {
+  try {
+    const { payload, sig } = JSON.parse(Buffer.from(encoded, "base64url").toString());
+    const expected = signState(payload, secret);
+    if (!crypto14.timingSafeEqual(Buffer.from(sig, "hex"), Buffer.from(expected, "hex"))) return null;
+    return JSON.parse(payload);
+  } catch {
+    return null;
+  }
+}
+async function getValidToken(store, domain, connectionType, clientId, clientSecret) {
+  const conn = store.getConnection(domain, connectionType);
+  if (!conn) {
+    throw notFound("Google connection", connectionType);
+  }
+  if (!conn.accessToken || !conn.refreshToken) {
+    throw validationError("Google connection is incomplete \u2014 please reconnect");
+  }
+  const expiresAt = conn.tokenExpiresAt ? new Date(conn.tokenExpiresAt).getTime() : 0;
+  const fiveMinutes = 5 * 60 * 1e3;
+  if (Date.now() > expiresAt - fiveMinutes) {
+    const tokens = await refreshAccessToken(clientId, clientSecret, conn.refreshToken);
+    const newExpiresAt = new Date(Date.now() + tokens.expires_in * 1e3).toISOString();
+    const updated = store.updateConnection(domain, connectionType, {
+      accessToken: tokens.access_token,
+      tokenExpiresAt: newExpiresAt,
+      updatedAt: (/* @__PURE__ */ new Date()).toISOString()
+    });
+    return {
+      accessToken: tokens.access_token,
+      connectionId: `${domain}:${connectionType}`,
+      propertyId: updated?.propertyId ?? conn.propertyId ?? null
+    };
+  }
+  return {
+    accessToken: conn.accessToken,
+    connectionId: `${domain}:${connectionType}`,
+    propertyId: conn.propertyId ?? null
+  };
+}
+async function googleRoutes(app, opts) {
+  const stateSecret = opts.googleStateSecret ?? "insecure-default-secret";
+  function getAuthConfig() {
+    return opts.getGoogleAuthConfig?.() ?? {};
+  }
+  function requireConnectionStore(reply) {
+    if (opts.googleConnectionStore) return opts.googleConnectionStore;
+    const err = validationError("Google auth storage is not configured for this deployment");
+    reply.status(err.statusCode).send(err.toJSON());
+    return null;
+  }
+  app.get("/projects/:name/google/connections", async (request) => {
+    const project = resolveProject(app.db, request.params.name);
+    const conns = opts.googleConnectionStore?.listConnections(project.canonicalDomain) ?? [];
+    return conns.map((connection) => ({
+      id: `${connection.domain}:${connection.connectionType}`,
+      domain: connection.domain,
+      connectionType: connection.connectionType,
+      propertyId: connection.propertyId ?? null,
+      sitemapUrl: connection.sitemapUrl ?? null,
+      scopes: connection.scopes ?? [],
+      createdAt: connection.createdAt,
+      updatedAt: connection.updatedAt
+    }));
+  });
+  app.post("/projects/:name/google/connect", async (request, reply) => {
+    const { clientId: googleClientId, clientSecret: googleClientSecret } = getAuthConfig();
+    if (!googleClientId || !googleClientSecret) {
+      const err = validationError("Google OAuth is not configured. Set Google OAuth credentials in the local Canonry config.");
+      return reply.status(err.statusCode).send(err.toJSON());
+    }
+    const { type, propertyId, publicUrl } = request.body ?? {};
+    if (!type || type !== "gsc" && type !== "ga4") {
+      const err = validationError('type must be "gsc" or "ga4"');
       return reply.status(err.statusCode).send(err.toJSON());
     }
     const project = resolveProject(app.db, request.params.name);
@@ -6525,7 +6891,7 @@ async function googleRoutes(app, opts) {
       const host = request.headers.host ?? "localhost:4100";
       redirectUri = `${proto}://${host}/api/v1/projects/${encodeURIComponent(request.params.name)}/google/callback`;
     }
-    const scopes = type === "gsc" ? [GSC_SCOPE, INDEXING_SCOPE] : [];
+    const scopes = type === "gsc" ? [GSC_SCOPE, INDEXING_SCOPE] : [GA4_SCOPE];
     const stateEncoded = buildSignedState(
       { domain: project.canonicalDomain, type, propertyId, redirectUri },
       stateSecret
@@ -6669,7 +7035,7 @@ async function googleRoutes(app, opts) {
       return reply.status(err.statusCode).send(err.toJSON());
     }
     const now = (/* @__PURE__ */ new Date()).toISOString();
-    const runId = crypto13.randomUUID();
+    const runId = crypto14.randomUUID();
     app.db.insert(runs).values({
       id: runId,
       projectId: project.id,
@@ -6731,7 +7097,7 @@ async function googleRoutes(app, opts) {
     const mob = ir.mobileUsabilityResult;
     const rich = ir.richResultsResult;
     const now = (/* @__PURE__ */ new Date()).toISOString();
-    const id = crypto13.randomUUID();
+    const id = crypto14.randomUUID();
     app.db.insert(gscUrlInspections).values({
       id,
       projectId: project.id,
@@ -6971,7 +7337,7 @@ async function googleRoutes(app, opts) {
       updatedAt: (/* @__PURE__ */ new Date()).toISOString()
     });
     const now = (/* @__PURE__ */ new Date()).toISOString();
-    const runId = crypto13.randomUUID();
+    const runId = crypto14.randomUUID();
     app.db.insert(runs).values({
       id: runId,
       projectId: project.id,
@@ -7000,7 +7366,7 @@ async function googleRoutes(app, opts) {
       return reply.status(err.statusCode).send(err.toJSON());
     }
     const now = (/* @__PURE__ */ new Date()).toISOString();
-    const runId = crypto13.randomUUID();
+    const runId = crypto14.randomUUID();
     app.db.insert(runs).values({
       id: runId,
       projectId: project.id,
@@ -7142,13 +7508,14 @@ async function googleRoutes(app, opts) {
 }
 
 // ../api-routes/src/bing.ts
-import crypto14 from "crypto";
+import crypto15 from "crypto";
 import { eq as eq14, and as and3, desc as desc5 } from "drizzle-orm";
 
 // ../integration-bing/src/constants.ts
 var BING_WMT_API_BASE = "https://ssl.bing.com/webmaster/api.svc/json";
 var BING_SUBMIT_URL_BATCH_LIMIT = 500;
 var BING_SUBMIT_URL_DAILY_LIMIT = 1e4;
+var BING_REQUEST_TIMEOUT_MS = 3e4;
 
 // ../integration-bing/src/types.ts
 var BingApiError = class extends Error {
@@ -7176,7 +7543,8 @@ async function bingFetch(apiKey, endpoint, opts) {
   const res = await fetch(url, {
     method,
     headers,
-    body: opts?.body != null ? JSON.stringify(opts.body) : void 0
+    body: opts?.body != null ? JSON.stringify(opts.body) : void 0,
+    signal: AbortSignal.timeout(BING_REQUEST_TIMEOUT_MS)
   });
   if (res.status === 401 || res.status === 403) {
     const body = await res.text().catch(() => "");
@@ -7489,7 +7857,7 @@ async function bingRoutes(app, opts) {
       throw e;
     }
     const now = (/* @__PURE__ */ new Date()).toISOString();
-    const id = crypto14.randomUUID();
+    const id = crypto15.randomUUID();
     const httpCode = result.HttpStatus ?? result.HttpCode ?? null;
     let derivedInIndex = null;
     if (result.InIndex != null) {
@@ -7706,491 +8074,242 @@ async function cdpRoutes(app, opts) {
       const project = resolveProject(app.db, request.params.name);
       const { runId } = request.params;
       const run = app.db.select().from(runs).where(and4(eq15(runs.id, runId), eq15(runs.projectId, project.id))).get();
-      if (!run) {
-        const err = notFound("Run", runId);
-        return reply.code(err.statusCode).send(err.toJSON());
-      }
-      const snapshots = app.db.select({
-        id: querySnapshots.id,
-        keywordId: querySnapshots.keywordId,
-        provider: querySnapshots.provider,
-        citationState: querySnapshots.citationState,
-        citedDomains: querySnapshots.citedDomains,
-        screenshotPath: querySnapshots.screenshotPath,
-        rawResponse: querySnapshots.rawResponse
-      }).from(querySnapshots).where(eq15(querySnapshots.runId, runId)).all();
-      const keywordRows = app.db.select({ id: keywords.id, keyword: keywords.keyword }).from(keywords).where(eq15(keywords.projectId, project.id)).all();
-      const keywordMap = new Map(keywordRows.map((k) => [k.id, k.keyword]));
-      const byKeyword = /* @__PURE__ */ new Map();
-      for (const snap of snapshots) {
-        const kwName = keywordMap.get(snap.keywordId) ?? snap.keywordId;
-        if (!byKeyword.has(snap.keywordId)) {
-          byKeyword.set(snap.keywordId, { keyword: kwName, api: null, browser: null });
-        }
-        const entry = byKeyword.get(snap.keywordId);
-        if (snap.provider === "cdp:chatgpt") {
-          entry.browser = snap;
-        } else if (snap.provider === "openai") {
-          entry.api = snap;
-        }
-      }
-      let agreed = 0;
-      let apiOnlyCited = 0;
-      let browserOnlyCited = 0;
-      let disagreed = 0;
-      let total = 0;
-      const keywordResults = [...byKeyword.values()].map(({ keyword, api, browser }) => {
-        total++;
-        const apiCited = api?.citationState === "cited";
-        const browserCited = browser?.citationState === "cited";
-        let agreement;
-        if (!api && !browser) {
-          agreement = "no-data";
-        } else if (!api) {
-          agreement = "no-api";
-        } else if (!browser) {
-          agreement = "no-browser";
-        } else if (apiCited && browserCited) {
-          agreement = "agree-cited";
-          agreed++;
-        } else if (!apiCited && !browserCited) {
-          agreement = "agree-not-cited";
-          agreed++;
-        } else if (apiCited && !browserCited) {
-          agreement = "api-only-cited";
-          apiOnlyCited++;
-          disagreed++;
-        } else {
-          agreement = "browser-only-cited";
-          browserOnlyCited++;
-          disagreed++;
-        }
-        const parseGroundingSources2 = (snap) => {
-          if (!snap?.rawResponse) return [];
-          try {
-            const raw = JSON.parse(snap.rawResponse);
-            return raw.groundingSources ?? [];
-          } catch {
-            return [];
-          }
-        };
-        return {
-          keyword,
-          api: api ? {
-            provider: api.provider,
-            citationState: api.citationState,
-            citedDomains: JSON.parse(api.citedDomains || "[]"),
-            groundingSources: parseGroundingSources2(api)
-          } : null,
-          browser: browser ? {
-            provider: browser.provider,
-            citationState: browser.citationState,
-            citedDomains: JSON.parse(browser.citedDomains || "[]"),
-            groundingSources: parseGroundingSources2(browser),
-            screenshotUrl: browser.screenshotPath ? `/api/v1/screenshots/${browser.id}` : void 0
-          } : null,
-          agreement
-        };
-      });
-      return reply.send({
-        summary: { total, agreed, apiOnly: apiOnlyCited, browserOnly: browserOnlyCited, disagreed },
-        keywords: keywordResults
-      });
-    }
-  );
-}
-
-// ../api-routes/src/ga.ts
-import crypto16 from "crypto";
-import { eq as eq16, desc as desc6, and as and5, sql as sql4 } from "drizzle-orm";
-
-// ../integration-google-analytics/src/ga4-client.ts
-import crypto15 from "crypto";
-
-// ../integration-google-analytics/src/constants.ts
-var GA4_DATA_API_BASE = "https://analyticsdata.googleapis.com/v1beta";
-var GA4_SCOPE = "https://www.googleapis.com/auth/analytics.readonly";
-var GOOGLE_TOKEN_URL2 = "https://oauth2.googleapis.com/token";
-var GA4_DEFAULT_SYNC_DAYS = 30;
-var GA4_MAX_SYNC_DAYS = 90;
-
-// ../integration-google-analytics/src/types.ts
-var GA4ApiError = class extends Error {
-  status;
-  constructor(message, status) {
-    super(message);
-    this.name = "GA4ApiError";
-    this.status = status;
-  }
-};
-
-// ../integration-google-analytics/src/ga4-client.ts
-function ga4Log(level, action, ctx) {
-  const entry = { ts: (/* @__PURE__ */ new Date()).toISOString(), level, module: "GA4Client", action, ...ctx };
-  const stream = level === "error" ? process.stderr : process.stdout;
-  stream.write(JSON.stringify(entry) + "\n");
-}
-function createServiceAccountJwt(clientEmail, privateKey, scope) {
-  const now = Math.floor(Date.now() / 1e3);
-  const header = { alg: "RS256", typ: "JWT" };
-  const payload = {
-    iss: clientEmail,
-    scope,
-    aud: GOOGLE_TOKEN_URL2,
-    iat: now,
-    exp: now + 3600
-    // 1 hour
-  };
-  const encode = (obj) => Buffer.from(JSON.stringify(obj)).toString("base64url");
-  const headerB64 = encode(header);
-  const payloadB64 = encode(payload);
-  const signingInput = `${headerB64}.${payloadB64}`;
-  const sign = crypto15.createSign("RSA-SHA256");
-  sign.update(signingInput);
-  const signature = sign.sign(privateKey, "base64url");
-  return `${signingInput}.${signature}`;
-}
-async function getAccessToken(clientEmail, privateKey) {
-  const jwt = createServiceAccountJwt(clientEmail, privateKey, GA4_SCOPE);
-  const res = await fetch(GOOGLE_TOKEN_URL2, {
-    method: "POST",
-    headers: { "Content-Type": "application/x-www-form-urlencoded" },
-    body: new URLSearchParams({
-      grant_type: "urn:ietf:params:oauth:grant-type:jwt-bearer",
-      assertion: jwt
-    })
-  });
-  if (!res.ok) {
-    const body = await res.text().catch(() => "");
-    ga4Log("error", "token.failed", { httpStatus: res.status, responseBody: body });
-    throw new GA4ApiError(`Failed to get access token: ${body}`, res.status);
-  }
-  const data = await res.json();
-  return data.access_token;
-}
-async function runReport(accessToken, propertyId, request) {
-  const url = `${GA4_DATA_API_BASE}/properties/${propertyId}:runReport`;
-  const res = await fetch(url, {
-    method: "POST",
-    headers: {
-      "Authorization": `Bearer ${accessToken}`,
-      "Content-Type": "application/json"
-    },
-    body: JSON.stringify(request)
-  });
-  if (res.status === 401 || res.status === 403) {
-    const body = await res.text().catch(() => "");
-    let detail = "";
-    try {
-      const parsed = JSON.parse(body);
-      if (parsed.error?.status === "SERVICE_DISABLED") {
-        detail = " The Google Analytics Data API is not enabled for this GCP project. Enable it at: https://console.developers.google.com/apis/api/analyticsdata.googleapis.com/overview";
-      } else if (parsed.error?.message) {
-        detail = ` ${parsed.error.message}`;
-      }
-    } catch {
-      if (body.length < 200) detail = ` ${body}`;
-    }
-    ga4Log("error", "report.auth-failed", { propertyId, httpStatus: res.status, responseBody: body });
-    throw new GA4ApiError(
-      `GA4 API authentication failed \u2014 check service account permissions.${detail}`,
-      res.status
-    );
-  }
-  if (res.status === 429) {
-    ga4Log("error", "report.rate-limited", { propertyId });
-    throw new GA4ApiError("GA4 API rate limit exceeded", 429);
-  }
-  if (!res.ok) {
-    const body = await res.text();
-    ga4Log("error", "report.error", { propertyId, httpStatus: res.status, responseBody: body });
-    throw new GA4ApiError(`GA4 API error (${res.status}): ${body}`, res.status);
-  }
-  return await res.json();
-}
-async function batchRunReports(accessToken, propertyId, requests) {
-  const url = `${GA4_DATA_API_BASE}/properties/${propertyId}:batchRunReports`;
-  const res = await fetch(url, {
-    method: "POST",
-    headers: {
-      "Authorization": `Bearer ${accessToken}`,
-      "Content-Type": "application/json"
-    },
-    body: JSON.stringify({ requests })
-  });
-  if (res.status === 401 || res.status === 403) {
-    const body = await res.text().catch(() => "");
-    ga4Log("error", "batch-report.auth-failed", { propertyId, httpStatus: res.status });
-    throw new GA4ApiError(
-      `GA4 API authentication failed \u2014 check service account permissions. ${body}`,
-      res.status
-    );
-  }
-  if (res.status === 429) {
-    ga4Log("error", "batch-report.rate-limited", { propertyId });
-    throw new GA4ApiError("GA4 API rate limit exceeded", 429);
-  }
-  if (!res.ok) {
-    const body = await res.text();
-    ga4Log("error", "batch-report.error", { propertyId, httpStatus: res.status });
-    throw new GA4ApiError(`GA4 API error (${res.status}): ${body}`, res.status);
-  }
-  const data = await res.json();
-  return data.reports;
-}
-function formatDate(d) {
-  return d.toISOString().split("T")[0];
-}
-var AI_REFERRAL_SOURCE_FILTERS = [
-  { matchType: "CONTAINS", value: "perplexity" },
-  { matchType: "CONTAINS", value: "gemini" },
-  { matchType: "CONTAINS", value: "chatgpt" },
-  { matchType: "CONTAINS", value: "openai" },
-  { matchType: "CONTAINS", value: "claude" },
-  { matchType: "CONTAINS", value: "anthropic" },
-  { matchType: "CONTAINS", value: "copilot" }
-];
-async function fetchTrafficByLandingPage(accessToken, propertyId, days) {
-  const syncDays = Math.min(Math.max(1, days ?? GA4_DEFAULT_SYNC_DAYS), GA4_MAX_SYNC_DAYS);
-  const endDate = /* @__PURE__ */ new Date();
-  const startDate = /* @__PURE__ */ new Date();
-  startDate.setDate(startDate.getDate() - syncDays);
-  ga4Log("info", "fetch-traffic.start", { propertyId, days: syncDays });
-  const PAGE_SIZE = 1e4;
-  const rows = [];
-  let offset = 0;
-  while (true) {
-    const request = {
-      dateRanges: [{ startDate: formatDate(startDate), endDate: formatDate(endDate) }],
-      dimensions: [
-        { name: "date" },
-        { name: "landingPagePlusQueryString" }
-      ],
-      metrics: [
-        { name: "sessions" },
-        { name: "totalUsers" }
-      ],
-      limit: PAGE_SIZE,
-      offset
-    };
-    const response = await runReport(accessToken, propertyId, request);
-    const pageRows = (response.rows ?? []).map((row) => ({
-      date: row.dimensionValues[0].value,
-      landingPage: row.dimensionValues[1].value,
-      sessions: parseInt(row.metricValues[0].value, 10) || 0,
-      organicSessions: 0,
-      // populated by organic-only pass below
-      users: parseInt(row.metricValues[1].value, 10) || 0
-    }));
-    rows.push(...pageRows);
-    const totalRows = response.rowCount ?? 0;
-    offset += pageRows.length;
-    if (pageRows.length < PAGE_SIZE || offset >= totalRows) break;
-  }
-  const organicMap = /* @__PURE__ */ new Map();
-  let organicOffset = 0;
-  while (true) {
-    const organicRequest = {
-      dateRanges: [{ startDate: formatDate(startDate), endDate: formatDate(endDate) }],
-      dimensions: [{ name: "date" }, { name: "landingPagePlusQueryString" }],
-      metrics: [{ name: "sessions" }],
-      dimensionFilter: {
-        filter: {
-          fieldName: "sessionDefaultChannelGrouping",
-          stringFilter: { matchType: "EXACT", value: "Organic Search" }
-        }
-      },
-      limit: 1e4,
-      offset: organicOffset
-    };
-    const organicResponse = await runReport(accessToken, propertyId, organicRequest);
-    for (const row of organicResponse.rows ?? []) {
-      const key = `${row.dimensionValues[0].value}::${row.dimensionValues[1].value}`;
-      organicMap.set(key, parseInt(row.metricValues[0].value, 10) || 0);
-    }
-    const total = organicResponse.rowCount ?? 0;
-    organicOffset += (organicResponse.rows ?? []).length;
-    if ((organicResponse.rows ?? []).length < 1e4 || organicOffset >= total) break;
-  }
-  for (const row of rows) {
-    const key = `${row.date}::${row.landingPage}`;
-    row.organicSessions = organicMap.get(key) ?? 0;
-  }
-  for (const row of rows) {
-    if (row.date.length === 8 && !row.date.includes("-")) {
-      row.date = `${row.date.slice(0, 4)}-${row.date.slice(4, 6)}-${row.date.slice(6, 8)}`;
-    }
-  }
-  ga4Log("info", "fetch-traffic.done", { propertyId, rowCount: rows.length });
-  return rows;
-}
-async function verifyConnection(clientEmail, privateKey, propertyId) {
-  const accessToken = await getAccessToken(clientEmail, privateKey);
-  const endDate = /* @__PURE__ */ new Date();
-  const startDate = /* @__PURE__ */ new Date();
-  startDate.setDate(startDate.getDate() - 1);
-  await runReport(accessToken, propertyId, {
-    dateRanges: [{ startDate: formatDate(startDate), endDate: formatDate(endDate) }],
-    dimensions: [{ name: "date" }],
-    metrics: [{ name: "sessions" }],
-    limit: 1
-  });
-  return true;
-}
-async function fetchAggregateSummary(accessToken, propertyId, days) {
-  const syncDays = Math.min(Math.max(1, days ?? GA4_DEFAULT_SYNC_DAYS), GA4_MAX_SYNC_DAYS);
-  const endDate = /* @__PURE__ */ new Date();
-  const startDate = /* @__PURE__ */ new Date();
-  startDate.setDate(startDate.getDate() - syncDays);
-  ga4Log("info", "fetch-aggregate.start", { propertyId, days: syncDays });
-  const dateRange = { startDate: formatDate(startDate), endDate: formatDate(endDate) };
-  const batchRes = await batchRunReports(accessToken, propertyId, [
-    {
-      dateRanges: [dateRange],
-      dimensions: [],
-      metrics: [{ name: "sessions" }, { name: "totalUsers" }],
-      limit: 1
-    },
-    {
-      dateRanges: [dateRange],
-      dimensions: [],
-      metrics: [{ name: "sessions" }],
-      dimensionFilter: {
-        filter: {
-          fieldName: "sessionDefaultChannelGrouping",
-          stringFilter: { matchType: "EXACT", value: "Organic Search" }
+      if (!run) {
+        const err = notFound("Run", runId);
+        return reply.code(err.statusCode).send(err.toJSON());
+      }
+      const snapshots = app.db.select({
+        id: querySnapshots.id,
+        keywordId: querySnapshots.keywordId,
+        provider: querySnapshots.provider,
+        citationState: querySnapshots.citationState,
+        citedDomains: querySnapshots.citedDomains,
+        screenshotPath: querySnapshots.screenshotPath,
+        rawResponse: querySnapshots.rawResponse
+      }).from(querySnapshots).where(eq15(querySnapshots.runId, runId)).all();
+      const keywordRows = app.db.select({ id: keywords.id, keyword: keywords.keyword }).from(keywords).where(eq15(keywords.projectId, project.id)).all();
+      const keywordMap = new Map(keywordRows.map((k) => [k.id, k.keyword]));
+      const byKeyword = /* @__PURE__ */ new Map();
+      for (const snap of snapshots) {
+        const kwName = keywordMap.get(snap.keywordId) ?? snap.keywordId;
+        if (!byKeyword.has(snap.keywordId)) {
+          byKeyword.set(snap.keywordId, { keyword: kwName, api: null, browser: null });
         }
-      },
-      limit: 1
-    }
-  ]);
-  const totalRow = batchRes[0]?.rows?.[0];
-  const organicRow = batchRes[1]?.rows?.[0];
-  const summary = {
-    periodStart: formatDate(startDate),
-    periodEnd: formatDate(endDate),
-    totalSessions: parseInt(totalRow?.metricValues[0]?.value ?? "0", 10) || 0,
-    totalUsers: parseInt(totalRow?.metricValues[1]?.value ?? "0", 10) || 0,
-    totalOrganicSessions: parseInt(organicRow?.metricValues[0]?.value ?? "0", 10) || 0
-  };
-  ga4Log("info", "fetch-aggregate.done", { propertyId, ...summary });
-  return summary;
-}
-async function fetchAiReferrals(accessToken, propertyId, days) {
-  const syncDays = Math.min(Math.max(1, days ?? GA4_DEFAULT_SYNC_DAYS), GA4_MAX_SYNC_DAYS);
-  const endDate = /* @__PURE__ */ new Date();
-  const startDate = /* @__PURE__ */ new Date();
-  startDate.setDate(startDate.getDate() - syncDays);
-  ga4Log("info", "fetch-ai-referrals.start", { propertyId, days: syncDays });
-  const PAGE_SIZE = 1e3;
-  const rows = [];
-  let offset = 0;
-  while (true) {
-    const request = {
-      dateRanges: [{ startDate: formatDate(startDate), endDate: formatDate(endDate) }],
-      dimensions: [
-        { name: "date" },
-        { name: "sessionSource" },
-        { name: "sessionMedium" }
-      ],
-      metrics: [
-        { name: "sessions" },
-        { name: "totalUsers" }
-      ],
-      dimensionFilter: {
-        orGroup: {
-          expressions: AI_REFERRAL_SOURCE_FILTERS.map(({ matchType, value }) => ({
-            filter: {
-              fieldName: "sessionSource",
-              stringFilter: { matchType, value }
-            }
-          }))
+        const entry = byKeyword.get(snap.keywordId);
+        if (snap.provider === "cdp:chatgpt") {
+          entry.browser = snap;
+        } else if (snap.provider === "openai") {
+          entry.api = snap;
         }
-      },
-      limit: PAGE_SIZE,
-      offset
-    };
-    const response = await runReport(accessToken, propertyId, request);
-    const pageRows = (response.rows ?? []).map((row) => ({
-      date: row.dimensionValues[0].value,
-      source: row.dimensionValues[1].value,
-      medium: row.dimensionValues[2].value,
-      sessions: parseInt(row.metricValues[0].value, 10) || 0,
-      users: parseInt(row.metricValues[1].value, 10) || 0
-    }));
-    rows.push(...pageRows);
-    const totalRows = response.rowCount ?? 0;
-    offset += pageRows.length;
-    if (pageRows.length < PAGE_SIZE || offset >= totalRows) break;
-  }
-  for (const row of rows) {
-    if (row.date.length === 8 && !row.date.includes("-")) {
-      row.date = `${row.date.slice(0, 4)}-${row.date.slice(4, 6)}-${row.date.slice(6, 8)}`;
+      }
+      let agreed = 0;
+      let apiOnlyCited = 0;
+      let browserOnlyCited = 0;
+      let disagreed = 0;
+      let total = 0;
+      const keywordResults = [...byKeyword.values()].map(({ keyword, api, browser }) => {
+        total++;
+        const apiCited = api?.citationState === "cited";
+        const browserCited = browser?.citationState === "cited";
+        let agreement;
+        if (!api && !browser) {
+          agreement = "no-data";
+        } else if (!api) {
+          agreement = "no-api";
+        } else if (!browser) {
+          agreement = "no-browser";
+        } else if (apiCited && browserCited) {
+          agreement = "agree-cited";
+          agreed++;
+        } else if (!apiCited && !browserCited) {
+          agreement = "agree-not-cited";
+          agreed++;
+        } else if (apiCited && !browserCited) {
+          agreement = "api-only-cited";
+          apiOnlyCited++;
+          disagreed++;
+        } else {
+          agreement = "browser-only-cited";
+          browserOnlyCited++;
+          disagreed++;
+        }
+        const parseGroundingSources2 = (snap) => {
+          if (!snap?.rawResponse) return [];
+          try {
+            const raw = JSON.parse(snap.rawResponse);
+            return raw.groundingSources ?? [];
+          } catch {
+            return [];
+          }
+        };
+        return {
+          keyword,
+          api: api ? {
+            provider: api.provider,
+            citationState: api.citationState,
+            citedDomains: JSON.parse(api.citedDomains || "[]"),
+            groundingSources: parseGroundingSources2(api)
+          } : null,
+          browser: browser ? {
+            provider: browser.provider,
+            citationState: browser.citationState,
+            citedDomains: JSON.parse(browser.citedDomains || "[]"),
+            groundingSources: parseGroundingSources2(browser),
+            screenshotUrl: browser.screenshotPath ? `/api/v1/screenshots/${browser.id}` : void 0
+          } : null,
+          agreement
+        };
+      });
+      return reply.send({
+        summary: { total, agreed, apiOnly: apiOnlyCited, browserOnly: browserOnlyCited, disagreed },
+        keywords: keywordResults
+      });
     }
-  }
-  ga4Log("info", "fetch-ai-referrals.done", { propertyId, rowCount: rows.length });
-  return rows;
+  );
 }
 
 // ../api-routes/src/ga.ts
+import crypto16 from "crypto";
+import { eq as eq16, desc as desc6, and as and5, sql as sql4 } from "drizzle-orm";
 function gaLog(level, action, ctx) {
   const entry = { ts: (/* @__PURE__ */ new Date()).toISOString(), level, module: "GA4Routes", action, ...ctx };
   const stream = level === "error" ? process.stderr : process.stdout;
   stream.write(JSON.stringify(entry) + "\n");
 }
-async function ga4Routes(app, opts) {
-  function requireCredentialStore(reply) {
-    if (opts.ga4CredentialStore) return opts.ga4CredentialStore;
-    const err = validationError("GA4 credential storage is not configured for this deployment");
-    reply.status(err.statusCode).send(err.toJSON());
-    return null;
+async function refreshOAuthTokenIfNeeded(googleStore, authConfig, canonicalDomain, oauthConn) {
+  const expiresAt = oauthConn.tokenExpiresAt ? new Date(oauthConn.tokenExpiresAt).getTime() : 0;
+  const fiveMinutes = 5 * 60 * 1e3;
+  if (Date.now() > expiresAt - fiveMinutes) {
+    if (!authConfig.clientId || !authConfig.clientSecret) {
+      throw validationError("Google OAuth client credentials are not configured \u2014 cannot refresh GA4 token.");
+    }
+    const tokens = await refreshAccessToken(authConfig.clientId, authConfig.clientSecret, oauthConn.refreshToken);
+    const newExpiresAt = new Date(Date.now() + tokens.expires_in * 1e3).toISOString();
+    googleStore.updateConnection(canonicalDomain, "ga4", {
+      accessToken: tokens.access_token,
+      tokenExpiresAt: newExpiresAt,
+      updatedAt: (/* @__PURE__ */ new Date()).toISOString()
+    });
+    return tokens.access_token;
   }
-  app.post("/projects/:name/ga/connect", async (request, reply) => {
-    const store = requireCredentialStore(reply);
-    if (!store) return;
+  return oauthConn.accessToken;
+}
+async function resolveGa4AccessToken(opts, projectName, canonicalDomain) {
+  const saConn = opts.ga4CredentialStore?.getConnection(projectName);
+  if (saConn?.clientEmail && saConn?.privateKey && saConn?.propertyId) {
+    const token = await getAccessToken(saConn.clientEmail, saConn.privateKey);
+    return { accessToken: token, propertyId: saConn.propertyId };
+  }
+  const googleStore = opts.googleConnectionStore;
+  const authConfig = opts.getGoogleAuthConfig?.();
+  if (!googleStore || !authConfig) {
+    throw validationError(
+      'No GA4 credentials found. Run "canonry ga connect <project> --key-file <path>" or "canonry google connect <project> --type ga4" to authenticate.'
+    );
+  }
+  const oauthConn = googleStore.getConnection(canonicalDomain, "ga4");
+  if (!oauthConn?.accessToken || !oauthConn?.refreshToken) {
+    throw validationError(
+      'No GA4 credentials found. Run "canonry ga connect <project> --key-file <path>" or "canonry google connect <project> --type ga4" to authenticate.'
+    );
+  }
+  if (!oauthConn.propertyId) {
+    throw validationError(
+      'GA4 property ID not set. Run "canonry ga set-property <project> <propertyId>" to configure it.'
+    );
+  }
+  const accessToken = await refreshOAuthTokenIfNeeded(googleStore, authConfig, canonicalDomain, {
+    accessToken: oauthConn.accessToken,
+    refreshToken: oauthConn.refreshToken,
+    tokenExpiresAt: oauthConn.tokenExpiresAt
+  });
+  return { accessToken, propertyId: oauthConn.propertyId };
+}
+function requireGa4Connection(opts, projectName, canonicalDomain) {
+  const saConn = opts.ga4CredentialStore?.getConnection(projectName);
+  const oauthConn = opts.googleConnectionStore?.getConnection(canonicalDomain, "ga4");
+  if (!saConn && !(oauthConn?.accessToken && oauthConn?.propertyId)) {
+    throw validationError('No GA4 connection found. Run "canonry ga connect <project>" first.');
+  }
+}
+async function ga4Routes(app, opts) {
+  app.post("/projects/:name/ga/connect", async (request, _reply) => {
     const project = resolveProject(app.db, request.params.name);
     const { propertyId, keyJson } = request.body ?? {};
     if (!propertyId || typeof propertyId !== "string") {
-      const err = validationError("propertyId is required");
-      return reply.status(err.statusCode).send(err.toJSON());
+      throw validationError("propertyId is required");
     }
-    let clientEmail;
-    let privateKey;
     if (keyJson && typeof keyJson === "string") {
+      if (!opts.ga4CredentialStore) {
+        throw validationError("GA4 credential storage is not configured for this deployment");
+      }
+      let parsed;
       try {
-        const parsed = JSON.parse(keyJson);
-        if (!parsed.client_email || !parsed.private_key) {
-          const err = validationError("Service account JSON must contain client_email and private_key");
-          return reply.status(err.statusCode).send(err.toJSON());
-        }
-        clientEmail = parsed.client_email;
-        privateKey = parsed.private_key;
+        parsed = JSON.parse(keyJson);
       } catch {
-        const err = validationError("Invalid JSON in keyJson");
-        return reply.status(err.statusCode).send(err.toJSON());
+        throw validationError("Invalid JSON in keyJson");
       }
-    } else {
-      const err = validationError("keyJson is required");
-      return reply.status(err.statusCode).send(err.toJSON());
+      if (!parsed.client_email || !parsed.private_key) {
+        throw validationError("Service account JSON must contain client_email and private_key");
+      }
+      const clientEmail = parsed.client_email;
+      const privateKey = parsed.private_key;
+      try {
+        await verifyConnection(clientEmail, privateKey, propertyId);
+        gaLog("info", "connect.verified.service-account", { projectId: project.id, propertyId });
+      } catch (e) {
+        const msg = e instanceof Error ? e.message : String(e);
+        gaLog("error", "connect.verify-failed", { projectId: project.id, propertyId, error: msg });
+        throw validationError(`Failed to verify GA4 credentials: ${msg}`);
+      }
+      const now = (/* @__PURE__ */ new Date()).toISOString();
+      const existing = opts.ga4CredentialStore.getConnection(project.name);
+      opts.ga4CredentialStore.upsertConnection({
+        projectName: project.name,
+        propertyId,
+        clientEmail,
+        privateKey,
+        createdAt: existing?.createdAt ?? now,
+        updatedAt: now
+      });
+      writeAuditLog(app.db, {
+        projectId: project.id,
+        actor: "api",
+        action: "ga4.connected",
+        entityType: "ga_connection",
+        entityId: propertyId
+      });
+      return { connected: true, propertyId, authMethod: "service-account", clientEmail };
+    }
+    const googleStore = opts.googleConnectionStore;
+    const authConfig = opts.getGoogleAuthConfig?.();
+    if (!googleStore || !authConfig) {
+      throw validationError(
+        'No service account key provided and OAuth storage is not configured. Pass --key-file or run "canonry google connect <project> --type ga4" first.'
+      );
     }
+    const oauthConn = googleStore.getConnection(project.canonicalDomain, "ga4");
+    if (!oauthConn?.accessToken || !oauthConn?.refreshToken) {
+      throw validationError(
+        'No GA4 OAuth token found. Run "canonry google connect <project> --type ga4" first, or pass --key-file to use a service account.'
+      );
+    }
+    const accessToken = await refreshOAuthTokenIfNeeded(googleStore, authConfig, project.canonicalDomain, {
+      accessToken: oauthConn.accessToken,
+      refreshToken: oauthConn.refreshToken,
+      tokenExpiresAt: oauthConn.tokenExpiresAt
+    });
     try {
-      await verifyConnection(clientEmail, privateKey, propertyId);
-      gaLog("info", "connect.verified", { projectId: project.id, propertyId });
+      await verifyConnectionWithToken(accessToken, propertyId);
+      gaLog("info", "connect.verified.oauth", { projectId: project.id, propertyId });
     } catch (e) {
       const msg = e instanceof Error ? e.message : String(e);
-      gaLog("error", "connect.verify-failed", { projectId: project.id, propertyId, error: msg });
-      const err = validationError(`Failed to verify GA4 credentials: ${msg}`);
-      return reply.status(err.statusCode).send(err.toJSON());
+      gaLog("error", "connect.verify-failed.oauth", { projectId: project.id, propertyId, error: msg });
+      throw validationError(`Failed to verify GA4 access: ${msg}`);
     }
-    const now = (/* @__PURE__ */ new Date()).toISOString();
-    const existing = store.getConnection(project.name);
-    store.upsertConnection({
-      projectName: project.name,
+    googleStore.updateConnection(project.canonicalDomain, "ga4", {
       propertyId,
-      clientEmail,
-      privateKey,
-      createdAt: existing?.createdAt ?? now,
-      updatedAt: now
+      updatedAt: (/* @__PURE__ */ new Date()).toISOString()
     });
     writeAuditLog(app.db, {
       projectId: project.id,
@@ -8199,80 +8318,62 @@ async function ga4Routes(app, opts) {
       entityType: "ga_connection",
       entityId: propertyId
     });
-    return {
-      connected: true,
-      propertyId,
-      clientEmail
-    };
+    return { connected: true, propertyId, authMethod: "oauth" };
   });
   app.delete("/projects/:name/ga/disconnect", async (request, reply) => {
-    const store = requireCredentialStore(reply);
-    if (!store) return;
     const project = resolveProject(app.db, request.params.name);
-    const conn = store.getConnection(project.name);
-    if (!conn) {
-      const err = notFound("GA4 connection", project.name);
-      return reply.status(err.statusCode).send(err.toJSON());
+    const saConn = opts.ga4CredentialStore?.getConnection(project.name);
+    const oauthConn = opts.googleConnectionStore?.getConnection(project.canonicalDomain, "ga4");
+    if (!saConn && !oauthConn) {
+      throw notFound("GA4 connection", project.name);
     }
     app.db.delete(gaTrafficSnapshots).where(eq16(gaTrafficSnapshots.projectId, project.id)).run();
     app.db.delete(gaTrafficSummaries).where(eq16(gaTrafficSummaries.projectId, project.id)).run();
     app.db.delete(gaAiReferrals).where(eq16(gaAiReferrals.projectId, project.id)).run();
-    store.deleteConnection(project.name);
+    const propertyId = saConn?.propertyId ?? oauthConn?.propertyId ?? null;
+    opts.ga4CredentialStore?.deleteConnection(project.name);
+    opts.googleConnectionStore?.deleteConnection(project.canonicalDomain, "ga4");
     writeAuditLog(app.db, {
       projectId: project.id,
       actor: "api",
       action: "ga4.disconnected",
       entityType: "ga_connection",
-      entityId: conn.propertyId
+      entityId: propertyId
     });
     return reply.status(204).send();
   });
-  app.get("/projects/:name/ga/status", async (request, reply) => {
-    const store = requireCredentialStore(reply);
-    if (!store) return;
+  app.get("/projects/:name/ga/status", async (request, _reply) => {
     const project = resolveProject(app.db, request.params.name);
-    const conn = store.getConnection(project.name);
-    if (!conn) {
-      return { connected: false, propertyId: null, clientEmail: null, lastSyncedAt: null };
+    const saConn = opts.ga4CredentialStore?.getConnection(project.name);
+    const oauthConn = opts.googleConnectionStore?.getConnection(project.canonicalDomain, "ga4");
+    const connected = !!(saConn || oauthConn?.accessToken && oauthConn?.propertyId);
+    if (!connected) {
+      return { connected: false, propertyId: null, clientEmail: null, authMethod: null, lastSyncedAt: null };
     }
     const latestSync = app.db.select({ syncedAt: gaTrafficSummaries.syncedAt }).from(gaTrafficSummaries).where(eq16(gaTrafficSummaries.projectId, project.id)).orderBy(desc6(gaTrafficSummaries.syncedAt)).limit(1).get();
     return {
       connected: true,
-      propertyId: conn.propertyId,
-      clientEmail: conn.clientEmail,
+      propertyId: saConn?.propertyId ?? oauthConn?.propertyId ?? null,
+      clientEmail: saConn?.clientEmail ?? null,
+      authMethod: saConn ? "service-account" : "oauth",
       lastSyncedAt: latestSync?.syncedAt ?? null,
-      createdAt: conn.createdAt,
-      updatedAt: conn.updatedAt
+      createdAt: saConn?.createdAt ?? oauthConn?.createdAt ?? null,
+      updatedAt: saConn?.updatedAt ?? oauthConn?.updatedAt ?? null
     };
   });
-  app.post("/projects/:name/ga/sync", async (request, reply) => {
-    const store = requireCredentialStore(reply);
-    if (!store) return;
+  app.post("/projects/:name/ga/sync", async (request, _reply) => {
     const project = resolveProject(app.db, request.params.name);
-    const conn = store.getConnection(project.name);
-    if (!conn) {
-      const err = validationError('No GA4 connection found. Run "canonry ga connect <project>" first.');
-      return reply.status(err.statusCode).send(err.toJSON());
-    }
     const days = request.body?.days ?? 30;
-    let accessToken;
-    try {
-      accessToken = await getAccessToken(conn.clientEmail, conn.privateKey);
-    } catch (e) {
-      const msg = e instanceof Error ? e.message : String(e);
-      gaLog("error", "sync.auth-failed", { projectId: project.id, error: msg });
-      const err = validationError(`GA4 authentication failed: ${msg}`);
-      return reply.status(err.statusCode).send(err.toJSON());
-    }
+    const { accessToken, propertyId } = await resolveGa4AccessToken(opts, project.name, project.canonicalDomain);
     let rows;
     let summary;
     let aiReferrals;
     try {
       ;
       [rows, summary, aiReferrals] = await Promise.all([
-        fetchTrafficByLandingPage(accessToken, conn.propertyId, days),
-        fetchAggregateSummary(accessToken, conn.propertyId, days),
-        fetchAiReferrals(accessToken, conn.propertyId, days)
+        fetchTrafficByLandingPage(accessToken, propertyId, days),
+        fetchAggregateSummary(accessToken, propertyId, days),
+        fetchAiReferrals(accessToken, propertyId, days)
       ]);
     } catch (e) {
       const msg = e instanceof Error ? e.message : String(e);
@@ -8350,15 +8451,9 @@ async function ga4Routes(app, opts) {
       syncedAt: now
     };
   });
-  app.get("/projects/:name/ga/traffic", async (request, reply) => {
-    const store = requireCredentialStore(reply);
-    if (!store) return;
+  app.get("/projects/:name/ga/traffic", async (request, _reply) => {
     const project = resolveProject(app.db, request.params.name);
-    const conn = store.getConnection(project.name);
-    if (!conn) {
-      const err = validationError('No GA4 connection found. Run "canonry ga connect <project>" first.');
-      return reply.status(err.statusCode).send(err.toJSON());
-    }
+    requireGa4Connection(opts, project.name, project.canonicalDomain);
     const limit = Math.max(1, Math.min(parseInt(request.query.limit ?? "50", 10) || 50, 500));
     const summary = app.db.select({
       totalSessions: gaTrafficSummaries.totalSessions,
@@ -8397,15 +8492,21 @@ async function ga4Routes(app, opts) {
       lastSyncedAt: latestSync?.syncedAt ?? null
     };
   });
-  app.get("/projects/:name/ga/coverage", async (request, reply) => {
-    const store = requireCredentialStore(reply);
-    if (!store) return;
+  app.get("/projects/:name/ga/ai-referral-history", async (request, _reply) => {
     const project = resolveProject(app.db, request.params.name);
-    const conn = store.getConnection(project.name);
-    if (!conn) {
-      const err = validationError('No GA4 connection found. Run "canonry ga connect <project>" first.');
-      return reply.status(err.statusCode).send(err.toJSON());
-    }
+    requireGa4Connection(opts, project.name, project.canonicalDomain);
+    const rows = app.db.select({
+      date: gaAiReferrals.date,
+      source: gaAiReferrals.source,
+      medium: gaAiReferrals.medium,
+      sessions: gaAiReferrals.sessions,
+      users: gaAiReferrals.users
+    }).from(gaAiReferrals).where(eq16(gaAiReferrals.projectId, project.id)).orderBy(gaAiReferrals.date).all();
+    return rows;
+  });
+  app.get("/projects/:name/ga/coverage", async (request, _reply) => {
+    const project = resolveProject(app.db, request.params.name);
+    requireGa4Connection(opts, project.name, project.canonicalDomain);
     const trafficPages = app.db.select({
       landingPage: gaTrafficSnapshots.landingPage,
       sessions: sql4`SUM(${gaTrafficSnapshots.sessions})`,
@@ -8546,6 +8647,8 @@ function parseSchemaPageEntry(entry) {
 
 // ../integration-wordpress/src/wordpress-client.ts
 import crypto17 from "crypto";
+var WP_REQUEST_TIMEOUT_MS = 3e4;
+var WP_FETCH_TEXT_TIMEOUT_MS = 15e3;
 var PAGE_FIELDS = "id,slug,status,link,modified,modified_gmt,title,content,meta";
 var PAGE_LIST_FIELDS = "id,slug,status,link,modified,modified_gmt,title";
 var VERIFY_PAGE_FIELDS = "id,status";
@@ -8602,7 +8705,8 @@ async function fetchJson(connection, siteUrl, path7, init) {
       "Authorization": `Basic ${encodeBasicAuth(connection.username, connection.appPassword)}`,
       ...init?.body != null ? { "Content-Type": "application/json" } : {},
       ...init?.headers ?? {}
-    }
+    },
+    signal: AbortSignal.timeout(WP_REQUEST_TIMEOUT_MS)
   });
   if (res.status === 401 || res.status === 403) {
     const text2 = await res.text().catch(() => "");
@@ -8645,7 +8749,7 @@ async function fetchPageCollectionSummary(connection, siteUrl, options) {
 }
 async function fetchText(url) {
   try {
-    const res = await fetch(url);
+    const res = await fetch(url, { signal: AbortSignal.timeout(WP_FETCH_TEXT_TIMEOUT_MS) });
     if (!res.ok) return null;
     return await res.text();
   } catch {
@@ -10162,7 +10266,9 @@ async function apiRoutes(app, opts) {
       onCdpConfigure: opts.onCdpConfigure
     });
     await api.register(ga4Routes, {
-      ga4CredentialStore: opts.ga4CredentialStore
+      ga4CredentialStore: opts.ga4CredentialStore,
+      googleConnectionStore: opts.googleConnectionStore,
+      getGoogleAuthConfig: opts.getGoogleAuthConfig
     });
   }, { prefix: opts.routePrefix ?? "/api/v1" });
 }
@@ -12706,9 +12812,6 @@ function extractRecommendedCompetitors(answerText, ownDomains, citedDomains, com
 function cleanCandidateName(candidate) {
   return candidate.replace(/^[\s"'`]+|[\s"'`.,:;!?]+$/g, "").replace(/\s+/g, " ").trim();
 }
-function brandKeyFromText(value) {
-  return value.toLowerCase().replace(/[^a-z0-9]/g, "");
-}
 function collectBrandKeysFromDomain(domain) {
   const hostname = normalizeProjectDomain(domain).split("/")[0] ?? "";
   const labels = hostname.split(".").filter(Boolean);