@ainyc/canonry 1.37.1 → 1.39.0

package/dist/{chunk-U2ZNKIWK.js → chunk-4W7EW7SN.js}

@@ -243,11 +243,11 @@ function trackEvent(event, properties) {
 
 // src/server.ts
 import { createRequire as createRequire2 } from "module";
-import crypto22 from "crypto";
+import crypto23 from "crypto";
 import fs5 from "fs";
 import path6 from "path";
 import { fileURLToPath } from "url";
-import { eq as eq22 } from "drizzle-orm";
+import { eq as eq24 } from "drizzle-orm";
 import Fastify from "fastify";
 
 // ../contracts/src/config-schema.ts
@@ -1224,6 +1224,8 @@ __export(schema_exports, {
   gscCoverageSnapshots: () => gscCoverageSnapshots,
   gscSearchData: () => gscSearchData,
   gscUrlInspections: () => gscUrlInspections,
+  healthSnapshots: () => healthSnapshots,
+  insights: () => insights,
   keywords: () => keywords,
   notifications: () => notifications,
   projects: () => projects,
@@ -1528,6 +1530,39 @@ var usageCounters = sqliteTable("usage_counters", {
   uniqueIndex("idx_usage_scope_period_metric").on(table.scope, table.period, table.metric),
   index("idx_usage_scope_period").on(table.scope, table.period)
 ]);
+var insights = sqliteTable("insights", {
+  id: text("id").primaryKey(),
+  projectId: text("project_id").notNull().references(() => projects.id, { onDelete: "cascade" }),
+  runId: text("run_id").references(() => runs.id, { onDelete: "cascade" }),
+  type: text("type").notNull(),
+  severity: text("severity").notNull(),
+  title: text("title").notNull(),
+  keyword: text("keyword").notNull(),
+  provider: text("provider").notNull(),
+  recommendation: text("recommendation"),
+  cause: text("cause"),
+  dismissed: integer("dismissed", { mode: "boolean" }).notNull().default(false),
+  createdAt: text("created_at").notNull()
+}, (table) => [
+  index("idx_insights_project").on(table.projectId),
+  index("idx_insights_run").on(table.runId),
+  index("idx_insights_created").on(table.createdAt),
+  index("idx_insights_keyword_provider").on(table.keyword, table.provider)
+]);
+var healthSnapshots = sqliteTable("health_snapshots", {
+  id: text("id").primaryKey(),
+  projectId: text("project_id").notNull().references(() => projects.id, { onDelete: "cascade" }),
+  runId: text("run_id").references(() => runs.id, { onDelete: "cascade" }),
+  overallCitedRate: text("overall_cited_rate").notNull(),
+  totalPairs: integer("total_pairs").notNull(),
+  citedPairs: integer("cited_pairs").notNull(),
+  providerBreakdown: text("provider_breakdown").notNull().default("{}"),
+  createdAt: text("created_at").notNull()
+}, (table) => [
+  index("idx_health_snapshots_project").on(table.projectId),
+  index("idx_health_snapshots_run").on(table.runId),
+  index("idx_health_snapshots_created").on(table.createdAt)
+]);
 
 // ../db/src/client.ts
 function createClient(databasePath) {
@@ -1692,6 +1727,7 @@ var MIGRATIONS = [
   // v5b: Backfill model from rawResponse JSON for existing snapshots
   `UPDATE query_snapshots SET model = json_extract(raw_response, '$.model') WHERE model IS NULL AND raw_response IS NOT NULL AND json_extract(raw_response, '$.model') IS NOT NULL`,
   // v6: Google Search Console integration — google_connections table (domain-scoped)
+  // WARNING: access_token, refresh_token are authentication material; consider storing in config.yaml per CLAUDE.md
   `CREATE TABLE IF NOT EXISTS google_connections (
     id              TEXT PRIMARY KEY,
     domain          TEXT NOT NULL,
@@ -1807,6 +1843,7 @@ var MIGRATIONS = [
   `CREATE INDEX IF NOT EXISTS idx_bing_keyword_project ON bing_keyword_stats(project_id)`,
   `CREATE INDEX IF NOT EXISTS idx_bing_keyword_query ON bing_keyword_stats(query)`,
   // v13: Google Analytics 4 — ga_connections table (service account auth)
+  // WARNING: private_key is authentication material; consider storing in config.yaml per CLAUDE.md
   `CREATE TABLE IF NOT EXISTS ga_connections (
     id            TEXT PRIMARY KEY,
     project_id    TEXT NOT NULL REFERENCES projects(id) ON DELETE CASCADE,
@@ -1876,8 +1913,52 @@ var MIGRATIONS = [
   `ALTER TABLE ga_ai_referrals ADD COLUMN source_dimension TEXT NOT NULL DEFAULT 'session'`,
   // Replace old unique index with one that includes source_dimension
   `DROP INDEX IF EXISTS idx_ga_ai_ref_unique`,
-  `CREATE UNIQUE INDEX IF NOT EXISTS idx_ga_ai_ref_unique_v2 ON ga_ai_referrals(project_id, date, source, medium, source_dimension)`
+  `CREATE UNIQUE INDEX IF NOT EXISTS idx_ga_ai_ref_unique_v2 ON ga_ai_referrals(project_id, date, source, medium, source_dimension)`,
+  // v21: Add missing indexes for query_snapshots filtering
+  `CREATE INDEX IF NOT EXISTS idx_snapshots_citation_state ON query_snapshots(citation_state)`,
+  `CREATE INDEX IF NOT EXISTS idx_snapshots_provider_model ON query_snapshots(provider, model)`,
+  `CREATE INDEX IF NOT EXISTS idx_snapshots_location ON query_snapshots(location)`,
+  // v22: Intelligence — insights table for regression/gain/opportunity tracking
+  `CREATE TABLE IF NOT EXISTS insights (
+    id              TEXT PRIMARY KEY,
+    project_id      TEXT NOT NULL REFERENCES projects(id) ON DELETE CASCADE,
+    type            TEXT NOT NULL,
+    severity        TEXT NOT NULL,
+    title           TEXT NOT NULL,
+    keyword         TEXT NOT NULL,
+    provider        TEXT NOT NULL,
+    recommendation  TEXT,
+    cause           TEXT,
+    dismissed       INTEGER NOT NULL DEFAULT 0,
+    created_at      TEXT NOT NULL
+  )`,
+  `CREATE INDEX IF NOT EXISTS idx_insights_project ON insights(project_id)`,
+  `CREATE INDEX IF NOT EXISTS idx_insights_created ON insights(created_at)`,
+  `CREATE INDEX IF NOT EXISTS idx_insights_keyword_provider ON insights(keyword, provider)`,
+  // v23: Intelligence — health_snapshots table for citation health over time
+  `CREATE TABLE IF NOT EXISTS health_snapshots (
+    id                  TEXT PRIMARY KEY,
+    project_id          TEXT NOT NULL REFERENCES projects(id) ON DELETE CASCADE,
+    overall_cited_rate  TEXT NOT NULL,
+    total_pairs         INTEGER NOT NULL,
+    cited_pairs         INTEGER NOT NULL,
+    provider_breakdown  TEXT NOT NULL DEFAULT '{}',
+    created_at          TEXT NOT NULL
+  )`,
+  `CREATE INDEX IF NOT EXISTS idx_health_snapshots_project ON health_snapshots(project_id)`,
+  `CREATE INDEX IF NOT EXISTS idx_health_snapshots_created ON health_snapshots(created_at)`,
+  // v24: Intelligence — add run_id to insights and health_snapshots for per-run correlation and idempotency
+  `ALTER TABLE insights ADD COLUMN run_id TEXT REFERENCES runs(id) ON DELETE CASCADE`,
+  `CREATE INDEX IF NOT EXISTS idx_insights_run ON insights(run_id)`,
+  `ALTER TABLE health_snapshots ADD COLUMN run_id TEXT REFERENCES runs(id) ON DELETE CASCADE`,
+  `CREATE INDEX IF NOT EXISTS idx_health_snapshots_run ON health_snapshots(run_id)`
 ];
+function isDuplicateColumnError(err) {
+  if (!(err instanceof Error)) return false;
+  if (err.message.includes("duplicate column name")) return true;
+  if (err.cause instanceof Error && err.cause.message.includes("duplicate column name")) return true;
+  return false;
+}
 function migrate(db) {
   const statements = MIGRATION_SQL.split(";").map((s) => s.trim()).filter((s) => s.length > 0);
   for (const statement of statements) {
@@ -1886,7 +1967,9 @@ function migrate(db) {
   for (const migration of MIGRATIONS) {
     try {
       db.run(sql.raw(migration));
-    } catch {
+    } catch (err) {
+      if (isDuplicateColumnError(err)) continue;
+      throw err;
     }
   }
 }
@@ -3805,6 +3888,81 @@ function buildCategoryCounts(counts) {
   return result;
 }
 
+// ../api-routes/src/intelligence.ts
+import { eq as eq11, desc as desc4, and as and2 } from "drizzle-orm";
+function mapInsightRow(r) {
+  return {
+    id: r.id,
+    projectId: r.projectId,
+    runId: r.runId ?? null,
+    type: r.type,
+    severity: r.severity,
+    title: r.title,
+    keyword: r.keyword,
+    provider: r.provider,
+    recommendation: parseJsonColumn(r.recommendation, void 0),
+    cause: parseJsonColumn(r.cause, void 0),
+    dismissed: r.dismissed,
+    createdAt: r.createdAt
+  };
+}
+function mapHealthRow(r) {
+  return {
+    id: r.id,
+    projectId: r.projectId,
+    runId: r.runId ?? null,
+    overallCitedRate: Number(r.overallCitedRate),
+    totalPairs: r.totalPairs,
+    citedPairs: r.citedPairs,
+    providerBreakdown: parseJsonColumn(r.providerBreakdown, {}),
+    createdAt: r.createdAt
+  };
+}
+async function intelligenceRoutes(app) {
+  app.get("/projects/:name/insights", async (request, reply) => {
+    const project = resolveProject(app.db, request.params.name);
+    const conditions = [eq11(insights.projectId, project.id)];
+    if (request.query.runId) {
+      conditions.push(eq11(insights.runId, request.query.runId));
+    }
+    const rows = app.db.select().from(insights).where(conditions.length === 1 ? conditions[0] : and2(...conditions)).orderBy(desc4(insights.createdAt)).all();
+    const showDismissed = request.query.dismissed === "true";
+    const result = rows.filter((r) => showDismissed || !r.dismissed).map(mapInsightRow);
+    return reply.send(result);
+  });
+  app.get("/projects/:name/insights/:id", async (request, reply) => {
+    const project = resolveProject(app.db, request.params.name);
+    const row = app.db.select().from(insights).where(eq11(insights.id, request.params.id)).get();
+    if (!row || row.projectId !== project.id) {
+      throw notFound("Insight", request.params.id);
+    }
+    return reply.send(mapInsightRow(row));
+  });
+  app.post("/projects/:name/insights/:id/dismiss", async (request, reply) => {
+    const project = resolveProject(app.db, request.params.name);
+    const row = app.db.select().from(insights).where(eq11(insights.id, request.params.id)).get();
+    if (!row || row.projectId !== project.id) {
+      throw notFound("Insight", request.params.id);
+    }
+    app.db.update(insights).set({ dismissed: true }).where(eq11(insights.id, request.params.id)).run();
+    return reply.send({ ok: true });
+  });
+  app.get("/projects/:name/health/latest", async (request, reply) => {
+    const project = resolveProject(app.db, request.params.name);
+    const row = app.db.select().from(healthSnapshots).where(eq11(healthSnapshots.projectId, project.id)).orderBy(desc4(healthSnapshots.createdAt)).limit(1).get();
+    if (!row) {
+      throw notFound("Health data for project", request.params.name);
+    }
+    return reply.send(mapHealthRow(row));
+  });
+  app.get("/projects/:name/health/history", async (request, reply) => {
+    const project = resolveProject(app.db, request.params.name);
+    const limit = request.query.limit ? Math.min(Number(request.query.limit), 100) : 30;
+    const rows = app.db.select().from(healthSnapshots).where(eq11(healthSnapshots.projectId, project.id)).orderBy(desc4(healthSnapshots.createdAt)).limit(limit).all();
+    return reply.send(rows.map(mapHealthRow));
+  });
+}
+
 // ../api-routes/src/openapi.ts
 var stringSchema = { type: "string" };
 var booleanSchema = { type: "boolean" };
@@ -5826,6 +5984,75 @@ var routeCatalog = [
       400: { description: "GA4 is not connected." },
       404: { description: "Project not found." }
     }
+  },
+  // Intelligence
+  {
+    method: "get",
+    path: "/api/v1/projects/{name}/insights",
+    summary: "List intelligence insights for a project",
+    tags: ["intelligence"],
+    parameters: [
+      nameParameter,
+      { name: "dismissed", in: "query", description: "Include dismissed insights (true/false).", schema: stringSchema },
+      { name: "runId", in: "query", description: "Filter by run ID.", schema: stringSchema }
+    ],
+    responses: {
+      200: { description: "Insights returned." },
+      404: { description: "Project not found." }
+    }
+  },
+  {
+    method: "get",
+    path: "/api/v1/projects/{name}/insights/{id}",
+    summary: "Get a single insight",
+    tags: ["intelligence"],
+    parameters: [
+      nameParameter,
+      { name: "id", in: "path", required: true, description: "Insight ID.", schema: stringSchema }
+    ],
+    responses: {
+      200: { description: "Insight returned." },
+      404: { description: "Insight not found." }
+    }
+  },
+  {
+    method: "post",
+    path: "/api/v1/projects/{name}/insights/{id}/dismiss",
+    summary: "Dismiss an insight",
+    tags: ["intelligence"],
+    parameters: [
+      nameParameter,
+      { name: "id", in: "path", required: true, description: "Insight ID.", schema: stringSchema }
+    ],
+    responses: {
+      200: { description: "Insight dismissed." },
+      404: { description: "Insight not found." }
+    }
+  },
+  {
+    method: "get",
+    path: "/api/v1/projects/{name}/health/latest",
+    summary: "Get latest health snapshot",
+    tags: ["intelligence"],
+    parameters: [nameParameter],
+    responses: {
+      200: { description: "Health snapshot returned." },
+      404: { description: "Project not found." }
+    }
+  },
+  {
+    method: "get",
+    path: "/api/v1/projects/{name}/health/history",
+    summary: "Get health trend over time",
+    tags: ["intelligence"],
+    parameters: [
+      nameParameter,
+      { name: "limit", in: "query", description: "Max results.", schema: stringSchema }
+    ],
+    responses: {
+      200: { description: "Health history returned." },
+      404: { description: "Project not found." }
+    }
   }
 ];
 function buildOpenApiDocument(info = {}) {
@@ -6072,7 +6299,7 @@ async function telemetryRoutes(app, opts) {
 
 // ../api-routes/src/schedules.ts
 import crypto11 from "crypto";
-import { eq as eq11 } from "drizzle-orm";
+import { eq as eq12 } from "drizzle-orm";
 async function scheduleRoutes(app, opts) {
   app.put("/projects/:name/schedule", async (request, reply) => {
     const project = resolveProject(app.db, request.params.name);
@@ -6115,7 +6342,7 @@ async function scheduleRoutes(app, opts) {
     }
     const now = (/* @__PURE__ */ new Date()).toISOString();
     const enabledInt = enabled === false ? 0 : 1;
-    const existing = app.db.select().from(schedules).where(eq11(schedules.projectId, project.id)).get();
+    const existing = app.db.select().from(schedules).where(eq12(schedules.projectId, project.id)).get();
     if (existing) {
       app.db.update(schedules).set({
         cronExpr,
@@ -6124,7 +6351,7 @@ async function scheduleRoutes(app, opts) {
         providers: JSON.stringify(providers),
         enabled: enabledInt,
         updatedAt: now
-      }).where(eq11(schedules.id, existing.id)).run();
+      }).where(eq12(schedules.id, existing.id)).run();
     } else {
       app.db.insert(schedules).values({
         id: crypto11.randomUUID(),
@@ -6146,12 +6373,12 @@ async function scheduleRoutes(app, opts) {
       diff: { cronExpr, preset, timezone, providers }
     });
     opts.onScheduleUpdated?.("upsert", project.id);
-    const schedule = app.db.select().from(schedules).where(eq11(schedules.projectId, project.id)).get();
+    const schedule = app.db.select().from(schedules).where(eq12(schedules.projectId, project.id)).get();
     return reply.status(existing ? 200 : 201).send(formatSchedule(schedule));
   });
   app.get("/projects/:name/schedule", async (request, reply) => {
     const project = resolveProject(app.db, request.params.name);
-    const schedule = app.db.select().from(schedules).where(eq11(schedules.projectId, project.id)).get();
+    const schedule = app.db.select().from(schedules).where(eq12(schedules.projectId, project.id)).get();
     if (!schedule) {
       throw notFound("Schedule", request.params.name);
     }
@@ -6159,11 +6386,11 @@ async function scheduleRoutes(app, opts) {
   });
   app.delete("/projects/:name/schedule", async (request, reply) => {
     const project = resolveProject(app.db, request.params.name);
-    const schedule = app.db.select().from(schedules).where(eq11(schedules.projectId, project.id)).get();
+    const schedule = app.db.select().from(schedules).where(eq12(schedules.projectId, project.id)).get();
     if (!schedule) {
       throw notFound("Schedule", request.params.name);
     }
-    app.db.delete(schedules).where(eq11(schedules.id, schedule.id)).run();
+    app.db.delete(schedules).where(eq12(schedules.id, schedule.id)).run();
     writeAuditLog(app.db, {
       projectId: project.id,
       actor: "api",
@@ -6193,7 +6420,7 @@ function formatSchedule(row) {
 
 // ../api-routes/src/notifications.ts
 import crypto12 from "crypto";
-import { eq as eq12 } from "drizzle-orm";
+import { eq as eq13 } from "drizzle-orm";
 var VALID_EVENTS = ["citation.lost", "citation.gained", "run.completed", "run.failed"];
 async function notificationRoutes(app) {
   app.get("/notifications/events", async (_request, reply) => {
@@ -6232,22 +6459,22 @@ async function notificationRoutes(app) {
       diff: { channel, ...redactNotificationUrl(url), events }
     });
     return reply.status(201).send({
-      ...formatNotification(app.db.select().from(notifications).where(eq12(notifications.id, id)).get()),
+      ...formatNotification(app.db.select().from(notifications).where(eq13(notifications.id, id)).get()),
       webhookSecret
     });
   });
   app.get("/projects/:name/notifications", async (request, reply) => {
     const project = resolveProject(app.db, request.params.name);
-    const rows = app.db.select().from(notifications).where(eq12(notifications.projectId, project.id)).all();
+    const rows = app.db.select().from(notifications).where(eq13(notifications.projectId, project.id)).all();
     return reply.send(rows.map(formatNotification));
   });
   app.delete("/projects/:name/notifications/:id", async (request, reply) => {
     const project = resolveProject(app.db, request.params.name);
-    const notification = app.db.select().from(notifications).where(eq12(notifications.id, request.params.id)).get();
+    const notification = app.db.select().from(notifications).where(eq13(notifications.id, request.params.id)).get();
     if (!notification || notification.projectId !== project.id) {
       throw notFound("Notification", request.params.id);
     }
-    app.db.delete(notifications).where(eq12(notifications.id, notification.id)).run();
+    app.db.delete(notifications).where(eq13(notifications.id, notification.id)).run();
     writeAuditLog(app.db, {
       projectId: project.id,
       actor: "api",
@@ -6259,7 +6486,7 @@ async function notificationRoutes(app) {
   });
   app.post("/projects/:name/notifications/:id/test", async (request, reply) => {
     const project = resolveProject(app.db, request.params.name);
-    const notification = app.db.select().from(notifications).where(eq12(notifications.id, request.params.id)).get();
+    const notification = app.db.select().from(notifications).where(eq13(notifications.id, request.params.id)).get();
     if (!notification || notification.projectId !== project.id) {
       throw notFound("Notification", request.params.id);
     }
@@ -6311,7 +6538,7 @@ function formatNotification(row) {
 
 // ../api-routes/src/google.ts
 import crypto14 from "crypto";
-import { eq as eq13, and as and2, desc as desc4, sql as sql3 } from "drizzle-orm";
+import { eq as eq14, and as and3, desc as desc5, sql as sql3 } from "drizzle-orm";
 
 // ../integration-google/src/constants.ts
 var GOOGLE_AUTH_URL = "https://accounts.google.com/o/oauth2/v2/auth";
@@ -6343,7 +6570,56 @@ var GoogleApiError = class extends Error {
 };
 
 // ../integration-google/src/oauth.ts
+function validateClientId(clientId) {
+  if (!clientId || typeof clientId !== "string" || clientId.trim().length === 0) {
+    throw new GoogleAuthError("Client ID is required and must be a non-empty string");
+  }
+}
+function validateClientSecret(clientSecret) {
+  if (!clientSecret || typeof clientSecret !== "string" || clientSecret.trim().length === 0) {
+    throw new GoogleAuthError("Client secret is required and must be a non-empty string");
+  }
+}
+function validateRedirectUri(redirectUri) {
+  if (!redirectUri || typeof redirectUri !== "string" || redirectUri.trim().length === 0) {
+    throw new GoogleAuthError("Redirect URI is required and must be a non-empty string");
+  }
+  try {
+    const url = new URL(redirectUri);
+    if (!url.protocol.startsWith("http")) {
+      throw new GoogleAuthError("Redirect URI must be an HTTP or HTTPS URL");
+    }
+  } catch {
+    throw new GoogleAuthError("Redirect URI must be a valid URL");
+  }
+}
+function validateCode(code) {
+  if (!code || typeof code !== "string" || code.trim().length === 0) {
+    throw new GoogleAuthError("Authorization code is required and must be a non-empty string");
+  }
+}
+function validateScopes(scopes) {
+  if (!Array.isArray(scopes) || scopes.length === 0) {
+    throw new GoogleAuthError("At least one scope is required");
+  }
+  for (const scope of scopes) {
+    if (!scope || typeof scope !== "string" || scope.trim().length === 0) {
+      throw new GoogleAuthError("Scope must be a non-empty string");
+    }
+  }
+}
+function validateRefreshToken(refreshToken) {
+  if (!refreshToken || typeof refreshToken !== "string" || refreshToken.trim().length === 0) {
+    throw new GoogleAuthError("Refresh token is required and must be a non-empty string");
+  }
+}
 function getAuthUrl(clientId, redirectUri, scopes, state) {
+  validateClientId(clientId);
+  validateRedirectUri(redirectUri);
+  validateScopes(scopes);
+  if (state && (typeof state !== "string" || state.trim().length === 0)) {
+    throw new GoogleAuthError("State must be a non-empty string if provided");
+  }
   const params = new URLSearchParams({
     client_id: clientId,
     redirect_uri: redirectUri,
@@ -6356,6 +6632,10 @@ function getAuthUrl(clientId, redirectUri, scopes, state) {
   return `${GOOGLE_AUTH_URL}?${params.toString()}`;
 }
 async function exchangeCode(clientId, clientSecret, code, redirectUri) {
+  validateClientId(clientId);
+  validateClientSecret(clientSecret);
+  validateCode(code);
+  validateRedirectUri(redirectUri);
   const res = await fetch(GOOGLE_TOKEN_URL, {
     method: "POST",
     headers: { "Content-Type": "application/x-www-form-urlencoded" },
@@ -6375,6 +6655,9 @@ async function exchangeCode(clientId, clientSecret, code, redirectUri) {
   return await res.json();
 }
 async function refreshAccessToken(clientId, clientSecret, currentRefreshToken) {
+  validateClientId(clientId);
+  validateClientSecret(clientSecret);
+  validateRefreshToken(currentRefreshToken);
   const res = await fetch(GOOGLE_TOKEN_URL, {
     method: "POST",
     headers: { "Content-Type": "application/x-www-form-urlencoded" },
@@ -6394,6 +6677,47 @@ async function refreshAccessToken(clientId, clientSecret, currentRefreshToken) {
 }
 
 // ../integration-google/src/gsc-client.ts
+function validateAccessToken(accessToken) {
+  if (!accessToken || typeof accessToken !== "string" || accessToken.trim().length === 0) {
+    throw new GoogleApiError("Access token is required and must be a non-empty string", 400);
+  }
+}
+function validateSiteUrl(siteUrl) {
+  if (!siteUrl || typeof siteUrl !== "string" || siteUrl.trim().length === 0) {
+    throw new GoogleApiError("Site URL is required and must be a non-empty string", 400);
+  }
+  if (siteUrl.startsWith("sc-domain:")) {
+    const domain = siteUrl.slice("sc-domain:".length);
+    if (!domain) {
+      throw new GoogleApiError("Site URL sc-domain must include a domain", 400);
+    }
+    if (!domain.includes(".")) {
+      throw new GoogleApiError("Site URL sc-domain must be a valid domain", 400);
+    }
+  } else {
+    try {
+      const url = new URL(siteUrl);
+      if (!url.protocol.startsWith("http")) {
+        throw new GoogleApiError("Site URL must be an HTTP or HTTPS URL", 400);
+      }
+    } catch {
+      throw new GoogleApiError("Site URL must be a valid URL", 400);
+    }
+  }
+}
+function validateUrl(urlParam) {
+  if (!urlParam || typeof urlParam !== "string" || urlParam.trim().length === 0) {
+    throw new GoogleApiError("URL is required and must be a non-empty string", 400);
+  }
+  try {
+    const url = new URL(urlParam);
+    if (!url.protocol.startsWith("http")) {
+      throw new GoogleApiError("URL must be an HTTP or HTTPS URL", 400);
+    }
+  } catch {
+    throw new GoogleApiError("URL must be a valid URL", 400);
+  }
+}
 function gscClientLog(level, action, ctx) {
   const entry = { ts: (/* @__PURE__ */ new Date()).toISOString(), level, module: "GscClient", action, ...ctx };
   const stream = level === "error" ? process.stderr : process.stdout;
@@ -6429,6 +6753,7 @@ async function gscFetch(accessToken, url, opts) {
   return await res.json();
 }
 async function listSites(accessToken) {
+  validateAccessToken(accessToken);
   const data = await gscFetch(
     accessToken,
     `${GSC_API_BASE}/sites`
@@ -6436,6 +6761,8 @@ async function listSites(accessToken) {
   return data.siteEntry ?? [];
 }
 async function listSitemaps(accessToken, siteUrl) {
+  validateAccessToken(accessToken);
+  validateSiteUrl(siteUrl);
   const encodedSiteUrl = encodeURIComponent(siteUrl);
   const data = await gscFetch(
     accessToken,
@@ -6444,6 +6771,8 @@ async function listSitemaps(accessToken, siteUrl) {
   return data.sitemap ?? [];
 }
 async function fetchSearchAnalytics(accessToken, siteUrl, opts) {
+  validateAccessToken(accessToken);
+  validateSiteUrl(siteUrl);
   const allRows = [];
   let startRow = 0;
   const dimensions = opts.dimensions ?? ["query", "page", "country", "device", "date"];
@@ -6479,6 +6808,8 @@ async function fetchSearchAnalytics(accessToken, siteUrl, opts) {
   return allRows;
 }
 async function publishUrlNotification(accessToken, url, type = "URL_UPDATED") {
+  validateAccessToken(accessToken);
+  validateUrl(url);
   return gscFetch(
     accessToken,
     `${INDEXING_API_BASE}/urlNotifications:publish`,
@@ -6489,6 +6820,9 @@ async function publishUrlNotification(accessToken, url, type = "URL_UPDATED") {
   );
 }
 async function inspectUrl(accessToken, inspectionUrl, siteUrl) {
+  validateAccessToken(accessToken);
+  validateUrl(inspectionUrl);
+  validateSiteUrl(siteUrl);
   return gscFetch(
     accessToken,
     URL_INSPECTION_API,
@@ -6524,12 +6858,46 @@ var GA4ApiError = class extends Error {
 };
 
 // ../integration-google-analytics/src/ga4-client.ts
+function validateClientEmail(clientEmail) {
+  if (!clientEmail || typeof clientEmail !== "string" || clientEmail.trim().length === 0) {
+    throw new GA4ApiError("Client email is required and must be a non-empty string", 400);
+  }
+  if (!clientEmail.includes("@")) {
+    throw new GA4ApiError("Client email must be a valid email address", 400);
+  }
+}
+function validatePrivateKey(privateKey) {
+  if (!privateKey || typeof privateKey !== "string" || privateKey.trim().length === 0) {
+    throw new GA4ApiError("Private key is required and must be a non-empty string", 400);
+  }
+}
+function validatePropertyId(propertyId) {
+  if (!propertyId || typeof propertyId !== "string" || propertyId.trim().length === 0) {
+    throw new GA4ApiError("Property ID is required and must be a non-empty string", 400);
+  }
+  if (!/^\d+$/.test(propertyId)) {
+    throw new GA4ApiError("Property ID must be a numeric string", 400);
+  }
+}
+function validateAccessToken2(accessToken) {
+  if (!accessToken || typeof accessToken !== "string" || accessToken.trim().length === 0) {
+    throw new GA4ApiError("Access token is required and must be a non-empty string", 400);
+  }
+}
+function validateScope(scope) {
+  if (!scope || typeof scope !== "string" || scope.trim().length === 0) {
+    throw new GA4ApiError("Scope is required and must be a non-empty string", 400);
+  }
+}
 function ga4Log(level, action, ctx) {
   const entry = { ts: (/* @__PURE__ */ new Date()).toISOString(), level, module: "GA4Client", action, ...ctx };
   const stream = level === "error" ? process.stderr : process.stdout;
   stream.write(JSON.stringify(entry) + "\n");
 }
 function createServiceAccountJwt(clientEmail, privateKey, scope) {
+  validateClientEmail(clientEmail);
+  validatePrivateKey(privateKey);
+  validateScope(scope);
   const now = Math.floor(Date.now() / 1e3);
   const header = { alg: "RS256", typ: "JWT" };
   const payload = {
@@ -6656,6 +7024,8 @@ var AI_REFERRAL_SOURCE_FILTERS = [
   { matchType: "CONTAINS", value: "meta.ai" }
 ];
 async function fetchTrafficByLandingPage(accessToken, propertyId, days) {
+  validateAccessToken2(accessToken);
+  validatePropertyId(propertyId);
   const syncDays = Math.min(Math.max(1, days ?? GA4_DEFAULT_SYNC_DAYS), GA4_MAX_SYNC_DAYS);
   const endDate = /* @__PURE__ */ new Date();
   const startDate = /* @__PURE__ */ new Date();
@@ -6730,10 +7100,15 @@ async function fetchTrafficByLandingPage(accessToken, propertyId, days) {
   return rows;
 }
 async function verifyConnection(clientEmail, privateKey, propertyId) {
+  validateClientEmail(clientEmail);
+  validatePrivateKey(privateKey);
+  validatePropertyId(propertyId);
   const accessToken = await getAccessToken(clientEmail, privateKey);
   return verifyConnectionWithToken(accessToken, propertyId);
 }
 async function verifyConnectionWithToken(accessToken, propertyId) {
+  validateAccessToken2(accessToken);
+  validatePropertyId(propertyId);
   const endDate = /* @__PURE__ */ new Date();
   const startDate = /* @__PURE__ */ new Date();
   startDate.setDate(startDate.getDate() - 1);
@@ -6746,6 +7121,8 @@ async function verifyConnectionWithToken(accessToken, propertyId) {
   return true;
 }
 async function fetchAggregateSummary(accessToken, propertyId, days) {
+  validateAccessToken2(accessToken);
+  validatePropertyId(propertyId);
   const syncDays = Math.min(Math.max(1, days ?? GA4_DEFAULT_SYNC_DAYS), GA4_MAX_SYNC_DAYS);
   const endDate = /* @__PURE__ */ new Date();
   const startDate = /* @__PURE__ */ new Date();
@@ -6785,6 +7162,8 @@ async function fetchAggregateSummary(accessToken, propertyId, days) {
   return summary;
 }
 async function fetchAiReferrals(accessToken, propertyId, days) {
+  validateAccessToken2(accessToken);
+  validatePropertyId(propertyId);
   const syncDays = Math.min(Math.max(1, days ?? GA4_DEFAULT_SYNC_DAYS), GA4_MAX_SYNC_DAYS);
   const endDate = /* @__PURE__ */ new Date();
   const startDate = /* @__PURE__ */ new Date();
@@ -7116,18 +7495,18 @@ async function googleRoutes(app, opts) {
     if (opts.onGscSyncRequested) {
       opts.onGscSyncRequested(runId, project.id, { days, full });
     }
-    const run = app.db.select().from(runs).where(eq13(runs.id, runId)).get();
+    const run = app.db.select().from(runs).where(eq14(runs.id, runId)).get();
     return run;
   });
   app.get("/projects/:name/google/gsc/performance", async (request) => {
     const project = resolveProject(app.db, request.params.name);
     const { startDate, endDate, query, page, limit } = request.query;
-    const conditions = [eq13(gscSearchData.projectId, project.id)];
+    const conditions = [eq14(gscSearchData.projectId, project.id)];
     if (startDate) conditions.push(sql3`${gscSearchData.date} >= ${startDate}`);
     if (endDate) conditions.push(sql3`${gscSearchData.date} <= ${endDate}`);
     if (query) conditions.push(sql3`${gscSearchData.query} LIKE ${"%" + query + "%"}`);
     if (page) conditions.push(sql3`${gscSearchData.page} LIKE ${"%" + page + "%"}`);
-    const rows = app.db.select().from(gscSearchData).where(and2(...conditions)).orderBy(desc4(gscSearchData.date)).limit(parseInt(limit ?? "500", 10)).all();
+    const rows = app.db.select().from(gscSearchData).where(and3(...conditions)).orderBy(desc5(gscSearchData.date)).limit(parseInt(limit ?? "500", 10)).all();
     return rows.map((r) => ({
       date: r.date,
       query: r.query,
@@ -7203,9 +7582,9 @@ async function googleRoutes(app, opts) {
   app.get("/projects/:name/google/gsc/inspections", async (request) => {
     const project = resolveProject(app.db, request.params.name);
     const { url, limit } = request.query;
-    const conditions = [eq13(gscUrlInspections.projectId, project.id)];
-    if (url) conditions.push(eq13(gscUrlInspections.url, url));
-    const rows = app.db.select().from(gscUrlInspections).where(and2(...conditions)).orderBy(desc4(gscUrlInspections.inspectedAt)).limit(parseInt(limit ?? "100", 10)).all();
+    const conditions = [eq14(gscUrlInspections.projectId, project.id)];
+    if (url) conditions.push(eq14(gscUrlInspections.url, url));
+    const rows = app.db.select().from(gscUrlInspections).where(and3(...conditions)).orderBy(desc5(gscUrlInspections.inspectedAt)).limit(parseInt(limit ?? "100", 10)).all();
     return rows.map((r) => ({
       id: r.id,
       url: r.url,
@@ -7224,7 +7603,7 @@ async function googleRoutes(app, opts) {
   });
   app.get("/projects/:name/google/gsc/deindexed", async (request) => {
     const project = resolveProject(app.db, request.params.name);
-    const allInspections = app.db.select().from(gscUrlInspections).where(eq13(gscUrlInspections.projectId, project.id)).orderBy(desc4(gscUrlInspections.inspectedAt)).all();
+    const allInspections = app.db.select().from(gscUrlInspections).where(eq14(gscUrlInspections.projectId, project.id)).orderBy(desc5(gscUrlInspections.inspectedAt)).all();
     const byUrl = /* @__PURE__ */ new Map();
     for (const row of allInspections) {
       const existing = byUrl.get(row.url);
@@ -7252,7 +7631,7 @@ async function googleRoutes(app, opts) {
   });
   app.get("/projects/:name/google/gsc/coverage", async (request) => {
     const project = resolveProject(app.db, request.params.name);
-    const allInspections = app.db.select().from(gscUrlInspections).where(eq13(gscUrlInspections.projectId, project.id)).orderBy(desc4(gscUrlInspections.inspectedAt)).all();
+    const allInspections = app.db.select().from(gscUrlInspections).where(eq14(gscUrlInspections.projectId, project.id)).orderBy(desc5(gscUrlInspections.inspectedAt)).all();
     const canonicalUrl = (url) => url.replace(/^http:\/\//, "https://");
     const latestByUrl = /* @__PURE__ */ new Map();
     const historyByUrl = /* @__PURE__ */ new Map();
@@ -7349,7 +7728,7 @@ async function googleRoutes(app, opts) {
     const project = resolveProject(app.db, request.params.name);
     const parsed = parseInt(request.query.limit ?? "90", 10);
     const limit = Number.isNaN(parsed) || parsed <= 0 ? 90 : parsed;
-    const rows = app.db.select().from(gscCoverageSnapshots).where(eq13(gscCoverageSnapshots.projectId, project.id)).orderBy(desc4(gscCoverageSnapshots.date)).limit(limit).all();
+    const rows = app.db.select().from(gscCoverageSnapshots).where(eq14(gscCoverageSnapshots.projectId, project.id)).orderBy(desc5(gscCoverageSnapshots.date)).limit(limit).all();
     return rows.map((r) => ({
       date: r.date,
       indexed: r.indexed,
@@ -7417,7 +7796,7 @@ async function googleRoutes(app, opts) {
     if (opts.onInspectSitemapRequested) {
       opts.onInspectSitemapRequested(runId, project.id, { sitemapUrl });
     }
-    const run = app.db.select().from(runs).where(eq13(runs.id, runId)).get();
+    const run = app.db.select().from(runs).where(eq14(runs.id, runId)).get();
     return { sitemaps, primarySitemapUrl: sitemapUrl, run };
   });
   app.post("/projects/:name/google/gsc/inspect-sitemap", async (request, reply) => {
@@ -7447,7 +7826,7 @@ async function googleRoutes(app, opts) {
     if (opts.onInspectSitemapRequested) {
       opts.onInspectSitemapRequested(runId, project.id, { sitemapUrl: sitemapUrl ?? void 0 });
     }
-    const run = app.db.select().from(runs).where(eq13(runs.id, runId)).get();
+    const run = app.db.select().from(runs).where(eq14(runs.id, runId)).get();
     return run;
   });
   app.put("/projects/:name/google/connections/:type/sitemap", async (request, reply) => {
@@ -7502,7 +7881,7 @@ async function googleRoutes(app, opts) {
     const { accessToken } = await getValidToken(store, project.canonicalDomain, "gsc", googleClientId, googleClientSecret);
     let urlsToNotify = request.body?.urls ?? [];
     if (request.body?.allUnindexed) {
-      const allInspections = app.db.select().from(gscUrlInspections).where(eq13(gscUrlInspections.projectId, project.id)).orderBy(desc4(gscUrlInspections.inspectedAt)).all();
+      const allInspections = app.db.select().from(gscUrlInspections).where(eq14(gscUrlInspections.projectId, project.id)).orderBy(desc5(gscUrlInspections.inspectedAt)).all();
       const latestByUrl = /* @__PURE__ */ new Map();
       for (const row of allInspections) {
         if (!latestByUrl.has(row.url)) {
@@ -7577,7 +7956,7 @@ async function googleRoutes(app, opts) {
 
 // ../api-routes/src/bing.ts
 import crypto15 from "crypto";
-import { eq as eq14, and as and3, desc as desc5 } from "drizzle-orm";
+import { eq as eq15, and as and4, desc as desc6 } from "drizzle-orm";
 
 // ../integration-bing/src/constants.ts
 var BING_WMT_API_BASE = "https://ssl.bing.com/webmaster/api.svc/json";
@@ -7596,6 +7975,45 @@ var BingApiError = class extends Error {
 };
 
 // ../integration-bing/src/bing-client.ts
+function validateApiKey(apiKey) {
+  if (!apiKey || typeof apiKey !== "string" || apiKey.trim().length === 0) {
+    throw new BingApiError("API key is required and must be a non-empty string", 400);
+  }
+}
+function validateSiteUrl2(siteUrl) {
+  if (!siteUrl || typeof siteUrl !== "string" || siteUrl.trim().length === 0) {
+    throw new BingApiError("Site URL is required and must be a non-empty string", 400);
+  }
+  try {
+    const url = new URL(siteUrl);
+    if (!url.protocol.startsWith("http")) {
+      throw new BingApiError("Site URL must be an HTTP or HTTPS URL", 400);
+    }
+  } catch {
+    throw new BingApiError("Site URL must be a valid URL", 400);
+  }
+}
+function validateUrl2(urlParam) {
+  if (!urlParam || typeof urlParam !== "string" || urlParam.trim().length === 0) {
+    throw new BingApiError("URL is required and must be a non-empty string", 400);
+  }
+  try {
+    const url = new URL(urlParam);
+    if (!url.protocol.startsWith("http")) {
+      throw new BingApiError("URL must be an HTTP or HTTPS URL", 400);
+    }
+  } catch {
+    throw new BingApiError("URL must be a valid URL", 400);
+  }
+}
+function validateUrls(urls) {
+  if (!Array.isArray(urls)) {
+    throw new BingApiError("URLs must be an array", 400);
+  }
+  for (const url of urls) {
+    validateUrl2(url);
+  }
+}
 function bingClientLog(level, action, ctx) {
   const entry = { ts: (/* @__PURE__ */ new Date()).toISOString(), level, module: "BingClient", action, ...ctx };
   const stream = level === "error" ? process.stderr : process.stdout;
@@ -7644,21 +8062,31 @@ async function bingFetch(apiKey, endpoint, opts) {
   }
 }
 async function getSites(apiKey) {
+  validateApiKey(apiKey);
   const data = await bingFetch(apiKey, "GetUserSites");
   return data ?? [];
 }
 async function getUrlInfo(apiKey, siteUrl, url) {
+  validateApiKey(apiKey);
+  validateSiteUrl2(siteUrl);
+  validateUrl2(url);
   const encodedSite = encodeURIComponent(siteUrl);
   const encodedUrl = encodeURIComponent(url);
   return bingFetch(apiKey, `GetUrlInfo?siteUrl=${encodedSite}&url=${encodedUrl}`);
 }
 async function submitUrl(apiKey, siteUrl, url) {
+  validateApiKey(apiKey);
+  validateSiteUrl2(siteUrl);
+  validateUrl2(url);
   await bingFetch(apiKey, "SubmitUrl", {
     method: "POST",
     body: { siteUrl, url }
   });
 }
 async function submitUrlBatch(apiKey, siteUrl, urls) {
+  validateApiKey(apiKey);
+  validateSiteUrl2(siteUrl);
+  validateUrls(urls);
   for (let i = 0; i < urls.length; i += BING_SUBMIT_URL_BATCH_LIMIT) {
     const batch = urls.slice(i, i + BING_SUBMIT_URL_BATCH_LIMIT);
     await bingFetch(apiKey, "SubmitUrlbatch", {
@@ -7668,6 +8096,8 @@ async function submitUrlBatch(apiKey, siteUrl, urls) {
   }
 }
 async function getKeywordStats(apiKey, siteUrl) {
+  validateApiKey(apiKey);
+  validateSiteUrl2(siteUrl);
   const encodedSite = encodeURIComponent(siteUrl);
   const data = await bingFetch(apiKey, `GetQueryStats?siteUrl=${encodedSite}`);
   return data ?? [];
@@ -7808,7 +8238,7 @@ async function bingRoutes(app, opts) {
     const project = resolveProject(app.db, request.params.name);
     const conn = requireConnection(store, project.canonicalDomain, reply);
     if (!conn) return;
-    const allInspections = app.db.select().from(bingUrlInspections).where(eq14(bingUrlInspections.projectId, project.id)).orderBy(desc5(bingUrlInspections.inspectedAt)).all();
+    const allInspections = app.db.select().from(bingUrlInspections).where(eq15(bingUrlInspections.projectId, project.id)).orderBy(desc6(bingUrlInspections.inspectedAt)).all();
     const latestByUrl = /* @__PURE__ */ new Map();
     const definitiveByUrl = /* @__PURE__ */ new Map();
     for (const row of allInspections) {
@@ -7878,8 +8308,8 @@ async function bingRoutes(app, opts) {
     if (!store) return;
     const project = resolveProject(app.db, request.params.name);
     const { url, limit } = request.query;
-    const whereClause = url ? and3(eq14(bingUrlInspections.projectId, project.id), eq14(bingUrlInspections.url, url)) : eq14(bingUrlInspections.projectId, project.id);
-    const filtered = app.db.select().from(bingUrlInspections).where(whereClause).orderBy(desc5(bingUrlInspections.inspectedAt)).limit(Math.max(1, Math.min(parseInt(limit ?? "100", 10) || 100, 1e3))).all();
+    const whereClause = url ? and4(eq15(bingUrlInspections.projectId, project.id), eq15(bingUrlInspections.url, url)) : eq15(bingUrlInspections.projectId, project.id);
+    const filtered = app.db.select().from(bingUrlInspections).where(whereClause).orderBy(desc6(bingUrlInspections.inspectedAt)).limit(Math.max(1, Math.min(parseInt(limit ?? "100", 10) || 100, 1e3))).all();
     return filtered.map((r) => ({
       id: r.id,
       url: r.url,
@@ -7975,7 +8405,7 @@ async function bingRoutes(app, opts) {
     }
     let urlsToSubmit = request.body?.urls ?? [];
     if (request.body?.allUnindexed) {
-      const allInspections = app.db.select().from(bingUrlInspections).where(eq14(bingUrlInspections.projectId, project.id)).orderBy(desc5(bingUrlInspections.inspectedAt)).all();
+      const allInspections = app.db.select().from(bingUrlInspections).where(eq15(bingUrlInspections.projectId, project.id)).orderBy(desc6(bingUrlInspections.inspectedAt)).all();
       const latestByUrl = /* @__PURE__ */ new Map();
       for (const row of allInspections) {
         if (!latestByUrl.has(row.url)) {
@@ -8068,14 +8498,14 @@ async function bingRoutes(app, opts) {
 import fs2 from "fs";
 import path2 from "path";
 import os2 from "os";
-import { eq as eq15, and as and4 } from "drizzle-orm";
+import { eq as eq16, and as and5 } from "drizzle-orm";
 function getScreenshotDir() {
   return path2.join(os2.homedir(), ".canonry", "screenshots");
 }
 async function cdpRoutes(app, opts) {
   app.get("/screenshots/:snapshotId", async (request, reply) => {
     const { snapshotId } = request.params;
-    const snapshot = app.db.select({ screenshotPath: querySnapshots.screenshotPath }).from(querySnapshots).where(eq15(querySnapshots.id, snapshotId)).get();
+    const snapshot = app.db.select({ screenshotPath: querySnapshots.screenshotPath }).from(querySnapshots).where(eq16(querySnapshots.id, snapshotId)).get();
     if (!snapshot?.screenshotPath) {
       const err = notFound("Screenshot", snapshotId);
       return reply.code(err.statusCode).send(err.toJSON());
@@ -8141,7 +8571,7 @@ async function cdpRoutes(app, opts) {
     async (request, reply) => {
       const project = resolveProject(app.db, request.params.name);
       const { runId } = request.params;
-      const run = app.db.select().from(runs).where(and4(eq15(runs.id, runId), eq15(runs.projectId, project.id))).get();
+      const run = app.db.select().from(runs).where(and5(eq16(runs.id, runId), eq16(runs.projectId, project.id))).get();
       if (!run) {
         const err = notFound("Run", runId);
         return reply.code(err.statusCode).send(err.toJSON());
@@ -8154,8 +8584,8 @@ async function cdpRoutes(app, opts) {
         citedDomains: querySnapshots.citedDomains,
         screenshotPath: querySnapshots.screenshotPath,
         rawResponse: querySnapshots.rawResponse
-      }).from(querySnapshots).where(eq15(querySnapshots.runId, runId)).all();
-      const keywordRows = app.db.select({ id: keywords.id, keyword: keywords.keyword }).from(keywords).where(eq15(keywords.projectId, project.id)).all();
+      }).from(querySnapshots).where(eq16(querySnapshots.runId, runId)).all();
+      const keywordRows = app.db.select({ id: keywords.id, keyword: keywords.keyword }).from(keywords).where(eq16(keywords.projectId, project.id)).all();
       const keywordMap = new Map(keywordRows.map((k) => [k.id, k.keyword]));
       const byKeyword = /* @__PURE__ */ new Map();
       for (const snap of snapshots) {
@@ -8238,7 +8668,7 @@ async function cdpRoutes(app, opts) {
 
 // ../api-routes/src/ga.ts
 import crypto16 from "crypto";
-import { eq as eq16, desc as desc6, and as and5, sql as sql4 } from "drizzle-orm";
+import { eq as eq17, desc as desc7, and as and6, sql as sql4 } from "drizzle-orm";
 function gaLog(level, action, ctx) {
   const entry = { ts: (/* @__PURE__ */ new Date()).toISOString(), level, module: "GA4Routes", action, ...ctx };
   const stream = level === "error" ? process.stderr : process.stdout;
@@ -8395,9 +8825,9 @@ async function ga4Routes(app, opts) {
     if (!saConn && !oauthConn) {
       throw notFound("GA4 connection", project.name);
     }
-    app.db.delete(gaTrafficSnapshots).where(eq16(gaTrafficSnapshots.projectId, project.id)).run();
-    app.db.delete(gaTrafficSummaries).where(eq16(gaTrafficSummaries.projectId, project.id)).run();
-    app.db.delete(gaAiReferrals).where(eq16(gaAiReferrals.projectId, project.id)).run();
+    app.db.delete(gaTrafficSnapshots).where(eq17(gaTrafficSnapshots.projectId, project.id)).run();
+    app.db.delete(gaTrafficSummaries).where(eq17(gaTrafficSummaries.projectId, project.id)).run();
+    app.db.delete(gaAiReferrals).where(eq17(gaAiReferrals.projectId, project.id)).run();
     const propertyId = saConn?.propertyId ?? oauthConn?.propertyId ?? null;
     opts.ga4CredentialStore?.deleteConnection(project.name);
     opts.googleConnectionStore?.deleteConnection(project.canonicalDomain, "ga4");
@@ -8418,7 +8848,7 @@ async function ga4Routes(app, opts) {
     if (!connected) {
       return { connected: false, propertyId: null, clientEmail: null, authMethod: null, lastSyncedAt: null };
     }
-    const latestSync = app.db.select({ syncedAt: gaTrafficSummaries.syncedAt }).from(gaTrafficSummaries).where(eq16(gaTrafficSummaries.projectId, project.id)).orderBy(desc6(gaTrafficSummaries.syncedAt)).limit(1).get();
+    const latestSync = app.db.select({ syncedAt: gaTrafficSummaries.syncedAt }).from(gaTrafficSummaries).where(eq17(gaTrafficSummaries.projectId, project.id)).orderBy(desc7(gaTrafficSummaries.syncedAt)).limit(1).get();
     return {
       connected: true,
       propertyId: saConn?.propertyId ?? oauthConn?.propertyId ?? null,
@@ -8451,8 +8881,8 @@ async function ga4Routes(app, opts) {
     const now = (/* @__PURE__ */ new Date()).toISOString();
     app.db.transaction((tx) => {
       tx.delete(gaTrafficSnapshots).where(
-        and5(
-          eq16(gaTrafficSnapshots.projectId, project.id),
+        and6(
+          eq17(gaTrafficSnapshots.projectId, project.id),
           sql4`${gaTrafficSnapshots.date} >= ${summary.periodStart}`,
           sql4`${gaTrafficSnapshots.date} <= ${summary.periodEnd}`
         )
@@ -8472,8 +8902,8 @@ async function ga4Routes(app, opts) {
         }
       }
       tx.delete(gaAiReferrals).where(
-        and5(
-          eq16(gaAiReferrals.projectId, project.id),
+        and6(
+          eq17(gaAiReferrals.projectId, project.id),
           sql4`${gaAiReferrals.date} >= ${summary.periodStart}`,
           sql4`${gaAiReferrals.date} <= ${summary.periodEnd}`
         )
@@ -8493,7 +8923,7 @@ async function ga4Routes(app, opts) {
           }).run();
         }
       }
-      tx.delete(gaTrafficSummaries).where(eq16(gaTrafficSummaries.projectId, project.id)).run();
+      tx.delete(gaTrafficSummaries).where(eq17(gaTrafficSummaries.projectId, project.id)).run();
       tx.insert(gaTrafficSummaries).values({
         id: crypto16.randomUUID(),
         projectId: project.id,
@@ -8528,20 +8958,20 @@ async function ga4Routes(app, opts) {
       totalSessions: gaTrafficSummaries.totalSessions,
       totalOrganicSessions: gaTrafficSummaries.totalOrganicSessions,
       totalUsers: gaTrafficSummaries.totalUsers
-    }).from(gaTrafficSummaries).where(eq16(gaTrafficSummaries.projectId, project.id)).get();
+    }).from(gaTrafficSummaries).where(eq17(gaTrafficSummaries.projectId, project.id)).get();
     const rows = app.db.select({
       landingPage: gaTrafficSnapshots.landingPage,
       sessions: sql4`SUM(${gaTrafficSnapshots.sessions})`,
       organicSessions: sql4`SUM(${gaTrafficSnapshots.organicSessions})`,
       users: sql4`SUM(${gaTrafficSnapshots.users})`
-    }).from(gaTrafficSnapshots).where(eq16(gaTrafficSnapshots.projectId, project.id)).groupBy(gaTrafficSnapshots.landingPage).orderBy(sql4`SUM(${gaTrafficSnapshots.sessions}) DESC`).limit(limit).all();
+    }).from(gaTrafficSnapshots).where(eq17(gaTrafficSnapshots.projectId, project.id)).groupBy(gaTrafficSnapshots.landingPage).orderBy(sql4`SUM(${gaTrafficSnapshots.sessions}) DESC`).limit(limit).all();
     const aiReferrals = app.db.select({
       source: gaAiReferrals.source,
       medium: gaAiReferrals.medium,
       sourceDimension: gaAiReferrals.sourceDimension,
       sessions: sql4`SUM(${gaAiReferrals.sessions})`,
       users: sql4`SUM(${gaAiReferrals.users})`
-    }).from(gaAiReferrals).where(eq16(gaAiReferrals.projectId, project.id)).groupBy(gaAiReferrals.source, gaAiReferrals.medium, gaAiReferrals.sourceDimension).orderBy(sql4`SUM(${gaAiReferrals.sessions}) DESC`).all();
+    }).from(gaAiReferrals).where(eq17(gaAiReferrals.projectId, project.id)).groupBy(gaAiReferrals.source, gaAiReferrals.medium, gaAiReferrals.sourceDimension).orderBy(sql4`SUM(${gaAiReferrals.sessions}) DESC`).all();
     const aiDeduped = app.db.select({
       sessions: sql4`SUM(max_sessions)`,
       users: sql4`SUM(max_users)`
@@ -8555,7 +8985,7 @@ async function ga4Routes(app, opts) {
           GROUP BY date, source, medium
         )`
     ).get();
-    const latestSync = app.db.select({ syncedAt: gaTrafficSummaries.syncedAt }).from(gaTrafficSummaries).where(eq16(gaTrafficSummaries.projectId, project.id)).orderBy(desc6(gaTrafficSummaries.syncedAt)).limit(1).get();
+    const latestSync = app.db.select({ syncedAt: gaTrafficSummaries.syncedAt }).from(gaTrafficSummaries).where(eq17(gaTrafficSummaries.projectId, project.id)).orderBy(desc7(gaTrafficSummaries.syncedAt)).limit(1).get();
     return {
       totalSessions: summary?.totalSessions ?? 0,
       totalOrganicSessions: summary?.totalOrganicSessions ?? 0,
@@ -8588,7 +9018,7 @@ async function ga4Routes(app, opts) {
       sourceDimension: gaAiReferrals.sourceDimension,
       sessions: gaAiReferrals.sessions,
       users: gaAiReferrals.users
-    }).from(gaAiReferrals).where(eq16(gaAiReferrals.projectId, project.id)).orderBy(gaAiReferrals.date).all();
+    }).from(gaAiReferrals).where(eq17(gaAiReferrals.projectId, project.id)).orderBy(gaAiReferrals.date).all();
     return rows;
   });
   app.get("/projects/:name/ga/session-history", async (request, _reply) => {
@@ -8599,7 +9029,7 @@ async function ga4Routes(app, opts) {
       sessions: sql4`SUM(${gaTrafficSnapshots.sessions})`,
       organicSessions: sql4`SUM(${gaTrafficSnapshots.organicSessions})`,
       users: sql4`SUM(${gaTrafficSnapshots.users})`
-    }).from(gaTrafficSnapshots).where(eq16(gaTrafficSnapshots.projectId, project.id)).groupBy(gaTrafficSnapshots.date).orderBy(gaTrafficSnapshots.date).all();
+    }).from(gaTrafficSnapshots).where(eq17(gaTrafficSnapshots.projectId, project.id)).groupBy(gaTrafficSnapshots.date).orderBy(gaTrafficSnapshots.date).all();
     return rows.map((r) => ({
       date: r.date,
       sessions: r.sessions ?? 0,
@@ -8615,7 +9045,7 @@ async function ga4Routes(app, opts) {
       sessions: sql4`SUM(${gaTrafficSnapshots.sessions})`,
       organicSessions: sql4`SUM(${gaTrafficSnapshots.organicSessions})`,
       users: sql4`SUM(${gaTrafficSnapshots.users})`
-    }).from(gaTrafficSnapshots).where(eq16(gaTrafficSnapshots.projectId, project.id)).groupBy(gaTrafficSnapshots.landingPage).orderBy(sql4`SUM(${gaTrafficSnapshots.sessions}) DESC`).all();
+    }).from(gaTrafficSnapshots).where(eq17(gaTrafficSnapshots.projectId, project.id)).groupBy(gaTrafficSnapshots.landingPage).orderBy(sql4`SUM(${gaTrafficSnapshots.sessions}) DESC`).all();
     return {
       pages: trafficPages.map((r) => ({
         landingPage: r.landingPage,
@@ -8750,6 +9180,36 @@ function parseSchemaPageEntry(entry) {
 
 // ../integration-wordpress/src/wordpress-client.ts
 import crypto17 from "crypto";
+function validateUsername(username) {
+  if (!username || typeof username !== "string" || username.trim().length === 0) {
+    throw new WordpressApiError("AUTH_INVALID", "Username is required and must be a non-empty string", 400);
+  }
+}
+function validateAppPassword(appPassword) {
+  if (!appPassword || typeof appPassword !== "string" || appPassword.trim().length === 0) {
+    throw new WordpressApiError("AUTH_INVALID", "Application password is required and must be a non-empty string", 400);
+  }
+}
+function validateSiteUrl3(siteUrl) {
+  if (!siteUrl || typeof siteUrl !== "string" || siteUrl.trim().length === 0) {
+    throw new WordpressApiError("AUTH_INVALID", "Site URL is required and must be a non-empty string", 400);
+  }
+  try {
+    const url = new URL(siteUrl);
+    if (!url.protocol.startsWith("http")) {
+      throw new WordpressApiError("AUTH_INVALID", "Site URL must be an HTTP or HTTPS URL", 400);
+    }
+    if (url.protocol !== "https:") {
+    }
+  } catch {
+    throw new WordpressApiError("AUTH_INVALID", "Site URL must be a valid URL", 400);
+  }
+}
+function validateConnection(connection, siteUrl) {
+  validateUsername(connection.username);
+  validateAppPassword(connection.appPassword);
+  validateSiteUrl3(siteUrl);
+}
 var WP_REQUEST_TIMEOUT_MS = 3e4;
 var WP_FETCH_TEXT_TIMEOUT_MS = 15e3;
 var PAGE_FIELDS = "id,slug,status,link,modified,modified_gmt,title,content,meta";
@@ -8991,6 +9451,7 @@ function getWpStagingAdminUrl(url) {
 }
 async function verifyWordpressConnection(connection) {
   const site = resolveEnvironment({ ...connection, defaultEnv: "live" }, "live");
+  validateConnection(connection, site.siteUrl);
   const userInfo = await verifyAuthenticatedRestAccess(connection, site.siteUrl);
   const response = await fetchPageCollectionSummary(connection, site.siteUrl, { context: "view" });
   const homeHtml = await fetchText(site.siteUrl);
@@ -9005,6 +9466,7 @@ async function verifyWordpressConnection(connection) {
 }
 async function getSiteStatus(connection, env) {
   const site = resolveEnvironment(connection, env);
+  validateConnection(connection, site.siteUrl);
   try {
     const userInfo = await verifyAuthenticatedRestAccess(connection, site.siteUrl);
     const response = await fetchPageCollectionSummary(connection, site.siteUrl, { context: "view" });
@@ -10335,6 +10797,7 @@ async function apiRoutes(app, opts) {
     });
     await api.register(historyRoutes);
     await api.register(analyticsRoutes);
+    await api.register(intelligenceRoutes);
     await api.register(settingsRoutes, {
       providerSummary: opts.providerSummary,
       providerAdapters: opts.providerAdapters,
@@ -10386,6 +10849,27 @@ async function apiRoutes(app, opts) {
 
 // ../provider-gemini/src/normalize.ts
 import { GoogleGenAI } from "@google/genai";
+
+// ../provider-gemini/src/utils.ts
+async function withRetry(fn, options = {}) {
+  const { maxRetries = 3, initialDelay = 1e3 } = options;
+  let lastError;
+  for (let attempt = 0; attempt <= maxRetries; attempt++) {
+    try {
+      return await fn();
+    } catch (err) {
+      lastError = err;
+      if (attempt < maxRetries) {
+        const delay = initialDelay * Math.pow(2, attempt);
+        console.warn(`[provider] Attempt ${attempt + 1} failed, retrying in ${delay}ms...`, err instanceof Error ? err.message : String(err));
+        await new Promise((resolve) => setTimeout(resolve, delay));
+      }
+    }
+  }
+  throw lastError;
+}
+
+// ../provider-gemini/src/normalize.ts
 var DEFAULT_MODEL = "gemini-3-flash";
 function isVertexConfig(config) {
   return !!config.vertexProject;
@@ -10434,10 +10918,12 @@ async function healthcheck(config) {
   try {
     const model = resolveModel(config);
     const client = createClient2(config);
-    const result = await client.models.generateContent({
-      model,
-      contents: 'Say "ok"'
-    });
+    const result = await withRetry(
+      () => client.models.generateContent({
+        model,
+        contents: 'Say "ok"'
+      })
+    );
     const text2 = result.text ?? "";
     const backend = isVertexConfig(config) ? "vertex ai" : "api key";
     return {
@@ -10459,22 +10945,29 @@ async function executeTrackedQuery(input) {
   const model = resolveModel(input.config);
   const prompt = buildPrompt(input.keyword, input.location);
   const client = createClient2(input.config);
-  const result = await client.models.generateContent({
-    model,
-    contents: prompt,
-    config: {
-      tools: [{ googleSearch: {} }]
-    }
-  });
-  const groundingSources = extractGroundingMetadata(result);
-  const searchQueries = extractSearchQueries(result);
-  return {
-    provider: "gemini",
-    rawResponse: responseToRecord(result),
-    model,
-    groundingSources,
-    searchQueries
-  };
+  try {
+    const result = await withRetry(
+      () => client.models.generateContent({
+        model,
+        contents: prompt,
+        config: {
+          tools: [{ googleSearch: {} }]
+        }
+      })
+    );
+    const groundingSources = extractGroundingMetadata(result);
+    const searchQueries = extractSearchQueries(result);
+    return {
+      provider: "gemini",
+      rawResponse: responseToRecord(result),
+      model,
+      groundingSources,
+      searchQueries
+    };
+  } catch (err) {
+    const msg = err instanceof Error ? err.message : String(err);
+    throw new Error(`[provider-gemini] ${msg}`);
+  }
 }
 function normalizeResult(raw) {
   const answerText = extractAnswerText(raw.rawResponse);
@@ -10576,10 +11069,12 @@ function extractDomainFromUri(uri) {
 async function generateText(prompt, config) {
   const model = resolveModel(config);
   const client = createClient2(config);
-  const result = await client.models.generateContent({
-    model,
-    contents: prompt
-  });
+  const result = await withRetry(
+    () => client.models.generateContent({
+      model,
+      contents: prompt
+    })
+  );
   return result.text ?? "";
 }
 function responseToRecord(response) {
@@ -10688,6 +11183,27 @@ var geminiAdapter = {
 
 // ../provider-openai/src/normalize.ts
 import OpenAI from "openai";
+
+// ../provider-openai/src/utils.ts
+async function withRetry2(fn, options = {}) {
+  const { maxRetries = 3, initialDelay = 1e3 } = options;
+  let lastError;
+  for (let attempt = 0; attempt <= maxRetries; attempt++) {
+    try {
+      return await fn();
+    } catch (err) {
+      lastError = err;
+      if (attempt < maxRetries) {
+        const delay = initialDelay * Math.pow(2, attempt);
+        console.warn(`[provider] Attempt ${attempt + 1} failed, retrying in ${delay}ms...`, err instanceof Error ? err.message : String(err));
+        await new Promise((resolve) => setTimeout(resolve, delay));
+      }
+    }
+  }
+  throw lastError;
+}
+
+// ../provider-openai/src/normalize.ts
 var DEFAULT_MODEL2 = "gpt-5.4";
 function validateConfig2(config) {
   if (!config.apiKey || config.apiKey.length === 0) {
@@ -10705,10 +11221,12 @@ async function healthcheck2(config) {
   if (!validation.ok) return validation;
   try {
     const client = new OpenAI({ apiKey: config.apiKey });
-    const response = await client.responses.create({
-      model: config.model ?? DEFAULT_MODEL2,
-      input: 'Say "ok"'
-    });
+    const response = await withRetry2(
+      () => client.responses.create({
+        model: config.model ?? DEFAULT_MODEL2,
+        input: 'Say "ok"'
+      })
+    );
     const text2 = extractResponseText(response);
     return {
       ok: text2.length > 0,
@@ -10738,21 +11256,28 @@ async function executeTrackedQuery2(input) {
       ...input.location.timezone ? { timezone: input.location.timezone } : {}
     };
   }
-  const response = await client.responses.create({
-    model,
-    tools: [webSearchTool],
-    tool_choice: "required",
-    input: buildPrompt2(input.keyword)
-  });
-  const groundingSources = extractGroundingSources(response);
-  const searchQueries = extractSearchQueries2(response);
-  return {
-    provider: "openai",
-    rawResponse: responseToRecord2(response),
-    model,
-    groundingSources,
-    searchQueries
-  };
+  try {
+    const response = await withRetry2(
+      () => client.responses.create({
+        model,
+        tools: [webSearchTool],
+        tool_choice: "required",
+        input: buildPrompt2(input.keyword)
+      })
+    );
+    const groundingSources = extractGroundingSources(response);
+    const searchQueries = extractSearchQueries2(response);
+    return {
+      provider: "openai",
+      rawResponse: responseToRecord2(response),
+      model,
+      groundingSources,
+      searchQueries
+    };
+  } catch (err) {
+    const msg = err instanceof Error ? err.message : String(err);
+    throw new Error(`[provider-openai] ${msg}`);
+  }
 }
 function normalizeResult2(raw) {
   const answerText = extractAnswerTextFromRaw(raw.rawResponse);
@@ -10863,10 +11388,12 @@ function extractDomainFromUri2(uri) {
 async function generateText2(prompt, config) {
   const model = config.model ?? DEFAULT_MODEL2;
   const client = new OpenAI({ apiKey: config.apiKey });
-  const response = await client.responses.create({
-    model,
-    input: prompt
-  });
+  const response = await withRetry2(
+    () => client.responses.create({
+      model,
+      input: prompt
+    })
+  );
   return extractResponseText(response);
 }
 function responseToRecord2(response) {
@@ -10962,6 +11489,27 @@ var openaiAdapter = {
 
 // ../provider-claude/src/normalize.ts
 import Anthropic from "@anthropic-ai/sdk";
+
+// ../provider-claude/src/utils.ts
+async function withRetry3(fn, options = {}) {
+  const { maxRetries = 3, initialDelay = 1e3 } = options;
+  let lastError;
+  for (let attempt = 0; attempt <= maxRetries; attempt++) {
+    try {
+      return await fn();
+    } catch (err) {
+      lastError = err;
+      if (attempt < maxRetries) {
+        const delay = initialDelay * Math.pow(2, attempt);
+        console.warn(`[provider] Attempt ${attempt + 1} failed, retrying in ${delay}ms...`, err instanceof Error ? err.message : String(err));
+        await new Promise((resolve) => setTimeout(resolve, delay));
+      }
+    }
+  }
+  throw lastError;
+}
+
+// ../provider-claude/src/normalize.ts
 var DEFAULT_MODEL3 = "claude-sonnet-4-6";
 var VALIDATION_PATTERN = /^claude-/;
 function resolveModel2(config) {
@@ -10992,11 +11540,13 @@ async function healthcheck3(config) {
   try {
     const model = resolveModel2(config);
     const client = new Anthropic({ apiKey: config.apiKey });
-    const response = await client.messages.create({
-      model,
-      max_tokens: 32,
-      messages: [{ role: "user", content: 'Say "ok"' }]
-    });
+    const response = await withRetry3(
+      () => client.messages.create({
+        model,
+        max_tokens: 32,
+        messages: [{ role: "user", content: 'Say "ok"' }]
+      })
+    );
     const text2 = extractTextFromResponse(response);
     return {
       ok: text2.length > 0,
@@ -11030,21 +11580,28 @@ async function executeTrackedQuery3(input) {
       ...input.location.timezone ? { timezone: input.location.timezone } : {}
     };
   }
-  const response = await client.messages.create({
-    model,
-    max_tokens: 4096,
-    tools: [webSearchTool],
-    messages: [{ role: "user", content: input.keyword }]
-  });
-  const groundingSources = extractGroundingSources2(response);
-  const searchQueries = extractSearchQueries3(response);
-  return {
-    provider: "claude",
-    rawResponse: responseToRecord3(response),
-    model,
-    groundingSources,
-    searchQueries
-  };
+  try {
+    const response = await withRetry3(
+      () => client.messages.create({
+        model,
+        max_tokens: 4096,
+        tools: [webSearchTool],
+        messages: [{ role: "user", content: input.keyword }]
+      })
+    );
+    const groundingSources = extractGroundingSources2(response);
+    const searchQueries = extractSearchQueries3(response);
+    return {
+      provider: "claude",
+      rawResponse: responseToRecord3(response),
+      model,
+      groundingSources,
+      searchQueries
+    };
+  } catch (err) {
+    const msg = err instanceof Error ? err.message : String(err);
+    throw new Error(`[provider-claude] ${msg}`);
+  }
 }
 function normalizeResult3(raw) {
   const answerText = extractAnswerTextFromRaw2(raw.rawResponse);
@@ -11138,11 +11695,13 @@ function extractDomainFromUri3(uri) {
 async function generateText3(prompt, config) {
   const model = resolveModel2(config);
   const client = new Anthropic({ apiKey: config.apiKey });
-  const response = await client.messages.create({
-    model,
-    max_tokens: 2048,
-    messages: [{ role: "user", content: prompt }]
-  });
+  const response = await withRetry3(
+    () => client.messages.create({
+      model,
+      max_tokens: 2048,
+      messages: [{ role: "user", content: prompt }]
+    })
+  );
   return extractTextFromResponse(response);
 }
 function responseToRecord3(response) {
@@ -11235,6 +11794,27 @@ var claudeAdapter = {
 
 // ../provider-local/src/normalize.ts
 import OpenAI2 from "openai";
+
+// ../provider-local/src/utils.ts
+async function withRetry4(fn, options = {}) {
+  const { maxRetries = 3, initialDelay = 1e3 } = options;
+  let lastError;
+  for (let attempt = 0; attempt <= maxRetries; attempt++) {
+    try {
+      return await fn();
+    } catch (err) {
+      lastError = err;
+      if (attempt < maxRetries) {
+        const delay = initialDelay * Math.pow(2, attempt);
+        console.warn(`[provider] Attempt ${attempt + 1} failed, retrying in ${delay}ms...`, err instanceof Error ? err.message : String(err));
+        await new Promise((resolve) => setTimeout(resolve, delay));
+      }
+    }
+  }
+  throw lastError;
+}
+
+// ../provider-local/src/normalize.ts
 var DEFAULT_MODEL4 = "llama3";
 function validateConfig4(config) {
   if (!config.baseUrl || config.baseUrl.length === 0) {
@@ -11255,16 +11835,19 @@ async function healthcheck4(config) {
       baseURL: config.baseUrl,
       apiKey: config.apiKey || "not-needed"
     });
-    const models = await client.models.list();
-    const modelList = [];
-    for await (const m of models) {
-      modelList.push(m.id);
-      if (modelList.length >= 5) break;
-    }
+    const models = await withRetry4(async () => {
+      const list = await client.models.list();
+      const items = [];
+      for await (const m of list) {
+        items.push(m.id);
+        if (items.length >= 5) break;
+      }
+      return items;
+    });
     return {
       ok: true,
       provider: "local",
-      message: `connected, ${modelList.length} model(s) available`,
+      message: `connected, ${models.length} model(s) available`,
       model: config.model ?? DEFAULT_MODEL4
     };
   } catch (err) {
@@ -11282,26 +11865,33 @@ async function executeTrackedQuery4(input) {
     baseURL: input.config.baseUrl,
     apiKey: input.config.apiKey || "not-needed"
   });
-  const response = await client.chat.completions.create({
-    model,
-    messages: [
-      {
-        role: "system",
-        content: "You are a helpful assistant. Provide comprehensive, factual answers. When mentioning websites or services, include their domain names."
-      },
-      {
-        role: "user",
-        content: buildPrompt3(input.keyword, input.location)
-      }
-    ]
-  });
-  return {
-    provider: "local",
-    rawResponse: responseToRecord4(response),
-    model,
-    groundingSources: [],
-    searchQueries: []
-  };
+  try {
+    const response = await withRetry4(
+      () => client.chat.completions.create({
+        model,
+        messages: [
+          {
+            role: "system",
+            content: "You are a helpful assistant. Provide comprehensive, factual answers. When mentioning websites or services, include their domain names."
+          },
+          {
+            role: "user",
+            content: buildPrompt3(input.keyword, input.location)
+          }
+        ]
+      })
+    );
+    return {
+      provider: "local",
+      rawResponse: responseToRecord4(response),
+      model,
+      groundingSources: [],
+      searchQueries: []
+    };
+  } catch (err) {
+    const msg = err instanceof Error ? err.message : String(err);
+    throw new Error(`[provider-local] ${msg}`);
+  }
 }
 function normalizeResult4(raw) {
   const answerText = extractAnswerText2(raw.rawResponse);
@@ -11333,10 +11923,12 @@ async function generateText4(prompt, config) {
     baseURL: config.baseUrl,
     apiKey: config.apiKey || "not-needed"
   });
-  const response = await client.chat.completions.create({
-    model,
-    messages: [{ role: "user", content: prompt }]
-  });
+  const response = await withRetry4(
+    () => client.chat.completions.create({
+      model,
+      messages: [{ role: "user", content: prompt }]
+    })
+  );
   return response.choices[0]?.message?.content ?? "";
 }
 function extractDomainMentions(text2) {
@@ -11952,35 +12544,40 @@ var cdpChatgptAdapter = {
   async executeTrackedQuery(input, config) {
     const conn = getConnection(config);
     const target = chatgptTarget;
-    const client = await conn.prepareForQuery(target);
-    await target.submitQuery(client, input.keyword);
-    await target.waitForResponse(client);
-    const answerText = await target.extractAnswer(client);
-    const groundingSources = await target.extractCitations(client);
-    const screenshotId = `${Date.now()}-${Math.random().toString(36).slice(2, 8)}`;
-    const screenshotPath = path4.join(getScreenshotDir2(), `${screenshotId}.png`);
-    let capturedScreenshotPath;
     try {
-      capturedScreenshotPath = await captureElementScreenshot(
-        client,
-        target.responseSelector,
-        screenshotPath
-      );
-    } catch {
-    }
-    return {
-      provider: "cdp:chatgpt",
-      rawResponse: {
-        answerText,
+      const client = await conn.prepareForQuery(target);
+      await target.submitQuery(client, input.keyword);
+      await target.waitForResponse(client);
+      const answerText = await target.extractAnswer(client);
+      const groundingSources = await target.extractCitations(client);
+      const screenshotId = `${Date.now()}-${Math.random().toString(36).slice(2, 8)}`;
+      const screenshotPath = path4.join(getScreenshotDir2(), `${screenshotId}.png`);
+      let capturedScreenshotPath;
+      try {
+        capturedScreenshotPath = await captureElementScreenshot(
+          client,
+          target.responseSelector,
+          screenshotPath
+        );
+      } catch {
+      }
+      return {
+        provider: "cdp:chatgpt",
+        rawResponse: {
+          answerText,
+          groundingSources,
+          extractedAt: (/* @__PURE__ */ new Date()).toISOString(),
+          targetUrl: target.newConversationUrl
+        },
+        model: "chatgpt-web",
         groundingSources,
-        extractedAt: (/* @__PURE__ */ new Date()).toISOString(),
-        targetUrl: target.newConversationUrl
-      },
-      model: "chatgpt-web",
-      groundingSources,
-      searchQueries: [input.keyword],
-      screenshotPath: capturedScreenshotPath
-    };
+        searchQueries: [input.keyword],
+        screenshotPath: capturedScreenshotPath
+      };
+    } catch (err) {
+      const msg = err instanceof Error ? err.message : String(err);
+      throw new Error(`[provider-cdp] ${msg}`);
+    }
   },
   normalizeResult(raw) {
     return normalizeResult5(raw);
@@ -11992,6 +12589,27 @@ var cdpChatgptAdapter = {
 
 // ../provider-perplexity/src/normalize.ts
 import OpenAI3 from "openai";
+
+// ../provider-perplexity/src/utils.ts
+async function withRetry5(fn, options = {}) {
+  const { maxRetries = 3, initialDelay = 1e3 } = options;
+  let lastError;
+  for (let attempt = 0; attempt <= maxRetries; attempt++) {
+    try {
+      return await fn();
+    } catch (err) {
+      lastError = err;
+      if (attempt < maxRetries) {
+        const delay = initialDelay * Math.pow(2, attempt);
+        console.warn(`[provider] Attempt ${attempt + 1} failed, retrying in ${delay}ms...`, err instanceof Error ? err.message : String(err));
+        await new Promise((resolve) => setTimeout(resolve, delay));
+      }
+    }
+  }
+  throw lastError;
+}
+
+// ../provider-perplexity/src/normalize.ts
 var DEFAULT_MODEL5 = "sonar";
 var BASE_URL = "https://api.perplexity.ai";
 function validateConfig5(config) {
@@ -12010,10 +12628,12 @@ async function healthcheck5(config) {
   if (!validation.ok) return validation;
   try {
     const client = new OpenAI3({ apiKey: config.apiKey, baseURL: BASE_URL });
-    const response = await client.chat.completions.create({
-      model: config.model ?? DEFAULT_MODEL5,
-      messages: [{ role: "user", content: 'Say "ok"' }]
-    });
+    const response = await withRetry5(
+      () => client.chat.completions.create({
+        model: config.model ?? DEFAULT_MODEL5,
+        messages: [{ role: "user", content: 'Say "ok"' }]
+      })
+    );
     const text2 = response.choices[0]?.message?.content ?? "";
     return {
       ok: text2.length > 0,
@@ -12034,25 +12654,30 @@ async function executeTrackedQuery5(input) {
   const model = input.config.model ?? DEFAULT_MODEL5;
   const client = new OpenAI3({ apiKey: input.config.apiKey, baseURL: BASE_URL });
   const prompt = buildPrompt4(input.keyword, input.location);
-  const response = await client.chat.completions.create({
-    model,
-    messages: [
-      { role: "user", content: prompt }
-    ]
-  });
-  const rawResponse = responseToRecord5(response);
-  const citations = extractCitations(rawResponse);
-  const groundingSources = citations.map((url) => ({
-    uri: url,
-    title: ""
-  }));
-  return {
-    provider: "perplexity",
-    rawResponse,
-    model,
-    groundingSources,
-    searchQueries: [input.keyword]
-  };
+  try {
+    const response = await withRetry5(
+      () => client.chat.completions.create({
+        model,
+        messages: [{ role: "user", content: prompt }]
+      })
+    );
+    const rawResponse = responseToRecord5(response);
+    const citations = extractCitations(rawResponse);
+    const groundingSources = citations.map((url) => ({
+      uri: url,
+      title: ""
+    }));
+    return {
+      provider: "perplexity",
+      rawResponse,
+      model,
+      groundingSources,
+      searchQueries: [input.keyword]
+    };
+  } catch (err) {
+    const msg = err instanceof Error ? err.message : String(err);
+    throw new Error(`[provider-perplexity] ${msg}`);
+  }
 }
 function normalizeResult6(raw) {
   const answerText = extractAnswerText3(raw.rawResponse);
@@ -12112,10 +12737,12 @@ function extractDomainFromUri4(uri) {
 async function generateText5(prompt, config) {
   const model = config.model ?? DEFAULT_MODEL5;
   const client = new OpenAI3({ apiKey: config.apiKey, baseURL: BASE_URL });
-  const response = await client.chat.completions.create({
-    model,
-    messages: [{ role: "user", content: prompt }]
-  });
+  const response = await withRetry5(
+    () => client.chat.completions.create({
+      model,
+      messages: [{ role: "user", content: prompt }]
+    })
+  );
   return response.choices[0]?.message?.content ?? "";
 }
 function responseToRecord5(response) {
@@ -12368,7 +12995,7 @@ import crypto18 from "crypto";
 import fs4 from "fs";
 import path5 from "path";
 import os4 from "os";
-import { and as and6, eq as eq17, inArray as inArray3, sql as sql5 } from "drizzle-orm";
+import { and as and7, eq as eq18, inArray as inArray3, sql as sql5 } from "drizzle-orm";
 
 // src/logger.ts
 var IS_TTY = process.stdout.isTTY === true;
@@ -12390,7 +13017,7 @@ function emit(entry) {
   }
 }
 function createLogger(module) {
-  function log8(level, action, ctx) {
+  function log10(level, action, ctx) {
     const entry = {
       ts: (/* @__PURE__ */ new Date()).toISOString(),
       level,
@@ -12401,9 +13028,9 @@ function createLogger(module) {
     emit(entry);
   }
   return {
-    info: (action, ctx) => log8("info", action, ctx),
-    warn: (action, ctx) => log8("warn", action, ctx),
-    error: (action, ctx) => log8("error", action, ctx)
+    info: (action, ctx) => log10("info", action, ctx),
+    warn: (action, ctx) => log10("warn", action, ctx),
+    error: (action, ctx) => log10("error", action, ctx)
   };
 }
 
@@ -12490,7 +13117,7 @@ var JobRunner = class {
     if (stale.length === 0) return;
     const now = (/* @__PURE__ */ new Date()).toISOString();
     for (const run of stale) {
-      this.db.update(runs).set({ status: "failed", finishedAt: now, error: "Server restarted while run was in progress" }).where(eq17(runs.id, run.id)).run();
+      this.db.update(runs).set({ status: "failed", finishedAt: now, error: "Server restarted while run was in progress" }).where(eq18(runs.id, run.id)).run();
       log.warn("run.recovered-stale", { runId: run.id, previousStatus: run.status });
     }
   }
@@ -12518,10 +13145,10 @@ var JobRunner = class {
         throw new Error(`Run ${runId} is not executable from status '${existingRun.status}'`);
       }
       if (existingRun.status === "queued") {
-        this.db.update(runs).set({ status: "running", startedAt: now }).where(and6(eq17(runs.id, runId), eq17(runs.status, "queued"))).run();
+        this.db.update(runs).set({ status: "running", startedAt: now }).where(and7(eq18(runs.id, runId), eq18(runs.status, "queued"))).run();
       }
       this.throwIfRunCancelled(runId);
-      const project = this.db.select().from(projects).where(eq17(projects.id, projectId)).get();
+      const project = this.db.select().from(projects).where(eq18(projects.id, projectId)).get();
       if (!project) {
         throw new Error(`Project ${projectId} not found`);
       }
@@ -12541,8 +13168,8 @@ var JobRunner = class {
         throw new Error("No providers configured. Add at least one provider API key.");
       }
       log.info("run.dispatch", { runId, providerCount: activeProviders.length, providers: activeProviders.map((p) => p.adapter.name) });
-      projectKeywords = this.db.select().from(keywords).where(eq17(keywords.projectId, projectId)).all();
-      const projectCompetitors = this.db.select().from(competitors).where(eq17(competitors.projectId, projectId)).all();
+      projectKeywords = this.db.select().from(keywords).where(eq18(keywords.projectId, projectId)).all();
+      const projectCompetitors = this.db.select().from(competitors).where(eq18(competitors.projectId, projectId)).all();
       const competitorDomains = projectCompetitors.map((c) => c.domain);
       const allDomains = effectiveDomains({
         canonicalDomain: project.canonicalDomain,
@@ -12558,7 +13185,7 @@ var JobRunner = class {
       const todayPeriod = getCurrentUsageDay();
       for (const p of activeProviders) {
         const providerScope = `${projectId}:${p.adapter.name}`;
-        const providerUsage = this.db.select().from(usageCounters).where(eq17(usageCounters.scope, providerScope)).all().filter((r) => r.period === todayPeriod && r.metric === "queries").reduce((sum, r) => sum + r.count, 0);
+        const providerUsage = this.db.select().from(usageCounters).where(eq18(usageCounters.scope, providerScope)).all().filter((r) => r.period === todayPeriod && r.metric === "queries").reduce((sum, r) => sum + r.count, 0);
         const limit = p.config.quotaPolicy.maxRequestsPerDay;
         if (providerUsage + queriesPerProvider > limit) {
           throw new Error(
@@ -12699,12 +13326,12 @@ var JobRunner = class {
       const someFailed = providerErrors.size > 0;
       if (allFailed) {
         const errorDetail = JSON.stringify(Object.fromEntries(providerErrors));
-        this.db.update(runs).set({ status: "failed", finishedAt: (/* @__PURE__ */ new Date()).toISOString(), error: errorDetail }).where(eq17(runs.id, runId)).run();
+        this.db.update(runs).set({ status: "failed", finishedAt: (/* @__PURE__ */ new Date()).toISOString(), error: errorDetail }).where(eq18(runs.id, runId)).run();
       } else if (someFailed) {
         const errorDetail = JSON.stringify(Object.fromEntries(providerErrors));
-        this.db.update(runs).set({ status: "partial", finishedAt: (/* @__PURE__ */ new Date()).toISOString(), error: errorDetail }).where(eq17(runs.id, runId)).run();
+        this.db.update(runs).set({ status: "partial", finishedAt: (/* @__PURE__ */ new Date()).toISOString(), error: errorDetail }).where(eq18(runs.id, runId)).run();
       } else {
-        this.db.update(runs).set({ status: "completed", finishedAt: (/* @__PURE__ */ new Date()).toISOString() }).where(eq17(runs.id, runId)).run();
+        this.db.update(runs).set({ status: "completed", finishedAt: (/* @__PURE__ */ new Date()).toISOString() }).where(eq18(runs.id, runId)).run();
       }
       this.flushProviderUsage(projectId, providerDispatchCounts);
       const finalStatus = allFailed ? "failed" : someFailed ? "partial" : "completed";
@@ -12739,7 +13366,7 @@ var JobRunner = class {
         status: "failed",
         finishedAt: (/* @__PURE__ */ new Date()).toISOString(),
         error: errorMessage
-      }).where(eq17(runs.id, runId)).run();
+      }).where(eq18(runs.id, runId)).run();
       this.flushProviderUsage(projectId, providerDispatchCounts);
       trackEvent("run.completed", {
         status: "failed",
@@ -12782,7 +13409,7 @@ var JobRunner = class {
       status: runs.status,
       finishedAt: runs.finishedAt,
       error: runs.error
-    }).from(runs).where(eq17(runs.id, runId)).get();
+    }).from(runs).where(eq18(runs.id, runId)).get();
   }
   isRunCancelled(runId) {
     return this.getRunState(runId)?.status === "cancelled";
@@ -12798,7 +13425,7 @@ var JobRunner = class {
       this.db.update(runs).set({
         finishedAt: (/* @__PURE__ */ new Date()).toISOString(),
         error: currentRun.error ?? "Cancelled by user"
-      }).where(eq17(runs.id, runId)).run();
+      }).where(eq18(runs.id, runId)).run();
     }
     trackEvent("run.completed", {
       status: "cancelled",
@@ -12970,7 +13597,7 @@ function matchesBrandKey(candidateKey, brandKeys) {
 
 // src/gsc-sync.ts
 import crypto19 from "crypto";
-import { eq as eq18, and as and7, sql as sql6 } from "drizzle-orm";
+import { eq as eq19, and as and8, sql as sql6 } from "drizzle-orm";
 var log2 = createLogger("GscSync");
 function formatDate2(d) {
   return d.toISOString().split("T")[0];
@@ -12982,13 +13609,13 @@ function daysAgo(n) {
 }
 async function executeGscSync(db, runId, projectId, opts) {
   const now = (/* @__PURE__ */ new Date()).toISOString();
-  db.update(runs).set({ status: "running", startedAt: now }).where(eq18(runs.id, runId)).run();
+  db.update(runs).set({ status: "running", startedAt: now }).where(eq19(runs.id, runId)).run();
   try {
     const { clientId: googleClientId, clientSecret: googleClientSecret } = getGoogleAuthConfig(opts.config);
     if (!googleClientId || !googleClientSecret) {
       throw new Error("Google OAuth is not configured in the local Canonry config");
     }
-    const project = db.select().from(projects).where(eq18(projects.id, projectId)).get();
+    const project = db.select().from(projects).where(eq19(projects.id, projectId)).get();
     if (!project) {
       throw new Error(`Project not found: ${projectId}`);
     }
@@ -13022,8 +13649,8 @@ async function executeGscSync(db, runId, projectId, opts) {
     });
     log2.info("fetch.complete", { runId, projectId, rowCount: rows.length });
     db.delete(gscSearchData).where(
-      and7(
-        eq18(gscSearchData.projectId, projectId),
+      and8(
+        eq19(gscSearchData.projectId, projectId),
         sql6`${gscSearchData.date} >= ${startDate}`,
         sql6`${gscSearchData.date} <= ${endDate}`
       )
@@ -13090,7 +13717,7 @@ async function executeGscSync(db, runId, projectId, opts) {
         log2.error("inspect.url-failed", { runId, projectId, url: pageUrl, error: err instanceof Error ? err.message : String(err) });
       }
     }
-    const allInspections = db.select().from(gscUrlInspections).where(eq18(gscUrlInspections.projectId, projectId)).all();
+    const allInspections = db.select().from(gscUrlInspections).where(eq19(gscUrlInspections.projectId, projectId)).all();
     const latestByUrl = /* @__PURE__ */ new Map();
     for (const row of allInspections) {
       const existing = latestByUrl.get(row.url);
@@ -13111,7 +13738,7 @@ async function executeGscSync(db, runId, projectId, opts) {
       }
     }
     const snapshotDate = formatDate2(/* @__PURE__ */ new Date());
-    db.delete(gscCoverageSnapshots).where(and7(eq18(gscCoverageSnapshots.projectId, projectId), eq18(gscCoverageSnapshots.date, snapshotDate))).run();
+    db.delete(gscCoverageSnapshots).where(and8(eq19(gscCoverageSnapshots.projectId, projectId), eq19(gscCoverageSnapshots.date, snapshotDate))).run();
     db.insert(gscCoverageSnapshots).values({
       id: crypto19.randomUUID(),
       projectId,
@@ -13122,11 +13749,11 @@ async function executeGscSync(db, runId, projectId, opts) {
       reasonBreakdown: JSON.stringify(reasonCounts),
       createdAt: (/* @__PURE__ */ new Date()).toISOString()
     }).run();
-    db.update(runs).set({ status: "completed", finishedAt: (/* @__PURE__ */ new Date()).toISOString() }).where(eq18(runs.id, runId)).run();
+    db.update(runs).set({ status: "completed", finishedAt: (/* @__PURE__ */ new Date()).toISOString() }).where(eq19(runs.id, runId)).run();
     log2.info("sync.completed", { runId, projectId, searchDataRows: rows.length, urlInspections: topPages.length, indexed: snapIndexed, notIndexed: snapNotIndexed });
   } catch (err) {
     const errorMsg = err instanceof Error ? err.message : String(err);
-    db.update(runs).set({ status: "failed", error: errorMsg, finishedAt: (/* @__PURE__ */ new Date()).toISOString() }).where(eq18(runs.id, runId)).run();
+    db.update(runs).set({ status: "failed", error: errorMsg, finishedAt: (/* @__PURE__ */ new Date()).toISOString() }).where(eq19(runs.id, runId)).run();
     log2.error("sync.failed", { runId, projectId, error: errorMsg });
     throw err;
   }
@@ -13134,7 +13761,7 @@ async function executeGscSync(db, runId, projectId, opts) {
 
 // src/gsc-inspect-sitemap.ts
 import crypto20 from "crypto";
-import { eq as eq19, and as and8 } from "drizzle-orm";
+import { eq as eq20, and as and9 } from "drizzle-orm";
 
 // src/sitemap-parser.ts
 var LOC_REGEX = /<loc>\s*([^<]+?)\s*<\/loc>/gi;
@@ -13203,13 +13830,13 @@ async function parseSitemapRecursive(url, urls, depth) {
 var log3 = createLogger("InspectSitemap");
 async function executeInspectSitemap(db, runId, projectId, opts) {
   const now = (/* @__PURE__ */ new Date()).toISOString();
-  db.update(runs).set({ status: "running", startedAt: now }).where(eq19(runs.id, runId)).run();
+  db.update(runs).set({ status: "running", startedAt: now }).where(eq20(runs.id, runId)).run();
   try {
     const { clientId: googleClientId, clientSecret: googleClientSecret } = getGoogleAuthConfig(opts.config);
     if (!googleClientId || !googleClientSecret) {
       throw new Error("Google OAuth is not configured in the local Canonry config");
     }
-    const project = db.select().from(projects).where(eq19(projects.id, projectId)).get();
+    const project = db.select().from(projects).where(eq20(projects.id, projectId)).get();
     if (!project) {
       throw new Error(`Project not found: ${projectId}`);
     }
@@ -13277,7 +13904,7 @@ async function executeInspectSitemap(db, runId, projectId, opts) {
         await new Promise((r) => setTimeout(r, 1e3));
       }
     }
-    const allInspections = db.select().from(gscUrlInspections).where(eq19(gscUrlInspections.projectId, projectId)).all();
+    const allInspections = db.select().from(gscUrlInspections).where(eq20(gscUrlInspections.projectId, projectId)).all();
     const latestByUrl = /* @__PURE__ */ new Map();
     for (const row of allInspections) {
       const existing = latestByUrl.get(row.url);
@@ -13298,7 +13925,7 @@ async function executeInspectSitemap(db, runId, projectId, opts) {
       }
     }
     const snapshotDate = (/* @__PURE__ */ new Date()).toISOString().split("T")[0];
-    db.delete(gscCoverageSnapshots).where(and8(eq19(gscCoverageSnapshots.projectId, projectId), eq19(gscCoverageSnapshots.date, snapshotDate))).run();
+    db.delete(gscCoverageSnapshots).where(and9(eq20(gscCoverageSnapshots.projectId, projectId), eq20(gscCoverageSnapshots.date, snapshotDate))).run();
     db.insert(gscCoverageSnapshots).values({
       id: crypto20.randomUUID(),
       projectId,
@@ -13310,11 +13937,11 @@ async function executeInspectSitemap(db, runId, projectId, opts) {
       createdAt: (/* @__PURE__ */ new Date()).toISOString()
     }).run();
     const status = errors > 0 && inspected > 0 ? "partial" : errors === urls.length ? "failed" : "completed";
-    db.update(runs).set({ status, finishedAt: (/* @__PURE__ */ new Date()).toISOString() }).where(eq19(runs.id, runId)).run();
+    db.update(runs).set({ status, finishedAt: (/* @__PURE__ */ new Date()).toISOString() }).where(eq20(runs.id, runId)).run();
     log3.info("inspect.completed", { runId, projectId, inspected, errors, total: urls.length, indexed: snapIndexed, notIndexed: snapNotIndexed });
   } catch (err) {
     const errorMsg = err instanceof Error ? err.message : String(err);
-    db.update(runs).set({ status: "failed", error: errorMsg, finishedAt: (/* @__PURE__ */ new Date()).toISOString() }).where(eq19(runs.id, runId)).run();
+    db.update(runs).set({ status: "failed", error: errorMsg, finishedAt: (/* @__PURE__ */ new Date()).toISOString() }).where(eq20(runs.id, runId)).run();
     log3.error("inspect.failed", { runId, projectId, error: errorMsg });
     throw err;
   }
@@ -13373,7 +14000,7 @@ var ProviderRegistry = class {
 
 // src/scheduler.ts
 import cron from "node-cron";
-import { eq as eq20 } from "drizzle-orm";
+import { eq as eq21 } from "drizzle-orm";
 var log4 = createLogger("Scheduler");
 var Scheduler = class {
   db;
@@ -13385,7 +14012,7 @@ var Scheduler = class {
   }
   /** Load all enabled schedules from DB and register cron jobs. */
   start() {
-    const allSchedules = this.db.select().from(schedules).where(eq20(schedules.enabled, 1)).all();
+    const allSchedules = this.db.select().from(schedules).where(eq21(schedules.enabled, 1)).all();
     for (const schedule of allSchedules) {
       const missedRunAt = schedule.nextRunAt;
       this.registerCronTask(schedule);
@@ -13410,7 +14037,7 @@ var Scheduler = class {
       this.stopTask(projectId, existing, "Stopped");
       this.tasks.delete(projectId);
     }
-    const schedule = this.db.select().from(schedules).where(eq20(schedules.projectId, projectId)).get();
+    const schedule = this.db.select().from(schedules).where(eq21(schedules.projectId, projectId)).get();
     if (schedule && schedule.enabled === 1) {
       this.registerCronTask(schedule);
     }
@@ -13443,14 +14070,14 @@ var Scheduler = class {
     this.db.update(schedules).set({
       nextRunAt: task.getNextRun()?.toISOString() ?? null,
       updatedAt: (/* @__PURE__ */ new Date()).toISOString()
-    }).where(eq20(schedules.id, scheduleId)).run();
+    }).where(eq21(schedules.id, scheduleId)).run();
     const label = schedule.preset ?? cronExpr;
     log4.info("cron.registered", { projectId, schedule: label, timezone });
   }
   triggerRun(scheduleId, projectId) {
     try {
       const now = (/* @__PURE__ */ new Date()).toISOString();
-      const currentSchedule = this.db.select().from(schedules).where(eq20(schedules.id, scheduleId)).get();
+      const currentSchedule = this.db.select().from(schedules).where(eq21(schedules.id, scheduleId)).get();
       if (!currentSchedule || currentSchedule.enabled !== 1) {
         log4.warn("schedule.stale", { scheduleId, projectId, msg: "schedule no longer exists or is disabled" });
         this.remove(projectId);
@@ -13458,7 +14085,7 @@ var Scheduler = class {
       }
       const task = this.tasks.get(projectId);
       const nextRunAt = task?.getNextRun()?.toISOString() ?? null;
-      const project = this.db.select().from(projects).where(eq20(projects.id, projectId)).get();
+      const project = this.db.select().from(projects).where(eq21(projects.id, projectId)).get();
       if (!project) {
         log4.error("project.not-found", { projectId, msg: "skipping scheduled run" });
         this.remove(projectId);
@@ -13475,7 +14102,7 @@ var Scheduler = class {
         this.db.update(schedules).set({
           nextRunAt,
           updatedAt: now
-        }).where(eq20(schedules.id, currentSchedule.id)).run();
+        }).where(eq21(schedules.id, currentSchedule.id)).run();
         return;
       }
       const runId = queueResult.runId;
@@ -13483,7 +14110,7 @@ var Scheduler = class {
         lastRunAt: now,
         nextRunAt,
         updatedAt: now
-      }).where(eq20(schedules.id, currentSchedule.id)).run();
+      }).where(eq21(schedules.id, currentSchedule.id)).run();
       const scheduleProviders = parseJsonColumn(currentSchedule.providers, []);
       const providers = scheduleProviders.length > 0 ? scheduleProviders : void 0;
       log4.info("run.triggered", { runId, projectName: project.name, providers: providers ?? "all" });
@@ -13495,7 +14122,7 @@ var Scheduler = class {
 };
 
 // src/notifier.ts
-import { eq as eq21, desc as desc7, and as and9, or as or2 } from "drizzle-orm";
+import { eq as eq22, desc as desc8, and as and10, or as or2 } from "drizzle-orm";
 import crypto21 from "crypto";
 var log5 = createLogger("Notifier");
 var Notifier = class {
@@ -13508,18 +14135,18 @@ var Notifier = class {
   /** Called after a run completes (success, partial, or failed). */
   async onRunCompleted(runId, projectId) {
     log5.info("run.completed", { runId, projectId });
-    const notifs = this.db.select().from(notifications).where(eq21(notifications.projectId, projectId)).all().filter((n) => n.enabled === 1);
+    const notifs = this.db.select().from(notifications).where(eq22(notifications.projectId, projectId)).all().filter((n) => n.enabled === 1);
     if (notifs.length === 0) {
       log5.info("notifications.none-enabled", { projectId });
       return;
     }
     log5.info("notifications.found", { projectId, count: notifs.length });
-    const run = this.db.select().from(runs).where(eq21(runs.id, runId)).get();
+    const run = this.db.select().from(runs).where(eq22(runs.id, runId)).get();
     if (!run) {
       log5.error("run.not-found", { runId, msg: "skipping notification dispatch" });
       return;
     }
-    const project = this.db.select().from(projects).where(eq21(projects.id, projectId)).get();
+    const project = this.db.select().from(projects).where(eq22(projects.id, projectId)).get();
     if (!project) {
       log5.error("project.not-found", { projectId, msg: "skipping notification dispatch" });
       return;
@@ -13559,11 +14186,11 @@ var Notifier = class {
   }
   computeTransitions(runId, projectId) {
     const recentRuns = this.db.select().from(runs).where(
-      and9(
-        eq21(runs.projectId, projectId),
-        or2(eq21(runs.status, "completed"), eq21(runs.status, "partial"))
+      and10(
+        eq22(runs.projectId, projectId),
+        or2(eq22(runs.status, "completed"), eq22(runs.status, "partial"))
       )
-    ).orderBy(desc7(runs.createdAt)).limit(2).all();
+    ).orderBy(desc8(runs.createdAt)).limit(2).all();
     if (recentRuns.length < 2) return [];
     const currentRunId = recentRuns[0].id;
     const previousRunId = recentRuns[1].id;
@@ -13573,12 +14200,12 @@ var Notifier = class {
       keyword: keywords.keyword,
       provider: querySnapshots.provider,
       citationState: querySnapshots.citationState
-    }).from(querySnapshots).leftJoin(keywords, eq21(querySnapshots.keywordId, keywords.id)).where(eq21(querySnapshots.runId, currentRunId)).all();
+    }).from(querySnapshots).leftJoin(keywords, eq22(querySnapshots.keywordId, keywords.id)).where(eq22(querySnapshots.runId, currentRunId)).all();
     const previousSnapshots = this.db.select({
       keywordId: querySnapshots.keywordId,
       provider: querySnapshots.provider,
       citationState: querySnapshots.citationState
-    }).from(querySnapshots).where(eq21(querySnapshots.runId, previousRunId)).all();
+    }).from(querySnapshots).where(eq22(querySnapshots.runId, previousRunId)).all();
     const prevMap = /* @__PURE__ */ new Map();
     for (const s of previousSnapshots) {
       prevMap.set(`${s.keywordId}:${s.provider}`, s.citationState);
@@ -13648,6 +14275,382 @@ var Notifier = class {
   }
 };
 
+// src/intelligence-service.ts
+import { eq as eq23, desc as desc9, asc as asc2, and as and11, or as or3 } from "drizzle-orm";
+
+// ../intelligence/src/regressions.ts
+function detectRegressions(currentRun, previousRun) {
+  const regressions = [];
+  const previousCited = /* @__PURE__ */ new Map();
+  for (const snap of previousRun.snapshots) {
+    if (snap.cited) {
+      previousCited.set(`${snap.keyword}:${snap.provider}`, {
+        citationUrl: snap.citationUrl,
+        position: snap.position
+      });
+    }
+  }
+  for (const snap of currentRun.snapshots) {
+    const key = `${snap.keyword}:${snap.provider}`;
+    if (!snap.cited && previousCited.has(key)) {
+      const prev = previousCited.get(key);
+      regressions.push({
+        keyword: snap.keyword,
+        provider: snap.provider,
+        previousCitationUrl: prev.citationUrl,
+        previousPosition: prev.position,
+        currentRunId: currentRun.runId,
+        previousRunId: previousRun.runId
+      });
+    }
+  }
+  return regressions;
+}
+
+// ../intelligence/src/gains.ts
+function detectGains(currentRun, previousRun) {
+  const gains = [];
+  const previousCited = /* @__PURE__ */ new Set();
+  for (const snap of previousRun.snapshots) {
+    if (snap.cited) {
+      previousCited.add(`${snap.keyword}:${snap.provider}`);
+    }
+  }
+  for (const snap of currentRun.snapshots) {
+    const key = `${snap.keyword}:${snap.provider}`;
+    if (snap.cited && !previousCited.has(key)) {
+      gains.push({
+        keyword: snap.keyword,
+        provider: snap.provider,
+        citationUrl: snap.citationUrl,
+        position: snap.position,
+        snippet: snap.snippet,
+        runId: currentRun.runId
+      });
+    }
+  }
+  return gains;
+}
+
+// ../intelligence/src/health.ts
+function computeHealth(run) {
+  const providerStats = /* @__PURE__ */ new Map();
+  let totalPairs = 0;
+  let citedPairs = 0;
+  for (const snap of run.snapshots) {
+    totalPairs++;
+    if (snap.cited) citedPairs++;
+    const stats = providerStats.get(snap.provider) ?? { cited: 0, total: 0 };
+    stats.total++;
+    if (snap.cited) stats.cited++;
+    providerStats.set(snap.provider, stats);
+  }
+  const providerBreakdown = {};
+  for (const [provider, stats] of providerStats) {
+    providerBreakdown[provider] = {
+      citedRate: stats.total > 0 ? stats.cited / stats.total : 0,
+      cited: stats.cited,
+      total: stats.total
+    };
+  }
+  return {
+    overallCitedRate: totalPairs > 0 ? citedPairs / totalPairs : 0,
+    totalPairs,
+    citedPairs,
+    providerBreakdown
+  };
+}
+function computeHealthTrend(runs2) {
+  if (runs2.length === 0) {
+    return { current: 0, previous: 0, delta: 0 };
+  }
+  const current = computeHealth(runs2[runs2.length - 1]).overallCitedRate;
+  if (runs2.length === 1) {
+    return { current, previous: 0, delta: current };
+  }
+  const previous = computeHealth(runs2[runs2.length - 2]).overallCitedRate;
+  return {
+    current,
+    previous,
+    delta: current - previous
+  };
+}
+
+// ../intelligence/src/causes.ts
+function analyzeCause(regression, currentSnapshots) {
+  const currentSnap = currentSnapshots.find(
+    (s) => s.keyword === regression.keyword && s.provider === regression.provider && !s.cited && s.competitorDomain
+  );
+  if (currentSnap) {
+    return {
+      cause: "competitor_gain",
+      competitorDomain: currentSnap.competitorDomain,
+      details: `Competitor ${currentSnap.competitorDomain} now cited for "${regression.keyword}" on ${regression.provider}`
+    };
+  }
+  return {
+    cause: "unknown",
+    details: `No specific cause identified for loss of "${regression.keyword}" on ${regression.provider}`
+  };
+}
+
+// ../intelligence/src/insights.ts
+import { randomUUID } from "crypto";
+function generateInsights(regressions, gains, health, causes) {
+  const insights2 = [];
+  const now = (/* @__PURE__ */ new Date()).toISOString();
+  for (const reg of regressions) {
+    const key = `${reg.keyword}:${reg.provider}`;
+    const cause = causes.get(key);
+    insights2.push({
+      id: `ins_${randomUUID().slice(0, 8)}`,
+      type: "regression",
+      severity: "high",
+      title: `Lost ${reg.provider} citation for "${reg.keyword}"`,
+      keyword: reg.keyword,
+      provider: reg.provider,
+      recommendation: {
+        action: "audit",
+        target: reg.previousCitationUrl,
+        reason: `Page was previously cited at position ${reg.previousPosition ?? "unknown"}. Run aeo-audit to check for content or schema issues.`
+      },
+      cause,
+      createdAt: now
+    });
+  }
+  for (const gain of gains) {
+    insights2.push({
+      id: `ins_${randomUUID().slice(0, 8)}`,
+      type: "gain",
+      severity: "low",
+      title: `New ${gain.provider} citation for "${gain.keyword}"`,
+      keyword: gain.keyword,
+      provider: gain.provider,
+      recommendation: {
+        action: "monitor",
+        target: gain.citationUrl,
+        reason: `New citation appeared at position ${gain.position ?? "unknown"}. Monitor to confirm it persists.`
+      },
+      createdAt: now
+    });
+  }
+  return insights2;
+}
+
+// ../intelligence/src/analyzer.ts
+function analyzeRuns(currentRun, previousRun, allRuns) {
+  const regressions = detectRegressions(currentRun, previousRun);
+  const gains = detectGains(currentRun, previousRun);
+  const health = computeHealth(currentRun);
+  const trend = allRuns ? computeHealthTrend(allRuns) : void 0;
+  const causes = /* @__PURE__ */ new Map();
+  for (const reg of regressions) {
+    const cause = analyzeCause(reg, currentRun.snapshots);
+    causes.set(`${reg.keyword}:${reg.provider}`, cause);
+  }
+  const insights2 = generateInsights(regressions, gains, health, causes);
+  return {
+    regressions,
+    gains,
+    health,
+    trend,
+    insights: insights2
+  };
+}
+
+// src/intelligence-service.ts
+import crypto22 from "crypto";
+var log6 = createLogger("IntelligenceService");
+var IntelligenceService = class {
+  constructor(db) {
+    this.db = db;
+  }
+  /**
+   * Analyze a completed run and persist insights + health snapshot.
+   * Idempotent: deletes prior results for the same runId before inserting.
+   * Returns the analysis result for the coordinator to inspect (e.g. for webhook dispatch).
+   */
+  analyzeAndPersist(runId, projectId) {
+    const recentRuns = this.db.select().from(runs).where(
+      and11(
+        eq23(runs.projectId, projectId),
+        or3(eq23(runs.status, "completed"), eq23(runs.status, "partial"))
+      )
+    ).orderBy(desc9(runs.createdAt)).limit(2).all();
+    if (recentRuns.length === 0) {
+      log6.info("intelligence.skip", { runId, reason: "no completed runs" });
+      return null;
+    }
+    const currentRunRecord = recentRuns.find((r) => r.id === runId);
+    if (!currentRunRecord) {
+      log6.info("intelligence.skip", { runId, reason: "run not in recent completed list" });
+      return null;
+    }
+    const currentRun = this.buildRunData(runId, projectId, currentRunRecord.finishedAt ?? currentRunRecord.createdAt);
+    if (currentRun.snapshots.length === 0) {
+      log6.info("intelligence.skip", { runId, reason: "no snapshots" });
+      return null;
+    }
+    const previousRunRecord = recentRuns.find((r) => r.id !== runId);
+    const previousRun = previousRunRecord ? this.buildRunData(previousRunRecord.id, projectId, previousRunRecord.finishedAt ?? previousRunRecord.createdAt) : null;
+    const result = previousRun ? analyzeRuns(currentRun, previousRun) : analyzeRuns(currentRun, { ...currentRun, snapshots: [] });
+    log6.info("intelligence.analyzed", {
+      runId,
+      regressions: result.regressions.length,
+      gains: result.gains.length,
+      citedRate: result.health.overallCitedRate,
+      insights: result.insights.length
+    });
+    this.persistResult(result, runId, projectId);
+    return result;
+  }
+  /**
+   * Analyze a single run given an explicit previous run (or null for first run).
+   * Used by backfill where we control the run ordering.
+   */
+  analyzeRunWithPrevious(runRecord, previousRunRecord) {
+    const currentRun = this.buildRunData(runRecord.id, runRecord.projectId, runRecord.finishedAt ?? runRecord.createdAt);
+    if (currentRun.snapshots.length === 0) {
+      return null;
+    }
+    const previousRun = previousRunRecord ? this.buildRunData(previousRunRecord.id, previousRunRecord.projectId, previousRunRecord.finishedAt ?? previousRunRecord.createdAt) : null;
+    const result = previousRun ? analyzeRuns(currentRun, previousRun) : analyzeRuns(currentRun, { ...currentRun, snapshots: [] });
+    this.persistResult(result, runRecord.id, runRecord.projectId);
+    return result;
+  }
+  /**
+   * Backfill intelligence for all completed/partial runs of a project.
+   * Processes runs in chronological order so each run compares against its predecessor.
+   */
+  backfill(projectName, opts, onProgress) {
+    const project = this.db.select().from(projects).where(eq23(projects.name, projectName)).get();
+    if (!project) {
+      throw new Error(`Project "${projectName}" not found`);
+    }
+    const allRuns = this.db.select().from(runs).where(
+      and11(
+        eq23(runs.projectId, project.id),
+        or3(eq23(runs.status, "completed"), eq23(runs.status, "partial"))
+      )
+    ).orderBy(asc2(runs.finishedAt)).all();
+    let startIdx = 0;
+    let endIdx = allRuns.length;
+    if (opts?.fromRunId) {
+      const idx = allRuns.findIndex((r) => r.id === opts.fromRunId);
+      if (idx === -1) throw new Error(`Run "${opts.fromRunId}" not found in project`);
+      startIdx = idx;
+    }
+    if (opts?.toRunId) {
+      const idx = allRuns.findIndex((r) => r.id === opts.toRunId);
+      if (idx === -1) throw new Error(`Run "${opts.toRunId}" not found in project`);
+      endIdx = idx + 1;
+    }
+    const targetRuns = allRuns.slice(startIdx, endIdx);
+    let processed = 0;
+    let skipped = 0;
+    let totalInsights = 0;
+    for (let i = 0; i < targetRuns.length; i++) {
+      const run = targetRuns[i];
+      const globalIdx = allRuns.indexOf(run);
+      const previousRun = globalIdx > 0 ? allRuns[globalIdx - 1] : null;
+      const result = this.analyzeRunWithPrevious(run, previousRun);
+      if (result) {
+        processed++;
+        totalInsights += result.insights.length;
+        onProgress?.({ runId: run.id, index: i + 1, total: targetRuns.length, insights: result.insights.length });
+      } else {
+        skipped++;
+        onProgress?.({ runId: run.id, index: i + 1, total: targetRuns.length, insights: 0 });
+      }
+    }
+    return { processed, skipped, totalInsights };
+  }
+  persistResult(result, runId, projectId) {
+    const previouslyDismissed = /* @__PURE__ */ new Set();
+    const existingInsights = this.db.select({ keyword: insights.keyword, provider: insights.provider, type: insights.type, dismissed: insights.dismissed }).from(insights).where(eq23(insights.runId, runId)).all();
+    for (const row of existingInsights) {
+      if (row.dismissed) {
+        previouslyDismissed.add(`${row.keyword}:${row.provider}:${row.type}`);
+      }
+    }
+    this.db.transaction((tx) => {
+      tx.delete(insights).where(eq23(insights.runId, runId)).run();
+      tx.delete(healthSnapshots).where(eq23(healthSnapshots.runId, runId)).run();
+      const now = (/* @__PURE__ */ new Date()).toISOString();
+      for (const insight of result.insights) {
+        const wasDismissed = previouslyDismissed.has(`${insight.keyword}:${insight.provider}:${insight.type}`);
+        tx.insert(insights).values({
+          id: insight.id,
+          projectId,
+          runId,
+          type: insight.type,
+          severity: insight.severity,
+          title: insight.title,
+          keyword: insight.keyword,
+          provider: insight.provider,
+          recommendation: insight.recommendation ? JSON.stringify(insight.recommendation) : null,
+          cause: insight.cause ? JSON.stringify(insight.cause) : null,
+          dismissed: wasDismissed,
+          createdAt: insight.createdAt
+        }).run();
+      }
+      tx.insert(healthSnapshots).values({
+        id: crypto22.randomUUID(),
+        projectId,
+        runId,
+        overallCitedRate: String(result.health.overallCitedRate),
+        totalPairs: result.health.totalPairs,
+        citedPairs: result.health.citedPairs,
+        providerBreakdown: JSON.stringify(result.health.providerBreakdown),
+        createdAt: now
+      }).run();
+    });
+    log6.info("intelligence.persisted", { runId, insights: result.insights.length });
+  }
+  buildRunData(runId, projectId, completedAt) {
+    const rows = this.db.select({
+      keyword: keywords.keyword,
+      provider: querySnapshots.provider,
+      citationState: querySnapshots.citationState,
+      citedDomains: querySnapshots.citedDomains,
+      competitorOverlap: querySnapshots.competitorOverlap
+    }).from(querySnapshots).leftJoin(keywords, eq23(querySnapshots.keywordId, keywords.id)).where(eq23(querySnapshots.runId, runId)).all();
+    const snapshots = rows.map((r) => {
+      const domains = parseJsonColumn(r.citedDomains, []);
+      const competitors2 = parseJsonColumn(r.competitorOverlap, []);
+      return {
+        keyword: r.keyword ?? "",
+        provider: r.provider,
+        cited: r.citationState === "cited",
+        citationUrl: domains[0] ?? void 0,
+        competitorDomain: competitors2[0] ?? void 0
+      };
+    });
+    return { runId, projectId, completedAt, snapshots };
+  }
+};
+
+// src/run-coordinator.ts
+var log7 = createLogger("RunCoordinator");
+var RunCoordinator = class {
+  constructor(notifier, intelligenceService) {
+    this.notifier = notifier;
+    this.intelligenceService = intelligenceService;
+  }
+  async onRunCompleted(runId, projectId) {
+    try {
+      this.intelligenceService.analyzeAndPersist(runId, projectId);
+    } catch (err) {
+      log7.error("intelligence.failed", { runId, error: err instanceof Error ? err.message : String(err) });
+    }
+    try {
+      await this.notifier.onRunCompleted(runId, projectId);
+    } catch (err) {
+      log7.error("notifier.failed", { runId, error: err instanceof Error ? err.message : String(err) });
+    }
+  }
+};
+
 // src/snapshot-service.ts
 import { runAeoAudit } from "@ainyc/aeo-audit";
 
@@ -13768,7 +14771,7 @@ function formatAuditFactorScore(factor) {
 }
 
 // src/snapshot-service.ts
-var log6 = createLogger("Snapshot");
+var log8 = createLogger("Snapshot");
 var ANALYSIS_PROVIDER_PRIORITY = ["openai", "claude", "gemini", "perplexity", "local"];
 var SNAPSHOT_QUERY_COUNT = 6;
 var ProviderExecutionGate2 = class {
@@ -13911,7 +14914,7 @@ var SnapshotService = class {
       return mapAuditReport(report);
     } catch (err) {
       const message = err instanceof Error ? err.message : String(err);
-      log6.warn("audit.failed", { homepageUrl, error: message });
+      log8.warn("audit.failed", { homepageUrl, error: message });
       return {
         url: homepageUrl,
         finalUrl: homepageUrl,
@@ -13941,7 +14944,7 @@ var SnapshotService = class {
           phrases: parsedPhrases
         };
       } catch (err) {
-        log6.warn("profile.generation-failed", {
+        log8.warn("profile.generation-failed", {
           domain: ctx.domain,
           provider: ctx.analysisProvider.adapter.name,
           error: err instanceof Error ? err.message : String(err)
@@ -14083,7 +15086,7 @@ var SnapshotService = class {
         recommendedActions: uniqueStrings(parsed.recommendedActions ?? []).slice(0, 4)
       };
     } catch (err) {
-      log6.warn("response.analysis-failed", {
+      log8.warn("response.analysis-failed", {
         provider: ctx.analysisProvider.adapter.name,
         error: err instanceof Error ? err.message : String(err)
       });
@@ -14368,7 +15371,7 @@ function clipText(value, length) {
 // src/server.ts
 var _require2 = createRequire2(import.meta.url);
 var { version: PKG_VERSION } = _require2("../package.json");
-var log7 = createLogger("Server");
+var log9 = createLogger("Server");
 var DEFAULT_QUOTA = {
   maxConcurrency: 2,
   maxRequestsPerMinute: 10,
@@ -14399,7 +15402,7 @@ function summarizeProviderConfig(provider, config) {
   };
 }
 function hashApiKey(key) {
-  return crypto22.createHash("sha256").update(key).digest("hex");
+  return crypto23.createHash("sha256").update(key).digest("hex");
 }
 function parseCookies2(header) {
   if (!header) return {};
@@ -14458,7 +15461,7 @@ async function createServer(opts) {
       quota: opts.config.geminiQuota
     };
   }
-  log7.info("providers.configured", { providers: Object.keys(providers).filter((k) => {
+  log9.info("providers.configured", { providers: Object.keys(providers).filter((k) => {
     const p = providers[k];
     return p?.apiKey || p?.baseUrl || p?.vertexProject;
   }) });
@@ -14494,7 +15497,9 @@ async function createServer(opts) {
   const jobRunner = new JobRunner(opts.db, registry);
   jobRunner.recoverStaleRuns();
   const notifier = new Notifier(opts.db, serverUrl);
-  jobRunner.onRunCompleted = (runId, projectId) => notifier.onRunCompleted(runId, projectId);
+  const intelligenceService = new IntelligenceService(opts.db);
+  const runCoordinator = new RunCoordinator(notifier, intelligenceService);
+  jobRunner.onRunCompleted = (runId, projectId) => runCoordinator.onRunCompleted(runId, projectId);
   const snapshotService = new SnapshotService(registry);
   const scheduler = new Scheduler(opts.db, {
     onRunCreated: (runId, projectId, providers2) => {
@@ -14571,7 +15576,7 @@ async function createServer(opts) {
       return removed;
     }
   };
-  const googleStateSecret = process.env.GOOGLE_STATE_SECRET ?? crypto22.randomBytes(32).toString("hex");
+  const googleStateSecret = process.env.GOOGLE_STATE_SECRET ?? crypto23.randomBytes(32).toString("hex");
   const googleConnectionStore = {
     listConnections: (domain) => listGoogleConnections(opts.config, domain),
     getConnection: (domain, connectionType) => getGoogleConnection(opts.config, domain, connectionType),
@@ -14617,11 +15622,11 @@ async function createServer(opts) {
   const apiPrefix = basePath ? `${basePath}api/v1` : "/api/v1";
   if (opts.config.apiKey) {
     const keyHash = hashApiKey(opts.config.apiKey);
-    const existing = opts.db.select().from(apiKeys).where(eq22(apiKeys.keyHash, keyHash)).get();
+    const existing = opts.db.select().from(apiKeys).where(eq24(apiKeys.keyHash, keyHash)).get();
     if (!existing) {
       const prefix = opts.config.apiKey.slice(0, 12);
       opts.db.insert(apiKeys).values({
-        id: `key_${crypto22.randomBytes(8).toString("hex")}`,
+        id: `key_${crypto23.randomBytes(8).toString("hex")}`,
         name: "default",
         keyHash,
         keyPrefix: prefix,
@@ -14645,7 +15650,7 @@ async function createServer(opts) {
   };
   const createSession = (apiKeyId) => {
     pruneExpiredSessions();
-    const sessionId = crypto22.randomBytes(32).toString("hex");
+    const sessionId = crypto23.randomBytes(32).toString("hex");
     sessions.set(sessionId, {
       apiKeyId,
       expiresAt: Date.now() + SESSION_TTL_MS
@@ -14669,7 +15674,7 @@ async function createServer(opts) {
   };
   const getDefaultApiKey = () => {
     if (!opts.config.apiKey) return void 0;
-    return opts.db.select().from(apiKeys).where(eq22(apiKeys.keyHash, hashApiKey(opts.config.apiKey))).get();
+    return opts.db.select().from(apiKeys).where(eq24(apiKeys.keyHash, hashApiKey(opts.config.apiKey))).get();
   };
   const createPasswordSession = (reply) => {
     const key = getDefaultApiKey();
@@ -14726,12 +15731,12 @@ async function createServer(opts) {
       return reply.send({ authenticated: true });
     }
     if (apiKey) {
-      const key = opts.db.select().from(apiKeys).where(eq22(apiKeys.keyHash, hashApiKey(apiKey))).get();
+      const key = opts.db.select().from(apiKeys).where(eq24(apiKeys.keyHash, hashApiKey(apiKey))).get();
       if (!key || key.revokedAt) {
         const err2 = authInvalid();
         return reply.status(err2.statusCode).send(err2.toJSON());
       }
-      opts.db.update(apiKeys).set({ lastUsedAt: (/* @__PURE__ */ new Date()).toISOString() }).where(eq22(apiKeys.id, key.id)).run();
+      opts.db.update(apiKeys).set({ lastUsedAt: (/* @__PURE__ */ new Date()).toISOString() }).where(eq24(apiKeys.id, key.id)).run();
       const sessionId = createSession(key.id);
       reply.header("set-cookie", serializeSessionCookie({
         name: SESSION_COOKIE_NAME,
@@ -14876,7 +15881,7 @@ async function createServer(opts) {
         const targetProjectIds = affectedProjectIds.length > 0 ? affectedProjectIds : [null];
         const createdAt = (/* @__PURE__ */ new Date()).toISOString();
         opts.db.insert(auditLog).values(targetProjectIds.map((projectId) => ({
-          id: crypto22.randomUUID(),
+          id: crypto23.randomUUID(),
           projectId,
           actor: "api",
           action: existing ? "provider.updated" : "provider.created",
@@ -15142,6 +16147,7 @@ export {
   notificationEventSchema,
   effectiveDomains,
   determineAnswerMentioned,
+  IntelligenceService,
   setGoogleAuthConfig,
   formatAuditFactorScore,
   createServer