@ainyc/canonry 1.46.1 → 1.48.2

package/dist/{chunk-RMLIF47M.js → chunk-YPTVJRJY.js}

@@ -23,7 +23,7 @@ import {
   runs,
   schedules,
   usageCounters
-} from "./chunk-HO22LHTY.js";
+} from "./chunk-JTKHPNGL.js";
 
 // src/config.ts
 import fs from "fs";
@@ -262,13 +262,83 @@ function trackEvent(event, properties) {
   }).finally(() => clearTimeout(timeout));
 }
 
+// src/cli-error.ts
+var EXIT_USER_ERROR = 1;
+var EXIT_SYSTEM_ERROR = 2;
+var CliError = class extends Error {
+  code;
+  displayMessage;
+  details;
+  exitCode;
+  constructor(options) {
+    super(options.message);
+    this.name = "CliError";
+    this.code = options.code;
+    this.displayMessage = options.displayMessage;
+    this.details = options.details;
+    this.exitCode = options.exitCode ?? EXIT_USER_ERROR;
+  }
+};
+function usageError(displayMessage, options) {
+  const firstLine = displayMessage.split("\n", 1)[0] ?? "Error: invalid command usage";
+  return new CliError({
+    code: "CLI_USAGE_ERROR",
+    message: options?.message ?? firstLine.replace(/^Error:\s*/, ""),
+    displayMessage,
+    details: options?.details
+  });
+}
+function printCliError(err, format) {
+  if (format === "json") {
+    if (err instanceof CliError) {
+      console.error(
+        JSON.stringify(
+          {
+            error: {
+              code: err.code,
+              message: err.message,
+              ...err.details ? { details: err.details } : {}
+            }
+          },
+          null,
+          2
+        )
+      );
+      return;
+    }
+    const message = err instanceof Error ? err.message : "An unexpected error occurred";
+    console.error(
+      JSON.stringify(
+        {
+          error: {
+            code: "CLI_ERROR",
+            message
+          }
+        },
+        null,
+        2
+      )
+    );
+    return;
+  }
+  if (err instanceof CliError && err.displayMessage) {
+    console.error(err.displayMessage);
+    return;
+  }
+  if (err instanceof Error) {
+    console.error(`Error: ${err.message}`);
+    return;
+  }
+  console.error("An unexpected error occurred");
+}
+
 // src/server.ts
 import { createRequire as createRequire2 } from "module";
-import crypto22 from "crypto";
-import fs5 from "fs";
-import path6 from "path";
-import { fileURLToPath } from "url";
-import { eq as eq23, sql as sql6 } from "drizzle-orm";
+import crypto23 from "crypto";
+import fs7 from "fs";
+import path8 from "path";
+import { fileURLToPath as fileURLToPath2 } from "url";
+import { eq as eq24, sql as sql6 } from "drizzle-orm";
 import Fastify from "fastify";
 
 // ../contracts/src/config-schema.ts
@@ -316,7 +386,9 @@ var notificationEventSchema = z2.enum([
   "citation.lost",
   "citation.gained",
   "run.completed",
-  "run.failed"
+  "run.failed",
+  "insight.critical",
+  "insight.high"
 ]);
 var notificationDtoSchema = z2.object({
   id: z2.string(),
@@ -327,6 +399,8 @@ var notificationDtoSchema = z2.object({
   urlHost: z2.string(),
   events: z2.array(notificationEventSchema),
   enabled: z2.boolean().default(true),
+  /** Opaque tag identifying the creator (e.g. `"agent"` for Aero webhooks). */
+  source: z2.string().optional(),
   webhookSecret: z2.string().optional(),
   createdAt: z2.string(),
   updatedAt: z2.string()
@@ -1454,7 +1528,39 @@ async function projectRoutes(app, opts) {
       });
     }
     if (existing) {
-      app.db.update(projects).set({
+      app.db.transaction((tx) => {
+        tx.update(projects).set({
+          displayName: body.displayName,
+          canonicalDomain: body.canonicalDomain,
+          ownedDomains: JSON.stringify(body.ownedDomains ?? []),
+          country: body.country,
+          language: body.language,
+          tags: JSON.stringify(body.tags ?? []),
+          labels: JSON.stringify(body.labels ?? {}),
+          providers: JSON.stringify(body.providers ?? []),
+          locations: JSON.stringify(nextLocations),
+          defaultLocation: nextDefaultLocation,
+          configSource: body.configSource ?? "api",
+          configRevision: existing.configRevision + 1,
+          updatedAt: now
+        }).where(eq3(projects.id, existing.id)).run();
+        writeAuditLog(tx, {
+          projectId: existing.id,
+          actor: "api",
+          action: "project.updated",
+          entityType: "project",
+          entityId: existing.id
+        });
+      });
+      opts.onProjectUpserted?.(existing.id, name);
+      const updated = app.db.select().from(projects).where(eq3(projects.id, existing.id)).get();
+      return reply.status(200).send(formatProject(updated));
+    }
+    const id = crypto4.randomUUID();
+    app.db.transaction((tx) => {
+      tx.insert(projects).values({
+        id,
+        name,
         displayName: body.displayName,
         canonicalDomain: body.canonicalDomain,
         ownedDomains: JSON.stringify(body.ownedDomains ?? []),
@@ -1466,45 +1572,19 @@ async function projectRoutes(app, opts) {
         locations: JSON.stringify(nextLocations),
         defaultLocation: nextDefaultLocation,
         configSource: body.configSource ?? "api",
-        configRevision: existing.configRevision + 1,
+        configRevision: 1,
+        createdAt: now,
         updatedAt: now
-      }).where(eq3(projects.id, existing.id)).run();
-      writeAuditLog(app.db, {
-        projectId: existing.id,
+      }).run();
+      writeAuditLog(tx, {
+        projectId: id,
         actor: "api",
-        action: "project.updated",
+        action: "project.created",
         entityType: "project",
-        entityId: existing.id
+        entityId: id
       });
-      const updated = app.db.select().from(projects).where(eq3(projects.id, existing.id)).get();
-      return reply.status(200).send(formatProject(updated));
-    }
-    const id = crypto4.randomUUID();
-    app.db.insert(projects).values({
-      id,
-      name,
-      displayName: body.displayName,
-      canonicalDomain: body.canonicalDomain,
-      ownedDomains: JSON.stringify(body.ownedDomains ?? []),
-      country: body.country,
-      language: body.language,
-      tags: JSON.stringify(body.tags ?? []),
-      labels: JSON.stringify(body.labels ?? {}),
-      providers: JSON.stringify(body.providers ?? []),
-      locations: JSON.stringify(nextLocations),
-      defaultLocation: nextDefaultLocation,
-      configSource: body.configSource ?? "api",
-      configRevision: 1,
-      createdAt: now,
-      updatedAt: now
-    }).run();
-    writeAuditLog(app.db, {
-      projectId: id,
-      actor: "api",
-      action: "project.created",
-      entityType: "project",
-      entityId: id
     });
+    opts.onProjectUpserted?.(id, name);
     const created = app.db.select().from(projects).where(eq3(projects.id, id)).get();
     return reply.status(201).send(formatProject(created));
   });
@@ -2299,7 +2379,7 @@ async function deliverWebhook(target, payload, webhookSecret) {
   const body = JSON.stringify(payload);
   const isHttps = target.url.protocol === "https:";
   const port = target.url.port ? Number(target.url.port) : isHttps ? 443 : 80;
-  const path7 = `${target.url.pathname}${target.url.search}`;
+  const path9 = `${target.url.pathname}${target.url.search}`;
   const headers = {
     "Content-Length": String(Buffer.byteLength(body)),
     "Content-Type": "application/json",
@@ -2315,7 +2395,7 @@ async function deliverWebhook(target, payload, webhookSecret) {
       headers,
       hostname: target.address,
       method: "POST",
-      path: path7,
+      path: path9,
       port,
       timeout: REQUEST_TIMEOUT_MS
     };
@@ -2623,6 +2703,9 @@ async function applyRoutes(app, opts) {
     if (scheduleAction) {
       opts?.onScheduleUpdated?.(scheduleAction, projectId);
     }
+    if (!hasNotifications) {
+      opts?.onProjectUpserted?.(projectId, config.metadata.name);
+    }
     if ("google" in rawSpec && config.spec.google?.gsc?.propertyUrl) {
       opts?.onGoogleConnectionPropertyUpdated?.(config.spec.canonicalDomain, "gsc", config.spec.google.gsc.propertyUrl);
     }
@@ -5533,8 +5616,8 @@ async function openApiRoutes(app, opts = {}) {
     return reply.type("application/json").send(buildOpenApiDocument(opts));
   });
 }
-function buildOperationId(method, path7) {
-  const parts = path7.split("/").filter(Boolean).map((part) => {
+function buildOperationId(method, path9) {
+  const parts = path9.split("/").filter(Boolean).map((part) => {
     if (part.startsWith("{") && part.endsWith("}")) {
       return `by-${part.slice(1, -1)}`;
     }
@@ -5852,14 +5935,14 @@ function formatSchedule(row) {
 // ../api-routes/src/notifications.ts
 import crypto12 from "crypto";
 import { eq as eq13 } from "drizzle-orm";
-var VALID_EVENTS = ["citation.lost", "citation.gained", "run.completed", "run.failed"];
+var VALID_EVENTS = ["citation.lost", "citation.gained", "run.completed", "run.failed", "insight.critical", "insight.high"];
 async function notificationRoutes(app) {
   app.get("/notifications/events", async (_request, reply) => {
     return reply.send(VALID_EVENTS);
   });
   app.post("/projects/:name/notifications", async (request, reply) => {
     const project = resolveProject(app.db, request.params.name);
-    const { channel, url, events } = request.body ?? {};
+    const { channel, url, events, source } = request.body ?? {};
     if (channel !== "webhook") throw validationError('Only "webhook" channel is supported');
     const urlCheck = await resolveWebhookTarget(url ?? "");
     if (!urlCheck.ok) throw validationError(urlCheck.message);
@@ -5875,7 +5958,7 @@ async function notificationRoutes(app) {
       id,
       projectId: project.id,
       channel: "webhook",
-      config: JSON.stringify({ url, events }),
+      config: JSON.stringify({ url, events, ...source ? { source } : {} }),
       webhookSecret,
       enabled: 1,
       createdAt: now,
@@ -5962,6 +6045,7 @@ function formatNotification(row) {
     urlHost: redacted.urlHost,
     events: config.events,
     enabled: row.enabled === 1,
+    ...config.source ? { source: config.source } : {},
     createdAt: row.createdAt,
     updatedAt: row.updatedAt
   };
@@ -5987,9 +6071,11 @@ var GSC_MAX_PAGES = 40;
 
 // ../integration-google/src/types.ts
 var GoogleAuthError = class extends Error {
-  constructor(message) {
+  statusCode;
+  constructor(message, statusCode) {
     super(message);
     this.name = "GoogleAuthError";
+    this.statusCode = statusCode;
   }
 };
 var GoogleApiError = class extends Error {
@@ -6080,13 +6166,19 @@ async function exchangeCode(clientId, clientSecret, code, redirectUri) {
     }),
     signal: AbortSignal.timeout(GOOGLE_REQUEST_TIMEOUT_MS)
   });
+  if (res.status === 429) {
+    throw new GoogleAuthError("Google OAuth rate limit exceeded", 429);
+  }
   if (!res.ok) {
     const body = await res.text();
     let detail = "";
     try {
       const parsed = JSON.parse(body);
       if (parsed.error) detail = parsed.error;
-      if (parsed.error_description) detail += detail ? `: ${parsed.error_description}` : parsed.error_description;
+      if (parsed.error_description) {
+        const sanitized = parsed.error_description.replace(new RegExp(escapeRegExp2(clientId), "g"), "***").replace(new RegExp(escapeRegExp2(clientSecret), "g"), "***").replace(new RegExp(escapeRegExp2(code), "g"), "***");
+        detail += detail ? `: ${sanitized}` : sanitized;
+      }
     } catch {
       detail = body.length <= 120 ? body : `${body.slice(0, 120)}...`;
     }
@@ -6094,6 +6186,9 @@ async function exchangeCode(clientId, clientSecret, code, redirectUri) {
   }
   return await res.json();
 }
+function escapeRegExp2(str) {
+  return str.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
+}
 async function refreshAccessToken(clientId, clientSecret, currentRefreshToken) {
   validateClientId(clientId);
   validateClientSecret(clientSecret);
@@ -6109,13 +6204,19 @@ async function refreshAccessToken(clientId, clientSecret, currentRefreshToken) {
     }),
     signal: AbortSignal.timeout(GOOGLE_REQUEST_TIMEOUT_MS)
   });
+  if (res.status === 429) {
+    throw new GoogleAuthError("Google OAuth rate limit exceeded", 429);
+  }
   if (!res.ok) {
     const body = await res.text();
     let detail = "";
     try {
       const parsed = JSON.parse(body);
       if (parsed.error) detail = parsed.error;
-      if (parsed.error_description) detail += detail ? `: ${parsed.error_description}` : parsed.error_description;
+      if (parsed.error_description) {
+        const sanitized = parsed.error_description.replace(new RegExp(escapeRegExp2(clientId), "g"), "***").replace(new RegExp(escapeRegExp2(clientSecret), "g"), "***").replace(new RegExp(escapeRegExp2(currentRefreshToken), "g"), "***");
+        detail += detail ? `: ${sanitized}` : sanitized;
+      }
     } catch {
       detail = body.length <= 120 ? body : `${body.slice(0, 120)}...`;
     }
@@ -6187,6 +6288,20 @@ function gscClientLog(level, action, ctx) {
     ...ctx
   };
   if (entry.accessToken) entry.accessToken = "***";
+  if (typeof entry.siteUrl === "string") {
+    try {
+      const url = new URL(entry.siteUrl);
+      if (url.search) {
+        url.searchParams.forEach((_, key) => {
+          if (key.toLowerCase().includes("token") || key.toLowerCase().includes("key") || key.toLowerCase().includes("auth")) {
+            url.searchParams.set(key, "***");
+          }
+        });
+        entry.siteUrl = url.toString();
+      }
+    } catch {
+    }
+  }
   const stream = level === "error" ? process.stderr : process.stdout;
   stream.write(JSON.stringify(entry) + "\n");
 }
@@ -6413,11 +6528,15 @@ async function getAccessToken(clientEmail, privateKey) {
     const body = await res.text().catch(() => "");
     ga4Log("error", "token.failed", { httpStatus: res.status });
     const detail = body.length <= 200 ? body : `${body.slice(0, 200)}... [truncated]`;
-    throw new GA4ApiError(`Failed to get access token: ${detail}`, res.status);
+    const sanitizedDetail = detail.replace(new RegExp(escapeRegExp3(clientEmail), "g"), "***").replace(new RegExp(escapeRegExp3(privateKey.slice(0, 32)), "g"), "***");
+    throw new GA4ApiError(`Failed to get access token: ${sanitizedDetail}`, res.status);
   }
   const data = await res.json();
   return data.access_token;
 }
+function escapeRegExp3(str) {
+  return str.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
+}
 async function runReport(accessToken, propertyId, request) {
   const url = `${GA4_DATA_API_BASE}/properties/${propertyId}:runReport`;
   const res = await fetch(url, {
@@ -6535,6 +6654,7 @@ async function fetchTrafficByLandingPage(accessToken, propertyId, days) {
       offset
     };
     const response = await runReport(accessToken, propertyId, request);
+    if (!response) break;
     const pageRows = (response.rows ?? []).map((row) => ({
       date: row.dimensionValues[0].value,
       landingPage: row.dimensionValues[1].value,
@@ -6567,6 +6687,7 @@ async function fetchTrafficByLandingPage(accessToken, propertyId, days) {
       offset: organicOffset
     };
     const organicResponse = await runReport(accessToken, propertyId, organicRequest);
+    if (!organicResponse) break;
     for (const row of organicResponse.rows ?? []) {
       const key = `${row.dimensionValues[0].value}::${row.dimensionValues[1].value}`;
       organicMap.set(key, parseInt(row.metricValues[0].value, 10) || 0);
@@ -6694,6 +6815,7 @@ async function fetchAiReferrals(accessToken, propertyId, days) {
         offset
       };
       const response = await runReport(accessToken, propertyId, request);
+      if (!response) break;
       const pageRows = (response.rows ?? []).map((row) => ({
         date: row.dimensionValues[0].value,
         source: row.dimensionValues[1].value,
@@ -6770,6 +6892,7 @@ async function fetchSocialReferrals(accessToken, propertyId, days) {
       offset
     };
     const response = await runReport(accessToken, propertyId, request);
+    if (!response) break;
     const pageRows = (response.rows ?? []).map((row) => ({
       date: row.dimensionValues[0].value,
       source: row.dimensionValues[1].value,
@@ -7579,6 +7702,9 @@ function bingClientLog(level, action, ctx) {
   const stream = level === "error" ? process.stderr : process.stdout;
   stream.write(JSON.stringify(entry) + "\n");
 }
+function escapeRegExp4(str) {
+  return str.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
+}
 async function bingFetch(apiKey, endpoint, opts) {
   const method = opts?.method ?? "GET";
   const separator = endpoint.includes("?") ? "&" : "?";
@@ -7603,7 +7729,8 @@ async function bingFetch(apiKey, endpoint, opts) {
   if (!res.ok) {
     const body = await res.text();
     bingClientLog("error", "http.error", { endpoint, method, httpStatus: res.status });
-    const detail = body.length <= 500 ? body : `${body.slice(0, 500)}... [truncated]`;
+    let detail = body.length <= 500 ? body : `${body.slice(0, 500)}... [truncated]`;
+    detail = detail.replace(new RegExp(escapeRegExp4(apiKey), "g"), "***");
     throw new BingApiError(`Bing API error (${res.status}): ${detail}`, res.status);
   }
   const text = await res.text();
@@ -8025,12 +8152,12 @@ async function bingRoutes(app, opts) {
       }
       const unindexedUrls = [];
       for (const [url, row] of latestByUrl) {
-        if (row.inIndex === 0) {
+        if (row.inIndex === 0 || row.inIndex === null) {
           unindexedUrls.push(url);
         }
       }
       if (unindexedUrls.length === 0) {
-        const err = validationError('No explicitly unindexed URLs found. Run "canonry bing inspect <project> <url>" first.');
+        const err = validationError('No unindexed or unknown URLs found. Run "canonry bing inspect <project> <url>" first.');
         return reply.status(err.statusCode).send(err.toJSON());
       }
       urlsToSubmit = unindexedUrls;
@@ -8099,7 +8226,7 @@ async function bingRoutes(app, opts) {
       query: s.Query,
       impressions: s.Impressions,
       clicks: s.Clicks,
-      ctr: Number.isFinite(s.Ctr) ? s.Ctr : 0,
+      ctr: s.Impressions > 0 ? s.Clicks / s.Impressions : 0,
       averagePosition: s.AverageClickPosition ?? s.AverageImpressionPosition ?? 0
     }));
   });
@@ -9136,8 +9263,10 @@ function buildAuthErrorMessage(res, responseText) {
   }
   return "WordPress credentials are invalid or lack permission for this action";
 }
-async function fetchJson(connection, siteUrl, path7, init) {
-  const res = await fetch(`${normalizeSiteUrl(siteUrl)}${path7}`, {
+async function fetchJson(connection, siteUrl, path9, init) {
+  if (siteUrl.startsWith("http:")) {
+  }
+  const res = await fetch(`${normalizeSiteUrl(siteUrl)}${path9}`, {
     ...init,
     headers: {
       "Authorization": `Basic ${encodeBasicAuth(connection.username, connection.appPassword)}`,
@@ -9151,6 +9280,9 @@ async function fetchJson(connection, siteUrl, path7, init) {
     const errorMessage = buildAuthErrorMessage(res, text);
     throw new WordpressApiError("AUTH_INVALID", errorMessage, res.status);
   }
+  if (res.status === 429) {
+    throw new WordpressApiError("UPSTREAM_ERROR", "WordPress API rate limit exceeded", 429);
+  }
   if (res.status === 404) {
     throw new WordpressApiError("NOT_FOUND", "WordPress endpoint not found", 404);
   }
@@ -9649,12 +9781,12 @@ var CANONRY_SCHEMA_START = "<!-- canonry:schema:start -->";
 var CANONRY_SCHEMA_END = "<!-- canonry:schema:end -->";
 function stripCanonrySchema(content) {
   const regex = new RegExp(
-    `${escapeRegExp2(CANONRY_SCHEMA_START)}[\\s\\S]*?${escapeRegExp2(CANONRY_SCHEMA_END)}`,
+    `${escapeRegExp5(CANONRY_SCHEMA_START)}[\\s\\S]*?${escapeRegExp5(CANONRY_SCHEMA_END)}`,
     "g"
   );
   return content.replace(regex, "").replace(/\n{3,}/g, "\n\n").trim();
 }
-function escapeRegExp2(str) {
+function escapeRegExp5(str) {
   return str.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
 }
 function injectCanonrySchema(content, schemas) {
@@ -9761,7 +9893,7 @@ async function getSchemaStatus(connection, env) {
     const thirdPartySchemas = [];
     if (hasCanonryMarker) {
       const markerRegex = new RegExp(
-        `${escapeRegExp2(CANONRY_SCHEMA_START)}([\\s\\S]*?)${escapeRegExp2(CANONRY_SCHEMA_END)}`
+        `${escapeRegExp5(CANONRY_SCHEMA_START)}([\\s\\S]*?)${escapeRegExp5(CANONRY_SCHEMA_END)}`
       );
       const match = markerRegex.exec(rawContent);
       if (match?.[1]) {
@@ -10650,6 +10782,7 @@ async function apiRoutes(app, opts) {
     await api.register(openApiRoutes, { ...opts.openApiInfo, routePrefix: opts.routePrefix });
     await api.register(projectRoutes, {
       onProjectDeleted: opts.onProjectDeleted,
+      onProjectUpserted: opts.onProjectUpserted,
       validProviderNames: opts.providerAdapters?.map((a) => a.name)
     });
     await api.register(keywordRoutes, {
@@ -10663,6 +10796,7 @@ async function apiRoutes(app, opts) {
     });
     await api.register(applyRoutes, {
       onScheduleUpdated: opts.onScheduleUpdated,
+      onProjectUpserted: opts.onProjectUpserted,
       validProviderNames: opts.providerAdapters?.map((a) => a.name),
       onGoogleConnectionPropertyUpdated: (domain, connectionType, propertyId) => {
         opts.googleConnectionStore?.updateConnection(domain, connectionType, {
@@ -10725,6 +10859,39 @@ async function apiRoutes(app, opts) {
   }, { prefix: opts.routePrefix ?? "/api/v1" });
 }
 
+// src/agent-webhook.ts
+import crypto18 from "crypto";
+import { eq as eq18 } from "drizzle-orm";
+var AGENT_WEBHOOK_EVENTS = ["run.completed", "insight.critical", "insight.high", "citation.gained"];
+function buildAgentWebhookUrl(gatewayPort) {
+  return `http://localhost:${gatewayPort}/hooks/canonry`;
+}
+function attachAgentWebhookDirect(db, projectId, gatewayPort) {
+  const agentUrl = buildAgentWebhookUrl(gatewayPort);
+  const existing = db.select().from(notifications).where(eq18(notifications.projectId, projectId)).all();
+  const hasAgent = existing.some((n) => {
+    const cfg = parseJsonColumn(n.config, {});
+    return cfg.source === "agent";
+  });
+  if (hasAgent) return "already-attached";
+  const now = (/* @__PURE__ */ new Date()).toISOString();
+  db.insert(notifications).values({
+    id: crypto18.randomUUID(),
+    projectId,
+    channel: "webhook",
+    config: JSON.stringify({
+      url: agentUrl,
+      events: [...AGENT_WEBHOOK_EVENTS],
+      source: "agent"
+    }),
+    enabled: 1,
+    webhookSecret: crypto18.randomUUID(),
+    createdAt: now,
+    updatedAt: now
+  }).run();
+  return "attached";
+}
+
 // ../provider-gemini/src/normalize.ts
 import { GoogleGenAI } from "@google/genai";
 
@@ -10736,6 +10903,12 @@ function isRetryableError(err) {
       return status >= 500 || status === 429;
     }
   }
+  if (err instanceof Error) {
+    const msg = err.message.toLowerCase();
+    if (msg.includes("fetch failed") || msg.includes("econnreset") || msg.includes("etimedout") || msg.includes("enotfound") || msg.includes("econnrefused") || msg.includes("network error")) {
+      return true;
+    }
+  }
   return true;
 }
 async function withRetry(fn, options = {}) {
@@ -10955,7 +11128,10 @@ function extractCitedDomainsFromSources(groundingSources) {
     }
     if (source.title) {
       const titleDomain = extractDomainFromTitle(source.title);
-      if (titleDomain) domains.add(titleDomain);
+      if (titleDomain) {
+        domains.add(titleDomain);
+        continue;
+      }
     }
   }
   return [...domains];
@@ -10970,7 +11146,10 @@ function extractDomainFromTitle(title) {
 function extractDomainFromUri(uri) {
   try {
     const url = new URL(uri);
-    const hostname = url.hostname.replace(/^www\./, "");
+    const hostname = url.hostname.replace(/^www\./, "").toLowerCase();
+    if (hostname.includes("chatgpt.com") || hostname.includes("openai.com")) {
+      return null;
+    }
     if (hostname === "vertexaisearch.cloud.google.com") {
       const redirectPath = url.pathname.replace(/^\/grounding-api-redirect\//, "");
       if (redirectPath && redirectPath !== url.pathname) {
@@ -11120,6 +11299,12 @@ function isRetryableError2(err) {
       return status >= 500 || status === 429;
     }
   }
+  if (err instanceof Error) {
+    const msg = err.message.toLowerCase();
+    if (msg.includes("fetch failed") || msg.includes("econnreset") || msg.includes("etimedout") || msg.includes("enotfound") || msg.includes("econnrefused") || msg.includes("network error")) {
+      return true;
+    }
+  }
   return true;
 }
 async function withRetry2(fn, options = {}) {
@@ -11346,7 +11531,11 @@ function extractCitedDomainsFromSources2(groundingSources) {
 function extractDomainFromUri2(uri) {
   try {
     const url = new URL(uri);
-    return url.hostname.replace(/^www\./, "").toLowerCase();
+    const hostname = url.hostname.replace(/^www\./, "").toLowerCase();
+    if (hostname.includes("chatgpt.com") || hostname.includes("openai.com")) {
+      return null;
+    }
+    return hostname;
   } catch {
     return null;
   }
@@ -11464,6 +11653,12 @@ function isRetryableError3(err) {
       return status >= 500 || status === 429;
     }
   }
+  if (err instanceof Error) {
+    const msg = err.message.toLowerCase();
+    if (msg.includes("fetch failed") || msg.includes("econnreset") || msg.includes("etimedout") || msg.includes("enotfound") || msg.includes("econnrefused") || msg.includes("network error")) {
+      return true;
+    }
+  }
   return true;
 }
 async function withRetry3(fn, options = {}) {
@@ -11715,7 +11910,11 @@ function extractCitedDomainsFromSources3(groundingSources) {
 function extractDomainFromUri3(uri) {
   try {
     const url = new URL(uri);
-    return url.hostname.replace(/^www\./, "").toLowerCase();
+    const hostname = url.hostname.replace(/^www\./, "").toLowerCase();
+    if (hostname.includes("chatgpt.com") || hostname.includes("openai.com")) {
+      return null;
+    }
+    return hostname;
   } catch {
     return null;
   }
@@ -11831,6 +12030,12 @@ function isRetryableError4(err) {
       return status >= 500 || status === 429;
     }
   }
+  if (err instanceof Error) {
+    const msg = err.message.toLowerCase();
+    if (msg.includes("fetch failed") || msg.includes("econnreset") || msg.includes("etimedout") || msg.includes("enotfound") || msg.includes("econnrefused") || msg.includes("network error")) {
+      return true;
+    }
+  }
   return true;
 }
 async function withRetry4(fn, options = {}) {
@@ -11935,11 +12140,15 @@ async function executeTrackedQuery4(input) {
 function normalizeResult4(raw) {
   const answerText = extractAnswerText2(raw.rawResponse);
   const citedDomains = extractDomainMentions(answerText);
+  const groundingSources = citedDomains.map((domain) => ({
+    uri: `http://${domain}`,
+    title: domain
+  }));
   return {
     provider: "local",
     answerText,
     citedDomains,
-    groundingSources: raw.groundingSources,
+    groundingSources,
     searchQueries: raw.searchQueries
   };
 }
@@ -12645,6 +12854,12 @@ function isRetryableError5(err) {
       return status >= 500 || status === 429;
     }
   }
+  if (err instanceof Error) {
+    const msg = err.message.toLowerCase();
+    if (msg.includes("fetch failed") || msg.includes("econnreset") || msg.includes("etimedout") || msg.includes("enotfound") || msg.includes("econnrefused") || msg.includes("network error")) {
+      return true;
+    }
+  }
   return true;
 }
 async function withRetry5(fn, options = {}) {
@@ -12862,7 +13077,11 @@ function extractCitedDomains2(groundingSources) {
 function extractDomainFromUri4(uri) {
   try {
     const url = new URL(uri);
-    return url.hostname.replace(/^www\./, "").toLowerCase();
+    const hostname = url.hostname.replace(/^www\./, "").toLowerCase();
+    if (hostname.includes("chatgpt.com") || hostname.includes("openai.com")) {
+      return null;
+    }
+    return hostname;
   } catch {
     return null;
   }
@@ -13124,11 +13343,11 @@ function removeWordpressConnection(config, projectName) {
 }
 
 // src/job-runner.ts
-import crypto18 from "crypto";
+import crypto19 from "crypto";
 import fs4 from "fs";
 import path5 from "path";
 import os4 from "os";
-import { and as and7, eq as eq18, inArray as inArray3, sql as sql4 } from "drizzle-orm";
+import { and as and7, eq as eq19, inArray as inArray3, sql as sql4 } from "drizzle-orm";
 
 // src/citation-utils.ts
 function domainMatches(domain, canonicalDomain) {
@@ -13364,7 +13583,7 @@ var JobRunner = class {
     if (stale.length === 0) return;
     const now = (/* @__PURE__ */ new Date()).toISOString();
     for (const run of stale) {
-      this.db.update(runs).set({ status: "failed", finishedAt: now, error: "Server restarted while run was in progress" }).where(eq18(runs.id, run.id)).run();
+      this.db.update(runs).set({ status: "failed", finishedAt: now, error: "Server restarted while run was in progress" }).where(eq19(runs.id, run.id)).run();
       log.warn("run.recovered-stale", { runId: run.id, previousStatus: run.status });
     }
   }
@@ -13392,10 +13611,10 @@ var JobRunner = class {
         throw new Error(`Run ${runId} is not executable from status '${existingRun.status}'`);
       }
       if (existingRun.status === "queued") {
-        this.db.update(runs).set({ status: "running", startedAt: now }).where(and7(eq18(runs.id, runId), eq18(runs.status, "queued"))).run();
+        this.db.update(runs).set({ status: "running", startedAt: now }).where(and7(eq19(runs.id, runId), eq19(runs.status, "queued"))).run();
       }
       this.throwIfRunCancelled(runId);
-      const project = this.db.select().from(projects).where(eq18(projects.id, projectId)).get();
+      const project = this.db.select().from(projects).where(eq19(projects.id, projectId)).get();
       if (!project) {
         throw new Error(`Project ${projectId} not found`);
       }
@@ -13415,8 +13634,8 @@ var JobRunner = class {
         throw new Error("No providers configured. Add at least one provider API key.");
       }
       log.info("run.dispatch", { runId, providerCount: activeProviders.length, providers: activeProviders.map((p) => p.adapter.name) });
-      projectKeywords = this.db.select().from(keywords).where(eq18(keywords.projectId, projectId)).all();
-      const projectCompetitors = this.db.select().from(competitors).where(eq18(competitors.projectId, projectId)).all();
+      projectKeywords = this.db.select().from(keywords).where(eq19(keywords.projectId, projectId)).all();
+      const projectCompetitors = this.db.select().from(competitors).where(eq19(competitors.projectId, projectId)).all();
       const competitorDomains = projectCompetitors.map((c) => c.domain);
       const allDomains = effectiveDomains({
         canonicalDomain: project.canonicalDomain,
@@ -13432,7 +13651,7 @@ var JobRunner = class {
       const todayPeriod = getCurrentUsageDay();
       for (const p of activeProviders) {
         const providerScope = `${projectId}:${p.adapter.name}`;
-        const providerUsage = this.db.select().from(usageCounters).where(eq18(usageCounters.scope, providerScope)).all().filter((r) => r.period === todayPeriod && r.metric === "queries").reduce((sum, r) => sum + r.count, 0);
+        const providerUsage = this.db.select().from(usageCounters).where(eq19(usageCounters.scope, providerScope)).all().filter((r) => r.period === todayPeriod && r.metric === "queries").reduce((sum, r) => sum + r.count, 0);
         const limit = p.config.quotaPolicy.maxRequestsPerDay;
         if (providerUsage + queriesPerProvider > limit) {
           throw new Error(
@@ -13488,11 +13707,11 @@ var JobRunner = class {
               normalized.answerText,
               allDomains,
               normalized.citedDomains,
-              overlap
+              competitorDomains
             );
             let screenshotRelPath = null;
             if (raw.screenshotPath && fs4.existsSync(raw.screenshotPath)) {
-              const snapshotId = crypto18.randomUUID();
+              const snapshotId = crypto19.randomUUID();
               const screenshotDir = path5.join(os4.homedir(), ".canonry", "screenshots", runId);
               if (!fs4.existsSync(screenshotDir)) fs4.mkdirSync(screenshotDir, { recursive: true });
               const destPath = path5.join(screenshotDir, `${snapshotId}.png`);
@@ -13522,7 +13741,7 @@ var JobRunner = class {
               }).run();
             } else {
               this.db.insert(querySnapshots).values({
-                id: crypto18.randomUUID(),
+                id: crypto19.randomUUID(),
                 runId,
                 keywordId: kw.id,
                 provider: providerName,
@@ -13573,12 +13792,12 @@ var JobRunner = class {
       const someFailed = providerErrors.size > 0;
       if (allFailed) {
         const errorDetail = JSON.stringify(Object.fromEntries(providerErrors));
-        this.db.update(runs).set({ status: "failed", finishedAt: (/* @__PURE__ */ new Date()).toISOString(), error: errorDetail }).where(eq18(runs.id, runId)).run();
+        this.db.update(runs).set({ status: "failed", finishedAt: (/* @__PURE__ */ new Date()).toISOString(), error: errorDetail }).where(eq19(runs.id, runId)).run();
       } else if (someFailed) {
         const errorDetail = JSON.stringify(Object.fromEntries(providerErrors));
-        this.db.update(runs).set({ status: "partial", finishedAt: (/* @__PURE__ */ new Date()).toISOString(), error: errorDetail }).where(eq18(runs.id, runId)).run();
+        this.db.update(runs).set({ status: "partial", finishedAt: (/* @__PURE__ */ new Date()).toISOString(), error: errorDetail }).where(eq19(runs.id, runId)).run();
       } else {
-        this.db.update(runs).set({ status: "completed", finishedAt: (/* @__PURE__ */ new Date()).toISOString() }).where(eq18(runs.id, runId)).run();
+        this.db.update(runs).set({ status: "completed", finishedAt: (/* @__PURE__ */ new Date()).toISOString() }).where(eq19(runs.id, runId)).run();
       }
       this.flushProviderUsage(projectId, providerDispatchCounts);
       const finalStatus = allFailed ? "failed" : someFailed ? "partial" : "completed";
@@ -13613,7 +13832,7 @@ var JobRunner = class {
         status: "failed",
         finishedAt: (/* @__PURE__ */ new Date()).toISOString(),
         error: errorMessage
-      }).where(eq18(runs.id, runId)).run();
+      }).where(eq19(runs.id, runId)).run();
       this.flushProviderUsage(projectId, providerDispatchCounts);
       trackEvent("run.completed", {
         status: "failed",
@@ -13634,7 +13853,7 @@ var JobRunner = class {
     const now = (/* @__PURE__ */ new Date()).toISOString();
     const period = now.slice(0, 10);
     this.db.insert(usageCounters).values({
-      id: crypto18.randomUUID(),
+      id: crypto19.randomUUID(),
       scope,
       period,
       metric,
@@ -13656,7 +13875,7 @@ var JobRunner = class {
       status: runs.status,
       finishedAt: runs.finishedAt,
       error: runs.error
-    }).from(runs).where(eq18(runs.id, runId)).get();
+    }).from(runs).where(eq19(runs.id, runId)).get();
   }
   isRunCancelled(runId) {
     return this.getRunState(runId)?.status === "cancelled";
@@ -13672,7 +13891,7 @@ var JobRunner = class {
       this.db.update(runs).set({
         finishedAt: (/* @__PURE__ */ new Date()).toISOString(),
         error: currentRun.error ?? "Cancelled by user"
-      }).where(eq18(runs.id, runId)).run();
+      }).where(eq19(runs.id, runId)).run();
     }
     trackEvent("run.completed", {
       status: "cancelled",
@@ -13694,8 +13913,8 @@ function getCurrentUsageDay() {
 }
 
 // src/gsc-sync.ts
-import crypto19 from "crypto";
-import { eq as eq19, and as and8, sql as sql5 } from "drizzle-orm";
+import crypto20 from "crypto";
+import { eq as eq20, and as and8, sql as sql5 } from "drizzle-orm";
 var log2 = createLogger("GscSync");
 function formatDate2(d) {
   return d.toISOString().split("T")[0];
@@ -13707,13 +13926,13 @@ function daysAgo(n) {
 }
 async function executeGscSync(db, runId, projectId, opts) {
   const now = (/* @__PURE__ */ new Date()).toISOString();
-  db.update(runs).set({ status: "running", startedAt: now }).where(eq19(runs.id, runId)).run();
+  db.update(runs).set({ status: "running", startedAt: now }).where(eq20(runs.id, runId)).run();
   try {
     const { clientId: googleClientId, clientSecret: googleClientSecret } = getGoogleAuthConfig(opts.config);
     if (!googleClientId || !googleClientSecret) {
       throw new Error("Google OAuth is not configured in the local Canonry config");
     }
-    const project = db.select().from(projects).where(eq19(projects.id, projectId)).get();
+    const project = db.select().from(projects).where(eq20(projects.id, projectId)).get();
     if (!project) {
       throw new Error(`Project not found: ${projectId}`);
     }
@@ -13748,7 +13967,7 @@ async function executeGscSync(db, runId, projectId, opts) {
     log2.info("fetch.complete", { runId, projectId, rowCount: rows.length });
     db.delete(gscSearchData).where(
       and8(
-        eq19(gscSearchData.projectId, projectId),
+        eq20(gscSearchData.projectId, projectId),
         sql5`${gscSearchData.date} >= ${startDate}`,
         sql5`${gscSearchData.date} <= ${endDate}`
       )
@@ -13760,7 +13979,7 @@ async function executeGscSync(db, runId, projectId, opts) {
       for (const row of batch) {
         const [query, page, country, device, date] = row.keys;
         db.insert(gscSearchData).values({
-          id: crypto19.randomUUID(),
+          id: crypto20.randomUUID(),
           projectId,
           syncRunId: runId,
           date: date ?? "",
@@ -13794,7 +14013,7 @@ async function executeGscSync(db, runId, projectId, opts) {
         const rich = ir.richResultsResult;
         const inspectedAt = (/* @__PURE__ */ new Date()).toISOString();
         db.insert(gscUrlInspections).values({
-          id: crypto19.randomUUID(),
+          id: crypto20.randomUUID(),
           projectId,
           syncRunId: runId,
           url: pageUrl,
@@ -13815,7 +14034,7 @@ async function executeGscSync(db, runId, projectId, opts) {
         log2.error("inspect.url-failed", { runId, projectId, url: pageUrl, error: err instanceof Error ? err.message : String(err) });
       }
     }
-    const allInspections = db.select().from(gscUrlInspections).where(eq19(gscUrlInspections.projectId, projectId)).all();
+    const allInspections = db.select().from(gscUrlInspections).where(eq20(gscUrlInspections.projectId, projectId)).all();
     const latestByUrl = /* @__PURE__ */ new Map();
     for (const row of allInspections) {
       const existing = latestByUrl.get(row.url);
@@ -13836,9 +14055,9 @@ async function executeGscSync(db, runId, projectId, opts) {
       }
     }
     const snapshotDate = formatDate2(/* @__PURE__ */ new Date());
-    db.delete(gscCoverageSnapshots).where(and8(eq19(gscCoverageSnapshots.projectId, projectId), eq19(gscCoverageSnapshots.date, snapshotDate))).run();
+    db.delete(gscCoverageSnapshots).where(and8(eq20(gscCoverageSnapshots.projectId, projectId), eq20(gscCoverageSnapshots.date, snapshotDate))).run();
     db.insert(gscCoverageSnapshots).values({
-      id: crypto19.randomUUID(),
+      id: crypto20.randomUUID(),
       projectId,
       syncRunId: runId,
       date: snapshotDate,
@@ -13847,19 +14066,19 @@ async function executeGscSync(db, runId, projectId, opts) {
       reasonBreakdown: JSON.stringify(reasonCounts),
       createdAt: (/* @__PURE__ */ new Date()).toISOString()
     }).run();
-    db.update(runs).set({ status: "completed", finishedAt: (/* @__PURE__ */ new Date()).toISOString() }).where(eq19(runs.id, runId)).run();
+    db.update(runs).set({ status: "completed", finishedAt: (/* @__PURE__ */ new Date()).toISOString() }).where(eq20(runs.id, runId)).run();
     log2.info("sync.completed", { runId, projectId, searchDataRows: rows.length, urlInspections: topPages.length, indexed: snapIndexed, notIndexed: snapNotIndexed });
   } catch (err) {
     const errorMsg = err instanceof Error ? err.message : String(err);
-    db.update(runs).set({ status: "failed", error: errorMsg, finishedAt: (/* @__PURE__ */ new Date()).toISOString() }).where(eq19(runs.id, runId)).run();
+    db.update(runs).set({ status: "failed", error: errorMsg, finishedAt: (/* @__PURE__ */ new Date()).toISOString() }).where(eq20(runs.id, runId)).run();
     log2.error("sync.failed", { runId, projectId, error: errorMsg });
     throw err;
   }
 }
 
 // src/gsc-inspect-sitemap.ts
-import crypto20 from "crypto";
-import { eq as eq20, and as and9 } from "drizzle-orm";
+import crypto21 from "crypto";
+import { eq as eq21, and as and9 } from "drizzle-orm";
 
 // src/sitemap-parser.ts
 var LOC_REGEX = /<loc>\s*([^<]+?)\s*<\/loc>/gi;
@@ -13928,13 +14147,13 @@ async function parseSitemapRecursive(url, urls, depth) {
 var log3 = createLogger("InspectSitemap");
 async function executeInspectSitemap(db, runId, projectId, opts) {
   const now = (/* @__PURE__ */ new Date()).toISOString();
-  db.update(runs).set({ status: "running", startedAt: now }).where(eq20(runs.id, runId)).run();
+  db.update(runs).set({ status: "running", startedAt: now }).where(eq21(runs.id, runId)).run();
   try {
     const { clientId: googleClientId, clientSecret: googleClientSecret } = getGoogleAuthConfig(opts.config);
     if (!googleClientId || !googleClientSecret) {
       throw new Error("Google OAuth is not configured in the local Canonry config");
     }
-    const project = db.select().from(projects).where(eq20(projects.id, projectId)).get();
+    const project = db.select().from(projects).where(eq21(projects.id, projectId)).get();
     if (!project) {
       throw new Error(`Project not found: ${projectId}`);
     }
@@ -13975,7 +14194,7 @@ async function executeInspectSitemap(db, runId, projectId, opts) {
         const rich = ir.richResultsResult;
         const inspectedAt = (/* @__PURE__ */ new Date()).toISOString();
         db.insert(gscUrlInspections).values({
-          id: crypto20.randomUUID(),
+          id: crypto21.randomUUID(),
           projectId,
           syncRunId: runId,
           url: pageUrl,
@@ -14002,7 +14221,7 @@ async function executeInspectSitemap(db, runId, projectId, opts) {
         await new Promise((r) => setTimeout(r, 1e3));
       }
     }
-    const allInspections = db.select().from(gscUrlInspections).where(eq20(gscUrlInspections.projectId, projectId)).all();
+    const allInspections = db.select().from(gscUrlInspections).where(eq21(gscUrlInspections.projectId, projectId)).all();
     const latestByUrl = /* @__PURE__ */ new Map();
     for (const row of allInspections) {
       const existing = latestByUrl.get(row.url);
@@ -14023,9 +14242,9 @@ async function executeInspectSitemap(db, runId, projectId, opts) {
       }
     }
     const snapshotDate = (/* @__PURE__ */ new Date()).toISOString().split("T")[0];
-    db.delete(gscCoverageSnapshots).where(and9(eq20(gscCoverageSnapshots.projectId, projectId), eq20(gscCoverageSnapshots.date, snapshotDate))).run();
+    db.delete(gscCoverageSnapshots).where(and9(eq21(gscCoverageSnapshots.projectId, projectId), eq21(gscCoverageSnapshots.date, snapshotDate))).run();
     db.insert(gscCoverageSnapshots).values({
-      id: crypto20.randomUUID(),
+      id: crypto21.randomUUID(),
       projectId,
       syncRunId: runId,
       date: snapshotDate,
@@ -14035,11 +14254,11 @@ async function executeInspectSitemap(db, runId, projectId, opts) {
       createdAt: (/* @__PURE__ */ new Date()).toISOString()
     }).run();
     const status = errors > 0 && inspected > 0 ? "partial" : errors === urls.length ? "failed" : "completed";
-    db.update(runs).set({ status, finishedAt: (/* @__PURE__ */ new Date()).toISOString() }).where(eq20(runs.id, runId)).run();
+    db.update(runs).set({ status, finishedAt: (/* @__PURE__ */ new Date()).toISOString() }).where(eq21(runs.id, runId)).run();
     log3.info("inspect.completed", { runId, projectId, inspected, errors, total: urls.length, indexed: snapIndexed, notIndexed: snapNotIndexed });
   } catch (err) {
     const errorMsg = err instanceof Error ? err.message : String(err);
-    db.update(runs).set({ status: "failed", error: errorMsg, finishedAt: (/* @__PURE__ */ new Date()).toISOString() }).where(eq20(runs.id, runId)).run();
+    db.update(runs).set({ status: "failed", error: errorMsg, finishedAt: (/* @__PURE__ */ new Date()).toISOString() }).where(eq21(runs.id, runId)).run();
     log3.error("inspect.failed", { runId, projectId, error: errorMsg });
     throw err;
   }
@@ -14098,7 +14317,7 @@ var ProviderRegistry = class {
 
 // src/scheduler.ts
 import cron from "node-cron";
-import { eq as eq21 } from "drizzle-orm";
+import { eq as eq22 } from "drizzle-orm";
 var log4 = createLogger("Scheduler");
 var Scheduler = class {
   db;
@@ -14110,7 +14329,7 @@ var Scheduler = class {
   }
   /** Load all enabled schedules from DB and register cron jobs. */
   start() {
-    const allSchedules = this.db.select().from(schedules).where(eq21(schedules.enabled, 1)).all();
+    const allSchedules = this.db.select().from(schedules).where(eq22(schedules.enabled, 1)).all();
     for (const schedule of allSchedules) {
       const missedRunAt = schedule.nextRunAt;
       this.registerCronTask(schedule);
@@ -14135,7 +14354,7 @@ var Scheduler = class {
       this.stopTask(projectId, existing, "Stopped");
       this.tasks.delete(projectId);
     }
-    const schedule = this.db.select().from(schedules).where(eq21(schedules.projectId, projectId)).get();
+    const schedule = this.db.select().from(schedules).where(eq22(schedules.projectId, projectId)).get();
     if (schedule && schedule.enabled === 1) {
       this.registerCronTask(schedule);
     }
@@ -14168,14 +14387,14 @@ var Scheduler = class {
     this.db.update(schedules).set({
       nextRunAt: task.getNextRun()?.toISOString() ?? null,
       updatedAt: (/* @__PURE__ */ new Date()).toISOString()
-    }).where(eq21(schedules.id, scheduleId)).run();
+    }).where(eq22(schedules.id, scheduleId)).run();
     const label = schedule.preset ?? cronExpr;
     log4.info("cron.registered", { projectId, schedule: label, timezone });
   }
   triggerRun(scheduleId, projectId) {
     try {
       const now = (/* @__PURE__ */ new Date()).toISOString();
-      const currentSchedule = this.db.select().from(schedules).where(eq21(schedules.id, scheduleId)).get();
+      const currentSchedule = this.db.select().from(schedules).where(eq22(schedules.id, scheduleId)).get();
       if (!currentSchedule || currentSchedule.enabled !== 1) {
         log4.warn("schedule.stale", { scheduleId, projectId, msg: "schedule no longer exists or is disabled" });
         this.remove(projectId);
@@ -14183,7 +14402,7 @@ var Scheduler = class {
       }
       const task = this.tasks.get(projectId);
       const nextRunAt = task?.getNextRun()?.toISOString() ?? null;
-      const project = this.db.select().from(projects).where(eq21(projects.id, projectId)).get();
+      const project = this.db.select().from(projects).where(eq22(projects.id, projectId)).get();
       if (!project) {
         log4.error("project.not-found", { projectId, msg: "skipping scheduled run" });
         this.remove(projectId);
@@ -14212,7 +14431,7 @@ var Scheduler = class {
         this.db.update(schedules).set({
           nextRunAt,
           updatedAt: now
-        }).where(eq21(schedules.id, currentSchedule.id)).run();
+        }).where(eq22(schedules.id, currentSchedule.id)).run();
         return;
       }
       const runId = queueResult.runId;
@@ -14220,7 +14439,7 @@ var Scheduler = class {
         lastRunAt: now,
         nextRunAt,
         updatedAt: now
-      }).where(eq21(schedules.id, currentSchedule.id)).run();
+      }).where(eq22(schedules.id, currentSchedule.id)).run();
       const scheduleProviders = parseJsonColumn(currentSchedule.providers, []);
       const providers = scheduleProviders.length > 0 ? scheduleProviders : void 0;
       log4.info("run.triggered", { runId, projectName: project.name, providers: providers ?? "all" });
@@ -14232,8 +14451,8 @@ var Scheduler = class {
 };
 
 // src/notifier.ts
-import { eq as eq22, desc as desc8, and as and10, or as or2 } from "drizzle-orm";
-import crypto21 from "crypto";
+import { eq as eq23, desc as desc8, and as and10, or as or2 } from "drizzle-orm";
+import crypto22 from "crypto";
 var log5 = createLogger("Notifier");
 var Notifier = class {
   db;
@@ -14245,18 +14464,18 @@ var Notifier = class {
   /** Called after a run completes (success, partial, or failed). */
   async onRunCompleted(runId, projectId) {
     log5.info("run.completed", { runId, projectId });
-    const notifs = this.db.select().from(notifications).where(eq22(notifications.projectId, projectId)).all().filter((n) => n.enabled === 1);
+    const notifs = this.db.select().from(notifications).where(eq23(notifications.projectId, projectId)).all().filter((n) => n.enabled === 1);
     if (notifs.length === 0) {
       log5.info("notifications.none-enabled", { projectId });
       return;
     }
     log5.info("notifications.found", { projectId, count: notifs.length });
-    const run = this.db.select().from(runs).where(eq22(runs.id, runId)).get();
+    const run = this.db.select().from(runs).where(eq23(runs.id, runId)).get();
     if (!run) {
       log5.error("run.not-found", { runId, msg: "skipping notification dispatch" });
       return;
     }
-    const project = this.db.select().from(projects).where(eq22(projects.id, projectId)).get();
+    const project = this.db.select().from(projects).where(eq23(projects.id, projectId)).get();
     if (!project) {
       log5.error("project.not-found", { projectId, msg: "skipping notification dispatch" });
       return;
@@ -14295,11 +14514,52 @@ var Notifier = class {
       }
     }
   }
+  /** Dispatch insight webhooks for critical/high severity insights after a run. */
+  async dispatchInsightWebhooks(runId, projectId, result) {
+    const insightEvents = [];
+    const criticalInsights = result.insights.filter((i) => i.severity === "critical");
+    const highInsights = result.insights.filter((i) => i.severity === "high");
+    if (criticalInsights.length > 0) insightEvents.push("insight.critical");
+    if (highInsights.length > 0) insightEvents.push("insight.high");
+    if (insightEvents.length === 0) return;
+    const notifs = this.db.select().from(notifications).where(eq23(notifications.projectId, projectId)).all().filter((n) => n.enabled === 1);
+    if (notifs.length === 0) return;
+    const run = this.db.select().from(runs).where(eq23(runs.id, runId)).get();
+    if (!run) return;
+    const project = this.db.select().from(projects).where(eq23(projects.id, projectId)).get();
+    if (!project) return;
+    for (const notif of notifs) {
+      const config = parseJsonColumn(notif.config, { url: "", events: [] });
+      if (!config.url) continue;
+      const subscribedEvents = config.events;
+      const matchingEvents = insightEvents.filter((e) => subscribedEvents.includes(e));
+      if (matchingEvents.length === 0) continue;
+      for (const event of matchingEvents) {
+        const relevantInsights = event === "insight.critical" ? criticalInsights : highInsights;
+        const payload = {
+          source: "canonry",
+          event,
+          project: { name: project.name, canonicalDomain: project.canonicalDomain },
+          run: { id: run.id, status: run.status, finishedAt: run.finishedAt },
+          insights: relevantInsights.map((i) => ({
+            id: i.id,
+            type: i.type,
+            severity: i.severity,
+            title: i.title,
+            keyword: i.keyword,
+            provider: i.provider
+          })),
+          dashboardUrl: `${this.serverUrl}/projects/${project.name}`
+        };
+        await this.sendWebhook(config.url, payload, notif.id, projectId, notif.webhookSecret ?? null);
+      }
+    }
+  }
   computeTransitions(runId, projectId) {
     const recentRuns = this.db.select().from(runs).where(
       and10(
-        eq22(runs.projectId, projectId),
-        or2(eq22(runs.status, "completed"), eq22(runs.status, "partial"))
+        eq23(runs.projectId, projectId),
+        or2(eq23(runs.status, "completed"), eq23(runs.status, "partial"))
       )
     ).orderBy(desc8(runs.createdAt)).limit(2).all();
     if (recentRuns.length < 2) return [];
@@ -14311,12 +14571,12 @@ var Notifier = class {
       keyword: keywords.keyword,
       provider: querySnapshots.provider,
       citationState: querySnapshots.citationState
-    }).from(querySnapshots).leftJoin(keywords, eq22(querySnapshots.keywordId, keywords.id)).where(eq22(querySnapshots.runId, currentRunId)).all();
+    }).from(querySnapshots).leftJoin(keywords, eq23(querySnapshots.keywordId, keywords.id)).where(eq23(querySnapshots.runId, currentRunId)).all();
     const previousSnapshots = this.db.select({
       keywordId: querySnapshots.keywordId,
       provider: querySnapshots.provider,
       citationState: querySnapshots.citationState
-    }).from(querySnapshots).where(eq22(querySnapshots.runId, previousRunId)).all();
+    }).from(querySnapshots).where(eq23(querySnapshots.runId, previousRunId)).all();
     const prevMap = /* @__PURE__ */ new Map();
     for (const s of previousSnapshots) {
       prevMap.set(`${s.keywordId}:${s.provider}`, s.citationState);
@@ -14374,7 +14634,7 @@ var Notifier = class {
   }
   logDelivery(projectId, notificationId, event, status, error) {
     this.db.insert(auditLog).values({
-      id: crypto21.randomUUID(),
+      id: crypto22.randomUUID(),
       projectId,
       actor: "scheduler",
       action: `notification.${status}`,
@@ -14389,13 +14649,26 @@ var Notifier = class {
 // src/run-coordinator.ts
 var log6 = createLogger("RunCoordinator");
 var RunCoordinator = class {
-  constructor(notifier, intelligenceService) {
+  constructor(notifier, intelligenceService, onInsightsGenerated) {
     this.notifier = notifier;
     this.intelligenceService = intelligenceService;
+    this.onInsightsGenerated = onInsightsGenerated;
   }
   async onRunCompleted(runId, projectId) {
     try {
-      await this.intelligenceService.analyzeAndPersist(runId, projectId);
+      const result = this.intelligenceService.analyzeAndPersist(runId, projectId);
+      if (result && this.onInsightsGenerated) {
+        const hasHighSeverity = result.insights.some(
+          (i) => i.severity === "critical" || i.severity === "high"
+        );
+        if (hasHighSeverity) {
+          try {
+            await this.onInsightsGenerated(runId, projectId, result);
+          } catch (err) {
+            log6.error("insight-webhook.failed", { runId, error: err instanceof Error ? err.message : String(err) });
+          }
+        }
+      }
     } catch (err) {
       log6.error("intelligence.failed", { runId, error: err instanceof Error ? err.message : String(err) });
     }
@@ -14429,13 +14702,13 @@ function extractHostname(domain) {
 function fetchWithPinnedAddress(target) {
   return new Promise((resolve) => {
     const port = target.url.port ? Number(target.url.port) : 443;
-    const path7 = target.url.pathname + target.url.search;
+    const path9 = target.url.pathname + target.url.search;
     const req = https2.request(
       {
         hostname: target.address,
         family: target.family,
         port,
-        path: path7,
+        path: path9,
         method: "GET",
         timeout: FETCH_TIMEOUT_MS,
         servername: target.url.hostname,
@@ -15124,10 +15397,503 @@ function clipText(value, length) {
   return `${value.slice(0, length - 3)}...`;
 }
 
+// src/agent-manager.ts
+import { execFileSync, spawn } from "child_process";
+import fs5 from "fs";
+import path6 from "path";
+var log8 = createLogger("AgentManager");
+var PROCESS_MARKER = "canonry-openclaw-gateway";
+var AgentManager = class {
+  constructor(config, stateDir) {
+    this.config = config;
+    this.stateDir = stateDir;
+    this.processJsonPath = path6.join(stateDir, "process.json");
+  }
+  processJsonPath;
+  /**
+   * Check if the gateway process is running.
+   * Cleans up stale process.json if the process is dead or belongs to a
+   * different process (PID reuse).
+   */
+  status() {
+    const info = this.readProcessInfo();
+    if (!info) {
+      return { state: "stopped" };
+    }
+    if (info.marker !== PROCESS_MARKER) {
+      this.removeProcessJson();
+      return { state: "stopped" };
+    }
+    if (isProcessAlive(info.pid) && this.verifyProcessIdentity(info.pid)) {
+      return {
+        state: "running",
+        pid: info.pid,
+        port: info.gatewayPort,
+        startedAt: info.startedAt
+      };
+    }
+    this.removeProcessJson();
+    return { state: "stopped" };
+  }
+  /**
+   * Start the OpenClaw gateway as a detached background process.
+   * Idempotent — no-op if already running.
+   * Waits briefly for the process to confirm it hasn't crashed on startup.
+   */
+  async start() {
+    const currentStatus = this.status();
+    if (currentStatus.state === "running") {
+      log8.info("already.running", { pid: currentStatus.pid });
+      return;
+    }
+    const binary = this.config.binary ?? "openclaw";
+    const profile = this.config.profile ?? "aero";
+    const port = this.config.gatewayPort ?? 3579;
+    if (!fs5.existsSync(this.stateDir)) {
+      fs5.mkdirSync(this.stateDir, { recursive: true });
+    }
+    const logFile = path6.join(this.stateDir, "gateway.log");
+    const logFd = fs5.openSync(logFile, "a");
+    const dotEnv = this.loadDotEnv();
+    const child = spawn(binary, ["--profile", profile, "gateway"], {
+      detached: true,
+      stdio: ["ignore", logFd, logFd],
+      env: {
+        ...process.env,
+        ...dotEnv,
+        OPENCLAW_PROFILE: profile,
+        OPENCLAW_GATEWAY_PORT: String(port),
+        OPENCLAW_STATE_DIR: this.stateDir
+      }
+    });
+    const startupResult = await new Promise((resolve) => {
+      let settled = false;
+      const settle = (r) => {
+        if (settled) return;
+        settled = true;
+        resolve(r);
+      };
+      child.on("error", (err) => settle({ error: err }));
+      child.on("exit", (code) => settle({ exitCode: code }));
+      setTimeout(() => settle({}), 500);
+    });
+    child.unref();
+    fs5.closeSync(logFd);
+    if (startupResult.error) {
+      throw new Error(`Failed to start OpenClaw gateway: ${startupResult.error.message}`);
+    }
+    if (startupResult.exitCode != null) {
+      throw new Error(`OpenClaw gateway exited immediately (code ${startupResult.exitCode}). Check ${path6.join(this.stateDir, "gateway.log")} for details.`);
+    }
+    if (child.pid == null) {
+      throw new Error("Failed to start OpenClaw gateway: no PID returned by spawn");
+    }
+    if (!isProcessAlive(child.pid)) {
+      throw new Error(`OpenClaw gateway exited immediately after spawn. Check ${path6.join(this.stateDir, "gateway.log")} for details.`);
+    }
+    const processInfo = {
+      pid: child.pid,
+      gatewayPort: port,
+      startedAt: (/* @__PURE__ */ new Date()).toISOString(),
+      marker: PROCESS_MARKER
+    };
+    fs5.writeFileSync(this.processJsonPath, JSON.stringify(processInfo, null, 2), "utf-8");
+    log8.info("started", { pid: child.pid, port });
+  }
+  /**
+   * Stop the gateway process.
+   * Uses DenchClaw escalation: SIGTERM → 800ms poll → SIGKILL.
+   * Idempotent — no-op if already stopped.
+   */
+  async stop() {
+    const info = this.readProcessInfo();
+    if (!info) return;
+    if (isProcessAlive(info.pid) && info.marker === PROCESS_MARKER && this.verifyProcessIdentity(info.pid)) {
+      await terminateWithEscalation(info.pid);
+    }
+    this.removeProcessJson();
+    log8.info("stopped", { pid: info.pid });
+  }
+  /**
+   * Stop the gateway, wipe the workspace directory, and prepare for re-seeding.
+   */
+  async reset() {
+    await this.stop();
+    const workspaceDir = path6.join(this.stateDir, "workspace");
+    if (fs5.existsSync(workspaceDir)) {
+      fs5.rmSync(workspaceDir, { recursive: true, force: true });
+      log8.info("workspace.wiped", { dir: workspaceDir });
+    }
+  }
+  /**
+   * Verify that the PID actually belongs to an openclaw process by checking
+   * the full command line. Requires "openclaw" in the args to avoid matching
+   * unrelated Node processes after PID reuse.
+   */
+  verifyProcessIdentity(pid) {
+    try {
+      if (process.platform === "darwin") {
+        const out = execFileSync("ps", ["-p", String(pid), "-o", "args="], {
+          encoding: "utf-8",
+          timeout: 2e3
+        }).trim();
+        return out.includes("openclaw");
+      }
+      if (process.platform === "linux") {
+        const cmdline = fs5.readFileSync(`/proc/${pid}/cmdline`, "utf-8");
+        return cmdline.includes("openclaw");
+      }
+      return true;
+    } catch {
+      return false;
+    }
+  }
+  readProcessInfo() {
+    if (!fs5.existsSync(this.processJsonPath)) return null;
+    try {
+      return JSON.parse(fs5.readFileSync(this.processJsonPath, "utf-8"));
+    } catch {
+      return null;
+    }
+  }
+  removeProcessJson() {
+    try {
+      fs5.unlinkSync(this.processJsonPath);
+    } catch {
+    }
+  }
+  /** Parse a simple KEY=value dotenv file from the state dir. */
+  loadDotEnv() {
+    const envFile = path6.join(this.stateDir, ".env");
+    if (!fs5.existsSync(envFile)) return {};
+    const result = {};
+    for (const line of fs5.readFileSync(envFile, "utf-8").split("\n")) {
+      const trimmed = line.trim();
+      if (!trimmed || trimmed.startsWith("#")) continue;
+      const eq25 = trimmed.indexOf("=");
+      if (eq25 < 1) continue;
+      result[trimmed.slice(0, eq25)] = trimmed.slice(eq25 + 1);
+    }
+    return result;
+  }
+};
+function isProcessAlive(pid) {
+  try {
+    process.kill(pid, 0);
+    return true;
+  } catch (err) {
+    if (err.code === "EPERM") return true;
+    return false;
+  }
+}
+async function terminateWithEscalation(pid) {
+  try {
+    process.kill(pid, "SIGTERM");
+  } catch {
+    return;
+  }
+  const deadline = Date.now() + 800;
+  while (Date.now() < deadline) {
+    if (!isProcessAlive(pid)) return;
+    await new Promise((resolve) => setTimeout(resolve, 100));
+  }
+  try {
+    process.kill(pid, "SIGKILL");
+  } catch {
+  }
+}
+
+// src/agent-bootstrap.ts
+import { execFileSync as execFileSync2, execSync } from "child_process";
+import fs6 from "fs";
+import os5 from "os";
+import path7 from "path";
+import { fileURLToPath } from "url";
+var CACHE_TTL_MS = 5 * 60 * 1e3;
+var OPENCLAW_VERSION = "2026.4.14";
+var OPENCLAW_PACKAGE_SPEC = `openclaw@${OPENCLAW_VERSION}`;
+var MIN_NODE_VERSION = "22.14.0";
+var cachedResult = null;
+var cachedAt = 0;
+function getAeroStateDir(profile = "aero") {
+  return path7.join(os5.homedir(), `.openclaw-${profile}`);
+}
+async function detectOpenClaw(config) {
+  if (cachedResult && Date.now() - cachedAt < CACHE_TTL_MS) {
+    return cachedResult;
+  }
+  let result;
+  if (config?.binary) {
+    const version = probeVersion(config.binary);
+    if (version) {
+      result = { found: true, path: config.binary, version };
+      cachedResult = result;
+      cachedAt = Date.now();
+      return result;
+    }
+  }
+  const binaryPath = findInPath();
+  if (binaryPath) {
+    const version = probeVersion(binaryPath);
+    if (version) {
+      result = { found: true, path: binaryPath, version };
+      cachedResult = result;
+      cachedAt = Date.now();
+      return result;
+    }
+  }
+  result = { found: false };
+  cachedResult = result;
+  cachedAt = Date.now();
+  return result;
+}
+detectOpenClaw.resetCache = () => {
+  cachedResult = null;
+  cachedAt = 0;
+};
+function probeVersion(binaryPath) {
+  try {
+    const output = execFileSync2(binaryPath, ["--version"], {
+      timeout: 5e3,
+      encoding: "utf-8"
+    });
+    const match = output.toString().trim().match(/(\d+\.\d+\.\d+)/);
+    return match ? match[1] : output.toString().trim();
+  } catch {
+    return null;
+  }
+}
+function findInPath() {
+  const cmd = process.platform === "win32" ? "where" : "which";
+  try {
+    const output = execFileSync2(cmd, ["openclaw"], {
+      timeout: 5e3,
+      encoding: "utf-8"
+    });
+    return output.toString().trim().split("\n")[0] || null;
+  } catch {
+    return null;
+  }
+}
+async function installOpenClaw(opts) {
+  const unsupportedNodeError = getUnsupportedNodeError(opts?.nodeVersion);
+  if (unsupportedNodeError) {
+    return {
+      success: false,
+      error: unsupportedNodeError
+    };
+  }
+  try {
+    execSync(`npm install -g ${OPENCLAW_PACKAGE_SPEC}`, {
+      timeout: 12e4,
+      stdio: opts?.silent ? "pipe" : "inherit"
+    });
+  } catch (err) {
+    return {
+      success: false,
+      error: err instanceof Error ? err.message : String(err)
+    };
+  }
+  detectOpenClaw.resetCache();
+  const detection = await detectOpenClaw();
+  if (!detection.found) {
+    return {
+      success: false,
+      error: `npm install succeeded but the ${OPENCLAW_PACKAGE_SPEC} binary was not found in PATH`
+    };
+  }
+  if (detection.version) {
+    const expectedVersion = parseVersionTuple(OPENCLAW_VERSION);
+    const detectedVersion = parseVersionTuple(detection.version);
+    if (expectedVersion && detectedVersion && compareVersionTuples(detectedVersion, expectedVersion) !== 0) {
+      return {
+        success: false,
+        error: `Installed OpenClaw binary reports version ${detection.version}, but Canonry pinned ${OPENCLAW_VERSION}. A different openclaw binary may be shadowing the npm-installed package in PATH.`
+      };
+    }
+  }
+  return { success: true, detection };
+}
+function getUnsupportedNodeError(currentNodeVersionOverride) {
+  const currentNodeVersion = normalizeVersion(currentNodeVersionOverride ?? process.versions.node);
+  const minimumTuple = parseVersionTuple(MIN_NODE_VERSION);
+  const currentTuple = parseVersionTuple(currentNodeVersion);
+  if (!minimumTuple || !currentTuple || compareVersionTuples(currentTuple, minimumTuple) >= 0) {
+    return null;
+  }
+  return `Canonry requires Node.js >=${MIN_NODE_VERSION} and installs pinned OpenClaw ${OPENCLAW_VERSION}, but the current runtime is ${currentNodeVersion}. Upgrade Node.js before running "canonry agent setup".`;
+}
+function normalizeVersion(version) {
+  const tuple = parseVersionTuple(version);
+  if (!tuple) {
+    return version.trim().replace(/^v/i, "");
+  }
+  return tuple.join(".");
+}
+function parseVersionTuple(version) {
+  const match = version.trim().replace(/^v/i, "").match(/^(\d+)(?:\.(\d+))?(?:\.(\d+))?$/);
+  if (!match) {
+    return null;
+  }
+  return [
+    Number(match[1]),
+    Number(match[2] ?? 0),
+    Number(match[3] ?? 0)
+  ];
+}
+function compareVersionTuples(left, right) {
+  for (let index = 0; index < left.length; index++) {
+    const delta = left[index] - right[index];
+    if (delta !== 0) {
+      return delta;
+    }
+  }
+  return 0;
+}
+function seedWorkspace(stateDir) {
+  const workspaceDir = path7.join(stateDir, "workspace");
+  fs6.mkdirSync(workspaceDir, { recursive: true });
+  const __dirname = path7.dirname(fileURLToPath(import.meta.url));
+  const assetsDir = path7.join(__dirname, "..", "assets", "agent-workspace");
+  if (!fs6.existsSync(assetsDir)) {
+    return;
+  }
+  copyDirRecursive(assetsDir, workspaceDir);
+}
+function initializeOpenClawProfile(binary, profile, workspaceDir) {
+  try {
+    execFileSync2(binary, [
+      "--profile",
+      profile,
+      "onboard",
+      "--non-interactive",
+      "--accept-risk",
+      "--mode",
+      "local",
+      "--workspace",
+      workspaceDir,
+      "--skip-channels",
+      "--skip-skills",
+      "--skip-health",
+      "--no-install-daemon"
+    ], { timeout: 3e4, stdio: "pipe" });
+  } catch (err) {
+    const stderr = err instanceof Error && "stderr" in err ? String(err.stderr) : "";
+    if (stderr.toLowerCase().includes("already")) return;
+    throw new CliError({
+      code: "AGENT_PROFILE_INIT_FAILED",
+      message: `Failed to initialize OpenClaw profile: ${stderr || (err instanceof Error ? err.message : String(err))}`,
+      displayMessage: `Failed to initialize OpenClaw profile "${profile}".`
+    });
+  }
+}
+function configureOpenClawGateway(binary, profile, gatewayPort) {
+  const entries = [
+    ["gateway.mode", "local", false],
+    ["gateway.port", String(gatewayPort), true]
+  ];
+  for (const [key, value, strict] of entries) {
+    try {
+      const args = ["--profile", profile, "config", "set", key, value];
+      if (strict) args.push("--strict-json");
+      execFileSync2(binary, args, { timeout: 1e4, stdio: "pipe" });
+    } catch (err) {
+      throw new CliError({
+        code: "AGENT_GATEWAY_CONFIG_FAILED",
+        message: `Failed to set ${key}=${value}: ${err instanceof Error ? err.message : String(err)}`,
+        displayMessage: `Failed to configure OpenClaw gateway (${key}).`
+      });
+    }
+  }
+}
+function setOpenClawModel(binary, profile, model) {
+  try {
+    execFileSync2(binary, [
+      "--profile",
+      profile,
+      "models",
+      "set",
+      model
+    ], { timeout: 1e4, stdio: "pipe" });
+  } catch (err) {
+    throw new CliError({
+      code: "AGENT_MODEL_SET_FAILED",
+      message: `Failed to set agent model to ${model}: ${err instanceof Error ? err.message : String(err)}`,
+      displayMessage: `Failed to set agent model to "${model}".`
+    });
+  }
+}
+function providerEnvVar(provider) {
+  const map = {
+    anthropic: "ANTHROPIC_API_KEY",
+    openai: "OPENAI_API_KEY",
+    google: "GOOGLE_API_KEY",
+    "google-vertex": "GOOGLE_API_KEY",
+    groq: "GROQ_API_KEY",
+    mistral: "MISTRAL_API_KEY",
+    xai: "XAI_API_KEY",
+    openrouter: "OPENROUTER_API_KEY",
+    cerebras: "CEREBRAS_API_KEY"
+  };
+  return map[provider] ?? `${provider.toUpperCase().replace(/-/g, "_")}_API_KEY`;
+}
+function writeAgentEnv(stateDir, key, value) {
+  const envFile = path7.join(stateDir, ".env");
+  let lines = [];
+  if (fs6.existsSync(envFile)) {
+    lines = fs6.readFileSync(envFile, "utf-8").split("\n");
+  }
+  const prefix = `${key}=`;
+  const idx = lines.findIndex((l) => l.startsWith(prefix));
+  const entry = `${key}=${value}`;
+  if (idx >= 0) {
+    lines[idx] = entry;
+  } else {
+    lines.push(entry);
+  }
+  while (lines.length > 0 && lines[lines.length - 1] === "") lines.pop();
+  fs6.writeFileSync(envFile, lines.join("\n") + "\n", "utf-8");
+}
+function resolveAgentCredentials(opts) {
+  const provider = opts.agentProvider ?? "anthropic";
+  if (opts.agentKey) {
+    return { provider, key: opts.agentKey, model: opts.agentModel };
+  }
+  const envVar = providerEnvVar(provider);
+  const envKey = process.env[envVar];
+  if (envKey) {
+    return { provider, key: envKey, model: opts.agentModel };
+  }
+  const genericKey = process.env.CANONRY_AGENT_KEY;
+  if (genericKey) {
+    return { provider, key: genericKey, model: opts.agentModel };
+  }
+  const envFile = path7.join(opts.stateDir, ".env");
+  if (fs6.existsSync(envFile)) {
+    const hasKey = fs6.readFileSync(envFile, "utf-8").split("\n").some((l) => l.includes("_API_KEY="));
+    if (hasKey) {
+      return { provider, key: void 0, model: opts.agentModel };
+    }
+  }
+  return { provider, key: void 0, model: opts.agentModel };
+}
+function copyDirRecursive(src, dest) {
+  fs6.mkdirSync(dest, { recursive: true });
+  for (const entry of fs6.readdirSync(src, { withFileTypes: true })) {
+    const srcPath = path7.join(src, entry.name);
+    const destPath = path7.join(dest, entry.name);
+    if (entry.isDirectory()) {
+      copyDirRecursive(srcPath, destPath);
+    } else {
+      fs6.copyFileSync(srcPath, destPath);
+    }
+  }
+}
+
 // src/server.ts
 var _require2 = createRequire2(import.meta.url);
 var { version: PKG_VERSION } = _require2("../package.json");
-var log8 = createLogger("Server");
+var log9 = createLogger("Server");
 var DEFAULT_QUOTA = {
   maxConcurrency: 2,
   maxRequestsPerMinute: 10,
@@ -15158,7 +15924,7 @@ function summarizeProviderConfig(provider, config) {
   };
 }
 function hashApiKey(key) {
-  return crypto22.createHash("sha256").update(key).digest("hex");
+  return crypto23.createHash("sha256").update(key).digest("hex");
 }
 function parseCookies2(header) {
   if (!header) return {};
@@ -15223,7 +15989,7 @@ function migrateDbCredentialsToConfig(db, config) {
       }
       if (migrated > 0) {
         saveConfigPatch({ google: config.google });
-        log8.info("credentials.migrated", { type: "google", count: migrated });
+        log9.info("credentials.migrated", { type: "google", count: migrated });
       }
     }
     const gaColCheck = db.all(sql6.raw(
@@ -15235,7 +16001,7 @@ function migrateDbCredentialsToConfig(db, config) {
       ));
       let migrated = 0;
       for (const row of rows) {
-        const project = db.select({ name: projects.name }).from(projects).where(eq23(projects.id, row.project_id)).get();
+        const project = db.select({ name: projects.name }).from(projects).where(eq24(projects.id, row.project_id)).get();
         if (!project) continue;
         const existing = getGa4Connection(config, project.name);
         if (existing?.privateKey) continue;
@@ -15251,7 +16017,7 @@ function migrateDbCredentialsToConfig(db, config) {
       }
       if (migrated > 0) {
         saveConfigPatch({ ga4: config.ga4 });
-        log8.info("credentials.migrated", { type: "ga4", count: migrated });
+        log9.info("credentials.migrated", { type: "ga4", count: migrated });
       }
     }
   } catch {
@@ -15282,7 +16048,7 @@ async function createServer(opts) {
     };
   }
   migrateDbCredentialsToConfig(opts.db, opts.config);
-  log8.info("providers.configured", { providers: Object.keys(providers).filter((k) => {
+  log9.info("providers.configured", { providers: Object.keys(providers).filter((k) => {
     const p = providers[k];
     return p?.apiKey || p?.baseUrl || p?.vertexProject;
   }) });
@@ -15319,9 +16085,28 @@ async function createServer(opts) {
   jobRunner.recoverStaleRuns();
   const notifier = new Notifier(opts.db, serverUrl);
   const intelligenceService = new IntelligenceService(opts.db);
-  const runCoordinator = new RunCoordinator(notifier, intelligenceService);
+  const runCoordinator = new RunCoordinator(
+    notifier,
+    intelligenceService,
+    (runId, projectId, result) => notifier.dispatchInsightWebhooks(runId, projectId, result)
+  );
   jobRunner.onRunCompleted = (runId, projectId) => runCoordinator.onRunCompleted(runId, projectId);
   const snapshotService = new SnapshotService(registry);
+  let agentManager;
+  let agentAutoStarted = false;
+  if (opts.config.agent) {
+    const stateDir = getAeroStateDir(opts.config.agent.profile ?? "aero");
+    agentManager = new AgentManager(opts.config.agent, stateDir);
+    if (opts.config.agent.autoStart) {
+      try {
+        await agentManager.start();
+        agentAutoStarted = true;
+        app.log.info({ pid: agentManager.status().pid }, "Agent gateway started");
+      } catch (err) {
+        app.log.error({ err }, "Failed to auto-start agent gateway");
+      }
+    }
+  }
   const scheduler = new Scheduler(opts.db, {
     onRunCreated: (runId, projectId, providers2, location) => {
       jobRunner.executeRun(runId, projectId, providers2, location).catch((err) => {
@@ -15397,7 +16182,7 @@ async function createServer(opts) {
       return removed;
     }
   };
-  const googleStateSecret = process.env.GOOGLE_STATE_SECRET ?? crypto22.randomBytes(32).toString("hex");
+  const googleStateSecret = process.env.GOOGLE_STATE_SECRET ?? crypto23.randomBytes(32).toString("hex");
   const googleConnectionStore = {
     listConnections: (domain) => listGoogleConnections(opts.config, domain),
     getConnection: (domain, connectionType) => getGoogleConnection(opts.config, domain, connectionType),
@@ -15443,11 +16228,11 @@ async function createServer(opts) {
   const apiPrefix = basePath ? `${basePath}api/v1` : "/api/v1";
   if (opts.config.apiKey) {
     const keyHash = hashApiKey(opts.config.apiKey);
-    const existing = opts.db.select().from(apiKeys).where(eq23(apiKeys.keyHash, keyHash)).get();
+    const existing = opts.db.select().from(apiKeys).where(eq24(apiKeys.keyHash, keyHash)).get();
     if (!existing) {
       const prefix = opts.config.apiKey.slice(0, 12);
       opts.db.insert(apiKeys).values({
-        id: `key_${crypto22.randomBytes(8).toString("hex")}`,
+        id: `key_${crypto23.randomBytes(8).toString("hex")}`,
         name: "default",
         keyHash,
         keyPrefix: prefix,
@@ -15471,7 +16256,7 @@ async function createServer(opts) {
   };
   const createSession = (apiKeyId) => {
     pruneExpiredSessions();
-    const sessionId = crypto22.randomBytes(32).toString("hex");
+    const sessionId = crypto23.randomBytes(32).toString("hex");
     sessions.set(sessionId, {
       apiKeyId,
       expiresAt: Date.now() + SESSION_TTL_MS
@@ -15495,7 +16280,7 @@ async function createServer(opts) {
   };
   const getDefaultApiKey = () => {
     if (!opts.config.apiKey) return void 0;
-    return opts.db.select().from(apiKeys).where(eq23(apiKeys.keyHash, hashApiKey(opts.config.apiKey))).get();
+    return opts.db.select().from(apiKeys).where(eq24(apiKeys.keyHash, hashApiKey(opts.config.apiKey))).get();
   };
   const createPasswordSession = (reply) => {
     const key = getDefaultApiKey();
@@ -15552,12 +16337,12 @@ async function createServer(opts) {
       return reply.send({ authenticated: true });
     }
     if (apiKey) {
-      const key = opts.db.select().from(apiKeys).where(eq23(apiKeys.keyHash, hashApiKey(apiKey))).get();
+      const key = opts.db.select().from(apiKeys).where(eq24(apiKeys.keyHash, hashApiKey(apiKey))).get();
       if (!key || key.revokedAt) {
         const err2 = authInvalid();
         return reply.status(err2.statusCode).send(err2.toJSON());
       }
-      opts.db.update(apiKeys).set({ lastUsedAt: (/* @__PURE__ */ new Date()).toISOString() }).where(eq23(apiKeys.id, key.id)).run();
+      opts.db.update(apiKeys).set({ lastUsedAt: (/* @__PURE__ */ new Date()).toISOString() }).where(eq24(apiKeys.id, key.id)).run();
       const sessionId = createSession(key.id);
       reply.header("set-cookie", serializeSessionCookie({
         name: SESSION_COOKIE_NAME,
@@ -15698,7 +16483,7 @@ async function createServer(opts) {
         const targetProjectIds = affectedProjectIds.length > 0 ? affectedProjectIds : [null];
         const createdAt = (/* @__PURE__ */ new Date()).toISOString();
         opts.db.insert(auditLog).values(targetProjectIds.map((projectId) => ({
-          id: crypto22.randomUUID(),
+          id: crypto23.randomUUID(),
           projectId,
           actor: "api",
           action: existing ? "provider.updated" : "provider.created",
@@ -15745,6 +16530,17 @@ async function createServer(opts) {
     onProjectDeleted: (projectId) => {
       scheduler.remove(projectId);
     },
+    onProjectUpserted: agentManager && opts.config.agent?.autoStart ? (_projectId, projectName) => {
+      try {
+        const gatewayPort = opts.config.agent?.gatewayPort ?? 3579;
+        const result = attachAgentWebhookDirect(opts.db, _projectId, gatewayPort);
+        if (result === "attached") {
+          app.log.info({ projectName }, "Auto-attached agent webhook");
+        }
+      } catch (err) {
+        app.log.error({ err, projectName }, "Failed to auto-attach agent webhook");
+      }
+    } : void 0,
     getTelemetryStatus: () => {
       const enabled = isTelemetryEnabled();
       return {
@@ -15829,10 +16625,10 @@ async function createServer(opts) {
       return snapshotService.createReport(input);
     }
   });
-  const dirname = path6.dirname(fileURLToPath(import.meta.url));
-  const assetsDir = path6.join(dirname, "..", "assets");
-  if (fs5.existsSync(assetsDir)) {
-    const indexPath = path6.join(assetsDir, "index.html");
+  const dirname = path8.dirname(fileURLToPath2(import.meta.url));
+  const assetsDir = path8.join(dirname, "..", "assets");
+  if (fs7.existsSync(assetsDir)) {
+    const indexPath = path8.join(assetsDir, "index.html");
     const injectConfig = (html) => {
       const clientConfig = {};
       if (basePath) clientConfig.basePath = basePath;
@@ -15844,14 +16640,14 @@ async function createServer(opts) {
     await app.register(fastifyStatic.default, {
       root: assetsDir,
       prefix: basePath ?? "/",
-      wildcard: false,
+      wildcard: true,
       // Don't serve index.html automatically — we handle it with config injection
       serve: true,
       index: false
     });
     const serveIndex = (_request, reply) => {
-      if (fs5.existsSync(indexPath)) {
-        const html = fs5.readFileSync(indexPath, "utf-8");
+      if (fs7.existsSync(indexPath)) {
+        const html = fs7.readFileSync(indexPath, "utf-8");
         return reply.type("text/html").send(injectConfig(html));
       }
       return reply.status(404).send({ error: "Dashboard not built" });
@@ -15871,8 +16667,8 @@ async function createServer(opts) {
       if (basePath && !url.startsWith(basePath)) {
         return reply.status(404).send({ error: "Not found", path: request.url });
       }
-      if (fs5.existsSync(indexPath)) {
-        const html = fs5.readFileSync(indexPath, "utf-8");
+      if (fs7.existsSync(indexPath)) {
+        const html = fs7.readFileSync(indexPath, "utf-8");
         return reply.type("text/html").send(injectConfig(html));
       }
       return reply.status(404).send({ error: "Not found" });
@@ -15891,6 +16687,13 @@ async function createServer(opts) {
   scheduler.start();
   app.addHook("onClose", async () => {
     scheduler.stop();
+    if (agentManager && agentAutoStarted) {
+      try {
+        await agentManager.stop();
+      } catch (err) {
+        app.log.error({ err }, "Failed to stop agent gateway");
+      }
+    }
   });
   return app;
 }
@@ -15952,6 +16755,11 @@ export {
   isFirstRun,
   showFirstRunNotice,
   trackEvent,
+  EXIT_USER_ERROR,
+  EXIT_SYSTEM_ERROR,
+  CliError,
+  usageError,
+  printCliError,
   providerQuotaPolicySchema,
   ProviderNames,
   resolveProviderInput,
@@ -15968,5 +16776,19 @@ export {
   extractRecommendedCompetitors,
   setGoogleAuthConfig,
   formatAuditFactorScore,
+  AGENT_WEBHOOK_EVENTS,
+  buildAgentWebhookUrl,
+  attachAgentWebhookDirect,
+  AgentManager,
+  getAeroStateDir,
+  detectOpenClaw,
+  installOpenClaw,
+  seedWorkspace,
+  initializeOpenClawProfile,
+  configureOpenClawGateway,
+  setOpenClawModel,
+  providerEnvVar,
+  writeAgentEnv,
+  resolveAgentCredentials,
   createServer
 };