@ainyc/canonry 2.12.1 → 2.13.2

package/assets/index.html

@@ -12,7 +12,7 @@
     <link rel="icon" type="image/png" sizes="32x32" href="./favicon-32.png" />
     <link rel="apple-touch-icon" href="./apple-touch-icon.png" />
     <title>Canonry</title>
-    <script type="module" crossorigin src="./assets/index-Ckr4V5dK.js"></script>
+    <script type="module" crossorigin src="./assets/index-CKzK0os-.js"></script>
     <link rel="stylesheet" crossorigin href="./assets/index-CAewPdsZ.css">
   </head>
   <body>

package/dist/{chunk-FCYNFM4B.js → chunk-DHMCIJMQ.js}

@@ -6,6 +6,9 @@ import {
   ApiClient,
   AppError,
   CcReleaseSyncStatuses,
+  CheckCategories,
+  CheckScopes,
+  CheckStatuses,
   CitationStates,
   MemorySources,
   RunKinds,
@@ -50,12 +53,13 @@ import {
   scheduleUpsertRequestSchema,
   serializeRunError,
   snapshotRequestSchema,
+  summarizeCheckResults,
   unsupportedKind,
   validationError,
   visibilityStateFromAnswerMentioned,
   windowCutoff,
   wordpressEnvSchema
-} from "./chunk-PLI7EOPM.js";
+} from "./chunk-XJS7NALL.js";
 import {
   IntelligenceService,
   agentMemory,
@@ -5303,6 +5307,44 @@ var routeCatalog = [
       404: { description: "Project not found." }
     }
   },
+  {
+    method: "get",
+    path: "/api/v1/doctor",
+    summary: "Run global health checks",
+    description: "Runs all global-scope checks (provider keys, etc.). Use ?check=<id> or ?check=<prefix>* (comma-separated) to filter. Returns a structured DoctorReport with per-check status, code, summary, remediation, and details.",
+    tags: ["doctor"],
+    parameters: [
+      {
+        name: "check",
+        in: "query",
+        description: 'Optional comma-separated list of check IDs or wildcard prefixes (e.g. "config.*").',
+        schema: stringSchema
+      }
+    ],
+    responses: {
+      200: { description: "Doctor report returned." }
+    }
+  },
+  {
+    method: "get",
+    path: "/api/v1/projects/{name}/doctor",
+    summary: "Run project health checks",
+    description: "Runs project-scoped checks (Google auth, GA auth, etc.). Use ?check=<id> or ?check=<prefix>* (comma-separated) to filter \u2014 e.g. ?check=google.* for just Google auth checks. Returns a structured DoctorReport.",
+    tags: ["doctor"],
+    parameters: [
+      nameParameter,
+      {
+        name: "check",
+        in: "query",
+        description: 'Optional comma-separated list of check IDs or wildcard prefixes (e.g. "google.auth.*").',
+        schema: stringSchema
+      }
+    ],
+    responses: {
+      200: { description: "Doctor report returned." },
+      404: { description: "Project not found." }
+    }
+  },
   {
     method: "get",
     path: "/api/v1/backlinks/status",
@@ -11193,6 +11235,595 @@ async function backlinksRoutes(app, opts) {
   );
 }
 
+// ../api-routes/src/doctor/checks/ga-auth.ts
+async function checkServiceAccount(conn) {
+  if (!conn.propertyId) {
+    return {
+      status: CheckStatuses.fail,
+      code: "ga.auth.no-property-selected",
+      summary: "GA4 service account record has no property ID set.",
+      remediation: "Set a propertyId in the GA4 credential record (config.yaml `ga4.connections[].propertyId`)."
+    };
+  }
+  if (!conn.clientEmail || !conn.privateKey) {
+    return {
+      status: CheckStatuses.fail,
+      code: "ga.auth.service-account-incomplete",
+      summary: "GA4 service account is missing clientEmail or privateKey.",
+      remediation: "Provide a complete service account JSON key (clientEmail + privateKey) in config.yaml.",
+      details: {
+        hasClientEmail: Boolean(conn.clientEmail),
+        hasPrivateKey: Boolean(conn.privateKey)
+      }
+    };
+  }
+  try {
+    await verifyConnection(conn.clientEmail, conn.privateKey, conn.propertyId);
+  } catch (err) {
+    const message = err instanceof Error ? err.message : String(err);
+    return {
+      status: CheckStatuses.fail,
+      code: "ga.auth.verify-failed",
+      summary: "GA4 service account could not authenticate against the configured property.",
+      remediation: `Verify the service account has Viewer access on property ${conn.propertyId}, and that the private key in config.yaml is the active key for the service account.`,
+      details: { propertyId: conn.propertyId, error: message, authMethod: "service-account" }
+    };
+  }
+  return {
+    status: CheckStatuses.ok,
+    code: "ga.auth.verified",
+    summary: `GA4 property ${conn.propertyId} is reachable with the configured service account.`,
+    remediation: null,
+    details: { propertyId: conn.propertyId, clientEmail: conn.clientEmail, authMethod: "service-account" }
+  };
+}
+async function checkOAuthConnection(ctx, projectName, conn) {
+  if (!conn.propertyId) {
+    return {
+      status: CheckStatuses.fail,
+      code: "ga.auth.no-property-selected",
+      summary: "GA4 OAuth connection has no property selected.",
+      remediation: `Run \`canonry google connect ${projectName} --type ga4\` to select a property.`
+    };
+  }
+  if (!conn.refreshToken) {
+    return {
+      status: CheckStatuses.fail,
+      code: "ga.auth.no-refresh-token",
+      summary: "GA4 OAuth connection has no refresh token stored.",
+      remediation: `Run \`canonry google connect ${projectName} --type ga4\` to re-authorize and capture a refresh token.`,
+      details: { propertyId: conn.propertyId }
+    };
+  }
+  const auth = ctx.getGoogleAuthConfig?.() ?? {};
+  if (!auth.clientId || !auth.clientSecret) {
+    return {
+      status: CheckStatuses.fail,
+      code: "ga.auth.oauth-not-configured",
+      summary: "GA4 OAuth connection exists but Google OAuth client ID/secret is missing.",
+      remediation: "Set `google.clientId` and `google.clientSecret` in ~/.canonry/config.yaml."
+    };
+  }
+  let accessToken;
+  try {
+    const tokens = await refreshAccessToken(auth.clientId, auth.clientSecret, conn.refreshToken);
+    accessToken = tokens.access_token;
+  } catch (err) {
+    const message = err instanceof Error ? err.message : String(err);
+    return {
+      status: CheckStatuses.fail,
+      code: "ga.auth.refresh-failed",
+      summary: "GA4 OAuth refresh token rejected by Google.",
+      remediation: `Run \`canonry google connect ${projectName} --type ga4\` to re-authorize.`,
+      details: { propertyId: conn.propertyId, error: message, authMethod: "oauth" }
+    };
+  }
+  try {
+    await verifyConnectionWithToken(accessToken, conn.propertyId);
+  } catch (err) {
+    const message = err instanceof Error ? err.message : String(err);
+    return {
+      status: CheckStatuses.fail,
+      code: "ga.auth.verify-failed",
+      summary: "GA4 OAuth token cannot reach the configured property.",
+      remediation: `Verify the authorized Google account has access to property ${conn.propertyId}, or run \`canonry google connect ${projectName} --type ga4\` to re-authorize.`,
+      details: { propertyId: conn.propertyId, error: message, authMethod: "oauth" }
+    };
+  }
+  return {
+    status: CheckStatuses.ok,
+    code: "ga.auth.verified",
+    summary: `GA4 property ${conn.propertyId} is reachable via OAuth.`,
+    remediation: null,
+    details: { propertyId: conn.propertyId, authMethod: "oauth" }
+  };
+}
+var ga4ConnectionCheck = {
+  id: "ga.auth.connection",
+  category: CheckCategories.auth,
+  scope: CheckScopes.project,
+  title: "GA4 connection",
+  run: async (ctx) => {
+    if (!ctx.project) {
+      return {
+        status: CheckStatuses.skipped,
+        code: "ga.auth.no-project",
+        summary: "Project context required.",
+        remediation: null
+      };
+    }
+    const saStore = ctx.ga4CredentialStore;
+    const oauthStore = ctx.googleConnectionStore;
+    if (!saStore && !oauthStore) {
+      return {
+        status: CheckStatuses.skipped,
+        code: "ga.auth.store-unavailable",
+        summary: "No GA4 credential store configured for this deployment.",
+        remediation: null
+      };
+    }
+    const saConn = saStore?.getConnection(ctx.project.name);
+    if (saConn) return checkServiceAccount(saConn);
+    const oauthConn = oauthStore?.getConnection(ctx.project.canonicalDomain, "ga4");
+    if (oauthConn) return checkOAuthConnection(ctx, ctx.project.name, oauthConn);
+    return {
+      status: CheckStatuses.warn,
+      code: "ga.auth.no-connection",
+      summary: "No GA4 connection configured for this project.",
+      remediation: `Run \`canonry google connect ${ctx.project.name} --type ga4\` to authorize via OAuth, or set up a service account in ~/.canonry/config.yaml under \`ga4.connections\`.`
+    };
+  }
+};
+var GA_AUTH_CHECKS = [ga4ConnectionCheck];
+
+// ../api-routes/src/doctor/checks/google-auth.ts
+var REQUIRED_GSC_SCOPES = [GSC_SCOPE, INDEXING_SCOPE];
+async function resolveAccessToken(ctx) {
+  if (!ctx.project) {
+    return { ok: false, output: skippedNoProject() };
+  }
+  const store = ctx.googleConnectionStore;
+  if (!store) {
+    return {
+      ok: false,
+      output: {
+        status: CheckStatuses.skipped,
+        code: "google.auth.store-unavailable",
+        summary: "Google connection store is not configured for this deployment.",
+        remediation: null
+      }
+    };
+  }
+  const auth = ctx.getGoogleAuthConfig?.() ?? {};
+  if (!auth.clientId || !auth.clientSecret) {
+    return {
+      ok: false,
+      output: {
+        status: CheckStatuses.fail,
+        code: "google.auth.oauth-not-configured",
+        summary: "Google OAuth client ID or secret is missing.",
+        remediation: "Set Google OAuth credentials in ~/.canonry/config.yaml under `google.clientId` and `google.clientSecret`."
+      }
+    };
+  }
+  const conn = store.getConnection(ctx.project.canonicalDomain, "gsc");
+  if (!conn) {
+    return {
+      ok: false,
+      output: {
+        status: CheckStatuses.fail,
+        code: "google.auth.no-connection",
+        summary: `No GSC connection for ${ctx.project.canonicalDomain}.`,
+        remediation: `Run \`canonry google connect ${ctx.project.name} --type gsc\` to authorize.`
+      }
+    };
+  }
+  if (!conn.refreshToken) {
+    return {
+      ok: false,
+      output: {
+        status: CheckStatuses.fail,
+        code: "google.auth.no-refresh-token",
+        summary: "GSC connection exists but has no refresh token stored.",
+        remediation: `Run \`canonry google connect ${ctx.project.name} --type gsc\` to re-authorize and capture a refresh token.`,
+        details: { domain: conn.domain }
+      }
+    };
+  }
+  try {
+    const tokens = await refreshAccessToken(auth.clientId, auth.clientSecret, conn.refreshToken);
+    return { ok: true, token: { accessToken: tokens.access_token } };
+  } catch (err) {
+    const message = err instanceof Error ? err.message : String(err);
+    return {
+      ok: false,
+      output: {
+        status: CheckStatuses.fail,
+        code: "google.auth.refresh-failed",
+        summary: "Refresh token rejected by Google.",
+        remediation: `Run \`canonry google connect ${ctx.project.name} --type gsc\` to re-authorize. Refresh tokens are revoked if the user changes their password or the OAuth client is rotated.`,
+        details: { domain: conn.domain, error: message }
+      }
+    };
+  }
+}
+function skippedNoProject() {
+  return {
+    status: CheckStatuses.skipped,
+    code: "google.auth.no-project",
+    summary: "Project context required.",
+    remediation: null
+  };
+}
+var connectionCheck = {
+  id: "google.auth.connection",
+  category: CheckCategories.auth,
+  scope: CheckScopes.project,
+  title: "GSC OAuth connection",
+  run: async (ctx) => {
+    const resolved = await resolveAccessToken(ctx);
+    if (!resolved.ok) return resolved.output;
+    return {
+      status: CheckStatuses.ok,
+      code: "google.auth.connected",
+      summary: "GSC OAuth connection is valid and refreshable.",
+      remediation: null
+    };
+  }
+};
+var propertyAccessCheck = {
+  id: "google.auth.property-access",
+  category: CheckCategories.auth,
+  scope: CheckScopes.project,
+  title: "GSC property access",
+  run: async (ctx) => {
+    if (!ctx.project) return skippedNoProject();
+    const store = ctx.googleConnectionStore;
+    if (!store) {
+      return {
+        status: CheckStatuses.skipped,
+        code: "google.auth.store-unavailable",
+        summary: "Google connection store is not configured for this deployment.",
+        remediation: null
+      };
+    }
+    const conn = store.getConnection(ctx.project.canonicalDomain, "gsc");
+    if (!conn) {
+      return {
+        status: CheckStatuses.skipped,
+        code: "google.auth.no-connection",
+        summary: "No GSC connection \u2014 run google.auth.connection first.",
+        remediation: null
+      };
+    }
+    if (!conn.propertyId) {
+      return {
+        status: CheckStatuses.fail,
+        code: "google.auth.no-property-selected",
+        summary: "GSC connection has no property selected.",
+        remediation: `Run \`canonry google properties ${ctx.project.name}\` to list available properties, then \`canonry google set-property ${ctx.project.name} <siteUrl>\`.`
+      };
+    }
+    const resolved = await resolveAccessToken(ctx);
+    if (!resolved.ok) {
+      return {
+        status: CheckStatuses.skipped,
+        code: "google.auth.token-unresolved",
+        summary: "Skipped \u2014 token could not be refreshed (see google.auth.connection).",
+        remediation: null
+      };
+    }
+    let sites;
+    try {
+      sites = await listSites(resolved.token.accessToken);
+    } catch (err) {
+      if (err instanceof GoogleApiError && err.status === 403) {
+        return {
+          status: CheckStatuses.fail,
+          code: "google.auth.principal-forbidden",
+          summary: "The authorized Google account is forbidden from listing GSC sites.",
+          remediation: `Reconnect with a Google account that has access in Search Console: \`canonry google connect ${ctx.project.name} --type gsc\`.`,
+          details: { error: err.message }
+        };
+      }
+      const message = err instanceof Error ? err.message : String(err);
+      return {
+        status: CheckStatuses.fail,
+        code: "google.auth.list-sites-failed",
+        summary: "Failed to list GSC sites for the authorized account.",
+        remediation: "Check Google Search Console availability, then re-run.",
+        details: { error: message }
+      };
+    }
+    const match = sites.find((site) => site.siteUrl === conn.propertyId);
+    if (!match) {
+      return {
+        status: CheckStatuses.fail,
+        code: "google.auth.property-not-accessible",
+        summary: `Selected property "${conn.propertyId}" is not in the authorized account's accessible sites list.`,
+        remediation: `Either grant the authorizing Google account access to "${conn.propertyId}" in Search Console, or run \`canonry google set-property ${ctx.project.name} <siteUrl>\` to pick an accessible site.`,
+        details: {
+          selectedProperty: conn.propertyId,
+          accessibleSites: sites.map((s) => s.siteUrl)
+        }
+      };
+    }
+    return {
+      status: CheckStatuses.ok,
+      code: "google.auth.property-accessible",
+      summary: `Property "${conn.propertyId}" is accessible (permission: ${match.permissionLevel}).`,
+      remediation: null,
+      details: {
+        selectedProperty: conn.propertyId,
+        permissionLevel: match.permissionLevel
+      }
+    };
+  }
+};
+var redirectUriCheck = {
+  id: "google.auth.redirect-uri",
+  category: CheckCategories.auth,
+  scope: CheckScopes.project,
+  title: "OAuth redirect URI",
+  run: async (ctx) => {
+    if (!ctx.project) return skippedNoProject();
+    const auth = ctx.getGoogleAuthConfig?.() ?? {};
+    if (!auth.clientId || !auth.clientSecret) {
+      return {
+        status: CheckStatuses.fail,
+        code: "google.auth.oauth-not-configured",
+        summary: "Google OAuth client ID or secret is missing.",
+        remediation: "Set `google.clientId` and `google.clientSecret` in ~/.canonry/config.yaml."
+      };
+    }
+    if (!ctx.redirectUri) {
+      return {
+        status: CheckStatuses.warn,
+        code: "google.auth.redirect-uri-auto-detected",
+        summary: "No publicUrl configured \u2014 OAuth callback will be auto-detected from request headers each connect.",
+        remediation: "Set `publicUrl` in ~/.canonry/config.yaml so canonry uses a stable redirect URI (e.g. http://localhost:4100). Then register that exact URI in Google Cloud Console under your OAuth client."
+      };
+    }
+    let parsed;
+    try {
+      parsed = new URL(ctx.redirectUri);
+    } catch {
+      return {
+        status: CheckStatuses.fail,
+        code: "google.auth.redirect-uri-invalid",
+        summary: `Configured redirect URI is not a valid URL: ${ctx.redirectUri}`,
+        remediation: "Set `publicUrl` to a valid http(s) URL in ~/.canonry/config.yaml.",
+        details: { redirectUri: ctx.redirectUri }
+      };
+    }
+    if (parsed.protocol !== "http:" && parsed.protocol !== "https:") {
+      return {
+        status: CheckStatuses.fail,
+        code: "google.auth.redirect-uri-invalid",
+        summary: `Redirect URI must use http or https: ${ctx.redirectUri}`,
+        remediation: "Set `publicUrl` to an http(s) URL.",
+        details: { redirectUri: ctx.redirectUri }
+      };
+    }
+    return {
+      status: CheckStatuses.ok,
+      code: "google.auth.redirect-uri-configured",
+      summary: `Redirect URI is ${ctx.redirectUri}.`,
+      remediation: `Ensure this exact URI is listed in your OAuth client's authorized redirect URIs in Google Cloud Console.`,
+      details: { redirectUri: ctx.redirectUri }
+    };
+  }
+};
+var scopesCheck = {
+  id: "google.auth.scopes",
+  category: CheckCategories.auth,
+  scope: CheckScopes.project,
+  title: "GSC granted scopes",
+  run: async (ctx) => {
+    if (!ctx.project) return skippedNoProject();
+    const store = ctx.googleConnectionStore;
+    if (!store) {
+      return {
+        status: CheckStatuses.skipped,
+        code: "google.auth.store-unavailable",
+        summary: "Google connection store is not configured for this deployment.",
+        remediation: null
+      };
+    }
+    const conn = store.getConnection(ctx.project.canonicalDomain, "gsc");
+    if (!conn) {
+      return {
+        status: CheckStatuses.skipped,
+        code: "google.auth.no-connection",
+        summary: "No GSC connection \u2014 run google.auth.connection first.",
+        remediation: null
+      };
+    }
+    const granted = new Set(conn.scopes ?? []);
+    const missing = REQUIRED_GSC_SCOPES.filter((scope) => !granted.has(scope));
+    if (missing.length === 0) {
+      return {
+        status: CheckStatuses.ok,
+        code: "google.auth.scopes-ok",
+        summary: "All required GSC scopes are granted.",
+        remediation: null,
+        details: { granted: [...granted] }
+      };
+    }
+    const gscMissing = missing.includes(GSC_SCOPE);
+    const indexingOnlyMissing = !gscMissing && missing.includes(INDEXING_SCOPE) && missing.length === 1;
+    return {
+      status: indexingOnlyMissing ? CheckStatuses.warn : CheckStatuses.fail,
+      code: indexingOnlyMissing ? "google.auth.indexing-scope-missing" : "google.auth.required-scope-missing",
+      summary: indexingOnlyMissing ? "Indexing API scope is not granted \u2014 `canonry google request-indexing` will fail." : `Missing required scopes: ${missing.join(", ")}.`,
+      remediation: `Reconnect to grant missing scopes: \`canonry google connect ${ctx.project.name} --type gsc\`.`,
+      details: { granted: [...granted], missing }
+    };
+  }
+};
+var GOOGLE_AUTH_CHECKS = [
+  connectionCheck,
+  propertyAccessCheck,
+  redirectUriCheck,
+  scopesCheck
+];
+var GOOGLE_AUTH_CHECK_BY_ID = Object.fromEntries(
+  GOOGLE_AUTH_CHECKS.map((check) => [check.id, check])
+);
+
+// ../api-routes/src/doctor/checks/providers.ts
+var providersConfiguredCheck = {
+  id: "config.providers",
+  category: CheckCategories.providers,
+  scope: CheckScopes.global,
+  title: "Provider keys",
+  run: (ctx) => {
+    const summary = ctx.providerSummary;
+    if (!summary) {
+      return {
+        status: CheckStatuses.skipped,
+        code: "providers.summary-unavailable",
+        summary: "Provider summary is not available in this deployment.",
+        remediation: null
+      };
+    }
+    const configured = summary.filter((entry) => entry.configured).map((entry) => entry.name);
+    const total = summary.length;
+    if (configured.length === 0) {
+      return {
+        status: CheckStatuses.fail,
+        code: "providers.none-configured",
+        summary: "No answer-engine providers have credentials configured.",
+        remediation: "Run `canonry init` to set provider keys interactively, or add them via flags (`--gemini-key`, `--openai-key`, `--claude-key`, `--perplexity-key`).",
+        details: { available: summary.map((entry) => entry.name) }
+      };
+    }
+    return {
+      status: CheckStatuses.ok,
+      code: "providers.configured",
+      summary: `${configured.length} of ${total} providers configured: ${configured.join(", ")}.`,
+      remediation: null,
+      details: { configured, total }
+    };
+  }
+};
+var PROVIDERS_CHECKS = [providersConfiguredCheck];
+
+// ../api-routes/src/doctor/registry.ts
+var ALL_CHECKS = [
+  ...GOOGLE_AUTH_CHECKS,
+  ...GA_AUTH_CHECKS,
+  ...PROVIDERS_CHECKS
+];
+var CHECK_BY_ID = Object.fromEntries(
+  ALL_CHECKS.map((check) => [check.id, check])
+);
+
+// ../api-routes/src/doctor/runner.ts
+function matchesCheckId(checkId, filters) {
+  if (filters.length === 0) return true;
+  for (const filter of filters) {
+    if (filter === checkId) return true;
+    if (filter.endsWith("*")) {
+      const prefix = filter.slice(0, -1);
+      if (checkId.startsWith(prefix)) return true;
+    }
+  }
+  return false;
+}
+async function runChecks(ctx, checks, options = {}) {
+  const startedAt = /* @__PURE__ */ new Date();
+  const filters = options.checkIds ?? [];
+  const targetScope = ctx.project ? CheckScopes.project : CheckScopes.global;
+  const projectName = ctx.project?.name ?? null;
+  const selected = checks.filter((check) => {
+    if (check.scope !== targetScope) return false;
+    return matchesCheckId(check.id, filters);
+  });
+  const results = [];
+  for (const definition of selected) {
+    const checkStarted = Date.now();
+    let output;
+    try {
+      output = await definition.run(ctx);
+    } catch (err) {
+      const message = err instanceof Error ? err.message : String(err);
+      output = {
+        status: CheckStatuses.fail,
+        code: `${definition.id}.runtime-error`,
+        summary: `Check threw an unexpected error: ${message}`,
+        remediation: null,
+        details: { error: message }
+      };
+    }
+    results.push({
+      id: definition.id,
+      category: definition.category,
+      scope: definition.scope,
+      title: definition.title,
+      status: output.status,
+      code: output.code,
+      summary: output.summary,
+      remediation: output.remediation ?? null,
+      details: output.details,
+      durationMs: Date.now() - checkStarted
+    });
+  }
+  return {
+    scope: targetScope,
+    project: projectName,
+    generatedAt: startedAt.toISOString(),
+    durationMs: Date.now() - startedAt.getTime(),
+    summary: summarizeCheckResults(results),
+    checks: results
+  };
+}
+
+// ../api-routes/src/doctor.ts
+function parseCheckIds(raw) {
+  if (!raw) return [];
+  return raw.split(",").map((token) => token.trim()).filter((token) => token.length > 0);
+}
+function resolveRedirectUri(opts) {
+  if (!opts.publicUrl) return void 0;
+  return `${opts.publicUrl.replace(/\/$/, "")}/api/v1/google/callback`;
+}
+async function doctorRoutes(app, opts) {
+  const redirectUri = resolveRedirectUri(opts);
+  app.get("/doctor", async (request) => {
+    const checkIds = parseCheckIds(request.query.check);
+    const ctx = {
+      db: app.db,
+      project: null,
+      googleConnectionStore: opts.googleConnectionStore,
+      ga4CredentialStore: opts.ga4CredentialStore,
+      getGoogleAuthConfig: opts.getGoogleAuthConfig,
+      redirectUri,
+      providerSummary: opts.providerSummary
+    };
+    return runChecks(ctx, ALL_CHECKS, { checkIds });
+  });
+  app.get("/projects/:name/doctor", async (request) => {
+    const project = resolveProject(app.db, request.params.name);
+    const checkIds = parseCheckIds(request.query.check);
+    const ctx = {
+      db: app.db,
+      project: {
+        id: project.id,
+        name: project.name,
+        canonicalDomain: project.canonicalDomain,
+        displayName: project.displayName
+      },
+      googleConnectionStore: opts.googleConnectionStore,
+      ga4CredentialStore: opts.ga4CredentialStore,
+      getGoogleAuthConfig: opts.getGoogleAuthConfig,
+      redirectUri,
+      providerSummary: opts.providerSummary
+    };
+    return runChecks(ctx, ALL_CHECKS, { checkIds });
+  });
+}
+
 // ../api-routes/src/index.ts
 async function apiRoutes(app, opts) {
   app.decorate("db", opts.db);
@@ -11312,6 +11943,13 @@ async function apiRoutes(app, opts) {
       onBacklinksPruneCache: opts.onBacklinksPruneCache,
       listCachedReleases: opts.listCachedReleases
     });
+    await api.register(doctorRoutes, {
+      googleConnectionStore: opts.googleConnectionStore,
+      ga4CredentialStore: opts.ga4CredentialStore,
+      getGoogleAuthConfig: opts.getGoogleAuthConfig,
+      publicUrl: opts.publicUrl,
+      providerSummary: opts.providerSummary
+    });
     if (opts.registerAuthenticatedRoutes) {
       await opts.registerAuthenticatedRoutes(api);
     }