@ainyc/canonry 4.11.0 → 4.12.1

package/dist/{chunk-NG2PJHVL.js → chunk-L4KKHRVQ.js}

@@ -4,13 +4,14 @@ import {
   configExists,
   loadConfig,
   saveConfigPatch
-} from "./chunk-ZR4AVT4T.js";
+} from "./chunk-LNRDWAG3.js";
 import {
   DEFAULT_RUN_HISTORY_LIMIT,
   IntelligenceService,
   MIN_TREND_POINTS,
   agentMemory,
   agentSessions,
+  aiReferralEventsHourly,
   apiKeys,
   auditLog,
   backlinkDomains,
@@ -36,6 +37,7 @@ import {
   categorizeQueryByIntent,
   ccReleaseSyncs,
   competitors,
+  crawlerEventsHourly,
   createLogger,
   dropLegacyCredentialColumns,
   extractLegacyCredentials,
@@ -58,10 +60,12 @@ import {
   projects,
   queries,
   querySnapshots,
+  rawEventSamples,
   runs,
   schedules,
+  trafficSources,
   usageCounters
-} from "./chunk-5G6WYP2S.js";
+} from "./chunk-DCE3B6KD.js";
 import {
   AGENT_MEMORY_VALUE_MAX_BYTES,
   AGENT_PROVIDER_IDS,
@@ -76,6 +80,11 @@ import {
   RunKinds,
   RunStatuses,
   RunTriggers,
+  TrafficEventConfidences,
+  TrafficEvidenceKinds,
+  TrafficSourceAuthModes,
+  TrafficSourceStatuses,
+  TrafficSourceTypes,
   absolutizeProjectUrl,
   actionConfidenceLabel,
   agentBusy,
@@ -137,7 +146,7 @@ import {
   visibilityStateFromAnswerMentioned,
   windowCutoff,
   wordpressEnvSchema
-} from "./chunk-WWU65YPN.js";
+} from "./chunk-YDGT5CAY.js";
 
 // src/telemetry.ts
 import crypto from "crypto";
@@ -213,11 +222,11 @@ function trackEvent(event, properties) {
 
 // src/server.ts
 import { createRequire as createRequire3 } from "module";
-import crypto28 from "crypto";
+import crypto30 from "crypto";
 import fs12 from "fs";
 import path14 from "path";
 import { fileURLToPath as fileURLToPath2 } from "url";
-import { eq as eq34 } from "drizzle-orm";
+import { eq as eq35 } from "drizzle-orm";
 import Fastify from "fastify";
 
 // ../api-routes/src/auth.ts
@@ -9160,6 +9169,66 @@ var routeCatalog = [
       200: { description: "History returned oldest-first by queriedAt." },
       404: { description: "Project not found." }
     }
+  },
+  {
+    method: "post",
+    path: "/api/v1/projects/{name}/traffic/connect/cloud-run",
+    summary: "Connect a Cloud Run traffic source",
+    description: "Stores the service-account JSON in `~/.canonry/config.yaml` and creates a `traffic_sources` row for the project. Reconnecting updates the existing active source rather than creating a duplicate.",
+    tags: ["traffic"],
+    parameters: [nameParameter],
+    requestBody: {
+      required: true,
+      content: {
+        "application/json": {
+          schema: {
+            type: "object",
+            required: ["gcpProjectId", "keyJson"],
+            properties: {
+              gcpProjectId: stringSchema,
+              serviceName: stringSchema,
+              location: stringSchema,
+              displayName: stringSchema,
+              keyJson: { ...stringSchema, description: "Service-account JSON content." }
+            }
+          }
+        }
+      }
+    },
+    responses: {
+      200: { description: "Traffic source DTO returned." },
+      400: { description: "Invalid Cloud Run connection request." },
+      404: { description: "Project not found." }
+    }
+  },
+  {
+    method: "post",
+    path: "/api/v1/projects/{name}/traffic/sources/{id}/sync",
+    summary: "Trigger a sync run for a traffic source",
+    description: "Pulls request logs from the configured Cloud Run service for the lookback window, classifies crawler / AI-referral hits, and upserts hourly buckets and a bounded sample tail.",
+    tags: ["traffic"],
+    parameters: [
+      nameParameter,
+      { name: "id", in: "path", required: true, description: "Traffic source ID.", schema: stringSchema }
+    ],
+    requestBody: {
+      required: false,
+      content: {
+        "application/json": {
+          schema: {
+            type: "object",
+            properties: {
+              sinceMinutes: { ...integerSchema, description: "Lookback window in minutes (default 60)." }
+            }
+          }
+        }
+      }
+    },
+    responses: {
+      200: { description: "Sync summary returned." },
+      400: { description: "Invalid sync request, missing credentials, or upstream pull error." },
+      404: { description: "Project or traffic source not found." }
+    }
   }
 ];
 var canonryLocalRouteCatalog = [
@@ -12235,6 +12304,17 @@ function formatSharePct(numerator, total) {
   if (rounded === 0) return "<1%";
   return `${rounded}%`;
 }
+function pickWinningDimension(rows, tupleKey) {
+  const winners = /* @__PURE__ */ new Map();
+  for (const row of rows) {
+    const key = tupleKey(row);
+    const existing = winners.get(key);
+    if (!existing || (row.sessions ?? 0) > (existing.sessions ?? 0)) {
+      winners.set(key, row);
+    }
+  }
+  return [...winners.values()].sort((a, b) => (b.sessions ?? 0) - (a.sessions ?? 0));
+}
 async function refreshOAuthTokenIfNeeded(googleStore, authConfig, canonicalDomain, oauthConn) {
   const expiresAt = oauthConn.tokenExpiresAt ? new Date(oauthConn.tokenExpiresAt).getTime() : 0;
   const fiveMinutes = 5 * 60 * 1e3;
@@ -12656,14 +12736,14 @@ async function ga4Routes(app, opts) {
       directSessions: sql5`COALESCE(SUM(${gaTrafficSnapshots.directSessions}), 0)`,
       users: sql5`SUM(${gaTrafficSnapshots.users})`
     }).from(gaTrafficSnapshots).where(and9(...snapshotConditions)).groupBy(sql5`COALESCE(${gaTrafficSnapshots.landingPageNormalized}, ${gaTrafficSnapshots.landingPage})`).orderBy(sql5`SUM(${gaTrafficSnapshots.sessions}) DESC`).limit(limit).all();
-    const aiReferrals = app.db.select({
+    const aiReferralRows = app.db.select({
       source: gaAiReferrals.source,
       medium: gaAiReferrals.medium,
       sourceDimension: gaAiReferrals.sourceDimension,
       sessions: sql5`SUM(${gaAiReferrals.sessions})`,
       users: sql5`SUM(${gaAiReferrals.users})`
-    }).from(gaAiReferrals).where(and9(...aiConditions)).groupBy(gaAiReferrals.source, gaAiReferrals.medium, gaAiReferrals.sourceDimension).orderBy(sql5`SUM(${gaAiReferrals.sessions}) DESC`).all();
-    const aiReferralLandingPages = app.db.select({
+    }).from(gaAiReferrals).where(and9(...aiConditions)).groupBy(gaAiReferrals.source, gaAiReferrals.medium, gaAiReferrals.sourceDimension).all();
+    const aiReferralLandingPageRows = app.db.select({
       source: gaAiReferrals.source,
       medium: gaAiReferrals.medium,
       sourceDimension: gaAiReferrals.sourceDimension,
@@ -12675,7 +12755,15 @@ async function ga4Routes(app, opts) {
       gaAiReferrals.medium,
       gaAiReferrals.sourceDimension,
       sql5`COALESCE(${gaAiReferrals.landingPageNormalized}, ${gaAiReferrals.landingPage})`
-    ).orderBy(sql5`SUM(${gaAiReferrals.sessions}) DESC`).all();
+    ).all();
+    const aiReferrals = pickWinningDimension(
+      aiReferralRows,
+      (r) => `${r.source}\0${r.medium}`
+    );
+    const aiReferralLandingPages = pickWinningDimension(
+      aiReferralLandingPageRows,
+      (r) => `${r.source}\0${r.medium}\0${r.landingPage}`
+    );
     const aiDeduped = app.db.select({
       sessions: sql5`COALESCE(SUM(max_sessions), 0)`,
       users: sql5`COALESCE(SUM(max_users), 0)`
@@ -14889,7 +14977,7 @@ async function queryBacklinks(opts) {
   const reversed = opts.targets.map(reverseDomain);
   const targetList = reversed.map(quote).join(", ");
   const limitClause = opts.limitPerTarget ? `QUALIFY row_number() OVER (PARTITION BY t.target_rev_domain ORDER BY v.num_hosts DESC) <= ${Math.floor(opts.limitPerTarget)}` : "";
-  const sql11 = `
+  const sql12 = `
     WITH vertices AS (
       SELECT * FROM read_csv(
         ${quote(opts.vertexPath)},
@@ -14925,7 +15013,7 @@ async function queryBacklinks(opts) {
   const conn = await instance.connect();
   let rows;
   try {
-    const reader = await conn.runAndReadAll(sql11);
+    const reader = await conn.runAndReadAll(sql12);
     rows = reader.getRowObjects();
   } finally {
     conn.disconnectSync?.();
@@ -15313,6 +15401,944 @@ async function backlinksRoutes(app, opts) {
   );
 }
 
+// ../api-routes/src/traffic.ts
+import crypto20 from "crypto";
+import { eq as eq23, sql as sql7 } from "drizzle-orm";
+
+// ../integration-cloud-run/src/auth.ts
+import crypto19 from "crypto";
+var GOOGLE_TOKEN_URL3 = "https://oauth2.googleapis.com/token";
+var CLOUD_LOGGING_READ_SCOPE = "https://www.googleapis.com/auth/logging.read";
+var TOKEN_REQUEST_TIMEOUT_MS = 3e4;
+var CloudRunAuthError = class extends Error {
+  constructor(message, httpStatus, body) {
+    super(message);
+    this.httpStatus = httpStatus;
+    this.body = body;
+    this.name = "CloudRunAuthError";
+  }
+};
+function createServiceAccountJwt2(clientEmail, privateKey, scope) {
+  if (!clientEmail) throw new CloudRunAuthError("clientEmail is required");
+  if (!privateKey) throw new CloudRunAuthError("privateKey is required");
+  if (!scope) throw new CloudRunAuthError("scope is required");
+  const now = Math.floor(Date.now() / 1e3);
+  const header = { alg: "RS256", typ: "JWT" };
+  const payload = {
+    iss: clientEmail,
+    scope,
+    aud: GOOGLE_TOKEN_URL3,
+    iat: now,
+    exp: now + 3600
+  };
+  const encode = (obj) => Buffer.from(JSON.stringify(obj)).toString("base64url");
+  const headerB64 = encode(header);
+  const payloadB64 = encode(payload);
+  const signingInput = `${headerB64}.${payloadB64}`;
+  const sign = crypto19.createSign("RSA-SHA256");
+  sign.update(signingInput);
+  const signature = sign.sign(privateKey, "base64url");
+  return `${signingInput}.${signature}`;
+}
+async function getCloudLoggingAccessToken(clientEmail, privateKey) {
+  const jwt = createServiceAccountJwt2(clientEmail, privateKey, CLOUD_LOGGING_READ_SCOPE);
+  const res = await fetch(GOOGLE_TOKEN_URL3, {
+    method: "POST",
+    headers: { "Content-Type": "application/x-www-form-urlencoded" },
+    body: new URLSearchParams({
+      grant_type: "urn:ietf:params:oauth:grant-type:jwt-bearer",
+      assertion: jwt
+    }),
+    signal: AbortSignal.timeout(TOKEN_REQUEST_TIMEOUT_MS)
+  });
+  if (!res.ok) {
+    const body = await res.text().catch(() => "");
+    throw new CloudRunAuthError(
+      `Service-account token exchange failed (HTTP ${res.status})`,
+      res.status,
+      body.slice(0, 500)
+    );
+  }
+  const data = await res.json();
+  if (!data.access_token) {
+    throw new CloudRunAuthError("Service-account token response missing access_token", res.status);
+  }
+  return data.access_token;
+}
+
+// ../integration-cloud-run/src/filter.ts
+function assertNonEmpty(name, value) {
+  if (!value.trim()) {
+    throw new Error(`${name} must be a non-empty string`);
+  }
+}
+function quoteLogFilterValue(value) {
+  return JSON.stringify(value);
+}
+function normalizeTimestamp(value) {
+  const date = value instanceof Date ? value : new Date(value);
+  if (Number.isNaN(date.getTime())) {
+    throw new Error(`Invalid timestamp: ${String(value)}`);
+  }
+  return date.toISOString();
+}
+function buildCloudRunLogFilter(options = {}) {
+  const clauses = ['resource.type="cloud_run_revision"'];
+  if (options.serviceName !== void 0) {
+    assertNonEmpty("serviceName", options.serviceName);
+    clauses.push(`resource.labels.service_name=${quoteLogFilterValue(options.serviceName)}`);
+  }
+  if (options.location !== void 0) {
+    assertNonEmpty("location", options.location);
+    clauses.push(`resource.labels.location=${quoteLogFilterValue(options.location)}`);
+  }
+  if (options.startTime !== void 0) {
+    clauses.push(`timestamp >= ${quoteLogFilterValue(normalizeTimestamp(options.startTime))}`);
+  }
+  if (options.endTime !== void 0) {
+    clauses.push(`timestamp < ${quoteLogFilterValue(normalizeTimestamp(options.endTime))}`);
+  }
+  const userAgentSubstrings = (options.userAgentSubstrings ?? []).map((pattern) => pattern.trim()).filter(Boolean);
+  if (userAgentSubstrings.length > 0) {
+    const uaClauses = userAgentSubstrings.map((pattern) => `httpRequest.userAgent:${quoteLogFilterValue(pattern)}`);
+    clauses.push(`(${uaClauses.join(" OR ")})`);
+  }
+  const requestUrlSubstrings = (options.requestUrlSubstrings ?? []).map((pattern) => pattern.trim()).filter(Boolean);
+  if (requestUrlSubstrings.length > 0) {
+    const urlClauses = requestUrlSubstrings.map((pattern) => `httpRequest.requestUrl:${quoteLogFilterValue(pattern)}`);
+    clauses.push(`(${urlClauses.join(" OR ")})`);
+  }
+  return clauses.join(" AND ");
+}
+
+// ../integration-cloud-run/src/normalize.ts
+function numberOrNull(value) {
+  if (value === void 0 || value === null) return null;
+  const parsed = typeof value === "number" ? value : Number(value);
+  return Number.isFinite(parsed) ? parsed : null;
+}
+function latencyToMs(value) {
+  if (!value) return null;
+  const secondsMatch = /^([0-9]+(?:\.[0-9]+)?)s$/.exec(value.trim());
+  if (!secondsMatch) return null;
+  const seconds = Number(secondsMatch[1]);
+  return Number.isFinite(seconds) ? Math.round(seconds * 1e6) / 1e3 : null;
+}
+function normalizeLabels(labels) {
+  if (!labels) return {};
+  return Object.fromEntries(
+    Object.entries(labels).filter((entry) => typeof entry[0] === "string" && typeof entry[1] === "string")
+  );
+}
+function parseRequestUrl(requestUrl) {
+  try {
+    const url = requestUrl.startsWith("/") ? new URL(requestUrl, "https://canonry.local") : new URL(requestUrl);
+    return {
+      host: url.hostname === "canonry.local" ? null : url.hostname,
+      path: url.pathname || "/",
+      queryString: url.search ? url.search.slice(1) : null
+    };
+  } catch {
+    return null;
+  }
+}
+function buildEventId(entry, observedAt, requestUrl) {
+  if (entry.insertId?.trim()) {
+    return `cloud-run:${observedAt}:${entry.insertId}`;
+  }
+  return `cloud-run:${observedAt}:${requestUrl}`;
+}
+function normalizeCloudRunLogEntry(entry) {
+  const request = entry.httpRequest;
+  if (!request?.requestUrl) return null;
+  const observedAt = entry.timestamp ?? entry.receiveTimestamp;
+  if (!observedAt) return null;
+  const urlParts = parseRequestUrl(request.requestUrl);
+  if (!urlParts) return null;
+  return {
+    sourceType: TrafficSourceTypes["cloud-run"],
+    evidenceKind: TrafficEvidenceKinds["raw-request"],
+    confidence: TrafficEventConfidences.observed,
+    eventId: buildEventId(entry, observedAt, request.requestUrl),
+    observedAt,
+    method: request.requestMethod ?? null,
+    requestUrl: request.requestUrl,
+    host: urlParts.host,
+    path: urlParts.path,
+    queryString: urlParts.queryString,
+    status: numberOrNull(request.status),
+    userAgent: request.userAgent ?? null,
+    remoteIp: request.remoteIp ?? null,
+    referer: request.referer ?? null,
+    latencyMs: latencyToMs(request.latency),
+    requestSizeBytes: numberOrNull(request.requestSize),
+    responseSizeBytes: numberOrNull(request.responseSize),
+    providerResource: {
+      type: entry.resource?.type ?? null,
+      labels: normalizeLabels(entry.resource?.labels)
+    },
+    providerLabels: normalizeLabels(entry.labels)
+  };
+}
+
+// ../integration-cloud-run/src/client.ts
+var CLOUD_LOGGING_ENTRIES_LIST_URL = "https://logging.googleapis.com/v2/entries:list";
+var DEFAULT_PAGE_SIZE = 1e3;
+var DEFAULT_MAX_PAGES = 1;
+var DEFAULT_TIMEOUT_MS = 3e4;
+var CloudRunLoggingApiError = class extends Error {
+  constructor(message, status, body) {
+    super(message);
+    this.status = status;
+    this.body = body;
+    this.name = "CloudRunLoggingApiError";
+  }
+};
+function validateAccessToken3(accessToken) {
+  if (!accessToken.trim()) {
+    throw new CloudRunLoggingApiError("Cloud Logging access token is required", 400);
+  }
+}
+function validateProjectId(gcpProjectId) {
+  if (!gcpProjectId.trim()) {
+    throw new CloudRunLoggingApiError("GCP project ID is required", 400);
+  }
+}
+function normalizePageSize(pageSize) {
+  if (pageSize === void 0) return DEFAULT_PAGE_SIZE;
+  if (!Number.isInteger(pageSize) || pageSize < 1) {
+    throw new CloudRunLoggingApiError("pageSize must be a positive integer", 400);
+  }
+  return pageSize;
+}
+function normalizeMaxPages(maxPages) {
+  if (maxPages === void 0) return DEFAULT_MAX_PAGES;
+  if (!Number.isInteger(maxPages) || maxPages < 1) {
+    throw new CloudRunLoggingApiError("maxPages must be a positive integer", 400);
+  }
+  return maxPages;
+}
+async function readErrorBody(response) {
+  const text = await response.text().catch(() => "");
+  if (!text) return void 0;
+  return text.length <= 500 ? text : `${text.slice(0, 500)}... [truncated]`;
+}
+async function listCloudRunTrafficEvents(accessToken, options) {
+  validateAccessToken3(accessToken);
+  validateProjectId(options.gcpProjectId);
+  const filter = buildCloudRunLogFilter(options);
+  const pageSize = normalizePageSize(options.pageSize);
+  const maxPages = normalizeMaxPages(options.maxPages);
+  const timeoutMs = options.timeoutMs ?? DEFAULT_TIMEOUT_MS;
+  let pageToken = options.pageToken;
+  let rawEntryCount = 0;
+  let skippedEntryCount = 0;
+  const events = [];
+  for (let page = 0; page < maxPages; page += 1) {
+    const requestBody = {
+      resourceNames: [`projects/${options.gcpProjectId}`],
+      filter,
+      orderBy: options.orderBy ?? "timestamp asc",
+      pageSize
+    };
+    if (pageToken) {
+      requestBody.pageToken = pageToken;
+    }
+    const response = await fetch(CLOUD_LOGGING_ENTRIES_LIST_URL, {
+      method: "POST",
+      headers: {
+        Authorization: `Bearer ${accessToken}`,
+        "Content-Type": "application/json"
+      },
+      body: JSON.stringify(requestBody),
+      signal: AbortSignal.timeout(timeoutMs)
+    });
+    if (!response.ok) {
+      const body2 = await readErrorBody(response);
+      throw new CloudRunLoggingApiError(
+        `Cloud Logging entries.list failed with HTTP ${response.status}`,
+        response.status,
+        body2
+      );
+    }
+    const body = await response.json();
+    const entries = body.entries ?? [];
+    rawEntryCount += entries.length;
+    for (const entry of entries) {
+      const event = normalizeCloudRunLogEntry(entry);
+      if (event) {
+        events.push(event);
+      } else {
+        skippedEntryCount += 1;
+      }
+    }
+    pageToken = body.nextPageToken;
+    if (!pageToken) break;
+  }
+  return {
+    events,
+    rawEntryCount,
+    skippedEntryCount,
+    nextPageToken: pageToken,
+    filter
+  };
+}
+
+// ../integration-traffic/src/rules.ts
+var DEFAULT_AI_CRAWLER_RULES = [
+  {
+    id: "openai-gptbot",
+    operator: "OpenAI",
+    product: "GPTBot",
+    purpose: "training",
+    userAgentPatterns: [/GPTBot\//i]
+  },
+  {
+    id: "openai-searchbot",
+    operator: "OpenAI",
+    product: "OAI-SearchBot",
+    purpose: "search",
+    userAgentPatterns: [/OAI-SearchBot\//i]
+  },
+  {
+    id: "openai-chatgpt-user",
+    operator: "OpenAI",
+    product: "ChatGPT-User",
+    purpose: "user-agent",
+    userAgentPatterns: [/ChatGPT-User\//i]
+  },
+  {
+    id: "anthropic-claudebot",
+    operator: "Anthropic",
+    product: "ClaudeBot",
+    purpose: "training",
+    userAgentPatterns: [/ClaudeBot\//i, /Claude-Web\//i, /anthropic-ai/i]
+  },
+  {
+    id: "perplexity-bot",
+    operator: "Perplexity",
+    product: "PerplexityBot",
+    purpose: "search",
+    userAgentPatterns: [/PerplexityBot\//i]
+  },
+  {
+    id: "google-extended",
+    operator: "Google",
+    product: "Google-Extended",
+    purpose: "training-control",
+    userAgentPatterns: [/Google-Extended/i]
+  },
+  {
+    id: "bytespider",
+    operator: "ByteDance",
+    product: "Bytespider",
+    purpose: "training",
+    userAgentPatterns: [/Bytespider/i]
+  },
+  {
+    id: "applebot-extended",
+    operator: "Apple",
+    product: "Applebot-Extended",
+    purpose: "training",
+    userAgentPatterns: [/Applebot-Extended/i]
+  },
+  {
+    id: "meta-externalagent",
+    operator: "Meta",
+    product: "meta-externalagent",
+    purpose: "training",
+    userAgentPatterns: [/meta-externalagent/i]
+  },
+  {
+    id: "ccbot",
+    operator: "Common Crawl",
+    product: "CCBot",
+    purpose: "crawl",
+    userAgentPatterns: [/CCBot\//i]
+  },
+  {
+    id: "cohere-ai",
+    operator: "Cohere",
+    product: "cohere-ai",
+    purpose: "training",
+    userAgentPatterns: [/cohere-ai/i]
+  },
+  {
+    id: "diffbot",
+    operator: "Diffbot",
+    product: "Diffbot",
+    purpose: "crawl",
+    userAgentPatterns: [/Diffbot/i]
+  },
+  {
+    id: "mistral-ai",
+    operator: "Mistral AI",
+    product: "MistralAI-User",
+    purpose: "crawl",
+    userAgentPatterns: [/MistralAI/i]
+  }
+];
+var DEFAULT_AI_REFERRER_RULES = [
+  { domain: "chatgpt.com", operator: "OpenAI", product: "ChatGPT" },
+  { domain: "chat.openai.com", operator: "OpenAI", product: "ChatGPT" },
+  { domain: "perplexity.ai", operator: "Perplexity", product: "Perplexity" },
+  { domain: "claude.ai", operator: "Anthropic", product: "Claude" },
+  { domain: "gemini.google.com", operator: "Google", product: "Gemini" },
+  { domain: "copilot.microsoft.com", operator: "Microsoft", product: "Copilot" },
+  { domain: "phind.com", operator: "Phind", product: "Phind" },
+  { domain: "you.com", operator: "You.com", product: "You.com" },
+  { domain: "meta.ai", operator: "Meta", product: "Meta AI" }
+];
+
+// ../integration-traffic/src/classifier.ts
+function normalizeHost(host) {
+  return host.trim().toLowerCase().replace(/^www\./, "");
+}
+function hostMatches(host, domain) {
+  const normalizedHost = normalizeHost(host);
+  const normalizedDomain = normalizeHost(domain);
+  return normalizedHost === normalizedDomain || normalizedHost.endsWith(`.${normalizedDomain}`);
+}
+function hostFromUrl(value) {
+  if (!value) return null;
+  try {
+    return normalizeHost(new URL(value).hostname);
+  } catch {
+    return null;
+  }
+}
+function utmSourceFromQuery(queryString) {
+  if (!queryString) return null;
+  const params = new URLSearchParams(queryString);
+  const source = params.get("utm_source");
+  return source ? normalizeHost(source) : null;
+}
+function classifyCrawler(event) {
+  const userAgent = event.userAgent?.trim();
+  if (!userAgent) return null;
+  for (const rule of DEFAULT_AI_CRAWLER_RULES) {
+    if (rule.userAgentPatterns.some((pattern) => pattern.test(userAgent))) {
+      return {
+        botId: rule.id,
+        operator: rule.operator,
+        product: rule.product,
+        purpose: rule.purpose,
+        verificationStatus: "claimed_unverified",
+        matchedUserAgent: userAgent
+      };
+    }
+  }
+  return null;
+}
+function classifyAiReferral(event) {
+  const refererHost = hostFromUrl(event.referer);
+  if (refererHost) {
+    const rule = DEFAULT_AI_REFERRER_RULES.find((candidate) => hostMatches(refererHost, candidate.domain));
+    if (rule) {
+      return {
+        operator: rule.operator,
+        product: rule.product,
+        sourceDomain: refererHost,
+        evidenceType: "referer"
+      };
+    }
+  }
+  const utmSource = utmSourceFromQuery(event.queryString);
+  if (utmSource) {
+    const rule = DEFAULT_AI_REFERRER_RULES.find((candidate) => hostMatches(utmSource, candidate.domain));
+    if (rule) {
+      return {
+        operator: rule.operator,
+        product: rule.product,
+        sourceDomain: utmSource,
+        evidenceType: "utm"
+      };
+    }
+  }
+  return null;
+}
+
+// ../integration-traffic/src/rollup.ts
+var DEFAULT_SAMPLE_LIMIT = 25;
+var UUID_SEGMENT = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;
+var LONG_HEX_SEGMENT = /^[0-9a-f]{16,}$/i;
+var NUMERIC_SEGMENT = /^\d+$/;
+function normalizeTrafficPathPattern(path15) {
+  const cleanPath = path15.trim() || "/";
+  const pathOnly = cleanPath.split("?")[0] || "/";
+  const segments = pathOnly.split("/").map((segment) => {
+    if (!segment) return segment;
+    if (UUID_SEGMENT.test(segment) || LONG_HEX_SEGMENT.test(segment) || NUMERIC_SEGMENT.test(segment)) {
+      return ":id";
+    }
+    return segment;
+  });
+  const normalized = segments.join("/");
+  return normalized.startsWith("/") ? normalized : `/${normalized}`;
+}
+function hourBucket(value) {
+  const date = new Date(value);
+  if (Number.isNaN(date.getTime())) return value;
+  date.setUTCMinutes(0, 0, 0);
+  return date.toISOString();
+}
+function sortCrawlerBuckets(a, b) {
+  return a.tsHour.localeCompare(b.tsHour) || a.botId.localeCompare(b.botId) || a.pathNormalized.localeCompare(b.pathNormalized) || String(a.status).localeCompare(String(b.status));
+}
+function sortReferralBuckets(a, b) {
+  return a.tsHour.localeCompare(b.tsHour) || a.product.localeCompare(b.product) || a.sourceDomain.localeCompare(b.sourceDomain) || a.landingPathNormalized.localeCompare(b.landingPathNormalized) || String(a.status).localeCompare(String(b.status));
+}
+function topEntries(map, limit) {
+  return [...map.values()].sort((a, b) => b.hits - a.hits || JSON.stringify(a.fields).localeCompare(JSON.stringify(b.fields))).slice(0, limit).map((entry) => ({ ...entry.fields, hits: entry.hits }));
+}
+function buildTrafficProbeReport(events, options = {}) {
+  const sampleLimit = options.sampleLimit ?? DEFAULT_SAMPLE_LIMIT;
+  const crawlerBuckets = /* @__PURE__ */ new Map();
+  const aiReferralBuckets = /* @__PURE__ */ new Map();
+  const topBots = /* @__PURE__ */ new Map();
+  const topCrawlerPaths = /* @__PURE__ */ new Map();
+  const topAiReferrers = /* @__PURE__ */ new Map();
+  const topAiReferralLandingPaths = /* @__PURE__ */ new Map();
+  let crawlerHits = 0;
+  let aiReferralHits = 0;
+  let unknownHits = 0;
+  const samples = [];
+  for (const event of events) {
+    const tsHour = hourBucket(event.observedAt);
+    const pathNormalized = normalizeTrafficPathPattern(event.path);
+    const crawler = classifyCrawler(event);
+    const aiReferral = classifyAiReferral(event);
+    if (crawler) {
+      crawlerHits += 1;
+      const key = [
+        tsHour,
+        crawler.botId,
+        crawler.verificationStatus,
+        pathNormalized,
+        event.status ?? "null"
+      ].join("	");
+      const existing = crawlerBuckets.get(key);
+      if (existing) {
+        existing.hits += 1;
+      } else {
+        crawlerBuckets.set(key, {
+          tsHour,
+          botId: crawler.botId,
+          operator: crawler.operator,
+          product: crawler.product,
+          verificationStatus: crawler.verificationStatus,
+          pathNormalized,
+          status: event.status,
+          hits: 1,
+          sampledUserAgent: event.userAgent
+        });
+      }
+      const botKey = `${crawler.botId}	${crawler.operator}`;
+      const botEntry = topBots.get(botKey);
+      if (botEntry) botEntry.hits += 1;
+      else topBots.set(botKey, { fields: { botId: crawler.botId, operator: crawler.operator }, hits: 1 });
+      incrementBucket(topCrawlerPaths, pathNormalized, { pathNormalized });
+    }
+    if (aiReferral) {
+      aiReferralHits += 1;
+      const key = [
+        tsHour,
+        aiReferral.product,
+        aiReferral.sourceDomain,
+        aiReferral.evidenceType,
+        pathNormalized,
+        event.status ?? "null"
+      ].join("	");
+      const existing = aiReferralBuckets.get(key);
+      if (existing) {
+        existing.hits += 1;
+      } else {
+        aiReferralBuckets.set(key, {
+          tsHour,
+          operator: aiReferral.operator,
+          product: aiReferral.product,
+          sourceDomain: aiReferral.sourceDomain,
+          evidenceType: aiReferral.evidenceType,
+          landingPathNormalized: pathNormalized,
+          status: event.status,
+          hits: 1
+        });
+      }
+      incrementBucket(topAiReferrers, aiReferral.sourceDomain, {
+        sourceDomain: aiReferral.sourceDomain,
+        product: aiReferral.product
+      });
+      incrementBucket(topAiReferralLandingPaths, pathNormalized, { landingPathNormalized: pathNormalized });
+    }
+    if (!crawler && !aiReferral) unknownHits += 1;
+    if (samples.length < sampleLimit) {
+      samples.push({
+        eventId: event.eventId,
+        observedAt: event.observedAt,
+        sourceType: event.sourceType,
+        path: event.path,
+        pathNormalized,
+        status: event.status,
+        userAgent: event.userAgent,
+        referer: event.referer,
+        crawler,
+        aiReferral
+      });
+    }
+  }
+  return {
+    generatedAt: options.generatedAt ?? (/* @__PURE__ */ new Date()).toISOString(),
+    totals: {
+      normalizedEvents: events.length,
+      crawlerHits,
+      aiReferralHits,
+      unknownHits
+    },
+    crawlerEventsHourly: [...crawlerBuckets.values()].sort(sortCrawlerBuckets),
+    aiReferralEventsHourly: [...aiReferralBuckets.values()].sort(sortReferralBuckets),
+    topBots: topEntries(topBots, 10),
+    topCrawlerPaths: topEntries(topCrawlerPaths, 10),
+    topAiReferrers: topEntries(topAiReferrers, 10),
+    topAiReferralLandingPaths: topEntries(topAiReferralLandingPaths, 10),
+    samples
+  };
+}
+function incrementBucket(map, key, fields) {
+  const existing = map.get(key);
+  if (existing) existing.hits += 1;
+  else map.set(key, { fields, hits: 1 });
+}
+
+// ../api-routes/src/traffic.ts
+var DEFAULT_SYNC_WINDOW_MINUTES = 60;
+var DEFAULT_PAGE_SIZE2 = 1e3;
+var DEFAULT_MAX_PAGES2 = 5;
+var DEFAULT_SAMPLE_LIMIT2 = 100;
+function parseSourceConfig(row) {
+  return parseJsonColumn(row.configJson, {});
+}
+function rowToDto(row) {
+  return {
+    id: row.id,
+    projectId: row.projectId,
+    sourceType: row.sourceType,
+    displayName: row.displayName,
+    status: row.status,
+    lastSyncedAt: row.lastSyncedAt ?? null,
+    lastCursor: row.lastCursor ?? null,
+    lastError: row.lastError ?? null,
+    archivedAt: row.archivedAt ?? null,
+    config: parseSourceConfig(row),
+    createdAt: row.createdAt,
+    updatedAt: row.updatedAt
+  };
+}
+async function defaultResolveAccessToken(record) {
+  if (record.authMode === TrafficSourceAuthModes["service-account"]) {
+    if (!record.clientEmail || !record.privateKey) {
+      throw validationError("Service-account credentials missing client_email or private_key");
+    }
+    return getCloudLoggingAccessToken(record.clientEmail, record.privateKey);
+  }
+  throw validationError(
+    "OAuth-mode Cloud Run sync is not yet supported in v1. Provide a service-account key file."
+  );
+}
+async function trafficRoutes(app, opts) {
+  const pullEvents = opts.pullCloudRunEvents ?? listCloudRunTrafficEvents;
+  const resolveAccessToken2 = opts.resolveCloudRunAccessToken ?? defaultResolveAccessToken;
+  const syncWindowMinutes = opts.defaultSyncWindowMinutes ?? DEFAULT_SYNC_WINDOW_MINUTES;
+  const pageSize = opts.defaultPageSize ?? DEFAULT_PAGE_SIZE2;
+  const maxPages = opts.defaultMaxPages ?? DEFAULT_MAX_PAGES2;
+  const sampleLimit = opts.defaultSampleLimit ?? DEFAULT_SAMPLE_LIMIT2;
+  app.post("/projects/:name/traffic/connect/cloud-run", async (request) => {
+    const project = resolveProject(app.db, request.params.name);
+    const body = request.body ?? {};
+    const { gcpProjectId, serviceName, location, displayName, keyJson } = body;
+    if (!gcpProjectId || typeof gcpProjectId !== "string") {
+      throw validationError("gcpProjectId is required");
+    }
+    if (!keyJson) {
+      throw validationError(
+        "keyJson is required for v1 (service-account JSON content). OAuth-mode Cloud Run is not yet supported."
+      );
+    }
+    if (!opts.cloudRunCredentialStore) {
+      throw validationError("Cloud Run credential storage is not configured for this deployment");
+    }
+    let parsed;
+    try {
+      parsed = JSON.parse(keyJson);
+    } catch {
+      throw validationError("Invalid JSON in keyJson");
+    }
+    if (!parsed.client_email || !parsed.private_key) {
+      throw validationError("Service-account JSON must contain client_email and private_key");
+    }
+    const now = (/* @__PURE__ */ new Date()).toISOString();
+    const existing = opts.cloudRunCredentialStore.getConnection(project.name);
+    opts.cloudRunCredentialStore.upsertConnection({
+      projectName: project.name,
+      gcpProjectId,
+      serviceName: serviceName ?? void 0,
+      location: location ?? void 0,
+      authMode: TrafficSourceAuthModes["service-account"],
+      clientEmail: parsed.client_email,
+      privateKey: parsed.private_key,
+      createdAt: existing?.createdAt ?? now,
+      updatedAt: now
+    });
+    const activeSource = app.db.select().from(trafficSources).where(eq23(trafficSources.projectId, project.id)).all().find((row) => row.sourceType === TrafficSourceTypes["cloud-run"] && row.status !== TrafficSourceStatuses.archived);
+    const config = {
+      gcpProjectId,
+      serviceName: serviceName ?? null,
+      location: location ?? null,
+      authMode: TrafficSourceAuthModes["service-account"]
+    };
+    const fallbackName = displayName ?? `Cloud Run \xB7 ${gcpProjectId}${serviceName ? ` / ${serviceName}` : ""}`;
+    let sourceRow;
+    if (activeSource) {
+      app.db.update(trafficSources).set({
+        displayName: fallbackName,
+        status: TrafficSourceStatuses.connected,
+        lastError: null,
+        configJson: JSON.stringify(config),
+        updatedAt: now
+      }).where(eq23(trafficSources.id, activeSource.id)).run();
+      sourceRow = app.db.select().from(trafficSources).where(eq23(trafficSources.id, activeSource.id)).get();
+    } else {
+      const newId = crypto20.randomUUID();
+      app.db.insert(trafficSources).values({
+        id: newId,
+        projectId: project.id,
+        sourceType: TrafficSourceTypes["cloud-run"],
+        displayName: fallbackName,
+        status: TrafficSourceStatuses.connected,
+        lastSyncedAt: null,
+        lastCursor: null,
+        lastError: null,
+        archivedAt: null,
+        configJson: JSON.stringify(config),
+        createdAt: now,
+        updatedAt: now
+      }).run();
+      sourceRow = app.db.select().from(trafficSources).where(eq23(trafficSources.id, newId)).get();
+    }
+    writeAuditLog(app.db, {
+      projectId: project.id,
+      actor: "api",
+      action: "traffic.cloud-run.connected",
+      entityType: "traffic_source",
+      entityId: sourceRow.id
+    });
+    return rowToDto(sourceRow);
+  });
+  app.post("/projects/:name/traffic/sources/:id/sync", async (request) => {
+    const project = resolveProject(app.db, request.params.name);
+    const sourceRow = app.db.select().from(trafficSources).where(eq23(trafficSources.id, request.params.id)).get();
+    if (!sourceRow || sourceRow.projectId !== project.id) {
+      throw notFound("Traffic source", request.params.id);
+    }
+    if (sourceRow.sourceType !== TrafficSourceTypes["cloud-run"]) {
+      throw validationError(
+        `Sync for source type "${sourceRow.sourceType}" is not implemented yet \u2014 only cloud-run is supported in v1.`
+      );
+    }
+    const credentialStore = opts.cloudRunCredentialStore;
+    if (!credentialStore) {
+      throw validationError("Cloud Run credential storage is not configured for this deployment");
+    }
+    const credential = credentialStore.getConnection(project.name);
+    if (!credential) {
+      throw validationError(
+        `No Cloud Run credential found for project "${project.name}". Run "canonry traffic connect cloud-run" first.`
+      );
+    }
+    const config = parseSourceConfig(sourceRow);
+    const gcpProjectId = config.gcpProjectId ?? credential.gcpProjectId;
+    const serviceName = config.serviceName ?? credential.serviceName ?? void 0;
+    const location = config.location ?? credential.location ?? void 0;
+    const requestedMinutes = request.body?.sinceMinutes;
+    const windowMinutes = Number.isFinite(requestedMinutes) && requestedMinutes && requestedMinutes > 0 ? Math.floor(requestedMinutes) : syncWindowMinutes;
+    const windowEnd = /* @__PURE__ */ new Date();
+    const requestedStartMs = windowEnd.getTime() - windowMinutes * 6e4;
+    const lastSyncedMs = sourceRow.lastSyncedAt ? new Date(sourceRow.lastSyncedAt).getTime() : Number.NEGATIVE_INFINITY;
+    const windowStart = new Date(
+      Math.min(windowEnd.getTime(), Math.max(requestedStartMs, lastSyncedMs))
+    );
+    const startedAt = windowEnd.toISOString();
+    const runId = crypto20.randomUUID();
+    app.db.insert(runs).values({
+      id: runId,
+      projectId: project.id,
+      kind: RunKinds["traffic-sync"],
+      status: RunStatuses.running,
+      trigger: RunTriggers.manual,
+      startedAt,
+      createdAt: startedAt
+    }).run();
+    let accessToken;
+    try {
+      accessToken = await resolveAccessToken2(credential);
+    } catch (e) {
+      const msg = e instanceof Error ? e.message : String(e);
+      app.db.update(runs).set({ status: RunStatuses.failed, error: msg, finishedAt: (/* @__PURE__ */ new Date()).toISOString() }).where(eq23(runs.id, runId)).run();
+      app.db.update(trafficSources).set({ status: TrafficSourceStatuses.error, lastError: msg, updatedAt: (/* @__PURE__ */ new Date()).toISOString() }).where(eq23(trafficSources.id, sourceRow.id)).run();
+      throw validationError(`Failed to resolve Cloud Run access token: ${msg}`);
+    }
+    let allEvents = [];
+    try {
+      const page = await pullEvents(accessToken, {
+        gcpProjectId,
+        serviceName,
+        location,
+        startTime: windowStart.toISOString(),
+        endTime: windowEnd.toISOString(),
+        pageSize,
+        maxPages
+      });
+      allEvents = page.events;
+    } catch (e) {
+      const msg = e instanceof Error ? e.message : String(e);
+      app.db.update(runs).set({ status: RunStatuses.failed, error: msg, finishedAt: (/* @__PURE__ */ new Date()).toISOString() }).where(eq23(runs.id, runId)).run();
+      app.db.update(trafficSources).set({ status: TrafficSourceStatuses.error, lastError: msg, updatedAt: (/* @__PURE__ */ new Date()).toISOString() }).where(eq23(trafficSources.id, sourceRow.id)).run();
+      throw validationError(`Cloud Run pull failed: ${msg}`);
+    }
+    const report = buildTrafficProbeReport(allEvents, { sampleLimit });
+    const finishedAt = (/* @__PURE__ */ new Date()).toISOString();
+    let crawlerBucketRows = 0;
+    let aiReferralBucketRows = 0;
+    let sampleRows = 0;
+    app.db.transaction((tx) => {
+      for (const bucket of report.crawlerEventsHourly) {
+        const status = bucket.status ?? 0;
+        tx.insert(crawlerEventsHourly).values({
+          projectId: project.id,
+          sourceId: sourceRow.id,
+          tsHour: bucket.tsHour,
+          botId: bucket.botId,
+          operator: bucket.operator,
+          verificationStatus: bucket.verificationStatus,
+          pathNormalized: bucket.pathNormalized,
+          status,
+          hits: bucket.hits,
+          sampledUserAgent: bucket.sampledUserAgent,
+          createdAt: finishedAt,
+          updatedAt: finishedAt
+        }).onConflictDoUpdate({
+          target: [
+            crawlerEventsHourly.projectId,
+            crawlerEventsHourly.sourceId,
+            crawlerEventsHourly.tsHour,
+            crawlerEventsHourly.botId,
+            crawlerEventsHourly.verificationStatus,
+            crawlerEventsHourly.pathNormalized,
+            crawlerEventsHourly.status
+          ],
+          set: {
+            hits: sql7`${crawlerEventsHourly.hits} + ${bucket.hits}`,
+            sampledUserAgent: bucket.sampledUserAgent,
+            updatedAt: finishedAt
+          }
+        }).run();
+        crawlerBucketRows += 1;
+      }
+      for (const bucket of report.aiReferralEventsHourly) {
+        const status = bucket.status ?? 0;
+        tx.insert(aiReferralEventsHourly).values({
+          projectId: project.id,
+          sourceId: sourceRow.id,
+          tsHour: bucket.tsHour,
+          product: bucket.product,
+          operator: bucket.operator,
+          sourceDomain: bucket.sourceDomain,
+          evidenceType: bucket.evidenceType,
+          landingPathNormalized: bucket.landingPathNormalized,
+          status,
+          sessionsOrHits: bucket.hits,
+          usersEstimated: null,
+          createdAt: finishedAt,
+          updatedAt: finishedAt
+        }).onConflictDoUpdate({
+          target: [
+            aiReferralEventsHourly.projectId,
+            aiReferralEventsHourly.sourceId,
+            aiReferralEventsHourly.tsHour,
+            aiReferralEventsHourly.product,
+            aiReferralEventsHourly.sourceDomain,
+            aiReferralEventsHourly.evidenceType,
+            aiReferralEventsHourly.landingPathNormalized,
+            aiReferralEventsHourly.status
+          ],
+          set: {
+            sessionsOrHits: sql7`${aiReferralEventsHourly.sessionsOrHits} + ${bucket.hits}`,
+            updatedAt: finishedAt
+          }
+        }).run();
+        aiReferralBucketRows += 1;
+      }
+      for (const sample of report.samples) {
+        const eventType = sample.crawler ? "crawler" : sample.aiReferral ? "ai_referral" : "unknown";
+        const refererHost = (() => {
+          if (!sample.referer) return null;
+          try {
+            return new URL(sample.referer).hostname;
+          } catch {
+            return null;
+          }
+        })();
+        tx.insert(rawEventSamples).values({
+          id: crypto20.randomUUID(),
+          projectId: project.id,
+          sourceId: sourceRow.id,
+          ts: sample.observedAt,
+          eventType,
+          ipHash: null,
+          userAgent: sample.userAgent,
+          pathNormalized: sample.pathNormalized,
+          status: sample.status,
+          refererHost,
+          classifierDetailsJson: JSON.stringify({
+            crawler: sample.crawler,
+            aiReferral: sample.aiReferral
+          }),
+          createdAt: finishedAt
+        }).run();
+        sampleRows += 1;
+      }
+      tx.update(trafficSources).set({
+        status: TrafficSourceStatuses.connected,
+        lastSyncedAt: finishedAt,
+        lastError: null,
+        updatedAt: finishedAt
+      }).where(eq23(trafficSources.id, sourceRow.id)).run();
+      tx.update(runs).set({ status: RunStatuses.completed, finishedAt }).where(eq23(runs.id, runId)).run();
+    });
+    writeAuditLog(app.db, {
+      projectId: project.id,
+      actor: "api",
+      action: "traffic.cloud-run.synced",
+      entityType: "traffic_source",
+      entityId: sourceRow.id
+    });
+    const response = {
+      sourceId: sourceRow.id,
+      runId,
+      syncedAt: finishedAt,
+      pulledEvents: report.totals.normalizedEvents,
+      crawlerHits: report.totals.crawlerHits,
+      aiReferralHits: report.totals.aiReferralHits,
+      unknownHits: report.totals.unknownHits,
+      crawlerBucketRows,
+      aiReferralBucketRows,
+      sampleRows,
+      windowStart: windowStart.toISOString(),
+      windowEnd: windowEnd.toISOString()
+    };
+    return response;
+  });
+}
+
 // ../api-routes/src/doctor/checks/bing-auth.ts
 var BING_AUTH_CHECKS = [
   {
@@ -16164,6 +17190,11 @@ async function apiRoutes(app, opts) {
       googleConnectionStore: opts.googleConnectionStore,
       getGoogleAuthConfig: opts.getGoogleAuthConfig
     });
+    await api.register(trafficRoutes, {
+      cloudRunCredentialStore: opts.cloudRunCredentialStore,
+      pullCloudRunEvents: opts.pullCloudRunEvents,
+      resolveCloudRunAccessToken: opts.resolveCloudRunAccessToken
+    });
     await api.register(backlinksRoutes, {
       getBacklinksStatus: opts.getBacklinksStatus,
       onInstallBacklinks: opts.onInstallBacklinks,
@@ -18589,8 +19620,40 @@ function removeGa4Connection(config, projectName) {
   return true;
 }
 
-// src/wordpress-config.ts
+// src/cloud-run-config.ts
 function ensureConnections3(config) {
+  if (!config.cloudRun) config.cloudRun = {};
+  if (!config.cloudRun.connections) config.cloudRun.connections = [];
+  return config.cloudRun.connections;
+}
+function getCloudRunConnection(config, projectName) {
+  return (config.cloudRun?.connections ?? []).find((c) => c.projectName === projectName);
+}
+function upsertCloudRunConnection(config, connection) {
+  const connections = ensureConnections3(config);
+  const index = connections.findIndex((c) => c.projectName === connection.projectName);
+  if (index === -1) {
+    connections.push(connection);
+    return connection;
+  }
+  connections[index] = connection;
+  return connection;
+}
+function removeCloudRunConnection(config, projectName) {
+  const connections = config.cloudRun?.connections;
+  if (!connections?.length) return false;
+  const next = connections.filter((c) => c.projectName !== projectName);
+  if (next.length === connections.length) return false;
+  if (!config.cloudRun) return false;
+  config.cloudRun.connections = next;
+  if (next.length === 0) {
+    delete config.cloudRun;
+  }
+  return true;
+}
+
+// src/wordpress-config.ts
+function ensureConnections4(config) {
   if (!config.wordpress) config.wordpress = {};
   if (!config.wordpress.connections) config.wordpress.connections = [];
   return config.wordpress.connections;
@@ -18607,7 +19670,7 @@ function getWordpressConnection(config, projectName) {
   return (config.wordpress?.connections ?? []).find((connection) => connection.projectName === projectName);
 }
 function upsertWordpressConnection(config, connection) {
-  const connections = ensureConnections3(config);
+  const connections = ensureConnections4(config);
   const normalized = normalizeConnection(connection);
   const index = connections.findIndex((entry) => entry.projectName === connection.projectName);
   if (index === -1) {
@@ -18641,11 +19704,11 @@ function removeWordpressConnection(config, projectName) {
 }
 
 // src/job-runner.ts
-import crypto19 from "crypto";
+import crypto21 from "crypto";
 import fs7 from "fs";
 import path9 from "path";
 import os4 from "os";
-import { and as and12, eq as eq23, inArray as inArray7, sql as sql7 } from "drizzle-orm";
+import { and as and12, eq as eq24, inArray as inArray7, sql as sql8 } from "drizzle-orm";
 
 // src/citation-utils.ts
 function domainMatches(domain, canonicalDomain) {
@@ -18906,7 +19969,7 @@ var JobRunner = class {
     if (stale.length === 0) return;
     const now = (/* @__PURE__ */ new Date()).toISOString();
     for (const run of stale) {
-      this.db.update(runs).set({ status: "failed", finishedAt: now, error: "Server restarted while run was in progress" }).where(eq23(runs.id, run.id)).run();
+      this.db.update(runs).set({ status: "failed", finishedAt: now, error: "Server restarted while run was in progress" }).where(eq24(runs.id, run.id)).run();
       log.warn("run.recovered-stale", { runId: run.id, previousStatus: run.status });
     }
   }
@@ -18934,10 +19997,10 @@ var JobRunner = class {
         throw new Error(`Run ${runId} is not executable from status '${existingRun.status}'`);
       }
       if (existingRun.status === "queued") {
-        this.db.update(runs).set({ status: "running", startedAt: now }).where(and12(eq23(runs.id, runId), eq23(runs.status, "queued"))).run();
+        this.db.update(runs).set({ status: "running", startedAt: now }).where(and12(eq24(runs.id, runId), eq24(runs.status, "queued"))).run();
       }
       this.throwIfRunCancelled(runId);
-      const project = this.db.select().from(projects).where(eq23(projects.id, projectId)).get();
+      const project = this.db.select().from(projects).where(eq24(projects.id, projectId)).get();
       if (!project) {
         throw new Error(`Project ${projectId} not found`);
       }
@@ -18957,8 +20020,8 @@ var JobRunner = class {
         throw new Error("No providers configured. Add at least one provider API key.");
       }
       log.info("run.dispatch", { runId, providerCount: activeProviders.length, providers: activeProviders.map((p) => p.adapter.name) });
-      projectQueries = this.db.select().from(queries).where(eq23(queries.projectId, projectId)).all();
-      const projectCompetitors = this.db.select().from(competitors).where(eq23(competitors.projectId, projectId)).all();
+      projectQueries = this.db.select().from(queries).where(eq24(queries.projectId, projectId)).all();
+      const projectCompetitors = this.db.select().from(competitors).where(eq24(competitors.projectId, projectId)).all();
       const competitorDomains = projectCompetitors.map((c) => c.domain);
       const allDomains = effectiveDomains({
         canonicalDomain: project.canonicalDomain,
@@ -18974,7 +20037,7 @@ var JobRunner = class {
       const todayPeriod = getCurrentUsageDay();
       for (const p of activeProviders) {
         const providerScope = `${projectId}:${p.adapter.name}`;
-        const providerUsage = this.db.select().from(usageCounters).where(eq23(usageCounters.scope, providerScope)).all().filter((r) => r.period === todayPeriod && r.metric === "queries").reduce((sum, r) => sum + r.count, 0);
+        const providerUsage = this.db.select().from(usageCounters).where(eq24(usageCounters.scope, providerScope)).all().filter((r) => r.period === todayPeriod && r.metric === "queries").reduce((sum, r) => sum + r.count, 0);
         const limit = p.config.quotaPolicy.maxRequestsPerDay;
         if (providerUsage + queriesPerProvider > limit) {
           throw new Error(
@@ -19034,7 +20097,7 @@ var JobRunner = class {
             );
             let screenshotRelPath = null;
             if (raw.screenshotPath && fs7.existsSync(raw.screenshotPath)) {
-              const snapshotId = crypto19.randomUUID();
+              const snapshotId = crypto21.randomUUID();
               const screenshotDir = path9.join(os4.homedir(), ".canonry", "screenshots", runId);
               if (!fs7.existsSync(screenshotDir)) fs7.mkdirSync(screenshotDir, { recursive: true });
               const destPath = path9.join(screenshotDir, `${snapshotId}.png`);
@@ -19064,7 +20127,7 @@ var JobRunner = class {
               }).run();
             } else {
               this.db.insert(querySnapshots).values({
-                id: crypto19.randomUUID(),
+                id: crypto21.randomUUID(),
                 runId,
                 queryId: q.id,
                 provider: providerName,
@@ -19115,12 +20178,12 @@ var JobRunner = class {
       const someFailed = providerErrors.size > 0;
       if (allFailed) {
         const errorDetail = serializeRunError(buildRunErrorFromMessages(providerErrors));
-        this.db.update(runs).set({ status: "failed", finishedAt: (/* @__PURE__ */ new Date()).toISOString(), error: errorDetail }).where(eq23(runs.id, runId)).run();
+        this.db.update(runs).set({ status: "failed", finishedAt: (/* @__PURE__ */ new Date()).toISOString(), error: errorDetail }).where(eq24(runs.id, runId)).run();
       } else if (someFailed) {
         const errorDetail = serializeRunError(buildRunErrorFromMessages(providerErrors));
-        this.db.update(runs).set({ status: "partial", finishedAt: (/* @__PURE__ */ new Date()).toISOString(), error: errorDetail }).where(eq23(runs.id, runId)).run();
+        this.db.update(runs).set({ status: "partial", finishedAt: (/* @__PURE__ */ new Date()).toISOString(), error: errorDetail }).where(eq24(runs.id, runId)).run();
       } else {
-        this.db.update(runs).set({ status: "completed", finishedAt: (/* @__PURE__ */ new Date()).toISOString() }).where(eq23(runs.id, runId)).run();
+        this.db.update(runs).set({ status: "completed", finishedAt: (/* @__PURE__ */ new Date()).toISOString() }).where(eq24(runs.id, runId)).run();
       }
       this.flushProviderUsage(projectId, providerDispatchCounts);
       const finalStatus = allFailed ? "failed" : someFailed ? "partial" : "completed";
@@ -19155,7 +20218,7 @@ var JobRunner = class {
         status: "failed",
         finishedAt: (/* @__PURE__ */ new Date()).toISOString(),
         error: errorMessage
-      }).where(eq23(runs.id, runId)).run();
+      }).where(eq24(runs.id, runId)).run();
       this.flushProviderUsage(projectId, providerDispatchCounts);
       trackEvent("run.completed", {
         status: "failed",
@@ -19176,7 +20239,7 @@ var JobRunner = class {
     const now = (/* @__PURE__ */ new Date()).toISOString();
     const period = now.slice(0, 10);
     this.db.insert(usageCounters).values({
-      id: crypto19.randomUUID(),
+      id: crypto21.randomUUID(),
       scope,
       period,
       metric,
@@ -19184,7 +20247,7 @@ var JobRunner = class {
       updatedAt: now
     }).onConflictDoUpdate({
       target: [usageCounters.scope, usageCounters.period, usageCounters.metric],
-      set: { count: sql7`${usageCounters.count} + ${count}`, updatedAt: now }
+      set: { count: sql8`${usageCounters.count} + ${count}`, updatedAt: now }
     }).run();
   }
   flushProviderUsage(projectId, providerDispatchCounts) {
@@ -19198,7 +20261,7 @@ var JobRunner = class {
       status: runs.status,
       finishedAt: runs.finishedAt,
       error: runs.error
-    }).from(runs).where(eq23(runs.id, runId)).get();
+    }).from(runs).where(eq24(runs.id, runId)).get();
   }
   isRunCancelled(runId) {
     return this.getRunState(runId)?.status === "cancelled";
@@ -19214,7 +20277,7 @@ var JobRunner = class {
       this.db.update(runs).set({
         finishedAt: (/* @__PURE__ */ new Date()).toISOString(),
         error: currentRun.error ?? "Cancelled by user"
-      }).where(eq23(runs.id, runId)).run();
+      }).where(eq24(runs.id, runId)).run();
     }
     trackEvent("run.completed", {
       status: "cancelled",
@@ -19236,8 +20299,8 @@ function getCurrentUsageDay() {
 }
 
 // src/gsc-sync.ts
-import crypto20 from "crypto";
-import { eq as eq24, and as and13, sql as sql8 } from "drizzle-orm";
+import crypto22 from "crypto";
+import { eq as eq25, and as and13, sql as sql9 } from "drizzle-orm";
 var log2 = createLogger("GscSync");
 function formatDate3(d) {
   return d.toISOString().split("T")[0];
@@ -19249,13 +20312,13 @@ function daysAgo(n) {
 }
 async function executeGscSync(db, runId, projectId, opts) {
   const now = (/* @__PURE__ */ new Date()).toISOString();
-  db.update(runs).set({ status: "running", startedAt: now }).where(eq24(runs.id, runId)).run();
+  db.update(runs).set({ status: "running", startedAt: now }).where(eq25(runs.id, runId)).run();
   try {
     const { clientId: googleClientId, clientSecret: googleClientSecret } = getGoogleAuthConfig(opts.config);
     if (!googleClientId || !googleClientSecret) {
       throw new Error("Google OAuth is not configured in the local Canonry config");
     }
-    const project = db.select().from(projects).where(eq24(projects.id, projectId)).get();
+    const project = db.select().from(projects).where(eq25(projects.id, projectId)).get();
     if (!project) {
       throw new Error(`Project not found: ${projectId}`);
     }
@@ -19290,9 +20353,9 @@ async function executeGscSync(db, runId, projectId, opts) {
     log2.info("fetch.complete", { runId, projectId, rowCount: rows.length });
     db.delete(gscSearchData).where(
       and13(
-        eq24(gscSearchData.projectId, projectId),
-        sql8`${gscSearchData.date} >= ${startDate}`,
-        sql8`${gscSearchData.date} <= ${endDate}`
+        eq25(gscSearchData.projectId, projectId),
+        sql9`${gscSearchData.date} >= ${startDate}`,
+        sql9`${gscSearchData.date} <= ${endDate}`
       )
     ).run();
     const batchSize = 500;
@@ -19302,7 +20365,7 @@ async function executeGscSync(db, runId, projectId, opts) {
       for (const row of batch) {
         const [query, page, country, device, date] = row.keys;
         db.insert(gscSearchData).values({
-          id: crypto20.randomUUID(),
+          id: crypto22.randomUUID(),
           projectId,
           syncRunId: runId,
           date: date ?? "",
@@ -19336,7 +20399,7 @@ async function executeGscSync(db, runId, projectId, opts) {
         const rich = ir.richResultsResult;
         const inspectedAt = (/* @__PURE__ */ new Date()).toISOString();
         db.insert(gscUrlInspections).values({
-          id: crypto20.randomUUID(),
+          id: crypto22.randomUUID(),
           projectId,
           syncRunId: runId,
           url: pageUrl,
@@ -19357,7 +20420,7 @@ async function executeGscSync(db, runId, projectId, opts) {
         log2.error("inspect.url-failed", { runId, projectId, url: pageUrl, error: err instanceof Error ? err.message : String(err) });
       }
     }
-    const allInspections = db.select().from(gscUrlInspections).where(eq24(gscUrlInspections.projectId, projectId)).all();
+    const allInspections = db.select().from(gscUrlInspections).where(eq25(gscUrlInspections.projectId, projectId)).all();
     const latestByUrl = /* @__PURE__ */ new Map();
     for (const row of allInspections) {
       const existing = latestByUrl.get(row.url);
@@ -19378,9 +20441,9 @@ async function executeGscSync(db, runId, projectId, opts) {
       }
     }
     const snapshotDate = formatDate3(/* @__PURE__ */ new Date());
-    db.delete(gscCoverageSnapshots).where(and13(eq24(gscCoverageSnapshots.projectId, projectId), eq24(gscCoverageSnapshots.date, snapshotDate))).run();
+    db.delete(gscCoverageSnapshots).where(and13(eq25(gscCoverageSnapshots.projectId, projectId), eq25(gscCoverageSnapshots.date, snapshotDate))).run();
     db.insert(gscCoverageSnapshots).values({
-      id: crypto20.randomUUID(),
+      id: crypto22.randomUUID(),
       projectId,
       syncRunId: runId,
       date: snapshotDate,
@@ -19389,19 +20452,19 @@ async function executeGscSync(db, runId, projectId, opts) {
       reasonBreakdown: JSON.stringify(reasonCounts),
       createdAt: (/* @__PURE__ */ new Date()).toISOString()
     }).run();
-    db.update(runs).set({ status: "completed", finishedAt: (/* @__PURE__ */ new Date()).toISOString() }).where(eq24(runs.id, runId)).run();
+    db.update(runs).set({ status: "completed", finishedAt: (/* @__PURE__ */ new Date()).toISOString() }).where(eq25(runs.id, runId)).run();
     log2.info("sync.completed", { runId, projectId, searchDataRows: rows.length, urlInspections: topPages.length, indexed: snapIndexed, notIndexed: snapNotIndexed });
   } catch (err) {
     const errorMsg = err instanceof Error ? err.message : String(err);
-    db.update(runs).set({ status: "failed", error: errorMsg, finishedAt: (/* @__PURE__ */ new Date()).toISOString() }).where(eq24(runs.id, runId)).run();
+    db.update(runs).set({ status: "failed", error: errorMsg, finishedAt: (/* @__PURE__ */ new Date()).toISOString() }).where(eq25(runs.id, runId)).run();
     log2.error("sync.failed", { runId, projectId, error: errorMsg });
     throw err;
   }
 }
 
 // src/gsc-inspect-sitemap.ts
-import crypto21 from "crypto";
-import { eq as eq25, and as and14 } from "drizzle-orm";
+import crypto23 from "crypto";
+import { eq as eq26, and as and14 } from "drizzle-orm";
 
 // src/sitemap-parser.ts
 var log3 = createLogger("SitemapParser");
@@ -19522,13 +20585,13 @@ async function parseSitemapRecursive(url, urls, visited, depth, isChild) {
 var log4 = createLogger("InspectSitemap");
 async function executeInspectSitemap(db, runId, projectId, opts) {
   const now = (/* @__PURE__ */ new Date()).toISOString();
-  db.update(runs).set({ status: "running", startedAt: now }).where(eq25(runs.id, runId)).run();
+  db.update(runs).set({ status: "running", startedAt: now }).where(eq26(runs.id, runId)).run();
   try {
     const { clientId: googleClientId, clientSecret: googleClientSecret } = getGoogleAuthConfig(opts.config);
     if (!googleClientId || !googleClientSecret) {
       throw new Error("Google OAuth is not configured in the local Canonry config");
     }
-    const project = db.select().from(projects).where(eq25(projects.id, projectId)).get();
+    const project = db.select().from(projects).where(eq26(projects.id, projectId)).get();
     if (!project) {
       throw new Error(`Project not found: ${projectId}`);
     }
@@ -19569,7 +20632,7 @@ async function executeInspectSitemap(db, runId, projectId, opts) {
         const rich = ir.richResultsResult;
         const inspectedAt = (/* @__PURE__ */ new Date()).toISOString();
         db.insert(gscUrlInspections).values({
-          id: crypto21.randomUUID(),
+          id: crypto23.randomUUID(),
           projectId,
           syncRunId: runId,
           url: pageUrl,
@@ -19596,7 +20659,7 @@ async function executeInspectSitemap(db, runId, projectId, opts) {
         await new Promise((r) => setTimeout(r, 1e3));
       }
     }
-    const allInspections = db.select().from(gscUrlInspections).where(eq25(gscUrlInspections.projectId, projectId)).all();
+    const allInspections = db.select().from(gscUrlInspections).where(eq26(gscUrlInspections.projectId, projectId)).all();
     const latestByUrl = /* @__PURE__ */ new Map();
     for (const row of allInspections) {
       const existing = latestByUrl.get(row.url);
@@ -19617,9 +20680,9 @@ async function executeInspectSitemap(db, runId, projectId, opts) {
       }
     }
     const snapshotDate = (/* @__PURE__ */ new Date()).toISOString().split("T")[0];
-    db.delete(gscCoverageSnapshots).where(and14(eq25(gscCoverageSnapshots.projectId, projectId), eq25(gscCoverageSnapshots.date, snapshotDate))).run();
+    db.delete(gscCoverageSnapshots).where(and14(eq26(gscCoverageSnapshots.projectId, projectId), eq26(gscCoverageSnapshots.date, snapshotDate))).run();
     db.insert(gscCoverageSnapshots).values({
-      id: crypto21.randomUUID(),
+      id: crypto23.randomUUID(),
       projectId,
       syncRunId: runId,
       date: snapshotDate,
@@ -19629,19 +20692,19 @@ async function executeInspectSitemap(db, runId, projectId, opts) {
       createdAt: (/* @__PURE__ */ new Date()).toISOString()
     }).run();
     const status = errors > 0 && inspected > 0 ? "partial" : errors === urls.length ? "failed" : "completed";
-    db.update(runs).set({ status, finishedAt: (/* @__PURE__ */ new Date()).toISOString() }).where(eq25(runs.id, runId)).run();
+    db.update(runs).set({ status, finishedAt: (/* @__PURE__ */ new Date()).toISOString() }).where(eq26(runs.id, runId)).run();
     log4.info("inspect.completed", { runId, projectId, inspected, errors, total: urls.length, indexed: snapIndexed, notIndexed: snapNotIndexed });
   } catch (err) {
     const errorMsg = err instanceof Error ? err.message : String(err);
-    db.update(runs).set({ status: "failed", error: errorMsg, finishedAt: (/* @__PURE__ */ new Date()).toISOString() }).where(eq25(runs.id, runId)).run();
+    db.update(runs).set({ status: "failed", error: errorMsg, finishedAt: (/* @__PURE__ */ new Date()).toISOString() }).where(eq26(runs.id, runId)).run();
     log4.error("inspect.failed", { runId, projectId, error: errorMsg });
     throw err;
   }
 }
 
 // src/bing-inspect-sitemap.ts
-import crypto22 from "crypto";
-import { eq as eq26, desc as desc12 } from "drizzle-orm";
+import crypto24 from "crypto";
+import { eq as eq27, desc as desc12 } from "drizzle-orm";
 var log5 = createLogger("BingInspectSitemap");
 function parseBingDate2(value) {
   if (!value) return null;
@@ -19659,9 +20722,9 @@ function isBlockingIssueType2(issueType) {
 }
 async function executeBingInspectSitemap(db, runId, projectId, opts) {
   const startedAt = (/* @__PURE__ */ new Date()).toISOString();
-  db.update(runs).set({ status: RunStatuses.running, startedAt }).where(eq26(runs.id, runId)).run();
+  db.update(runs).set({ status: RunStatuses.running, startedAt }).where(eq27(runs.id, runId)).run();
   try {
-    const project = db.select().from(projects).where(eq26(projects.id, projectId)).get();
+    const project = db.select().from(projects).where(eq27(projects.id, projectId)).get();
     if (!project) {
       throw new Error(`Project not found: ${projectId}`);
     }
@@ -19679,7 +20742,7 @@ async function executeBingInspectSitemap(db, runId, projectId, opts) {
     if (sitemapUrls.length === 0) {
       throw new Error("No URLs found in sitemap");
     }
-    const trackedRows = db.select({ url: bingUrlInspections.url }).from(bingUrlInspections).where(eq26(bingUrlInspections.projectId, projectId)).all();
+    const trackedRows = db.select({ url: bingUrlInspections.url }).from(bingUrlInspections).where(eq27(bingUrlInspections.projectId, projectId)).all();
     const trackedUrls = new Set(trackedRows.map((r) => r.url));
     const discovered = sitemapUrls.filter((u) => !trackedUrls.has(u));
     log5.info("sitemap.diff", {
@@ -19728,7 +20791,7 @@ async function executeBingInspectSitemap(db, runId, projectId, opts) {
           derivedInIndex = false;
         }
         db.insert(bingUrlInspections).values({
-          id: crypto22.randomUUID(),
+          id: crypto24.randomUUID(),
           projectId,
           url: pageUrl,
           httpCode,
@@ -19762,7 +20825,7 @@ async function executeBingInspectSitemap(db, runId, projectId, opts) {
         await new Promise((r) => setTimeout(r, 1e3));
       }
     }
-    const allInspections = db.select().from(bingUrlInspections).where(eq26(bingUrlInspections.projectId, projectId)).orderBy(desc12(bingUrlInspections.inspectedAt)).all();
+    const allInspections = db.select().from(bingUrlInspections).where(eq27(bingUrlInspections.projectId, projectId)).orderBy(desc12(bingUrlInspections.inspectedAt)).all();
     const latestByUrl = /* @__PURE__ */ new Map();
     const definitiveByUrl = /* @__PURE__ */ new Map();
     for (const row of allInspections) {
@@ -19786,7 +20849,7 @@ async function executeBingInspectSitemap(db, runId, projectId, opts) {
     const snapshotDate = (/* @__PURE__ */ new Date()).toISOString().split("T")[0];
     const snapNow = (/* @__PURE__ */ new Date()).toISOString();
     db.insert(bingCoverageSnapshots).values({
-      id: crypto22.randomUUID(),
+      id: crypto24.randomUUID(),
       projectId,
       syncRunId: runId,
       date: snapshotDate,
@@ -19805,7 +20868,7 @@ async function executeBingInspectSitemap(db, runId, projectId, opts) {
       }
     }).run();
     const status = errors === sitemapUrls.length ? RunStatuses.failed : errors > 0 ? RunStatuses.partial : RunStatuses.completed;
-    db.update(runs).set({ status, finishedAt: (/* @__PURE__ */ new Date()).toISOString() }).where(eq26(runs.id, runId)).run();
+    db.update(runs).set({ status, finishedAt: (/* @__PURE__ */ new Date()).toISOString() }).where(eq27(runs.id, runId)).run();
     log5.info("inspect.completed", {
       runId,
       projectId,
@@ -19819,16 +20882,16 @@ async function executeBingInspectSitemap(db, runId, projectId, opts) {
     });
   } catch (err) {
     const errorMsg = err instanceof Error ? err.message : String(err);
-    db.update(runs).set({ status: RunStatuses.failed, error: errorMsg, finishedAt: (/* @__PURE__ */ new Date()).toISOString() }).where(eq26(runs.id, runId)).run();
+    db.update(runs).set({ status: RunStatuses.failed, error: errorMsg, finishedAt: (/* @__PURE__ */ new Date()).toISOString() }).where(eq27(runs.id, runId)).run();
     log5.error("inspect.failed", { runId, projectId, error: errorMsg });
     throw err;
   }
 }
 
 // src/commoncrawl-sync.ts
-import crypto23 from "crypto";
+import crypto25 from "crypto";
 import path10 from "path";
-import { and as and15, eq as eq27, sql as sql9 } from "drizzle-orm";
+import { and as and15, eq as eq28, sql as sql10 } from "drizzle-orm";
 var log6 = createLogger("CommonCrawlSync");
 var INSERT_CHUNK_SIZE = 1e4;
 function defaultDeps() {
@@ -19854,7 +20917,7 @@ async function executeReleaseSync(db, syncId, opts) {
       phaseDetail: "downloading vertices + edges",
       updatedAt: downloadStartedAt,
       error: null
-    }).where(eq27(ccReleaseSyncs.id, syncId)).run();
+    }).where(eq28(ccReleaseSyncs.id, syncId)).run();
     const paths = ccReleasePaths(release);
     const releaseCacheDir = path10.join(deps.cacheDir, release);
     const vertexPath = path10.join(releaseCacheDir, paths.vertexFilename);
@@ -19877,7 +20940,7 @@ async function executeReleaseSync(db, syncId, opts) {
       vertexSha256: vertex.sha256,
       edgesSha256: edges.sha256,
       updatedAt: downloadFinishedAt
-    }).where(eq27(ccReleaseSyncs.id, syncId)).run();
+    }).where(eq28(ccReleaseSyncs.id, syncId)).run();
     const allProjects = db.select().from(projects).all();
     const targets = Array.from(new Set(allProjects.map((p) => p.canonicalDomain)));
     let rows = [];
@@ -19893,15 +20956,15 @@ async function executeReleaseSync(db, syncId, opts) {
     }
     const queriedAt = deps.now().toISOString();
     db.transaction((tx) => {
-      tx.delete(backlinkDomains).where(eq27(backlinkDomains.releaseSyncId, syncId)).run();
-      tx.delete(backlinkSummaries).where(eq27(backlinkSummaries.releaseSyncId, syncId)).run();
+      tx.delete(backlinkDomains).where(eq28(backlinkDomains.releaseSyncId, syncId)).run();
+      tx.delete(backlinkSummaries).where(eq28(backlinkSummaries.releaseSyncId, syncId)).run();
       const expanded = [];
       for (const r of rows) {
         const projectIds = projectsByDomain.get(r.targetDomain);
         if (!projectIds) continue;
         for (const projectId of projectIds) {
           expanded.push({
-            id: crypto23.randomUUID(),
+            id: crypto25.randomUUID(),
             projectId,
             releaseSyncId: syncId,
             release,
@@ -19921,7 +20984,7 @@ async function executeReleaseSync(db, syncId, opts) {
         const projectRows = rowsByProject.get(p.id) ?? [];
         const summary = computeSummary(projectRows);
         tx.insert(backlinkSummaries).values({
-          id: crypto23.randomUUID(),
+          id: crypto25.randomUUID(),
           projectId: p.id,
           releaseSyncId: syncId,
           release,
@@ -19953,7 +21016,7 @@ async function executeReleaseSync(db, syncId, opts) {
       domainsDiscovered: rows.length,
       updatedAt: finishedAt,
       error: null
-    }).where(eq27(ccReleaseSyncs.id, syncId)).run();
+    }).where(eq28(ccReleaseSyncs.id, syncId)).run();
     log6.info("sync.completed", {
       syncId,
       release,
@@ -19983,7 +21046,7 @@ async function executeReleaseSync(db, syncId, opts) {
       error: errorMsg,
       phaseDetail: null,
       updatedAt: finishedAt
-    }).where(eq27(ccReleaseSyncs.id, syncId)).run();
+    }).where(eq28(ccReleaseSyncs.id, syncId)).run();
     log6.error("sync.failed", { syncId, release, error: errorMsg });
     throw err;
   }
@@ -20017,9 +21080,9 @@ function computeSummary(rows) {
 }
 
 // src/backlink-extract.ts
-import crypto24 from "crypto";
+import crypto26 from "crypto";
 import fs8 from "fs";
-import { and as and16, desc as desc13, eq as eq28 } from "drizzle-orm";
+import { and as and16, desc as desc13, eq as eq29 } from "drizzle-orm";
 var log7 = createLogger("BacklinkExtract");
 function defaultDeps2() {
   return {
@@ -20031,13 +21094,13 @@ function defaultDeps2() {
 async function executeBacklinkExtract(db, runId, projectId, opts = {}) {
   const deps = { ...defaultDeps2(), ...opts.deps };
   const startedAt = deps.now().toISOString();
-  db.update(runs).set({ status: RunStatuses.running, startedAt }).where(eq28(runs.id, runId)).run();
+  db.update(runs).set({ status: RunStatuses.running, startedAt }).where(eq29(runs.id, runId)).run();
   try {
-    const project = db.select().from(projects).where(eq28(projects.id, projectId)).get();
+    const project = db.select().from(projects).where(eq29(projects.id, projectId)).get();
     if (!project) {
       throw new Error(`Project not found: ${projectId}`);
     }
-    const sync = opts.release ? db.select().from(ccReleaseSyncs).where(eq28(ccReleaseSyncs.release, opts.release)).get() : db.select().from(ccReleaseSyncs).where(eq28(ccReleaseSyncs.status, CcReleaseSyncStatuses.ready)).orderBy(desc13(ccReleaseSyncs.createdAt)).limit(1).get();
+    const sync = opts.release ? db.select().from(ccReleaseSyncs).where(eq29(ccReleaseSyncs.release, opts.release)).get() : db.select().from(ccReleaseSyncs).where(eq29(ccReleaseSyncs.status, CcReleaseSyncStatuses.ready)).orderBy(desc13(ccReleaseSyncs.createdAt)).limit(1).get();
     if (!sync) {
       throw new Error("No ready release sync available \u2014 run `canonry backlinks sync` first");
     }
@@ -20065,11 +21128,11 @@ async function executeBacklinkExtract(db, runId, projectId, opts = {}) {
     const targetDomain = project.canonicalDomain;
     db.transaction((tx) => {
       tx.delete(backlinkDomains).where(
-        and16(eq28(backlinkDomains.projectId, projectId), eq28(backlinkDomains.release, release))
+        and16(eq29(backlinkDomains.projectId, projectId), eq29(backlinkDomains.release, release))
       ).run();
       if (rows.length > 0) {
         const values = rows.map((r) => ({
-          id: crypto24.randomUUID(),
+          id: crypto26.randomUUID(),
           projectId,
           releaseSyncId: syncId,
           release,
@@ -20082,7 +21145,7 @@ async function executeBacklinkExtract(db, runId, projectId, opts = {}) {
       }
       const summary = computeSummary2(rows);
       tx.insert(backlinkSummaries).values({
-        id: crypto24.randomUUID(),
+        id: crypto26.randomUUID(),
         projectId,
         releaseSyncId: syncId,
         release,
@@ -20105,7 +21168,7 @@ async function executeBacklinkExtract(db, runId, projectId, opts = {}) {
       }).run();
     });
     const finishedAt = deps.now().toISOString();
-    db.update(runs).set({ status: RunStatuses.completed, finishedAt }).where(eq28(runs.id, runId)).run();
+    db.update(runs).set({ status: RunStatuses.completed, finishedAt }).where(eq29(runs.id, runId)).run();
     log7.info("extract.completed", { runId, projectId, release, rows: rows.length });
   } catch (err) {
     const errorMsg = err instanceof Error ? err.message : String(err);
@@ -20114,7 +21177,7 @@ async function executeBacklinkExtract(db, runId, projectId, opts = {}) {
       status: RunStatuses.failed,
       error: errorMsg,
       finishedAt
-    }).where(eq28(runs.id, runId)).run();
+    }).where(eq29(runs.id, runId)).run();
     log7.error("extract.failed", { runId, projectId, error: errorMsg });
     throw err;
   }
@@ -20187,7 +21250,7 @@ var ProviderRegistry = class {
 
 // src/scheduler.ts
 import cron from "node-cron";
-import { eq as eq29 } from "drizzle-orm";
+import { eq as eq30 } from "drizzle-orm";
 var log8 = createLogger("Scheduler");
 var Scheduler = class {
   db;
@@ -20199,7 +21262,7 @@ var Scheduler = class {
   }
   /** Load all enabled schedules from DB and register cron jobs. */
   start() {
-    const allSchedules = this.db.select().from(schedules).where(eq29(schedules.enabled, 1)).all();
+    const allSchedules = this.db.select().from(schedules).where(eq30(schedules.enabled, 1)).all();
     for (const schedule of allSchedules) {
       const missedRunAt = schedule.nextRunAt;
       this.registerCronTask(schedule);
@@ -20224,7 +21287,7 @@ var Scheduler = class {
       this.stopTask(projectId, existing, "Stopped");
       this.tasks.delete(projectId);
     }
-    const schedule = this.db.select().from(schedules).where(eq29(schedules.projectId, projectId)).get();
+    const schedule = this.db.select().from(schedules).where(eq30(schedules.projectId, projectId)).get();
     if (schedule && schedule.enabled === 1) {
       this.registerCronTask(schedule);
     }
@@ -20257,14 +21320,14 @@ var Scheduler = class {
     this.db.update(schedules).set({
       nextRunAt: task.getNextRun()?.toISOString() ?? null,
       updatedAt: (/* @__PURE__ */ new Date()).toISOString()
-    }).where(eq29(schedules.id, scheduleId)).run();
+    }).where(eq30(schedules.id, scheduleId)).run();
     const label = schedule.preset ?? cronExpr;
     log8.info("cron.registered", { projectId, schedule: label, timezone });
   }
   triggerRun(scheduleId, projectId) {
     try {
       const now = (/* @__PURE__ */ new Date()).toISOString();
-      const currentSchedule = this.db.select().from(schedules).where(eq29(schedules.id, scheduleId)).get();
+      const currentSchedule = this.db.select().from(schedules).where(eq30(schedules.id, scheduleId)).get();
       if (!currentSchedule || currentSchedule.enabled !== 1) {
         log8.warn("schedule.stale", { scheduleId, projectId, msg: "schedule no longer exists or is disabled" });
         this.remove(projectId);
@@ -20272,7 +21335,7 @@ var Scheduler = class {
       }
       const task = this.tasks.get(projectId);
       const nextRunAt = task?.getNextRun()?.toISOString() ?? null;
-      const project = this.db.select().from(projects).where(eq29(projects.id, projectId)).get();
+      const project = this.db.select().from(projects).where(eq30(projects.id, projectId)).get();
       if (!project) {
         log8.error("project.not-found", { projectId, msg: "skipping scheduled run" });
         this.remove(projectId);
@@ -20301,7 +21364,7 @@ var Scheduler = class {
         this.db.update(schedules).set({
           nextRunAt,
           updatedAt: now
-        }).where(eq29(schedules.id, currentSchedule.id)).run();
+        }).where(eq30(schedules.id, currentSchedule.id)).run();
         return;
       }
       const runId = queueResult.runId;
@@ -20309,7 +21372,7 @@ var Scheduler = class {
         lastRunAt: now,
         nextRunAt,
         updatedAt: now
-      }).where(eq29(schedules.id, currentSchedule.id)).run();
+      }).where(eq30(schedules.id, currentSchedule.id)).run();
       const scheduleProviders = parseJsonColumn(currentSchedule.providers, []);
       const providers = scheduleProviders.length > 0 ? scheduleProviders : void 0;
       log8.info("run.triggered", { runId, projectName: project.name, providers: providers ?? "all" });
@@ -20321,8 +21384,8 @@ var Scheduler = class {
 };
 
 // src/notifier.ts
-import { eq as eq30, desc as desc14, and as and17, or as or4 } from "drizzle-orm";
-import crypto25 from "crypto";
+import { eq as eq31, desc as desc14, and as and17, or as or4 } from "drizzle-orm";
+import crypto27 from "crypto";
 var log9 = createLogger("Notifier");
 var Notifier = class {
   db;
@@ -20334,18 +21397,18 @@ var Notifier = class {
   /** Called after a run completes (success, partial, or failed). */
   async onRunCompleted(runId, projectId) {
     log9.info("run.completed", { runId, projectId });
-    const notifs = this.db.select().from(notifications).where(eq30(notifications.projectId, projectId)).all().filter((n) => n.enabled === 1);
+    const notifs = this.db.select().from(notifications).where(eq31(notifications.projectId, projectId)).all().filter((n) => n.enabled === 1);
     if (notifs.length === 0) {
       log9.info("notifications.none-enabled", { projectId });
       return;
     }
     log9.info("notifications.found", { projectId, count: notifs.length });
-    const run = this.db.select().from(runs).where(eq30(runs.id, runId)).get();
+    const run = this.db.select().from(runs).where(eq31(runs.id, runId)).get();
     if (!run) {
       log9.error("run.not-found", { runId, msg: "skipping notification dispatch" });
       return;
     }
-    const project = this.db.select().from(projects).where(eq30(projects.id, projectId)).get();
+    const project = this.db.select().from(projects).where(eq31(projects.id, projectId)).get();
     if (!project) {
       log9.error("project.not-found", { projectId, msg: "skipping notification dispatch" });
       return;
@@ -20392,11 +21455,11 @@ var Notifier = class {
     if (criticalInsights.length > 0) insightEvents.push("insight.critical");
     if (highInsights.length > 0) insightEvents.push("insight.high");
     if (insightEvents.length === 0) return;
-    const notifs = this.db.select().from(notifications).where(eq30(notifications.projectId, projectId)).all().filter((n) => n.enabled === 1);
+    const notifs = this.db.select().from(notifications).where(eq31(notifications.projectId, projectId)).all().filter((n) => n.enabled === 1);
     if (notifs.length === 0) return;
-    const run = this.db.select().from(runs).where(eq30(runs.id, runId)).get();
+    const run = this.db.select().from(runs).where(eq31(runs.id, runId)).get();
     if (!run) return;
-    const project = this.db.select().from(projects).where(eq30(projects.id, projectId)).get();
+    const project = this.db.select().from(projects).where(eq31(projects.id, projectId)).get();
     if (!project) return;
     for (const notif of notifs) {
       const config = parseJsonColumn(notif.config, { url: "", events: [] });
@@ -20428,8 +21491,8 @@ var Notifier = class {
   computeTransitions(runId, projectId) {
     const recentRuns = this.db.select().from(runs).where(
       and17(
-        eq30(runs.projectId, projectId),
-        or4(eq30(runs.status, "completed"), eq30(runs.status, "partial"))
+        eq31(runs.projectId, projectId),
+        or4(eq31(runs.status, "completed"), eq31(runs.status, "partial"))
       )
     ).orderBy(desc14(runs.createdAt)).limit(2).all();
     if (recentRuns.length < 2) return [];
@@ -20441,12 +21504,12 @@ var Notifier = class {
       query: queries.query,
       provider: querySnapshots.provider,
       citationState: querySnapshots.citationState
-    }).from(querySnapshots).leftJoin(queries, eq30(querySnapshots.queryId, queries.id)).where(eq30(querySnapshots.runId, currentRunId)).all();
+    }).from(querySnapshots).leftJoin(queries, eq31(querySnapshots.queryId, queries.id)).where(eq31(querySnapshots.runId, currentRunId)).all();
     const previousSnapshots = this.db.select({
       queryId: querySnapshots.queryId,
       provider: querySnapshots.provider,
       citationState: querySnapshots.citationState
-    }).from(querySnapshots).where(eq30(querySnapshots.runId, previousRunId)).all();
+    }).from(querySnapshots).where(eq31(querySnapshots.runId, previousRunId)).all();
     const prevMap = /* @__PURE__ */ new Map();
     for (const s of previousSnapshots) {
       prevMap.set(`${s.queryId}:${s.provider}`, s.citationState);
@@ -20504,7 +21567,7 @@ var Notifier = class {
   }
   logDelivery(projectId, notificationId, event, status, error) {
     this.db.insert(auditLog).values({
-      id: crypto25.randomUUID(),
+      id: crypto27.randomUUID(),
       projectId,
       actor: "scheduler",
       action: `notification.${status}`,
@@ -20562,8 +21625,8 @@ var RunCoordinator = class {
 };
 
 // src/agent/session-registry.ts
-import crypto27 from "crypto";
-import { eq as eq32 } from "drizzle-orm";
+import crypto29 from "crypto";
+import { eq as eq33 } from "drizzle-orm";
 
 // src/agent/session.ts
 import fs11 from "fs";
@@ -20912,11 +21975,11 @@ function resolveSessionProviderAndModel(config, opts) {
 }
 
 // src/agent/memory-store.ts
-import crypto26 from "crypto";
-import { and as and18, desc as desc15, eq as eq31, like as like2, sql as sql10 } from "drizzle-orm";
+import crypto28 from "crypto";
+import { and as and18, desc as desc15, eq as eq32, like as like2, sql as sql11 } from "drizzle-orm";
 var COMPACTION_KEY_PREFIX = "compaction:";
 var COMPACTION_NOTES_PER_SESSION = 3;
-function rowToDto(row) {
+function rowToDto2(row) {
   return {
     id: row.id,
     key: row.key,
@@ -20927,9 +21990,9 @@ function rowToDto(row) {
   };
 }
 function listMemoryEntries(db, projectId, opts = {}) {
-  const query = db.select().from(agentMemory).where(eq31(agentMemory.projectId, projectId)).orderBy(desc15(agentMemory.updatedAt));
+  const query = db.select().from(agentMemory).where(eq32(agentMemory.projectId, projectId)).orderBy(desc15(agentMemory.updatedAt));
   const rows = opts.limit === void 0 ? query.all() : query.limit(opts.limit).all();
-  return rows.map(rowToDto);
+  return rows.map(rowToDto2);
 }
 function upsertMemoryEntry(db, args) {
   if (Buffer.byteLength(args.value, "utf8") > AGENT_MEMORY_VALUE_MAX_BYTES) {
@@ -20941,7 +22004,7 @@ function upsertMemoryEntry(db, args) {
     throw new Error(`memory key prefix "${COMPACTION_KEY_PREFIX}" is reserved for compaction notes`);
   }
   const now = (/* @__PURE__ */ new Date()).toISOString();
-  const id = crypto26.randomUUID();
+  const id = crypto28.randomUUID();
   db.insert(agentMemory).values({
     id,
     projectId: args.projectId,
@@ -20958,12 +22021,12 @@ function upsertMemoryEntry(db, args) {
       updatedAt: now
     }
   }).run();
-  const row = db.select().from(agentMemory).where(and18(eq31(agentMemory.projectId, args.projectId), eq31(agentMemory.key, args.key))).get();
+  const row = db.select().from(agentMemory).where(and18(eq32(agentMemory.projectId, args.projectId), eq32(agentMemory.key, args.key))).get();
   if (!row) throw new Error("memory upsert produced no row");
-  return rowToDto(row);
+  return rowToDto2(row);
 }
 function deleteMemoryEntry(db, projectId, key) {
-  const result = db.delete(agentMemory).where(and18(eq31(agentMemory.projectId, projectId), eq31(agentMemory.key, key))).run();
+  const result = db.delete(agentMemory).where(and18(eq32(agentMemory.projectId, projectId), eq32(agentMemory.key, key))).run();
   const changes = result.changes ?? 0;
   return changes > 0;
 }
@@ -20978,7 +22041,7 @@ function writeCompactionNote(db, args) {
   }
   const now = (/* @__PURE__ */ new Date()).toISOString();
   const key = `${COMPACTION_KEY_PREFIX}${args.sessionId}:${now}`;
-  const id = crypto26.randomUUID();
+  const id = crypto28.randomUUID();
   let inserted;
   db.transaction((tx) => {
     tx.insert(agentMemory).values({
@@ -20993,16 +22056,16 @@ function writeCompactionNote(db, args) {
     const sessionPrefix = `${COMPACTION_KEY_PREFIX}${args.sessionId}:`;
     const existing = tx.select({ id: agentMemory.id, updatedAt: agentMemory.updatedAt }).from(agentMemory).where(
       and18(
-        eq31(agentMemory.projectId, args.projectId),
+        eq32(agentMemory.projectId, args.projectId),
         like2(agentMemory.key, `${sessionPrefix}%`)
       )
     ).orderBy(desc15(agentMemory.updatedAt)).all();
     const stale = existing.slice(COMPACTION_NOTES_PER_SESSION).map((r) => r.id);
     if (stale.length > 0) {
-      tx.delete(agentMemory).where(sql10`${agentMemory.id} IN (${sql10.join(stale.map((s) => sql10`${s}`), sql10`, `)})`).run();
+      tx.delete(agentMemory).where(sql11`${agentMemory.id} IN (${sql11.join(stale.map((s) => sql11`${s}`), sql11`, `)})`).run();
     }
-    const row = tx.select().from(agentMemory).where(and18(eq31(agentMemory.projectId, args.projectId), eq31(agentMemory.key, key))).get();
-    if (row) inserted = rowToDto(row);
+    const row = tx.select().from(agentMemory).where(and18(eq32(agentMemory.projectId, args.projectId), eq32(agentMemory.key, key))).get();
+    if (row) inserted = rowToDto2(row);
   });
   if (!inserted) throw new Error("compaction note write produced no row");
   return inserted;
@@ -21183,7 +22246,7 @@ var SessionRegistry = class {
           modelProvider: effectiveProvider,
           modelId: effectiveModelId,
           updatedAt: (/* @__PURE__ */ new Date()).toISOString()
-        }).where(eq32(agentSessions.projectId, projectId)).run();
+        }).where(eq33(agentSessions.projectId, projectId)).run();
       }
       const agent2 = createAeroSession({
         projectName,
@@ -21397,7 +22460,7 @@ ${lines.join("\n")}
       modelProvider: nextProvider,
       modelId: nextModelId,
       updatedAt: (/* @__PURE__ */ new Date()).toISOString()
-    }).where(eq32(agentSessions.projectId, projectId)).run();
+    }).where(eq33(agentSessions.projectId, projectId)).run();
   }
   /** Persist a session's transcript back to the DB. Call after any run settles. */
   save(projectName) {
@@ -21559,17 +22622,17 @@ ${lines.join("\n")}
     return id;
   }
   tryResolveProjectId(projectName) {
-    const row = this.opts.db.select({ id: projects.id }).from(projects).where(eq32(projects.name, projectName)).get();
+    const row = this.opts.db.select({ id: projects.id }).from(projects).where(eq33(projects.name, projectName)).get();
     return row?.id;
   }
   loadRow(projectId) {
-    const row = this.opts.db.select().from(agentSessions).where(eq32(agentSessions.projectId, projectId)).get();
+    const row = this.opts.db.select().from(agentSessions).where(eq33(agentSessions.projectId, projectId)).get();
     return row ?? null;
   }
   insertRow(params) {
     const now = (/* @__PURE__ */ new Date()).toISOString();
     this.opts.db.insert(agentSessions).values({
-      id: crypto27.randomUUID(),
+      id: crypto29.randomUUID(),
       projectId: params.projectId,
       systemPrompt: params.systemPrompt,
       modelProvider: params.provider ?? params.modelProvider ?? AgentProviderIds.claude,
@@ -21582,14 +22645,14 @@ ${lines.join("\n")}
   }
   updateRow(projectId, patch) {
     const now = (/* @__PURE__ */ new Date()).toISOString();
-    this.opts.db.update(agentSessions).set({ ...patch, updatedAt: now }).where(eq32(agentSessions.projectId, projectId)).run();
+    this.opts.db.update(agentSessions).set({ ...patch, updatedAt: now }).where(eq33(agentSessions.projectId, projectId)).run();
   }
 };
 
 // src/agent/agent-routes.ts
-import { eq as eq33 } from "drizzle-orm";
+import { eq as eq34 } from "drizzle-orm";
 function resolveProject2(db, name) {
-  const row = db.select({ id: projects.id, name: projects.name }).from(projects).where(eq33(projects.name, name)).get();
+  const row = db.select({ id: projects.id, name: projects.name }).from(projects).where(eq34(projects.name, name)).get();
   if (!row) throw notFound("project", name);
   return row;
 }
@@ -21598,7 +22661,7 @@ function registerAgentRoutes(app, opts) {
     "/projects/:name/agent/transcript",
     async (request) => {
       const project = resolveProject2(opts.db, request.params.name);
-      const row = opts.db.select().from(agentSessions).where(eq33(agentSessions.projectId, project.id)).get();
+      const row = opts.db.select().from(agentSessions).where(eq34(agentSessions.projectId, project.id)).get();
       if (!row) {
         return { messages: [], modelProvider: null, modelId: null, updatedAt: null };
       }
@@ -21622,7 +22685,7 @@ function registerAgentRoutes(app, opts) {
     async (request) => {
       const project = resolveProject2(opts.db, request.params.name);
       opts.sessionRegistry.reset(project.name);
-      opts.db.update(agentSessions).set({ messages: "[]", followUpQueue: "[]", updatedAt: (/* @__PURE__ */ new Date()).toISOString() }).where(eq33(agentSessions.projectId, project.id)).run();
+      opts.db.update(agentSessions).set({ messages: "[]", followUpQueue: "[]", updatedAt: (/* @__PURE__ */ new Date()).toISOString() }).where(eq34(agentSessions.projectId, project.id)).run();
       return { status: "reset" };
     }
   );
@@ -22486,7 +23549,7 @@ function summarizeProviderConfig(provider, config) {
   };
 }
 function hashApiKey(key) {
-  return crypto28.createHash("sha256").update(key).digest("hex");
+  return crypto30.createHash("sha256").update(key).digest("hex");
 }
 function parseCookies2(header) {
   if (!header) return {};
@@ -22644,7 +23707,7 @@ async function createServer(opts) {
     intelligenceService,
     (runId, projectId, result) => notifier.dispatchInsightWebhooks(runId, projectId, result),
     async ({ runId, projectId, insightCount, criticalOrHigh }) => {
-      const project = opts.db.select({ name: projects.name }).from(projects).where(eq34(projects.id, projectId)).get();
+      const project = opts.db.select({ name: projects.name }).from(projects).where(eq35(projects.id, projectId)).get();
       if (!project) return;
       sessionRegistry.queueFollowUp(project.name, {
         role: "user",
@@ -22738,7 +23801,22 @@ async function createServer(opts) {
       return removed;
     }
   };
-  const googleStateSecret = process.env.GOOGLE_STATE_SECRET ?? crypto28.randomBytes(32).toString("hex");
+  const cloudRunCredentialStore = {
+    getConnection: (projectName) => {
+      return getCloudRunConnection(opts.config, projectName);
+    },
+    upsertConnection: (record) => {
+      const updated = upsertCloudRunConnection(opts.config, record);
+      saveConfigPatch(opts.config);
+      return updated;
+    },
+    deleteConnection: (projectName) => {
+      const removed = removeCloudRunConnection(opts.config, projectName);
+      if (removed) saveConfigPatch(opts.config);
+      return removed;
+    }
+  };
+  const googleStateSecret = process.env.GOOGLE_STATE_SECRET ?? crypto30.randomBytes(32).toString("hex");
   const googleConnectionStore = {
     listConnections: (domain) => listGoogleConnections(opts.config, domain),
     getConnection: (domain, connectionType) => getGoogleConnection(opts.config, domain, connectionType),
@@ -22784,11 +23862,11 @@ async function createServer(opts) {
   const apiPrefix = basePath ? `${basePath}api/v1` : "/api/v1";
   if (opts.config.apiKey) {
     const keyHash = hashApiKey(opts.config.apiKey);
-    const existing = opts.db.select().from(apiKeys).where(eq34(apiKeys.keyHash, keyHash)).get();
+    const existing = opts.db.select().from(apiKeys).where(eq35(apiKeys.keyHash, keyHash)).get();
     if (!existing) {
       const prefix = opts.config.apiKey.slice(0, 12);
       opts.db.insert(apiKeys).values({
-        id: `key_${crypto28.randomBytes(8).toString("hex")}`,
+        id: `key_${crypto30.randomBytes(8).toString("hex")}`,
         name: "default",
         keyHash,
         keyPrefix: prefix,
@@ -22812,7 +23890,7 @@ async function createServer(opts) {
   };
   const createSession = (apiKeyId) => {
     pruneExpiredSessions();
-    const sessionId = crypto28.randomBytes(32).toString("hex");
+    const sessionId = crypto30.randomBytes(32).toString("hex");
     sessions.set(sessionId, {
       apiKeyId,
       expiresAt: Date.now() + SESSION_TTL_MS
@@ -22836,7 +23914,7 @@ async function createServer(opts) {
   };
   const getDefaultApiKey = () => {
     if (!opts.config.apiKey) return void 0;
-    return opts.db.select().from(apiKeys).where(eq34(apiKeys.keyHash, hashApiKey(opts.config.apiKey))).get();
+    return opts.db.select().from(apiKeys).where(eq35(apiKeys.keyHash, hashApiKey(opts.config.apiKey))).get();
   };
   const createPasswordSession = (reply) => {
     const key = getDefaultApiKey();
@@ -22893,12 +23971,12 @@ async function createServer(opts) {
       return reply.send({ authenticated: true });
     }
     if (apiKey) {
-      const key = opts.db.select().from(apiKeys).where(eq34(apiKeys.keyHash, hashApiKey(apiKey))).get();
+      const key = opts.db.select().from(apiKeys).where(eq35(apiKeys.keyHash, hashApiKey(apiKey))).get();
       if (!key || key.revokedAt) {
         const err2 = authInvalid();
         return reply.status(err2.statusCode).send(err2.toJSON());
       }
-      opts.db.update(apiKeys).set({ lastUsedAt: (/* @__PURE__ */ new Date()).toISOString() }).where(eq34(apiKeys.id, key.id)).run();
+      opts.db.update(apiKeys).set({ lastUsedAt: (/* @__PURE__ */ new Date()).toISOString() }).where(eq35(apiKeys.id, key.id)).run();
       const sessionId = createSession(key.id);
       reply.header("set-cookie", serializeSessionCookie({
         name: SESSION_COOKIE_NAME,
@@ -23008,7 +24086,7 @@ async function createServer(opts) {
         deps: {
           enqueueAutoExtract: ({ projectId, release: r }) => {
             const now = (/* @__PURE__ */ new Date()).toISOString();
-            const runId = crypto28.randomUUID();
+            const runId = crypto30.randomUUID();
             opts.db.insert(runs).values({
               id: runId,
               projectId,
@@ -23081,6 +24159,7 @@ async function createServer(opts) {
     },
     wordpressConnectionStore,
     ga4CredentialStore,
+    cloudRunCredentialStore,
     onRunCreated: (runId, projectId, providers2, location) => {
       jobRunner.executeRun(runId, projectId, providers2, location).catch((err) => {
         app.log.error({ runId, err }, "Job runner failed");
@@ -23143,7 +24222,7 @@ async function createServer(opts) {
         const targetProjectIds = affectedProjectIds.length > 0 ? affectedProjectIds : [null];
         const createdAt = (/* @__PURE__ */ new Date()).toISOString();
         opts.db.insert(auditLog).values(targetProjectIds.map((projectId) => ({
-          id: crypto28.randomUUID(),
+          id: crypto30.randomUUID(),
           projectId,
           actor: "api",
           action: existing ? "provider.updated" : "provider.created",