@ainyc/canonry 4.11.1 → 4.13.1

package/dist/{chunk-PBQ4Z4P4.js → chunk-RIGQFQJJ.js}

@@ -4,13 +4,14 @@ import {
   configExists,
   loadConfig,
   saveConfigPatch
-} from "./chunk-5J5BVJF7.js";
+} from "./chunk-LNRDWAG3.js";
 import {
   DEFAULT_RUN_HISTORY_LIMIT,
   IntelligenceService,
   MIN_TREND_POINTS,
   agentMemory,
   agentSessions,
+  aiReferralEventsHourly,
   apiKeys,
   auditLog,
   backlinkDomains,
@@ -36,6 +37,7 @@ import {
   categorizeQueryByIntent,
   ccReleaseSyncs,
   competitors,
+  crawlerEventsHourly,
   createLogger,
   dropLegacyCredentialColumns,
   extractLegacyCredentials,
@@ -58,10 +60,12 @@ import {
   projects,
   queries,
   querySnapshots,
+  rawEventSamples,
   runs,
   schedules,
+  trafficSources,
   usageCounters
-} from "./chunk-3SFDZPKU.js";
+} from "./chunk-DCE3B6KD.js";
 import {
   AGENT_MEMORY_VALUE_MAX_BYTES,
   AGENT_PROVIDER_IDS,
@@ -76,6 +80,11 @@ import {
   RunKinds,
   RunStatuses,
   RunTriggers,
+  TrafficEventConfidences,
+  TrafficEvidenceKinds,
+  TrafficSourceAuthModes,
+  TrafficSourceStatuses,
+  TrafficSourceTypes,
   absolutizeProjectUrl,
   actionConfidenceLabel,
   agentBusy,
@@ -137,7 +146,7 @@ import {
   visibilityStateFromAnswerMentioned,
   windowCutoff,
   wordpressEnvSchema
-} from "./chunk-565T7PMC.js";
+} from "./chunk-YDGT5CAY.js";
 
 // src/telemetry.ts
 import crypto from "crypto";
@@ -213,11 +222,11 @@ function trackEvent(event, properties) {
 
 // src/server.ts
 import { createRequire as createRequire3 } from "module";
-import crypto28 from "crypto";
+import crypto30 from "crypto";
 import fs12 from "fs";
 import path14 from "path";
 import { fileURLToPath as fileURLToPath2 } from "url";
-import { eq as eq34 } from "drizzle-orm";
+import { eq as eq35 } from "drizzle-orm";
 import Fastify from "fastify";
 
 // ../api-routes/src/auth.ts
@@ -2654,6 +2663,47 @@ function gscDateRange(report) {
 function pluralize(count, singular, plural = `${singular}s`) {
   return count === 1 ? singular : plural;
 }
+var PROVIDER_DISPLAY_NAMES = {
+  gemini: "Gemini",
+  openai: "ChatGPT",
+  claude: "Claude",
+  perplexity: "Perplexity",
+  local: "Local model",
+  "cdp:chatgpt": "ChatGPT (browser)"
+};
+function providerDisplayName(name) {
+  return PROVIDER_DISPLAY_NAMES[name] ?? name.charAt(0).toUpperCase() + name.slice(1);
+}
+function clientHorizonLabel(horizon) {
+  switch (horizon) {
+    case "immediate":
+      return "Do now";
+    case "short-term":
+      return "This month";
+    case "medium-term":
+      return "Next quarter";
+  }
+}
+function clientConfidenceLabel(confidence) {
+  switch (confidence) {
+    case "high":
+      return "Strong evidence";
+    case "medium":
+      return "Some evidence";
+    case "low":
+      return "Worth trying";
+  }
+}
+function clientTrendCopy(delta) {
+  if (!delta) return null;
+  if (delta.direction === "up") {
+    return { text: `Up ${delta.deltaAbs.toFixed(1)} points since last check (was ${delta.prior}%)`, tone: "positive", arrow: "\u2191" };
+  }
+  if (delta.direction === "down") {
+    return { text: `Down ${Math.abs(delta.deltaAbs).toFixed(1)} points since last check (was ${delta.prior}%)`, tone: "negative", arrow: "\u2193" };
+  }
+  return { text: `Holding steady since last check (was ${delta.prior}%)`, tone: "neutral", arrow: "\u2192" };
+}
 function compactInlineList(items, limit = 3) {
   const visible = items.slice(0, limit);
   const more = items.length - visible.length;
@@ -3183,6 +3233,222 @@ table.report-table td .badge {
   color: ${COLORS.textFaint};
   font-size: 12px;
 }
+.client-hero {
+  background: ${COLORS.surface};
+  border: 1px solid ${COLORS.border};
+  border-radius: 16px;
+  padding: 32px;
+  margin-bottom: 24px;
+}
+.client-hero .client-hero-eyebrow {
+  text-transform: uppercase;
+  letter-spacing: 0.05em;
+  font-size: 11px;
+  font-weight: 600;
+  color: ${COLORS.textFaint};
+}
+.client-hero .client-hero-number {
+  font-size: 80px;
+  line-height: 1;
+  font-weight: 800;
+  letter-spacing: -0.02em;
+  color: ${COLORS.text};
+  margin: 14px 0 18px;
+}
+.client-hero .client-hero-sentence {
+  font-size: 17px;
+  color: #d4d4d8;
+  max-width: 720px;
+  margin: 0;
+}
+.client-hero .client-hero-trend {
+  margin-top: 14px;
+  font-size: 14px;
+  font-weight: 500;
+}
+.client-hero .client-hero-trend.tone-positive { color: ${COLORS.positive}; }
+.client-hero .client-hero-trend.tone-negative { color: ${COLORS.negative}; }
+.client-hero .client-hero-trend.tone-neutral { color: ${COLORS.textMuted}; }
+.client-metric-grid {
+  display: grid;
+  grid-template-columns: repeat(auto-fit, minmax(220px, 1fr));
+  gap: 16px;
+  margin-bottom: 24px;
+}
+.client-metric-tile {
+  background: ${COLORS.surface};
+  border: 1px solid ${COLORS.border};
+  border-radius: 12px;
+  padding: 22px 24px;
+}
+.client-metric-tile .label {
+  text-transform: uppercase;
+  letter-spacing: 0.05em;
+  font-size: 11px;
+  font-weight: 600;
+  color: ${COLORS.textFaint};
+  margin-bottom: 14px;
+}
+.client-metric-tile .value {
+  font-size: 48px;
+  line-height: 1;
+  font-weight: 800;
+  letter-spacing: -0.02em;
+  color: ${COLORS.text};
+}
+.client-metric-tile .subtitle {
+  margin-top: 10px;
+  font-size: 12px;
+  color: ${COLORS.textMuted};
+}
+.client-card {
+  background: ${COLORS.surface};
+  border: 1px solid ${COLORS.border};
+  border-radius: 12px;
+  padding: 22px 24px;
+  margin-bottom: 16px;
+}
+.client-card h3 {
+  font-size: 15px;
+  font-weight: 600;
+  margin: 0 0 4px;
+}
+.client-card .card-subtitle {
+  font-size: 12px;
+  color: ${COLORS.textMuted};
+  margin: 0 0 18px;
+}
+.client-bar-list {
+  display: flex;
+  flex-direction: column;
+  gap: 14px;
+}
+.client-bar-row {
+  display: grid;
+  grid-template-columns: 140px 1fr 130px;
+  align-items: center;
+  gap: 14px;
+  font-size: 13px;
+}
+.client-bar-row .bar-label { color: #d4d4d8; }
+.client-bar-row .bar-track {
+  height: 10px;
+  background: ${COLORS.border};
+  border-radius: 999px;
+  overflow: hidden;
+}
+.client-bar-row .bar-fill {
+  height: 100%;
+  border-radius: 999px;
+  background: ${COLORS.positive}b3;
+}
+.client-bar-row .bar-fill.bar-fill-neutral { background: #a1a1aaaa; }
+.client-bar-row .bar-fill.bar-fill-sky { background: #38bdf8b3; }
+.client-bar-row .bar-value {
+  text-align: right;
+  font-size: 13px;
+  font-weight: 600;
+  color: ${COLORS.text};
+  font-variant-numeric: tabular-nums;
+}
+.client-bar-row .bar-value-sub { color: ${COLORS.textFaint}; font-weight: 400; }
+.client-progress-number {
+  font-size: 56px;
+  font-weight: 800;
+  line-height: 1;
+  letter-spacing: -0.02em;
+  margin: 12px 0 4px;
+}
+.client-progress-number.tone-positive { color: ${COLORS.positive}; }
+.client-progress-number.tone-caution { color: ${COLORS.caution}; }
+.client-progress-number.tone-negative { color: ${COLORS.negative}; }
+.client-progress-bar {
+  height: 12px;
+  background: ${COLORS.border};
+  border-radius: 999px;
+  overflow: hidden;
+  margin: 12px 0 14px;
+}
+.client-progress-fill { height: 100%; border-radius: 999px; }
+.client-progress-fill.tone-positive { background: ${COLORS.positive}b3; }
+.client-progress-fill.tone-caution { background: ${COLORS.caution}b3; }
+.client-progress-fill.tone-negative { background: ${COLORS.negative}b3; }
+.client-evidence-grid {
+  display: grid;
+  grid-template-columns: repeat(auto-fit, minmax(360px, 1fr));
+  gap: 16px;
+}
+.client-opportunity-list {
+  display: flex;
+  flex-direction: column;
+  gap: 8px;
+  margin: 0;
+  padding: 0;
+  list-style: none;
+}
+.client-opportunity-list li {
+  background: #09090b;
+  border: 1px solid ${COLORS.border};
+  border-radius: 8px;
+  padding: 10px 14px;
+}
+.client-opportunity-list li .op-query {
+  font-weight: 500;
+  color: ${COLORS.text};
+  font-size: 13px;
+}
+.client-opportunity-list li .op-action {
+  margin-top: 2px;
+  font-size: 11px;
+  color: ${COLORS.textMuted};
+}
+.client-confidence-note {
+  background: ${COLORS.surface};
+  border: 1px solid ${COLORS.border};
+  border-radius: 8px;
+  padding: 10px 14px;
+  font-size: 12px;
+  color: ${COLORS.textMuted};
+  margin-bottom: 6px;
+}
+.client-explainer {
+  background: #09090b;
+  border: 1px solid ${COLORS.border};
+  border-radius: 12px;
+  padding: 12px 16px;
+  font-size: 12px;
+  color: ${COLORS.textMuted};
+  margin-bottom: 16px;
+  line-height: 1.6;
+}
+.client-explainer strong { color: ${COLORS.text}; }
+.client-explainer .term { color: #d4d4d8; font-weight: 500; }
+.client-questions-list {
+  display: grid;
+  grid-template-columns: repeat(auto-fit, minmax(280px, 1fr));
+  gap: 8px;
+  margin: 0;
+  padding: 0;
+  list-style: none;
+}
+.client-questions-list li {
+  display: flex;
+  align-items: flex-start;
+  gap: 12px;
+  background: #09090b;
+  border: 1px solid ${COLORS.border};
+  border-radius: 8px;
+  padding: 10px 14px;
+  font-size: 13px;
+  color: #d4d4d8;
+}
+.client-questions-list li .qnum {
+  flex-shrink: 0;
+  font-size: 11px;
+  font-weight: 600;
+  color: ${COLORS.textFaint};
+  font-variant-numeric: tabular-nums;
+}
 @media (max-width: 760px) {
   .container { padding: 32px 16px 72px; }
   .executive-hero { grid-template-columns: 1fr; }
@@ -3190,6 +3456,9 @@ table.report-table td .badge {
   .source-bar-row { grid-template-columns: 1fr; gap: 6px; }
   .source-bar-value { text-align: left; }
   .chart-grid { grid-template-columns: 1fr; }
+  .client-hero .client-hero-number { font-size: 56px; }
+  .client-metric-tile .value { font-size: 36px; }
+  .client-bar-row { grid-template-columns: 100px 1fr 100px; gap: 10px; }
 }
 @media print {
   body { background: white; color: black; }
@@ -3380,68 +3649,82 @@ function renderTrafficDeltaTile(label, delta, countLabel) {
   </div>`;
 }
 var WHATS_CHANGED_PERIOD_DAYS = 14;
-function renderProviderMovements(movements) {
+function renderProviderMovements(movements, audience) {
   const meaningful = movements.filter((m) => m.direction !== "flat");
   if (meaningful.length === 0) return "";
+  const isClient = audience === "client";
   const rows = meaningful.map((m) => {
     const sign = m.deltaAbs > 0 ? "+" : "";
     return `<tr>
-      <td>${escapeHtml(m.provider)}</td>
+      <td>${escapeHtml(isClient ? providerDisplayName(m.provider) : m.provider)}</td>
       <td class="numeric">${m.prior}%</td>
       <td class="numeric">${m.current}%</td>
       <td class="numeric ${deltaToneClass(m.direction)}">${sign}${m.deltaAbs.toFixed(1)}% ${deltaArrow(m.direction)}</td>
     </tr>`;
   }).join("");
-  return `<div class="chart-card"><h3>AI engine movements</h3>
+  const heading = isClient ? "How each AI tool changed" : "AI engine movements";
+  const colA = isClient ? "AI tool" : "Engine";
+  const colB = isClient ? "Was" : "Prior";
+  const colC = isClient ? "Now" : "Current";
+  return `<div class="chart-card"><h3>${heading}</h3>
     <table class="report-table">
-      <thead><tr><th>Engine</th><th class="numeric">Prior</th><th class="numeric">Current</th><th class="numeric">Change</th></tr></thead>
+      <thead><tr><th>${colA}</th><th class="numeric">${colB}</th><th class="numeric">${colC}</th><th class="numeric">Change</th></tr></thead>
       <tbody>${rows}</tbody>
     </table>
   </div>`;
 }
-function renderWinsLosses(insights2, heading, emptyMessage) {
+function renderWinsLosses(insights2, heading, emptyMessage, audience) {
   if (insights2.length === 0) {
     return `<div class="chart-card"><h3>${escapeHtml(heading)}</h3>
       <p class="section-intro">${escapeHtml(emptyMessage)}</p>
     </div>`;
   }
+  const isClient = audience === "client";
   const rows = insights2.map((i) => {
     const tone = severityTone(i.severity);
     const countChip = i.instanceCount > 1 ? ` <span class="badge tone-neutral">\xD7 ${i.instanceCount}</span>` : "";
+    const severityCell = isClient ? "" : `<td><span class="badge tone-${tone}">${escapeHtml(reportSeverityLabel(i.severity))}</span></td>`;
     return `<tr>
-      <td><span class="badge tone-${tone}">${escapeHtml(reportSeverityLabel(i.severity))}</span></td>
+      ${severityCell}
       <td>${escapeHtml(i.title)}${countChip}</td>
       <td>${escapeHtml(i.query)}</td>
-      <td>${escapeHtml(i.provider)}</td>
+      <td>${escapeHtml(isClient ? providerDisplayName(i.provider) : i.provider)}</td>
     </tr>`;
   }).join("");
+  const headers = isClient ? `<tr><th>What changed</th><th>Customer question</th><th>AI tool</th></tr>` : `<tr><th>Severity</th><th>Title</th><th>Query</th><th>Provider</th></tr>`;
   return `<div class="chart-card"><h3>${escapeHtml(heading)}</h3>
     <table class="report-table">
-      <thead><tr><th>Severity</th><th>Title</th><th>Query</th><th>Provider</th></tr></thead>
+      <thead>${headers}</thead>
       <tbody>${rows}</tbody>
     </table>
   </div>`;
 }
-function renderWhatsChanged(report) {
+function renderWhatsChanged(report, audience) {
   const w = report.whatsChanged;
+  const isClient = audience === "client";
+  const eyebrow = isClient ? "Since last check" : "Section 2";
+  const title = isClient ? "What's different since last check" : "What's Changed";
+  const intro = isClient ? "" : w.headline;
   if (!w.enoughHistory && !w.gscClicksDelta && !w.aiReferralsDelta && w.wins.length === 0 && w.regressions.length === 0) {
     return section(
-      { id: "whats-changed", eyebrow: "Section 2", title: "What's Changed", intro: w.headline },
-      renderEmpty("Trends will appear after a few more checks.")
+      { id: "whats-changed", eyebrow, title, intro },
+      renderEmpty(isClient ? "No comparison yet \u2014 trends will appear after a few more checks." : "Trends will appear after a few more checks.")
     );
   }
   const rateTiles = `<div class="metric-grid">
-    ${renderRateDeltaTile("Citation rate", w.citationRate, "%")}
-    ${renderRateDeltaTile("Mention rate", w.mentionRate, "%")}
-    ${renderRateDeltaTile("Cited queries", w.citedQueryCount, "count")}
-    ${renderTrafficDeltaTile("GSC clicks", w.gscClicksDelta, "clicks")}
-    ${renderTrafficDeltaTile("AI referral sessions", w.aiReferralsDelta, "sessions")}
+    ${renderRateDeltaTile(isClient ? "AI links to your website" : "Citation rate", w.citationRate, "%")}
+    ${renderRateDeltaTile(isClient ? "AI mentions your name" : "Mention rate", w.mentionRate, "%")}
+    ${renderRateDeltaTile(isClient ? "Questions AI answered with you" : "Cited queries", w.citedQueryCount, "count")}
+    ${renderTrafficDeltaTile(isClient ? "Visitors from Google" : "GSC clicks", w.gscClicksDelta, isClient ? "visits" : "clicks")}
+    ${renderTrafficDeltaTile(isClient ? "Visitors from AI tools" : "AI referral sessions", w.aiReferralsDelta, isClient ? "visits" : "sessions")}
   </div>`;
-  const movements = renderProviderMovements(w.providerMovements);
-  const wins = renderWinsLosses(w.wins, "Wins", "No new gains in the latest check.");
-  const regressions = renderWinsLosses(w.regressions, "Regressions", "No new regressions in the latest check.");
+  const movements = renderProviderMovements(w.providerMovements, audience);
+  const winsHeading = isClient ? "What got better" : "Wins";
+  const lossesHeading = isClient ? "What got worse" : "Regressions";
+  const wins = renderWinsLosses(w.wins, winsHeading, isClient ? "No new wins this period." : "No new gains in the latest check.", audience);
+  const regressions = renderWinsLosses(w.regressions, lossesHeading, isClient ? "Nothing got worse this period." : "No new regressions in the latest check.", audience);
   return section(
-    { id: "whats-changed", eyebrow: "Section 2", title: "What's Changed", intro: w.headline },
+    { id: "whats-changed", eyebrow, title, intro },
     `${rateTiles}${movements}${wins}${regressions}`
   );
 }
@@ -4095,8 +4378,9 @@ function renderRecommendedNextSteps(report) {
 function actionAudienceMatches(action, audience) {
   return action.audience === "both" || action.audience === audience;
 }
-function renderActionCards(actions) {
-  if (actions.length === 0) return renderEmpty("No prioritized actions yet.");
+function renderActionCards(actions, audience) {
+  const isClient = audience === "client";
+  if (actions.length === 0) return renderEmpty(isClient ? "No recommendations yet \u2014 run an AI check to populate this." : "No prioritized actions yet.");
   return `<div class="action-card-grid">
     ${actions.map((action, idx) => {
     const tone = reportActionTone(action);
@@ -4104,18 +4388,22 @@ function renderActionCards(actions) {
     const evidence = action.evidence.length > 0 ? `<ul>${action.evidence.map((item) => `<li>${escapeHtml(item)}</li>`).join("")}</ul>` : "";
     const proof = renderProofChips(action.evidence.length > 0 ? action.evidence : action.why, 3);
     const details = why || evidence ? `<details class="action-details">
-            <summary>Evidence details</summary>
-            ${why ? `<div><strong>Why</strong>${why}</div>` : ""}
-            ${evidence ? `<div><strong>Evidence</strong>${evidence}</div>` : ""}
+            <summary>${isClient ? "See the data behind this" : "Evidence details"}</summary>
+            ${why ? `<div><strong>${isClient ? "Why this matters" : "Why"}</strong>${why}</div>` : ""}
+            ${evidence ? `<div><strong>${isClient ? "What we saw" : "Evidence"}</strong>${evidence}</div>` : ""}
           </details>` : "";
+    const horizonLabel = isClient ? clientHorizonLabel(action.horizon) : reportHorizonLabel(action.horizon);
+    const confidenceLabel = isClient ? clientConfidenceLabel(action.confidence) : `${reportConfidenceLabel(action.confidence)} confidence`;
+    const categoryBadge = isClient ? "" : `<span class="badge tone-neutral">${escapeHtml(reportActionCategoryLabel(action.category))}</span>`;
+    const successLabel = isClient ? "What success looks like:" : "Win condition:";
     return `<article class="action-card">
         <div class="action-head">
-          <div class="action-rank" title="Impact rank \u2014 1 is the highest-leverage action">${idx + 1}</div>
+          <div class="action-rank" title="${isClient ? "Priority \u2014 1 will move the needle fastest" : "Impact rank \u2014 1 is the highest-leverage action"}">${idx + 1}</div>
           <div>
             <div class="action-meta">
-              <span class="badge tone-${tone}">${escapeHtml(reportHorizonLabel(action.horizon))}</span>
-              <span class="badge tone-neutral">${escapeHtml(reportActionCategoryLabel(action.category))}</span>
-              <span class="badge tone-neutral">${escapeHtml(reportConfidenceLabel(action.confidence))} confidence</span>
+              <span class="badge tone-${tone}">${escapeHtml(horizonLabel)}</span>
+              ${categoryBadge}
+              <span class="badge tone-neutral">${escapeHtml(confidenceLabel)}</span>
             </div>
             <h3>${escapeHtml(action.title)}</h3>
           </div>
@@ -4123,7 +4411,7 @@ function renderActionCards(actions) {
         <p>${escapeHtml(action.action)}</p>
         ${proof}
         ${details}
-        <div class="success-metric"><strong>Win condition:</strong> ${escapeHtml(action.successMetric)}</div>
+        <div class="success-metric"><strong>${successLabel}</strong> ${escapeHtml(action.successMetric)}</div>
       </article>`;
   }).join("")}
   </div>`;
@@ -4134,76 +4422,150 @@ function renderAudienceActionPlan(report, audience) {
   return section(
     {
       id: audience === "client" ? "client-action-plan" : "agency-action-plan",
-      eyebrow: audience === "client" ? "Client actions" : "Agency actions",
-      title: audience === "client" ? "What We Recommend Next" : "Agency Action Plan",
-      intro: audience === "client" ? "The short list to approve and execute." : "The highest-leverage work, sorted by urgency and evidence strength."
+      eyebrow: audience === "client" ? "Action plan" : "Agency actions",
+      title: audience === "client" ? "What to do next" : "Agency Action Plan",
+      intro: audience === "client" ? "Approve these in order. They are sorted by what will move the needle fastest." : "The highest-leverage work, sorted by urgency and evidence strength."
     },
-    renderActionCards(actions)
+    renderActionCards(actions, audience)
   );
 }
 function renderClientSummary(report) {
   const s = report.executiveSummary;
-  const metrics = `<div class="metric-grid">
-    <div class="metric"><div class="label">Citation coverage</div><div class="value">${s.citationRate}%</div><div class="delta">${s.citedQueryCount}/${s.totalQueryCount} tracked queries cited</div></div>
-    <div class="metric"><div class="label">Mention coverage</div><div class="value">${s.mentionRate}%</div><div class="delta">${s.mentionedQueryCount}/${s.totalQueryCount} tracked queries mentioned</div></div>
-    <div class="metric"><div class="label">Providers checked</div><div class="value">${formatNumber(s.providerCount)}</div><div class="delta">${formatNumber(s.queryCount)} tracked queries</div></div>
+  const sc = report.citationScorecard;
+  const totalQ = s.totalQueryCount;
+  const heroNumber = totalQ > 0 ? `${s.citationRate}%` : "\u2014";
+  const heroSentence = totalQ > 0 ? `When customers asked AI ${totalQ} ${pluralize(totalQ, "question")} about your industry, AI linked to your website in ${s.citedQueryCount} of ${totalQ === 1 ? "them" : "those answers"}.` : "No AI check has been run yet. Run a check to see how AI tools answer customer questions about your business.";
+  const trend = clientTrendCopy(report.whatsChanged.citationRate);
+  const heroTrend = trend ? `<p class="client-hero-trend tone-${trend.tone}"><span style="margin-right:6px;">${trend.arrow}</span>${escapeHtml(trend.text)}</p>` : "";
+  const hero = `<div class="client-hero">
+    <div class="client-hero-eyebrow">Overview</div>
+    <div class="client-hero-number">${heroNumber}</div>
+    <p class="client-hero-sentence">${escapeHtml(heroSentence)}</p>
+    ${heroTrend}
   </div>`;
-  const notes = report.clientSummary.confidenceNotes.length > 0 ? `<div class="client-notes">${report.clientSummary.confidenceNotes.map((note) => `<div class="client-note">${escapeHtml(note)}</div>`).join("")}</div>` : "";
-  return section(
-    {
-      id: "client-summary",
-      eyebrow: "Client summary",
-      title: "How You're Appearing",
-      intro: report.clientSummary.overview
-    },
-    `<div class="chart-card">
-      <h3>${escapeHtml(report.clientSummary.headline)}</h3>
-      <p class="source-origin-headline">${escapeHtml(report.clientSummary.overview)}</p>
+  const providerSubtitle = sc.providers.length > 0 ? sc.providers.map(providerDisplayName).join(", ") : `${formatNumber(s.queryCount)} ${pluralize(s.queryCount, "question")} tested`;
+  const tiles = `<div class="client-metric-grid">
+    <div class="client-metric-tile">
+      <div class="label">AI mentions your name</div>
+      <div class="value">${s.mentionRate}%</div>
+      <div class="subtitle">${totalQ > 0 ? `Says your name in ${s.mentionedQueryCount} of ${totalQ} ${pluralize(totalQ, "answer")}` : "No data yet"}</div>
     </div>
-    ${metrics}
-    ${notes}`
-  );
+    <div class="client-metric-tile">
+      <div class="label">AI links to your website</div>
+      <div class="value">${s.citationRate}%</div>
+      <div class="subtitle">${totalQ > 0 ? `Cites your site as a source in ${s.citedQueryCount} of ${totalQ} ${pluralize(totalQ, "answer")}` : "No data yet"}</div>
+    </div>
+    <div class="client-metric-tile">
+      <div class="label">AI tools tested</div>
+      <div class="value">${formatNumber(s.providerCount)}</div>
+      <div class="subtitle">${escapeHtml(providerSubtitle)}</div>
+    </div>
+  </div>`;
+  const explainer = `<div class="client-explainer">
+    <strong>Mentions and links are different.</strong>
+    A <span class="term">mention</span> is when AI says your name out loud in its answer.
+    A <span class="term">link</span> is when AI lists your website as a source it used.
+    AI can do either, both, or neither \u2014 that's why we track both.
+  </div>`;
+  const questions = sc.queries.length > 0 ? `<div class="client-card">
+        <h3>Customer questions we tested</h3>
+        <p class="card-subtitle">These are the ${sc.queries.length} ${pluralize(sc.queries.length, "question we asked", "questions we asked")} every AI tool. The numbers above measure how often you came up.</p>
+        <ol class="client-questions-list">
+          ${sc.queries.map((q, i) => `<li><span class="qnum">${String(i + 1).padStart(2, "0")}</span><span>"${escapeHtml(q)}"</span></li>`).join("")}
+        </ol>
+      </div>` : "";
+  const providerBars = sc.providerRates.length > 0 ? `<div class="client-card">
+        <h3>How often each AI tool links to your website</h3>
+        <p class="card-subtitle">Higher is better. Each bar shows the share of customer questions where the AI cited your site.</p>
+        <div class="client-bar-list">
+          ${sc.providerRates.map((r) => {
+    const pct = Math.max(r.citationRate, 1.5);
+    return `<div class="client-bar-row">
+              <span class="bar-label">${escapeHtml(providerDisplayName(r.provider))}</span>
+              <div class="bar-track"><div class="bar-fill" style="width:${pct}%"></div></div>
+              <span class="bar-value">${r.citationRate}% <span class="bar-value-sub">(${r.citedCount}/${r.totalCount})</span></span>
+            </div>`;
+  }).join("")}
+        </div>
+      </div>` : "";
+  const notes = report.clientSummary.confidenceNotes.length > 0 ? `<div>${report.clientSummary.confidenceNotes.map((note) => `<div class="client-confidence-note">${escapeHtml(note)}</div>`).join("")}</div>` : "";
+  return `<section class="report-section" id="client-summary">${hero}${tiles}${explainer}${questions}${providerBars}${notes}</section>`;
 }
 function renderClientEvidenceSummary(report) {
-  const evidenceCards = [];
-  if (report.aiSourceOrigin.topDomains.length > 0) {
-    evidenceCards.push(`<div class="diagnostic-card tone-neutral">
-      <h3>Sources AI engines trust</h3>
-      <p>These domains appeared most often as cited sources outside your owned domain.</p>
-      <ul>${report.aiSourceOrigin.topDomains.slice(0, 5).map((d) => `<li>${escapeHtml(d.domain)}: ${formatNumber(d.count)} citation${d.count === 1 ? "" : "s"}</li>`).join("")}</ul>
+  const ai = report.aiSourceOrigin.topDomains.slice(0, 5);
+  const gsc = report.gsc;
+  const indexing = report.indexingHealth;
+  const opportunities = dedupeReportOpportunities(report).slice(0, 5);
+  const aiMax = ai.length > 0 ? Math.max(...ai.map((d) => d.count)) : 0;
+  const gscMax = gsc ? Math.max(...gsc.topQueries.slice(0, 5).map((q) => q.impressions), 1) : 0;
+  const cards = [];
+  if (ai.length > 0) {
+    cards.push(`<div class="client-card">
+      <h3>Where AI gets its answers</h3>
+      <p class="card-subtitle">The websites AI tools cited most often when answering customer questions about your industry.</p>
+      <div class="client-bar-list">
+        ${ai.map((d) => {
+      const pct = aiMax > 0 ? Math.max(d.count / aiMax * 100, 1.5) : 0;
+      const label = escapeHtml(d.domain) + (d.isCompetitor ? ' <span style="color:' + COLORS.textFaint + ';font-size:11px;">(competitor)</span>' : "");
+      return `<div class="client-bar-row">
+            <span class="bar-label">${label}</span>
+            <div class="bar-track"><div class="bar-fill bar-fill-neutral" style="width:${pct}%"></div></div>
+            <span class="bar-value">${formatNumber(d.count)}\xD7</span>
+          </div>`;
+    }).join("")}
+      </div>
     </div>`);
   }
-  if (report.gsc) {
-    evidenceCards.push(`<div class="diagnostic-card tone-neutral">
-      <h3>Search demand</h3>
-      <p>Search Console shows ${formatNumber(report.gsc.totalImpressions)} impressions and ${formatNumber(report.gsc.totalClicks)} clicks in the report window.</p>
-      <ul>${report.gsc.topQueries.slice(0, 5).map((q) => `<li>${escapeHtml(q.query)}: ${formatNumber(q.impressions)} impressions</li>`).join("")}</ul>
+  if (indexing) {
+    const tone = indexing.indexedPct >= 90 ? "positive" : indexing.indexedPct >= 70 ? "caution" : "negative";
+    const fillPct = Math.max(indexing.indexedPct, 1.5);
+    cards.push(`<div class="client-card">
+      <h3>Pages Google can find on your site</h3>
+      <p class="card-subtitle">Google indexing your site increases the chances of it appearing in AI search (especially Gemini).</p>
+      <div class="client-progress-number tone-${tone}">${indexing.indexedPct}%</div>
+      <div style="font-size:12px;color:${COLORS.textMuted};">${formatNumber(indexing.indexed)} of ${formatNumber(indexing.total)} pages indexed</div>
+      <div class="client-progress-bar"><div class="client-progress-fill tone-${tone}" style="width:${fillPct}%"></div></div>
+      <p style="margin:0;font-size:12px;color:${COLORS.textMuted};"><strong style="color:${COLORS.text};">${formatNumber(indexing.notIndexed)}</strong> ${pluralize(indexing.notIndexed, "page is", "pages are")} not indexed yet.</p>
     </div>`);
   }
-  if (report.indexingHealth) {
-    const tone = report.indexingHealth.indexedPct >= 90 ? "positive" : report.indexingHealth.indexedPct >= 70 ? "caution" : "negative";
-    evidenceCards.push(`<div class="diagnostic-card tone-${tone}">
-      <h3>Indexing readiness</h3>
-      <p>${report.indexingHealth.indexedPct}% of inspected URLs are indexed.</p>
-      <ul><li>${formatNumber(report.indexingHealth.indexed)} indexed</li><li>${formatNumber(report.indexingHealth.notIndexed)} not indexed</li></ul>
+  if (gsc) {
+    const queries2 = gsc.topQueries.slice(0, 5);
+    const queryRows = queries2.length > 0 ? `<div class="client-bar-list">
+          ${queries2.map((q) => {
+      const pct = gscMax > 0 ? Math.max(q.impressions / gscMax * 100, 1.5) : 0;
+      return `<div class="client-bar-row">
+              <span class="bar-label">${escapeHtml(q.query)}</span>
+              <div class="bar-track"><div class="bar-fill bar-fill-sky" style="width:${pct}%"></div></div>
+              <span class="bar-value">${formatNumber(q.impressions)} ${pluralize(q.impressions, "search", "searches")}</span>
+            </div>`;
+    }).join("")}
+        </div>` : "";
+    cards.push(`<div class="client-card">
+      <h3>What people search Google for</h3>
+      <p class="card-subtitle">You appeared in <strong style="color:${COLORS.text};">${formatNumber(gsc.totalImpressions)}</strong> Google searches and got <strong style="color:${COLORS.text};">${formatNumber(gsc.totalClicks)}</strong> ${pluralize(gsc.totalClicks, "click")} this period.</p>
+      ${queryRows}
     </div>`);
   }
-  const opportunities = dedupeReportOpportunities(report);
   if (opportunities.length > 0) {
-    evidenceCards.push(`<div class="diagnostic-card tone-caution">
-      <h3>Content opportunities</h3>
-      <p>Canonry found topics where better content could improve AI citations.</p>
-      <ul>${opportunities.slice(0, 5).map((o) => `<li>${escapeHtml(o.query)}: ${escapeHtml(o.action)} (${Math.round(o.score)})</li>`).join("")}</ul>
+    cards.push(`<div class="client-card">
+      <h3>Topics where you could improve</h3>
+      <p class="card-subtitle">Customer questions where better content on your site would help AI cite you.</p>
+      <ul class="client-opportunity-list">
+        ${opportunities.map((o) => `<li>
+          <div class="op-query">${escapeHtml(o.query)}</div>
+          <div class="op-action">${escapeHtml(contentActionLabel(o.action))}</div>
+        </li>`).join("")}
+      </ul>
     </div>`);
   }
   return section(
     {
       id: "client-evidence-summary",
-      eyebrow: "Evidence",
-      title: "Why This Is The Plan",
-      intro: "A concise evidence view for the client summary. The agency report keeps the full matrices and detailed tables."
+      eyebrow: "What we based this on",
+      title: "The signals behind this plan",
+      intro: "The data behind the recommendations above. Switch to Agency for the full breakdowns."
     },
-    evidenceCards.length > 0 ? `<div class="diagnostics-grid">${evidenceCards.join("")}</div>` : renderEmpty("No supporting evidence sections are populated yet.")
+    cards.length > 0 ? `<div class="client-evidence-grid">${cards.join("")}</div>` : renderEmpty("No supporting evidence yet \u2014 this fills in after the first AI check.")
   );
 }
 function renderAgencyDiagnostics(report) {
@@ -4233,12 +4595,12 @@ function renderReportHtml(report, opts = {}) {
   const title = opts.title ?? `Canonry ${audience} report \u2014 ${report.meta.project.displayName}`;
   const sections = audience === "client" ? [
     renderClientSummary(report),
-    renderWhatsChanged(report),
+    renderWhatsChanged(report, "client"),
     renderAudienceActionPlan(report, "client"),
     renderClientEvidenceSummary(report)
   ].join("\n") : [
     renderExecutiveSummary(report),
-    renderWhatsChanged(report),
+    renderWhatsChanged(report, "agency"),
     renderAudienceActionPlan(report, "agency"),
     renderAgencyDiagnostics(report),
     renderCitationScorecard(report),
@@ -4267,7 +4629,7 @@ function renderReportHtml(report, opts = {}) {
 <body>
 <div class="container">
   <header class="header">
-    <div class="eyebrow">${audience === "client" ? "AEO Client Summary" : "AEO Agency Report"}</div>
+    <div class="eyebrow">AI Visibility Report</div>
     <h1>${escapeHtml(report.meta.project.displayName)}</h1>
     <div class="subtitle">${escapeHtml(report.meta.project.canonicalDomain)} \xB7 ${escapeHtml(report.meta.project.country)} / ${escapeHtml(report.meta.project.language.toUpperCase())}${renderHeaderLocationFragment(report.meta.location)} \xB7 Generated ${formatDate(report.meta.generatedAt)}</div>
   </header>
@@ -9160,6 +9522,66 @@ var routeCatalog = [
       200: { description: "History returned oldest-first by queriedAt." },
       404: { description: "Project not found." }
     }
+  },
+  {
+    method: "post",
+    path: "/api/v1/projects/{name}/traffic/connect/cloud-run",
+    summary: "Connect a Cloud Run traffic source",
+    description: "Stores the service-account JSON in `~/.canonry/config.yaml` and creates a `traffic_sources` row for the project. Reconnecting updates the existing active source rather than creating a duplicate.",
+    tags: ["traffic"],
+    parameters: [nameParameter],
+    requestBody: {
+      required: true,
+      content: {
+        "application/json": {
+          schema: {
+            type: "object",
+            required: ["gcpProjectId", "keyJson"],
+            properties: {
+              gcpProjectId: stringSchema,
+              serviceName: stringSchema,
+              location: stringSchema,
+              displayName: stringSchema,
+              keyJson: { ...stringSchema, description: "Service-account JSON content." }
+            }
+          }
+        }
+      }
+    },
+    responses: {
+      200: { description: "Traffic source DTO returned." },
+      400: { description: "Invalid Cloud Run connection request." },
+      404: { description: "Project not found." }
+    }
+  },
+  {
+    method: "post",
+    path: "/api/v1/projects/{name}/traffic/sources/{id}/sync",
+    summary: "Trigger a sync run for a traffic source",
+    description: "Pulls request logs from the configured Cloud Run service for the lookback window, classifies crawler / AI-referral hits, and upserts hourly buckets and a bounded sample tail.",
+    tags: ["traffic"],
+    parameters: [
+      nameParameter,
+      { name: "id", in: "path", required: true, description: "Traffic source ID.", schema: stringSchema }
+    ],
+    requestBody: {
+      required: false,
+      content: {
+        "application/json": {
+          schema: {
+            type: "object",
+            properties: {
+              sinceMinutes: { ...integerSchema, description: "Lookback window in minutes (default 60)." }
+            }
+          }
+        }
+      }
+    },
+    responses: {
+      200: { description: "Sync summary returned." },
+      400: { description: "Invalid sync request, missing credentials, or upstream pull error." },
+      404: { description: "Project or traffic source not found." }
+    }
   }
 ];
 var canonryLocalRouteCatalog = [
@@ -14908,7 +15330,7 @@ async function queryBacklinks(opts) {
   const reversed = opts.targets.map(reverseDomain);
   const targetList = reversed.map(quote).join(", ");
   const limitClause = opts.limitPerTarget ? `QUALIFY row_number() OVER (PARTITION BY t.target_rev_domain ORDER BY v.num_hosts DESC) <= ${Math.floor(opts.limitPerTarget)}` : "";
-  const sql11 = `
+  const sql12 = `
     WITH vertices AS (
       SELECT * FROM read_csv(
         ${quote(opts.vertexPath)},
@@ -14944,7 +15366,7 @@ async function queryBacklinks(opts) {
   const conn = await instance.connect();
   let rows;
   try {
-    const reader = await conn.runAndReadAll(sql11);
+    const reader = await conn.runAndReadAll(sql12);
     rows = reader.getRowObjects();
   } finally {
     conn.disconnectSync?.();
@@ -15332,78 +15754,1016 @@ async function backlinksRoutes(app, opts) {
   );
 }
 
-// ../api-routes/src/doctor/checks/bing-auth.ts
-var BING_AUTH_CHECKS = [
-  {
-    id: "bing.auth.connection",
-    category: CheckCategories.auth,
-    scope: CheckScopes.project,
-    title: "Bing WMT connection",
-    run: async (ctx) => {
-      if (!ctx.project) {
-        return {
-          status: CheckStatuses.skipped,
-          code: "bing.auth.no-project",
-          summary: "Project context required.",
-          remediation: null
-        };
-      }
-      const store = ctx.bingConnectionStore;
-      if (!store) {
-        return {
-          status: CheckStatuses.skipped,
-          code: "bing.auth.store-unavailable",
-          summary: "Bing connection store is not configured for this deployment.",
-          remediation: null
-        };
-      }
-      const conn = store.getConnection(ctx.project.canonicalDomain);
-      if (!conn) {
-        return {
-          status: CheckStatuses.fail,
-          code: "bing.auth.no-connection",
-          summary: `No Bing connection for ${ctx.project.canonicalDomain}.`,
-          remediation: `Run \`canonry bing connect ${ctx.project.name} --api-key <key>\` to authorize.`
-        };
-      }
-      if (!conn.apiKey) {
-        return {
-          status: CheckStatuses.fail,
-          code: "bing.auth.no-api-key",
-          summary: "Bing connection exists but has no API key stored.",
-          remediation: `Run \`canonry bing connect ${ctx.project.name} --api-key <key>\` to re-authorize.`
-        };
-      }
-      try {
-        await getSites(conn.apiKey);
-        return {
-          status: CheckStatuses.ok,
-          code: "bing.auth.connected",
-          summary: "Bing API key is valid and can list sites.",
-          remediation: null
-        };
-      } catch (err) {
-        const message = err instanceof Error ? err.message : String(err);
-        return {
-          status: CheckStatuses.fail,
-          code: "bing.auth.verification-failed",
-          summary: "Bing API key verification failed.",
-          remediation: "Verify your Bing API key is correct and active in Bing Webmaster Tools.",
-          details: { error: message }
-        };
-      }
-    }
-  },
-  {
-    id: "bing.auth.site-access",
-    category: CheckCategories.auth,
-    scope: CheckScopes.project,
-    title: "Bing site access",
-    run: async (ctx) => {
-      if (!ctx.project) {
-        return {
-          status: CheckStatuses.skipped,
-          code: "bing.auth.no-project",
+// ../api-routes/src/traffic.ts
+import crypto20 from "crypto";
+import { eq as eq23, sql as sql7 } from "drizzle-orm";
+
+// ../integration-cloud-run/src/auth.ts
+import crypto19 from "crypto";
+var GOOGLE_TOKEN_URL3 = "https://oauth2.googleapis.com/token";
+var CLOUD_LOGGING_READ_SCOPE = "https://www.googleapis.com/auth/logging.read";
+var TOKEN_REQUEST_TIMEOUT_MS = 3e4;
+var CloudRunAuthError = class extends Error {
+  constructor(message, httpStatus, body) {
+    super(message);
+    this.httpStatus = httpStatus;
+    this.body = body;
+    this.name = "CloudRunAuthError";
+  }
+};
+function createServiceAccountJwt2(clientEmail, privateKey, scope) {
+  if (!clientEmail) throw new CloudRunAuthError("clientEmail is required");
+  if (!privateKey) throw new CloudRunAuthError("privateKey is required");
+  if (!scope) throw new CloudRunAuthError("scope is required");
+  const now = Math.floor(Date.now() / 1e3);
+  const header = { alg: "RS256", typ: "JWT" };
+  const payload = {
+    iss: clientEmail,
+    scope,
+    aud: GOOGLE_TOKEN_URL3,
+    iat: now,
+    exp: now + 3600
+  };
+  const encode = (obj) => Buffer.from(JSON.stringify(obj)).toString("base64url");
+  const headerB64 = encode(header);
+  const payloadB64 = encode(payload);
+  const signingInput = `${headerB64}.${payloadB64}`;
+  const sign = crypto19.createSign("RSA-SHA256");
+  sign.update(signingInput);
+  const signature = sign.sign(privateKey, "base64url");
+  return `${signingInput}.${signature}`;
+}
+async function getCloudLoggingAccessToken(clientEmail, privateKey) {
+  const jwt = createServiceAccountJwt2(clientEmail, privateKey, CLOUD_LOGGING_READ_SCOPE);
+  const res = await fetch(GOOGLE_TOKEN_URL3, {
+    method: "POST",
+    headers: { "Content-Type": "application/x-www-form-urlencoded" },
+    body: new URLSearchParams({
+      grant_type: "urn:ietf:params:oauth:grant-type:jwt-bearer",
+      assertion: jwt
+    }),
+    signal: AbortSignal.timeout(TOKEN_REQUEST_TIMEOUT_MS)
+  });
+  if (!res.ok) {
+    const body = await res.text().catch(() => "");
+    throw new CloudRunAuthError(
+      `Service-account token exchange failed (HTTP ${res.status})`,
+      res.status,
+      body.slice(0, 500)
+    );
+  }
+  const data = await res.json();
+  if (!data.access_token) {
+    throw new CloudRunAuthError("Service-account token response missing access_token", res.status);
+  }
+  return data.access_token;
+}
+
+// ../integration-cloud-run/src/filter.ts
+function assertNonEmpty(name, value) {
+  if (!value.trim()) {
+    throw new Error(`${name} must be a non-empty string`);
+  }
+}
+function quoteLogFilterValue(value) {
+  return JSON.stringify(value);
+}
+function normalizeTimestamp(value) {
+  const date = value instanceof Date ? value : new Date(value);
+  if (Number.isNaN(date.getTime())) {
+    throw new Error(`Invalid timestamp: ${String(value)}`);
+  }
+  return date.toISOString();
+}
+function buildCloudRunLogFilter(options = {}) {
+  const clauses = ['resource.type="cloud_run_revision"'];
+  if (options.serviceName !== void 0) {
+    assertNonEmpty("serviceName", options.serviceName);
+    clauses.push(`resource.labels.service_name=${quoteLogFilterValue(options.serviceName)}`);
+  }
+  if (options.location !== void 0) {
+    assertNonEmpty("location", options.location);
+    clauses.push(`resource.labels.location=${quoteLogFilterValue(options.location)}`);
+  }
+  if (options.startTime !== void 0) {
+    clauses.push(`timestamp >= ${quoteLogFilterValue(normalizeTimestamp(options.startTime))}`);
+  }
+  if (options.endTime !== void 0) {
+    clauses.push(`timestamp < ${quoteLogFilterValue(normalizeTimestamp(options.endTime))}`);
+  }
+  const userAgentSubstrings = (options.userAgentSubstrings ?? []).map((pattern) => pattern.trim()).filter(Boolean);
+  if (userAgentSubstrings.length > 0) {
+    const uaClauses = userAgentSubstrings.map((pattern) => `httpRequest.userAgent:${quoteLogFilterValue(pattern)}`);
+    clauses.push(`(${uaClauses.join(" OR ")})`);
+  }
+  const requestUrlSubstrings = (options.requestUrlSubstrings ?? []).map((pattern) => pattern.trim()).filter(Boolean);
+  if (requestUrlSubstrings.length > 0) {
+    const urlClauses = requestUrlSubstrings.map((pattern) => `httpRequest.requestUrl:${quoteLogFilterValue(pattern)}`);
+    clauses.push(`(${urlClauses.join(" OR ")})`);
+  }
+  return clauses.join(" AND ");
+}
+
+// ../integration-cloud-run/src/normalize.ts
+function numberOrNull(value) {
+  if (value === void 0 || value === null) return null;
+  const parsed = typeof value === "number" ? value : Number(value);
+  return Number.isFinite(parsed) ? parsed : null;
+}
+function latencyToMs(value) {
+  if (!value) return null;
+  const secondsMatch = /^([0-9]+(?:\.[0-9]+)?)s$/.exec(value.trim());
+  if (!secondsMatch) return null;
+  const seconds = Number(secondsMatch[1]);
+  return Number.isFinite(seconds) ? Math.round(seconds * 1e6) / 1e3 : null;
+}
+function normalizeLabels(labels) {
+  if (!labels) return {};
+  return Object.fromEntries(
+    Object.entries(labels).filter((entry) => typeof entry[0] === "string" && typeof entry[1] === "string")
+  );
+}
+function parseRequestUrl(requestUrl) {
+  try {
+    const url = requestUrl.startsWith("/") ? new URL(requestUrl, "https://canonry.local") : new URL(requestUrl);
+    return {
+      host: url.hostname === "canonry.local" ? null : url.hostname,
+      path: url.pathname || "/",
+      queryString: url.search ? url.search.slice(1) : null
+    };
+  } catch {
+    return null;
+  }
+}
+function buildEventId(entry, observedAt, requestUrl) {
+  if (entry.insertId?.trim()) {
+    return `cloud-run:${observedAt}:${entry.insertId}`;
+  }
+  return `cloud-run:${observedAt}:${requestUrl}`;
+}
+function normalizeCloudRunLogEntry(entry) {
+  const request = entry.httpRequest;
+  if (!request?.requestUrl) return null;
+  const observedAt = entry.timestamp ?? entry.receiveTimestamp;
+  if (!observedAt) return null;
+  const urlParts = parseRequestUrl(request.requestUrl);
+  if (!urlParts) return null;
+  return {
+    sourceType: TrafficSourceTypes["cloud-run"],
+    evidenceKind: TrafficEvidenceKinds["raw-request"],
+    confidence: TrafficEventConfidences.observed,
+    eventId: buildEventId(entry, observedAt, request.requestUrl),
+    observedAt,
+    method: request.requestMethod ?? null,
+    requestUrl: request.requestUrl,
+    host: urlParts.host,
+    path: urlParts.path,
+    queryString: urlParts.queryString,
+    status: numberOrNull(request.status),
+    userAgent: request.userAgent ?? null,
+    remoteIp: request.remoteIp ?? null,
+    referer: request.referer ?? null,
+    latencyMs: latencyToMs(request.latency),
+    requestSizeBytes: numberOrNull(request.requestSize),
+    responseSizeBytes: numberOrNull(request.responseSize),
+    providerResource: {
+      type: entry.resource?.type ?? null,
+      labels: normalizeLabels(entry.resource?.labels)
+    },
+    providerLabels: normalizeLabels(entry.labels)
+  };
+}
+
+// ../integration-cloud-run/src/client.ts
+var CLOUD_LOGGING_ENTRIES_LIST_URL = "https://logging.googleapis.com/v2/entries:list";
+var DEFAULT_PAGE_SIZE = 1e3;
+var DEFAULT_MAX_PAGES = 1;
+var DEFAULT_TIMEOUT_MS = 3e4;
+var CloudRunLoggingApiError = class extends Error {
+  constructor(message, status, body) {
+    super(message);
+    this.status = status;
+    this.body = body;
+    this.name = "CloudRunLoggingApiError";
+  }
+};
+function validateAccessToken3(accessToken) {
+  if (!accessToken.trim()) {
+    throw new CloudRunLoggingApiError("Cloud Logging access token is required", 400);
+  }
+}
+function validateProjectId(gcpProjectId) {
+  if (!gcpProjectId.trim()) {
+    throw new CloudRunLoggingApiError("GCP project ID is required", 400);
+  }
+}
+function normalizePageSize(pageSize) {
+  if (pageSize === void 0) return DEFAULT_PAGE_SIZE;
+  if (!Number.isInteger(pageSize) || pageSize < 1) {
+    throw new CloudRunLoggingApiError("pageSize must be a positive integer", 400);
+  }
+  return pageSize;
+}
+function normalizeMaxPages(maxPages) {
+  if (maxPages === void 0) return DEFAULT_MAX_PAGES;
+  if (!Number.isInteger(maxPages) || maxPages < 1) {
+    throw new CloudRunLoggingApiError("maxPages must be a positive integer", 400);
+  }
+  return maxPages;
+}
+async function readErrorBody(response) {
+  const text = await response.text().catch(() => "");
+  if (!text) return void 0;
+  return text.length <= 500 ? text : `${text.slice(0, 500)}... [truncated]`;
+}
+async function listCloudRunTrafficEvents(accessToken, options) {
+  validateAccessToken3(accessToken);
+  validateProjectId(options.gcpProjectId);
+  const filter = buildCloudRunLogFilter(options);
+  const pageSize = normalizePageSize(options.pageSize);
+  const maxPages = normalizeMaxPages(options.maxPages);
+  const timeoutMs = options.timeoutMs ?? DEFAULT_TIMEOUT_MS;
+  let pageToken = options.pageToken;
+  let rawEntryCount = 0;
+  let skippedEntryCount = 0;
+  const events = [];
+  for (let page = 0; page < maxPages; page += 1) {
+    const requestBody = {
+      resourceNames: [`projects/${options.gcpProjectId}`],
+      filter,
+      orderBy: options.orderBy ?? "timestamp asc",
+      pageSize
+    };
+    if (pageToken) {
+      requestBody.pageToken = pageToken;
+    }
+    const response = await fetch(CLOUD_LOGGING_ENTRIES_LIST_URL, {
+      method: "POST",
+      headers: {
+        Authorization: `Bearer ${accessToken}`,
+        "Content-Type": "application/json"
+      },
+      body: JSON.stringify(requestBody),
+      signal: AbortSignal.timeout(timeoutMs)
+    });
+    if (!response.ok) {
+      const body2 = await readErrorBody(response);
+      throw new CloudRunLoggingApiError(
+        `Cloud Logging entries.list failed with HTTP ${response.status}`,
+        response.status,
+        body2
+      );
+    }
+    const body = await response.json();
+    const entries = body.entries ?? [];
+    rawEntryCount += entries.length;
+    for (const entry of entries) {
+      const event = normalizeCloudRunLogEntry(entry);
+      if (event) {
+        events.push(event);
+      } else {
+        skippedEntryCount += 1;
+      }
+    }
+    pageToken = body.nextPageToken;
+    if (!pageToken) break;
+  }
+  return {
+    events,
+    rawEntryCount,
+    skippedEntryCount,
+    nextPageToken: pageToken,
+    filter
+  };
+}
+
+// ../integration-traffic/src/rules.ts
+var DEFAULT_AI_CRAWLER_RULES = [
+  {
+    id: "openai-gptbot",
+    operator: "OpenAI",
+    product: "GPTBot",
+    purpose: "training",
+    userAgentPatterns: [/GPTBot\//i]
+  },
+  {
+    id: "openai-searchbot",
+    operator: "OpenAI",
+    product: "OAI-SearchBot",
+    purpose: "search",
+    userAgentPatterns: [/OAI-SearchBot\//i]
+  },
+  {
+    id: "openai-chatgpt-user",
+    operator: "OpenAI",
+    product: "ChatGPT-User",
+    purpose: "user-agent",
+    userAgentPatterns: [/ChatGPT-User\//i]
+  },
+  {
+    id: "anthropic-claudebot",
+    operator: "Anthropic",
+    product: "ClaudeBot",
+    purpose: "training",
+    userAgentPatterns: [/ClaudeBot\//i, /Claude-Web\//i, /anthropic-ai/i]
+  },
+  {
+    id: "perplexity-bot",
+    operator: "Perplexity",
+    product: "PerplexityBot",
+    purpose: "search",
+    userAgentPatterns: [/PerplexityBot\//i]
+  },
+  {
+    id: "google-extended",
+    operator: "Google",
+    product: "Google-Extended",
+    purpose: "training-control",
+    userAgentPatterns: [/Google-Extended/i]
+  },
+  {
+    id: "bytespider",
+    operator: "ByteDance",
+    product: "Bytespider",
+    purpose: "training",
+    userAgentPatterns: [/Bytespider/i]
+  },
+  {
+    id: "applebot-extended",
+    operator: "Apple",
+    product: "Applebot-Extended",
+    purpose: "training",
+    userAgentPatterns: [/Applebot-Extended/i]
+  },
+  {
+    id: "meta-externalagent",
+    operator: "Meta",
+    product: "meta-externalagent",
+    purpose: "training",
+    userAgentPatterns: [/meta-externalagent/i]
+  },
+  {
+    id: "ccbot",
+    operator: "Common Crawl",
+    product: "CCBot",
+    purpose: "crawl",
+    userAgentPatterns: [/CCBot\//i]
+  },
+  {
+    id: "cohere-ai",
+    operator: "Cohere",
+    product: "cohere-ai",
+    purpose: "training",
+    userAgentPatterns: [/cohere-ai/i]
+  },
+  {
+    id: "diffbot",
+    operator: "Diffbot",
+    product: "Diffbot",
+    purpose: "crawl",
+    userAgentPatterns: [/Diffbot/i]
+  },
+  {
+    id: "mistral-ai",
+    operator: "Mistral AI",
+    product: "MistralAI-User",
+    purpose: "crawl",
+    userAgentPatterns: [/MistralAI/i]
+  }
+];
+var DEFAULT_AI_REFERRER_RULES = [
+  { domain: "chatgpt.com", operator: "OpenAI", product: "ChatGPT" },
+  { domain: "chat.openai.com", operator: "OpenAI", product: "ChatGPT" },
+  { domain: "perplexity.ai", operator: "Perplexity", product: "Perplexity" },
+  { domain: "claude.ai", operator: "Anthropic", product: "Claude" },
+  { domain: "gemini.google.com", operator: "Google", product: "Gemini" },
+  { domain: "copilot.microsoft.com", operator: "Microsoft", product: "Copilot" },
+  { domain: "phind.com", operator: "Phind", product: "Phind" },
+  { domain: "you.com", operator: "You.com", product: "You.com" },
+  { domain: "meta.ai", operator: "Meta", product: "Meta AI" }
+];
+
+// ../integration-traffic/src/classifier.ts
+function normalizeHost(host) {
+  return host.trim().toLowerCase().replace(/^www\./, "");
+}
+function hostMatches(host, domain) {
+  const normalizedHost = normalizeHost(host);
+  const normalizedDomain = normalizeHost(domain);
+  return normalizedHost === normalizedDomain || normalizedHost.endsWith(`.${normalizedDomain}`);
+}
+function hostFromUrl(value) {
+  if (!value) return null;
+  try {
+    return normalizeHost(new URL(value).hostname);
+  } catch {
+    return null;
+  }
+}
+function utmSourceFromQuery(queryString) {
+  if (!queryString) return null;
+  const params = new URLSearchParams(queryString);
+  const source = params.get("utm_source");
+  return source ? normalizeHost(source) : null;
+}
+function classifyCrawler(event) {
+  const userAgent = event.userAgent?.trim();
+  if (!userAgent) return null;
+  for (const rule of DEFAULT_AI_CRAWLER_RULES) {
+    if (rule.userAgentPatterns.some((pattern) => pattern.test(userAgent))) {
+      return {
+        botId: rule.id,
+        operator: rule.operator,
+        product: rule.product,
+        purpose: rule.purpose,
+        verificationStatus: "claimed_unverified",
+        matchedUserAgent: userAgent
+      };
+    }
+  }
+  return null;
+}
+function classifyAiReferral(event) {
+  const refererHost = hostFromUrl(event.referer);
+  if (refererHost) {
+    const rule = DEFAULT_AI_REFERRER_RULES.find((candidate) => hostMatches(refererHost, candidate.domain));
+    if (rule) {
+      return {
+        operator: rule.operator,
+        product: rule.product,
+        sourceDomain: refererHost,
+        evidenceType: "referer"
+      };
+    }
+  }
+  const utmSource = utmSourceFromQuery(event.queryString);
+  if (utmSource) {
+    const rule = DEFAULT_AI_REFERRER_RULES.find((candidate) => hostMatches(utmSource, candidate.domain));
+    if (rule) {
+      return {
+        operator: rule.operator,
+        product: rule.product,
+        sourceDomain: utmSource,
+        evidenceType: "utm"
+      };
+    }
+  }
+  return null;
+}
+
+// ../integration-traffic/src/rollup.ts
+var DEFAULT_SAMPLE_LIMIT = 25;
+var UUID_SEGMENT = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;
+var LONG_HEX_SEGMENT = /^[0-9a-f]{16,}$/i;
+var NUMERIC_SEGMENT = /^\d+$/;
+function normalizeTrafficPathPattern(path15) {
+  const cleanPath = path15.trim() || "/";
+  const pathOnly = cleanPath.split("?")[0] || "/";
+  const segments = pathOnly.split("/").map((segment) => {
+    if (!segment) return segment;
+    if (UUID_SEGMENT.test(segment) || LONG_HEX_SEGMENT.test(segment) || NUMERIC_SEGMENT.test(segment)) {
+      return ":id";
+    }
+    return segment;
+  });
+  const normalized = segments.join("/");
+  return normalized.startsWith("/") ? normalized : `/${normalized}`;
+}
+function hourBucket(value) {
+  const date = new Date(value);
+  if (Number.isNaN(date.getTime())) return value;
+  date.setUTCMinutes(0, 0, 0);
+  return date.toISOString();
+}
+function sortCrawlerBuckets(a, b) {
+  return a.tsHour.localeCompare(b.tsHour) || a.botId.localeCompare(b.botId) || a.pathNormalized.localeCompare(b.pathNormalized) || String(a.status).localeCompare(String(b.status));
+}
+function sortReferralBuckets(a, b) {
+  return a.tsHour.localeCompare(b.tsHour) || a.product.localeCompare(b.product) || a.sourceDomain.localeCompare(b.sourceDomain) || a.landingPathNormalized.localeCompare(b.landingPathNormalized) || String(a.status).localeCompare(String(b.status));
+}
+function topEntries(map, limit) {
+  return [...map.values()].sort((a, b) => b.hits - a.hits || JSON.stringify(a.fields).localeCompare(JSON.stringify(b.fields))).slice(0, limit).map((entry) => ({ ...entry.fields, hits: entry.hits }));
+}
+function buildTrafficProbeReport(events, options = {}) {
+  const sampleLimit = options.sampleLimit ?? DEFAULT_SAMPLE_LIMIT;
+  const crawlerBuckets = /* @__PURE__ */ new Map();
+  const aiReferralBuckets = /* @__PURE__ */ new Map();
+  const topBots = /* @__PURE__ */ new Map();
+  const topCrawlerPaths = /* @__PURE__ */ new Map();
+  const topAiReferrers = /* @__PURE__ */ new Map();
+  const topAiReferralLandingPaths = /* @__PURE__ */ new Map();
+  let crawlerHits = 0;
+  let aiReferralHits = 0;
+  let unknownHits = 0;
+  const samples = [];
+  for (const event of events) {
+    const tsHour = hourBucket(event.observedAt);
+    const pathNormalized = normalizeTrafficPathPattern(event.path);
+    const crawler = classifyCrawler(event);
+    const aiReferral = classifyAiReferral(event);
+    if (crawler) {
+      crawlerHits += 1;
+      const key = [
+        tsHour,
+        crawler.botId,
+        crawler.verificationStatus,
+        pathNormalized,
+        event.status ?? "null"
+      ].join("	");
+      const existing = crawlerBuckets.get(key);
+      if (existing) {
+        existing.hits += 1;
+      } else {
+        crawlerBuckets.set(key, {
+          tsHour,
+          botId: crawler.botId,
+          operator: crawler.operator,
+          product: crawler.product,
+          verificationStatus: crawler.verificationStatus,
+          pathNormalized,
+          status: event.status,
+          hits: 1,
+          sampledUserAgent: event.userAgent
+        });
+      }
+      const botKey = `${crawler.botId}	${crawler.operator}`;
+      const botEntry = topBots.get(botKey);
+      if (botEntry) botEntry.hits += 1;
+      else topBots.set(botKey, { fields: { botId: crawler.botId, operator: crawler.operator }, hits: 1 });
+      incrementBucket(topCrawlerPaths, pathNormalized, { pathNormalized });
+    }
+    if (aiReferral) {
+      aiReferralHits += 1;
+      const key = [
+        tsHour,
+        aiReferral.product,
+        aiReferral.sourceDomain,
+        aiReferral.evidenceType,
+        pathNormalized,
+        event.status ?? "null"
+      ].join("	");
+      const existing = aiReferralBuckets.get(key);
+      if (existing) {
+        existing.hits += 1;
+      } else {
+        aiReferralBuckets.set(key, {
+          tsHour,
+          operator: aiReferral.operator,
+          product: aiReferral.product,
+          sourceDomain: aiReferral.sourceDomain,
+          evidenceType: aiReferral.evidenceType,
+          landingPathNormalized: pathNormalized,
+          status: event.status,
+          hits: 1
+        });
+      }
+      incrementBucket(topAiReferrers, aiReferral.sourceDomain, {
+        sourceDomain: aiReferral.sourceDomain,
+        product: aiReferral.product
+      });
+      incrementBucket(topAiReferralLandingPaths, pathNormalized, { landingPathNormalized: pathNormalized });
+    }
+    if (!crawler && !aiReferral) unknownHits += 1;
+    if (samples.length < sampleLimit) {
+      samples.push({
+        eventId: event.eventId,
+        observedAt: event.observedAt,
+        sourceType: event.sourceType,
+        path: event.path,
+        pathNormalized,
+        status: event.status,
+        userAgent: event.userAgent,
+        referer: event.referer,
+        crawler,
+        aiReferral
+      });
+    }
+  }
+  return {
+    generatedAt: options.generatedAt ?? (/* @__PURE__ */ new Date()).toISOString(),
+    totals: {
+      normalizedEvents: events.length,
+      crawlerHits,
+      aiReferralHits,
+      unknownHits
+    },
+    crawlerEventsHourly: [...crawlerBuckets.values()].sort(sortCrawlerBuckets),
+    aiReferralEventsHourly: [...aiReferralBuckets.values()].sort(sortReferralBuckets),
+    topBots: topEntries(topBots, 10),
+    topCrawlerPaths: topEntries(topCrawlerPaths, 10),
+    topAiReferrers: topEntries(topAiReferrers, 10),
+    topAiReferralLandingPaths: topEntries(topAiReferralLandingPaths, 10),
+    samples
+  };
+}
+function incrementBucket(map, key, fields) {
+  const existing = map.get(key);
+  if (existing) existing.hits += 1;
+  else map.set(key, { fields, hits: 1 });
+}
+
+// ../api-routes/src/traffic.ts
+var DEFAULT_SYNC_WINDOW_MINUTES = 60;
+var DEFAULT_PAGE_SIZE2 = 1e3;
+var DEFAULT_MAX_PAGES2 = 5;
+var DEFAULT_SAMPLE_LIMIT2 = 100;
+function parseSourceConfig(row) {
+  return parseJsonColumn(row.configJson, {});
+}
+function rowToDto(row) {
+  return {
+    id: row.id,
+    projectId: row.projectId,
+    sourceType: row.sourceType,
+    displayName: row.displayName,
+    status: row.status,
+    lastSyncedAt: row.lastSyncedAt ?? null,
+    lastCursor: row.lastCursor ?? null,
+    lastError: row.lastError ?? null,
+    archivedAt: row.archivedAt ?? null,
+    config: parseSourceConfig(row),
+    createdAt: row.createdAt,
+    updatedAt: row.updatedAt
+  };
+}
+async function defaultResolveAccessToken(record) {
+  if (record.authMode === TrafficSourceAuthModes["service-account"]) {
+    if (!record.clientEmail || !record.privateKey) {
+      throw validationError("Service-account credentials missing client_email or private_key");
+    }
+    return getCloudLoggingAccessToken(record.clientEmail, record.privateKey);
+  }
+  throw validationError(
+    "OAuth-mode Cloud Run sync is not yet supported in v1. Provide a service-account key file."
+  );
+}
+async function trafficRoutes(app, opts) {
+  const pullEvents = opts.pullCloudRunEvents ?? listCloudRunTrafficEvents;
+  const resolveAccessToken2 = opts.resolveCloudRunAccessToken ?? defaultResolveAccessToken;
+  const syncWindowMinutes = opts.defaultSyncWindowMinutes ?? DEFAULT_SYNC_WINDOW_MINUTES;
+  const pageSize = opts.defaultPageSize ?? DEFAULT_PAGE_SIZE2;
+  const maxPages = opts.defaultMaxPages ?? DEFAULT_MAX_PAGES2;
+  const sampleLimit = opts.defaultSampleLimit ?? DEFAULT_SAMPLE_LIMIT2;
+  app.post("/projects/:name/traffic/connect/cloud-run", async (request) => {
+    const project = resolveProject(app.db, request.params.name);
+    const body = request.body ?? {};
+    const { gcpProjectId, serviceName, location, displayName, keyJson } = body;
+    if (!gcpProjectId || typeof gcpProjectId !== "string") {
+      throw validationError("gcpProjectId is required");
+    }
+    if (!keyJson) {
+      throw validationError(
+        "keyJson is required for v1 (service-account JSON content). OAuth-mode Cloud Run is not yet supported."
+      );
+    }
+    if (!opts.cloudRunCredentialStore) {
+      throw validationError("Cloud Run credential storage is not configured for this deployment");
+    }
+    let parsed;
+    try {
+      parsed = JSON.parse(keyJson);
+    } catch {
+      throw validationError("Invalid JSON in keyJson");
+    }
+    if (!parsed.client_email || !parsed.private_key) {
+      throw validationError("Service-account JSON must contain client_email and private_key");
+    }
+    const now = (/* @__PURE__ */ new Date()).toISOString();
+    const existing = opts.cloudRunCredentialStore.getConnection(project.name);
+    opts.cloudRunCredentialStore.upsertConnection({
+      projectName: project.name,
+      gcpProjectId,
+      serviceName: serviceName ?? void 0,
+      location: location ?? void 0,
+      authMode: TrafficSourceAuthModes["service-account"],
+      clientEmail: parsed.client_email,
+      privateKey: parsed.private_key,
+      createdAt: existing?.createdAt ?? now,
+      updatedAt: now
+    });
+    const activeSource = app.db.select().from(trafficSources).where(eq23(trafficSources.projectId, project.id)).all().find((row) => row.sourceType === TrafficSourceTypes["cloud-run"] && row.status !== TrafficSourceStatuses.archived);
+    const config = {
+      gcpProjectId,
+      serviceName: serviceName ?? null,
+      location: location ?? null,
+      authMode: TrafficSourceAuthModes["service-account"]
+    };
+    const fallbackName = displayName ?? `Cloud Run \xB7 ${gcpProjectId}${serviceName ? ` / ${serviceName}` : ""}`;
+    let sourceRow;
+    if (activeSource) {
+      app.db.update(trafficSources).set({
+        displayName: fallbackName,
+        status: TrafficSourceStatuses.connected,
+        lastError: null,
+        configJson: JSON.stringify(config),
+        updatedAt: now
+      }).where(eq23(trafficSources.id, activeSource.id)).run();
+      sourceRow = app.db.select().from(trafficSources).where(eq23(trafficSources.id, activeSource.id)).get();
+    } else {
+      const newId = crypto20.randomUUID();
+      app.db.insert(trafficSources).values({
+        id: newId,
+        projectId: project.id,
+        sourceType: TrafficSourceTypes["cloud-run"],
+        displayName: fallbackName,
+        status: TrafficSourceStatuses.connected,
+        lastSyncedAt: null,
+        lastCursor: null,
+        lastError: null,
+        archivedAt: null,
+        configJson: JSON.stringify(config),
+        createdAt: now,
+        updatedAt: now
+      }).run();
+      sourceRow = app.db.select().from(trafficSources).where(eq23(trafficSources.id, newId)).get();
+    }
+    writeAuditLog(app.db, {
+      projectId: project.id,
+      actor: "api",
+      action: "traffic.cloud-run.connected",
+      entityType: "traffic_source",
+      entityId: sourceRow.id
+    });
+    return rowToDto(sourceRow);
+  });
+  app.post("/projects/:name/traffic/sources/:id/sync", async (request) => {
+    const project = resolveProject(app.db, request.params.name);
+    const sourceRow = app.db.select().from(trafficSources).where(eq23(trafficSources.id, request.params.id)).get();
+    if (!sourceRow || sourceRow.projectId !== project.id) {
+      throw notFound("Traffic source", request.params.id);
+    }
+    if (sourceRow.sourceType !== TrafficSourceTypes["cloud-run"]) {
+      throw validationError(
+        `Sync for source type "${sourceRow.sourceType}" is not implemented yet \u2014 only cloud-run is supported in v1.`
+      );
+    }
+    const credentialStore = opts.cloudRunCredentialStore;
+    if (!credentialStore) {
+      throw validationError("Cloud Run credential storage is not configured for this deployment");
+    }
+    const credential = credentialStore.getConnection(project.name);
+    if (!credential) {
+      throw validationError(
+        `No Cloud Run credential found for project "${project.name}". Run "canonry traffic connect cloud-run" first.`
+      );
+    }
+    const config = parseSourceConfig(sourceRow);
+    const gcpProjectId = config.gcpProjectId ?? credential.gcpProjectId;
+    const serviceName = config.serviceName ?? credential.serviceName ?? void 0;
+    const location = config.location ?? credential.location ?? void 0;
+    const requestedMinutes = request.body?.sinceMinutes;
+    const windowMinutes = Number.isFinite(requestedMinutes) && requestedMinutes && requestedMinutes > 0 ? Math.floor(requestedMinutes) : syncWindowMinutes;
+    const windowEnd = /* @__PURE__ */ new Date();
+    const requestedStartMs = windowEnd.getTime() - windowMinutes * 6e4;
+    const lastSyncedMs = sourceRow.lastSyncedAt ? new Date(sourceRow.lastSyncedAt).getTime() : Number.NEGATIVE_INFINITY;
+    const windowStart = new Date(
+      Math.min(windowEnd.getTime(), Math.max(requestedStartMs, lastSyncedMs))
+    );
+    const startedAt = windowEnd.toISOString();
+    const runId = crypto20.randomUUID();
+    app.db.insert(runs).values({
+      id: runId,
+      projectId: project.id,
+      kind: RunKinds["traffic-sync"],
+      status: RunStatuses.running,
+      trigger: RunTriggers.manual,
+      startedAt,
+      createdAt: startedAt
+    }).run();
+    let accessToken;
+    try {
+      accessToken = await resolveAccessToken2(credential);
+    } catch (e) {
+      const msg = e instanceof Error ? e.message : String(e);
+      app.db.update(runs).set({ status: RunStatuses.failed, error: msg, finishedAt: (/* @__PURE__ */ new Date()).toISOString() }).where(eq23(runs.id, runId)).run();
+      app.db.update(trafficSources).set({ status: TrafficSourceStatuses.error, lastError: msg, updatedAt: (/* @__PURE__ */ new Date()).toISOString() }).where(eq23(trafficSources.id, sourceRow.id)).run();
+      throw validationError(`Failed to resolve Cloud Run access token: ${msg}`);
+    }
+    let allEvents = [];
+    try {
+      const page = await pullEvents(accessToken, {
+        gcpProjectId,
+        serviceName,
+        location,
+        startTime: windowStart.toISOString(),
+        endTime: windowEnd.toISOString(),
+        pageSize,
+        maxPages
+      });
+      allEvents = page.events;
+    } catch (e) {
+      const msg = e instanceof Error ? e.message : String(e);
+      app.db.update(runs).set({ status: RunStatuses.failed, error: msg, finishedAt: (/* @__PURE__ */ new Date()).toISOString() }).where(eq23(runs.id, runId)).run();
+      app.db.update(trafficSources).set({ status: TrafficSourceStatuses.error, lastError: msg, updatedAt: (/* @__PURE__ */ new Date()).toISOString() }).where(eq23(trafficSources.id, sourceRow.id)).run();
+      throw validationError(`Cloud Run pull failed: ${msg}`);
+    }
+    const report = buildTrafficProbeReport(allEvents, { sampleLimit });
+    const finishedAt = (/* @__PURE__ */ new Date()).toISOString();
+    let crawlerBucketRows = 0;
+    let aiReferralBucketRows = 0;
+    let sampleRows = 0;
+    app.db.transaction((tx) => {
+      for (const bucket of report.crawlerEventsHourly) {
+        const status = bucket.status ?? 0;
+        tx.insert(crawlerEventsHourly).values({
+          projectId: project.id,
+          sourceId: sourceRow.id,
+          tsHour: bucket.tsHour,
+          botId: bucket.botId,
+          operator: bucket.operator,
+          verificationStatus: bucket.verificationStatus,
+          pathNormalized: bucket.pathNormalized,
+          status,
+          hits: bucket.hits,
+          sampledUserAgent: bucket.sampledUserAgent,
+          createdAt: finishedAt,
+          updatedAt: finishedAt
+        }).onConflictDoUpdate({
+          target: [
+            crawlerEventsHourly.projectId,
+            crawlerEventsHourly.sourceId,
+            crawlerEventsHourly.tsHour,
+            crawlerEventsHourly.botId,
+            crawlerEventsHourly.verificationStatus,
+            crawlerEventsHourly.pathNormalized,
+            crawlerEventsHourly.status
+          ],
+          set: {
+            hits: sql7`${crawlerEventsHourly.hits} + ${bucket.hits}`,
+            sampledUserAgent: bucket.sampledUserAgent,
+            updatedAt: finishedAt
+          }
+        }).run();
+        crawlerBucketRows += 1;
+      }
+      for (const bucket of report.aiReferralEventsHourly) {
+        const status = bucket.status ?? 0;
+        tx.insert(aiReferralEventsHourly).values({
+          projectId: project.id,
+          sourceId: sourceRow.id,
+          tsHour: bucket.tsHour,
+          product: bucket.product,
+          operator: bucket.operator,
+          sourceDomain: bucket.sourceDomain,
+          evidenceType: bucket.evidenceType,
+          landingPathNormalized: bucket.landingPathNormalized,
+          status,
+          sessionsOrHits: bucket.hits,
+          usersEstimated: null,
+          createdAt: finishedAt,
+          updatedAt: finishedAt
+        }).onConflictDoUpdate({
+          target: [
+            aiReferralEventsHourly.projectId,
+            aiReferralEventsHourly.sourceId,
+            aiReferralEventsHourly.tsHour,
+            aiReferralEventsHourly.product,
+            aiReferralEventsHourly.sourceDomain,
+            aiReferralEventsHourly.evidenceType,
+            aiReferralEventsHourly.landingPathNormalized,
+            aiReferralEventsHourly.status
+          ],
+          set: {
+            sessionsOrHits: sql7`${aiReferralEventsHourly.sessionsOrHits} + ${bucket.hits}`,
+            updatedAt: finishedAt
+          }
+        }).run();
+        aiReferralBucketRows += 1;
+      }
+      for (const sample of report.samples) {
+        const eventType = sample.crawler ? "crawler" : sample.aiReferral ? "ai_referral" : "unknown";
+        const refererHost = (() => {
+          if (!sample.referer) return null;
+          try {
+            return new URL(sample.referer).hostname;
+          } catch {
+            return null;
+          }
+        })();
+        tx.insert(rawEventSamples).values({
+          id: crypto20.randomUUID(),
+          projectId: project.id,
+          sourceId: sourceRow.id,
+          ts: sample.observedAt,
+          eventType,
+          ipHash: null,
+          userAgent: sample.userAgent,
+          pathNormalized: sample.pathNormalized,
+          status: sample.status,
+          refererHost,
+          classifierDetailsJson: JSON.stringify({
+            crawler: sample.crawler,
+            aiReferral: sample.aiReferral
+          }),
+          createdAt: finishedAt
+        }).run();
+        sampleRows += 1;
+      }
+      tx.update(trafficSources).set({
+        status: TrafficSourceStatuses.connected,
+        lastSyncedAt: finishedAt,
+        lastError: null,
+        updatedAt: finishedAt
+      }).where(eq23(trafficSources.id, sourceRow.id)).run();
+      tx.update(runs).set({ status: RunStatuses.completed, finishedAt }).where(eq23(runs.id, runId)).run();
+    });
+    writeAuditLog(app.db, {
+      projectId: project.id,
+      actor: "api",
+      action: "traffic.cloud-run.synced",
+      entityType: "traffic_source",
+      entityId: sourceRow.id
+    });
+    const response = {
+      sourceId: sourceRow.id,
+      runId,
+      syncedAt: finishedAt,
+      pulledEvents: report.totals.normalizedEvents,
+      crawlerHits: report.totals.crawlerHits,
+      aiReferralHits: report.totals.aiReferralHits,
+      unknownHits: report.totals.unknownHits,
+      crawlerBucketRows,
+      aiReferralBucketRows,
+      sampleRows,
+      windowStart: windowStart.toISOString(),
+      windowEnd: windowEnd.toISOString()
+    };
+    return response;
+  });
+}
+
+// ../api-routes/src/doctor/checks/bing-auth.ts
+var BING_AUTH_CHECKS = [
+  {
+    id: "bing.auth.connection",
+    category: CheckCategories.auth,
+    scope: CheckScopes.project,
+    title: "Bing WMT connection",
+    run: async (ctx) => {
+      if (!ctx.project) {
+        return {
+          status: CheckStatuses.skipped,
+          code: "bing.auth.no-project",
+          summary: "Project context required.",
+          remediation: null
+        };
+      }
+      const store = ctx.bingConnectionStore;
+      if (!store) {
+        return {
+          status: CheckStatuses.skipped,
+          code: "bing.auth.store-unavailable",
+          summary: "Bing connection store is not configured for this deployment.",
+          remediation: null
+        };
+      }
+      const conn = store.getConnection(ctx.project.canonicalDomain);
+      if (!conn) {
+        return {
+          status: CheckStatuses.fail,
+          code: "bing.auth.no-connection",
+          summary: `No Bing connection for ${ctx.project.canonicalDomain}.`,
+          remediation: `Run \`canonry bing connect ${ctx.project.name} --api-key <key>\` to authorize.`
+        };
+      }
+      if (!conn.apiKey) {
+        return {
+          status: CheckStatuses.fail,
+          code: "bing.auth.no-api-key",
+          summary: "Bing connection exists but has no API key stored.",
+          remediation: `Run \`canonry bing connect ${ctx.project.name} --api-key <key>\` to re-authorize.`
+        };
+      }
+      try {
+        await getSites(conn.apiKey);
+        return {
+          status: CheckStatuses.ok,
+          code: "bing.auth.connected",
+          summary: "Bing API key is valid and can list sites.",
+          remediation: null
+        };
+      } catch (err) {
+        const message = err instanceof Error ? err.message : String(err);
+        return {
+          status: CheckStatuses.fail,
+          code: "bing.auth.verification-failed",
+          summary: "Bing API key verification failed.",
+          remediation: "Verify your Bing API key is correct and active in Bing Webmaster Tools.",
+          details: { error: message }
+        };
+      }
+    }
+  },
+  {
+    id: "bing.auth.site-access",
+    category: CheckCategories.auth,
+    scope: CheckScopes.project,
+    title: "Bing site access",
+    run: async (ctx) => {
+      if (!ctx.project) {
+        return {
+          status: CheckStatuses.skipped,
+          code: "bing.auth.no-project",
           summary: "Project context required.",
           remediation: null
         };
@@ -16183,6 +17543,11 @@ async function apiRoutes(app, opts) {
       googleConnectionStore: opts.googleConnectionStore,
       getGoogleAuthConfig: opts.getGoogleAuthConfig
     });
+    await api.register(trafficRoutes, {
+      cloudRunCredentialStore: opts.cloudRunCredentialStore,
+      pullCloudRunEvents: opts.pullCloudRunEvents,
+      resolveCloudRunAccessToken: opts.resolveCloudRunAccessToken
+    });
     await api.register(backlinksRoutes, {
       getBacklinksStatus: opts.getBacklinksStatus,
       onInstallBacklinks: opts.onInstallBacklinks,
@@ -18608,8 +19973,40 @@ function removeGa4Connection(config, projectName) {
   return true;
 }
 
-// src/wordpress-config.ts
+// src/cloud-run-config.ts
 function ensureConnections3(config) {
+  if (!config.cloudRun) config.cloudRun = {};
+  if (!config.cloudRun.connections) config.cloudRun.connections = [];
+  return config.cloudRun.connections;
+}
+function getCloudRunConnection(config, projectName) {
+  return (config.cloudRun?.connections ?? []).find((c) => c.projectName === projectName);
+}
+function upsertCloudRunConnection(config, connection) {
+  const connections = ensureConnections3(config);
+  const index = connections.findIndex((c) => c.projectName === connection.projectName);
+  if (index === -1) {
+    connections.push(connection);
+    return connection;
+  }
+  connections[index] = connection;
+  return connection;
+}
+function removeCloudRunConnection(config, projectName) {
+  const connections = config.cloudRun?.connections;
+  if (!connections?.length) return false;
+  const next = connections.filter((c) => c.projectName !== projectName);
+  if (next.length === connections.length) return false;
+  if (!config.cloudRun) return false;
+  config.cloudRun.connections = next;
+  if (next.length === 0) {
+    delete config.cloudRun;
+  }
+  return true;
+}
+
+// src/wordpress-config.ts
+function ensureConnections4(config) {
   if (!config.wordpress) config.wordpress = {};
   if (!config.wordpress.connections) config.wordpress.connections = [];
   return config.wordpress.connections;
@@ -18626,7 +20023,7 @@ function getWordpressConnection(config, projectName) {
   return (config.wordpress?.connections ?? []).find((connection) => connection.projectName === projectName);
 }
 function upsertWordpressConnection(config, connection) {
-  const connections = ensureConnections3(config);
+  const connections = ensureConnections4(config);
   const normalized = normalizeConnection(connection);
   const index = connections.findIndex((entry) => entry.projectName === connection.projectName);
   if (index === -1) {
@@ -18660,11 +20057,11 @@ function removeWordpressConnection(config, projectName) {
 }
 
 // src/job-runner.ts
-import crypto19 from "crypto";
+import crypto21 from "crypto";
 import fs7 from "fs";
 import path9 from "path";
 import os4 from "os";
-import { and as and12, eq as eq23, inArray as inArray7, sql as sql7 } from "drizzle-orm";
+import { and as and12, eq as eq24, inArray as inArray7, sql as sql8 } from "drizzle-orm";
 
 // src/citation-utils.ts
 function domainMatches(domain, canonicalDomain) {
@@ -18925,7 +20322,7 @@ var JobRunner = class {
     if (stale.length === 0) return;
     const now = (/* @__PURE__ */ new Date()).toISOString();
     for (const run of stale) {
-      this.db.update(runs).set({ status: "failed", finishedAt: now, error: "Server restarted while run was in progress" }).where(eq23(runs.id, run.id)).run();
+      this.db.update(runs).set({ status: "failed", finishedAt: now, error: "Server restarted while run was in progress" }).where(eq24(runs.id, run.id)).run();
       log.warn("run.recovered-stale", { runId: run.id, previousStatus: run.status });
     }
   }
@@ -18953,10 +20350,10 @@ var JobRunner = class {
         throw new Error(`Run ${runId} is not executable from status '${existingRun.status}'`);
       }
       if (existingRun.status === "queued") {
-        this.db.update(runs).set({ status: "running", startedAt: now }).where(and12(eq23(runs.id, runId), eq23(runs.status, "queued"))).run();
+        this.db.update(runs).set({ status: "running", startedAt: now }).where(and12(eq24(runs.id, runId), eq24(runs.status, "queued"))).run();
       }
       this.throwIfRunCancelled(runId);
-      const project = this.db.select().from(projects).where(eq23(projects.id, projectId)).get();
+      const project = this.db.select().from(projects).where(eq24(projects.id, projectId)).get();
       if (!project) {
         throw new Error(`Project ${projectId} not found`);
       }
@@ -18976,8 +20373,8 @@ var JobRunner = class {
         throw new Error("No providers configured. Add at least one provider API key.");
       }
       log.info("run.dispatch", { runId, providerCount: activeProviders.length, providers: activeProviders.map((p) => p.adapter.name) });
-      projectQueries = this.db.select().from(queries).where(eq23(queries.projectId, projectId)).all();
-      const projectCompetitors = this.db.select().from(competitors).where(eq23(competitors.projectId, projectId)).all();
+      projectQueries = this.db.select().from(queries).where(eq24(queries.projectId, projectId)).all();
+      const projectCompetitors = this.db.select().from(competitors).where(eq24(competitors.projectId, projectId)).all();
       const competitorDomains = projectCompetitors.map((c) => c.domain);
       const allDomains = effectiveDomains({
         canonicalDomain: project.canonicalDomain,
@@ -18993,7 +20390,7 @@ var JobRunner = class {
       const todayPeriod = getCurrentUsageDay();
       for (const p of activeProviders) {
         const providerScope = `${projectId}:${p.adapter.name}`;
-        const providerUsage = this.db.select().from(usageCounters).where(eq23(usageCounters.scope, providerScope)).all().filter((r) => r.period === todayPeriod && r.metric === "queries").reduce((sum, r) => sum + r.count, 0);
+        const providerUsage = this.db.select().from(usageCounters).where(eq24(usageCounters.scope, providerScope)).all().filter((r) => r.period === todayPeriod && r.metric === "queries").reduce((sum, r) => sum + r.count, 0);
         const limit = p.config.quotaPolicy.maxRequestsPerDay;
         if (providerUsage + queriesPerProvider > limit) {
           throw new Error(
@@ -19053,7 +20450,7 @@ var JobRunner = class {
             );
             let screenshotRelPath = null;
             if (raw.screenshotPath && fs7.existsSync(raw.screenshotPath)) {
-              const snapshotId = crypto19.randomUUID();
+              const snapshotId = crypto21.randomUUID();
               const screenshotDir = path9.join(os4.homedir(), ".canonry", "screenshots", runId);
               if (!fs7.existsSync(screenshotDir)) fs7.mkdirSync(screenshotDir, { recursive: true });
               const destPath = path9.join(screenshotDir, `${snapshotId}.png`);
@@ -19083,7 +20480,7 @@ var JobRunner = class {
               }).run();
             } else {
               this.db.insert(querySnapshots).values({
-                id: crypto19.randomUUID(),
+                id: crypto21.randomUUID(),
                 runId,
                 queryId: q.id,
                 provider: providerName,
@@ -19134,12 +20531,12 @@ var JobRunner = class {
       const someFailed = providerErrors.size > 0;
       if (allFailed) {
         const errorDetail = serializeRunError(buildRunErrorFromMessages(providerErrors));
-        this.db.update(runs).set({ status: "failed", finishedAt: (/* @__PURE__ */ new Date()).toISOString(), error: errorDetail }).where(eq23(runs.id, runId)).run();
+        this.db.update(runs).set({ status: "failed", finishedAt: (/* @__PURE__ */ new Date()).toISOString(), error: errorDetail }).where(eq24(runs.id, runId)).run();
       } else if (someFailed) {
         const errorDetail = serializeRunError(buildRunErrorFromMessages(providerErrors));
-        this.db.update(runs).set({ status: "partial", finishedAt: (/* @__PURE__ */ new Date()).toISOString(), error: errorDetail }).where(eq23(runs.id, runId)).run();
+        this.db.update(runs).set({ status: "partial", finishedAt: (/* @__PURE__ */ new Date()).toISOString(), error: errorDetail }).where(eq24(runs.id, runId)).run();
       } else {
-        this.db.update(runs).set({ status: "completed", finishedAt: (/* @__PURE__ */ new Date()).toISOString() }).where(eq23(runs.id, runId)).run();
+        this.db.update(runs).set({ status: "completed", finishedAt: (/* @__PURE__ */ new Date()).toISOString() }).where(eq24(runs.id, runId)).run();
       }
       this.flushProviderUsage(projectId, providerDispatchCounts);
       const finalStatus = allFailed ? "failed" : someFailed ? "partial" : "completed";
@@ -19174,7 +20571,7 @@ var JobRunner = class {
         status: "failed",
         finishedAt: (/* @__PURE__ */ new Date()).toISOString(),
         error: errorMessage
-      }).where(eq23(runs.id, runId)).run();
+      }).where(eq24(runs.id, runId)).run();
       this.flushProviderUsage(projectId, providerDispatchCounts);
       trackEvent("run.completed", {
         status: "failed",
@@ -19195,7 +20592,7 @@ var JobRunner = class {
     const now = (/* @__PURE__ */ new Date()).toISOString();
     const period = now.slice(0, 10);
     this.db.insert(usageCounters).values({
-      id: crypto19.randomUUID(),
+      id: crypto21.randomUUID(),
       scope,
       period,
       metric,
@@ -19203,7 +20600,7 @@ var JobRunner = class {
       updatedAt: now
     }).onConflictDoUpdate({
       target: [usageCounters.scope, usageCounters.period, usageCounters.metric],
-      set: { count: sql7`${usageCounters.count} + ${count}`, updatedAt: now }
+      set: { count: sql8`${usageCounters.count} + ${count}`, updatedAt: now }
     }).run();
   }
   flushProviderUsage(projectId, providerDispatchCounts) {
@@ -19217,7 +20614,7 @@ var JobRunner = class {
       status: runs.status,
       finishedAt: runs.finishedAt,
       error: runs.error
-    }).from(runs).where(eq23(runs.id, runId)).get();
+    }).from(runs).where(eq24(runs.id, runId)).get();
   }
   isRunCancelled(runId) {
     return this.getRunState(runId)?.status === "cancelled";
@@ -19233,7 +20630,7 @@ var JobRunner = class {
       this.db.update(runs).set({
         finishedAt: (/* @__PURE__ */ new Date()).toISOString(),
         error: currentRun.error ?? "Cancelled by user"
-      }).where(eq23(runs.id, runId)).run();
+      }).where(eq24(runs.id, runId)).run();
     }
     trackEvent("run.completed", {
       status: "cancelled",
@@ -19255,8 +20652,8 @@ function getCurrentUsageDay() {
 }
 
 // src/gsc-sync.ts
-import crypto20 from "crypto";
-import { eq as eq24, and as and13, sql as sql8 } from "drizzle-orm";
+import crypto22 from "crypto";
+import { eq as eq25, and as and13, sql as sql9 } from "drizzle-orm";
 var log2 = createLogger("GscSync");
 function formatDate3(d) {
   return d.toISOString().split("T")[0];
@@ -19268,13 +20665,13 @@ function daysAgo(n) {
 }
 async function executeGscSync(db, runId, projectId, opts) {
   const now = (/* @__PURE__ */ new Date()).toISOString();
-  db.update(runs).set({ status: "running", startedAt: now }).where(eq24(runs.id, runId)).run();
+  db.update(runs).set({ status: "running", startedAt: now }).where(eq25(runs.id, runId)).run();
   try {
     const { clientId: googleClientId, clientSecret: googleClientSecret } = getGoogleAuthConfig(opts.config);
     if (!googleClientId || !googleClientSecret) {
       throw new Error("Google OAuth is not configured in the local Canonry config");
     }
-    const project = db.select().from(projects).where(eq24(projects.id, projectId)).get();
+    const project = db.select().from(projects).where(eq25(projects.id, projectId)).get();
     if (!project) {
       throw new Error(`Project not found: ${projectId}`);
     }
@@ -19309,9 +20706,9 @@ async function executeGscSync(db, runId, projectId, opts) {
     log2.info("fetch.complete", { runId, projectId, rowCount: rows.length });
     db.delete(gscSearchData).where(
       and13(
-        eq24(gscSearchData.projectId, projectId),
-        sql8`${gscSearchData.date} >= ${startDate}`,
-        sql8`${gscSearchData.date} <= ${endDate}`
+        eq25(gscSearchData.projectId, projectId),
+        sql9`${gscSearchData.date} >= ${startDate}`,
+        sql9`${gscSearchData.date} <= ${endDate}`
       )
     ).run();
     const batchSize = 500;
@@ -19321,7 +20718,7 @@ async function executeGscSync(db, runId, projectId, opts) {
       for (const row of batch) {
         const [query, page, country, device, date] = row.keys;
         db.insert(gscSearchData).values({
-          id: crypto20.randomUUID(),
+          id: crypto22.randomUUID(),
           projectId,
           syncRunId: runId,
           date: date ?? "",
@@ -19355,7 +20752,7 @@ async function executeGscSync(db, runId, projectId, opts) {
         const rich = ir.richResultsResult;
         const inspectedAt = (/* @__PURE__ */ new Date()).toISOString();
         db.insert(gscUrlInspections).values({
-          id: crypto20.randomUUID(),
+          id: crypto22.randomUUID(),
           projectId,
           syncRunId: runId,
           url: pageUrl,
@@ -19376,7 +20773,7 @@ async function executeGscSync(db, runId, projectId, opts) {
         log2.error("inspect.url-failed", { runId, projectId, url: pageUrl, error: err instanceof Error ? err.message : String(err) });
       }
     }
-    const allInspections = db.select().from(gscUrlInspections).where(eq24(gscUrlInspections.projectId, projectId)).all();
+    const allInspections = db.select().from(gscUrlInspections).where(eq25(gscUrlInspections.projectId, projectId)).all();
     const latestByUrl = /* @__PURE__ */ new Map();
     for (const row of allInspections) {
       const existing = latestByUrl.get(row.url);
@@ -19397,9 +20794,9 @@ async function executeGscSync(db, runId, projectId, opts) {
       }
     }
     const snapshotDate = formatDate3(/* @__PURE__ */ new Date());
-    db.delete(gscCoverageSnapshots).where(and13(eq24(gscCoverageSnapshots.projectId, projectId), eq24(gscCoverageSnapshots.date, snapshotDate))).run();
+    db.delete(gscCoverageSnapshots).where(and13(eq25(gscCoverageSnapshots.projectId, projectId), eq25(gscCoverageSnapshots.date, snapshotDate))).run();
     db.insert(gscCoverageSnapshots).values({
-      id: crypto20.randomUUID(),
+      id: crypto22.randomUUID(),
       projectId,
       syncRunId: runId,
       date: snapshotDate,
@@ -19408,19 +20805,19 @@ async function executeGscSync(db, runId, projectId, opts) {
       reasonBreakdown: JSON.stringify(reasonCounts),
       createdAt: (/* @__PURE__ */ new Date()).toISOString()
     }).run();
-    db.update(runs).set({ status: "completed", finishedAt: (/* @__PURE__ */ new Date()).toISOString() }).where(eq24(runs.id, runId)).run();
+    db.update(runs).set({ status: "completed", finishedAt: (/* @__PURE__ */ new Date()).toISOString() }).where(eq25(runs.id, runId)).run();
     log2.info("sync.completed", { runId, projectId, searchDataRows: rows.length, urlInspections: topPages.length, indexed: snapIndexed, notIndexed: snapNotIndexed });
   } catch (err) {
     const errorMsg = err instanceof Error ? err.message : String(err);
-    db.update(runs).set({ status: "failed", error: errorMsg, finishedAt: (/* @__PURE__ */ new Date()).toISOString() }).where(eq24(runs.id, runId)).run();
+    db.update(runs).set({ status: "failed", error: errorMsg, finishedAt: (/* @__PURE__ */ new Date()).toISOString() }).where(eq25(runs.id, runId)).run();
     log2.error("sync.failed", { runId, projectId, error: errorMsg });
     throw err;
   }
 }
 
 // src/gsc-inspect-sitemap.ts
-import crypto21 from "crypto";
-import { eq as eq25, and as and14 } from "drizzle-orm";
+import crypto23 from "crypto";
+import { eq as eq26, and as and14 } from "drizzle-orm";
 
 // src/sitemap-parser.ts
 var log3 = createLogger("SitemapParser");
@@ -19541,13 +20938,13 @@ async function parseSitemapRecursive(url, urls, visited, depth, isChild) {
 var log4 = createLogger("InspectSitemap");
 async function executeInspectSitemap(db, runId, projectId, opts) {
   const now = (/* @__PURE__ */ new Date()).toISOString();
-  db.update(runs).set({ status: "running", startedAt: now }).where(eq25(runs.id, runId)).run();
+  db.update(runs).set({ status: "running", startedAt: now }).where(eq26(runs.id, runId)).run();
   try {
     const { clientId: googleClientId, clientSecret: googleClientSecret } = getGoogleAuthConfig(opts.config);
     if (!googleClientId || !googleClientSecret) {
       throw new Error("Google OAuth is not configured in the local Canonry config");
     }
-    const project = db.select().from(projects).where(eq25(projects.id, projectId)).get();
+    const project = db.select().from(projects).where(eq26(projects.id, projectId)).get();
     if (!project) {
       throw new Error(`Project not found: ${projectId}`);
     }
@@ -19588,7 +20985,7 @@ async function executeInspectSitemap(db, runId, projectId, opts) {
         const rich = ir.richResultsResult;
         const inspectedAt = (/* @__PURE__ */ new Date()).toISOString();
         db.insert(gscUrlInspections).values({
-          id: crypto21.randomUUID(),
+          id: crypto23.randomUUID(),
           projectId,
           syncRunId: runId,
           url: pageUrl,
@@ -19615,7 +21012,7 @@ async function executeInspectSitemap(db, runId, projectId, opts) {
         await new Promise((r) => setTimeout(r, 1e3));
       }
     }
-    const allInspections = db.select().from(gscUrlInspections).where(eq25(gscUrlInspections.projectId, projectId)).all();
+    const allInspections = db.select().from(gscUrlInspections).where(eq26(gscUrlInspections.projectId, projectId)).all();
     const latestByUrl = /* @__PURE__ */ new Map();
     for (const row of allInspections) {
       const existing = latestByUrl.get(row.url);
@@ -19636,9 +21033,9 @@ async function executeInspectSitemap(db, runId, projectId, opts) {
       }
     }
     const snapshotDate = (/* @__PURE__ */ new Date()).toISOString().split("T")[0];
-    db.delete(gscCoverageSnapshots).where(and14(eq25(gscCoverageSnapshots.projectId, projectId), eq25(gscCoverageSnapshots.date, snapshotDate))).run();
+    db.delete(gscCoverageSnapshots).where(and14(eq26(gscCoverageSnapshots.projectId, projectId), eq26(gscCoverageSnapshots.date, snapshotDate))).run();
     db.insert(gscCoverageSnapshots).values({
-      id: crypto21.randomUUID(),
+      id: crypto23.randomUUID(),
       projectId,
       syncRunId: runId,
       date: snapshotDate,
@@ -19648,19 +21045,19 @@ async function executeInspectSitemap(db, runId, projectId, opts) {
       createdAt: (/* @__PURE__ */ new Date()).toISOString()
     }).run();
     const status = errors > 0 && inspected > 0 ? "partial" : errors === urls.length ? "failed" : "completed";
-    db.update(runs).set({ status, finishedAt: (/* @__PURE__ */ new Date()).toISOString() }).where(eq25(runs.id, runId)).run();
+    db.update(runs).set({ status, finishedAt: (/* @__PURE__ */ new Date()).toISOString() }).where(eq26(runs.id, runId)).run();
     log4.info("inspect.completed", { runId, projectId, inspected, errors, total: urls.length, indexed: snapIndexed, notIndexed: snapNotIndexed });
   } catch (err) {
     const errorMsg = err instanceof Error ? err.message : String(err);
-    db.update(runs).set({ status: "failed", error: errorMsg, finishedAt: (/* @__PURE__ */ new Date()).toISOString() }).where(eq25(runs.id, runId)).run();
+    db.update(runs).set({ status: "failed", error: errorMsg, finishedAt: (/* @__PURE__ */ new Date()).toISOString() }).where(eq26(runs.id, runId)).run();
     log4.error("inspect.failed", { runId, projectId, error: errorMsg });
     throw err;
   }
 }
 
 // src/bing-inspect-sitemap.ts
-import crypto22 from "crypto";
-import { eq as eq26, desc as desc12 } from "drizzle-orm";
+import crypto24 from "crypto";
+import { eq as eq27, desc as desc12 } from "drizzle-orm";
 var log5 = createLogger("BingInspectSitemap");
 function parseBingDate2(value) {
   if (!value) return null;
@@ -19678,9 +21075,9 @@ function isBlockingIssueType2(issueType) {
 }
 async function executeBingInspectSitemap(db, runId, projectId, opts) {
   const startedAt = (/* @__PURE__ */ new Date()).toISOString();
-  db.update(runs).set({ status: RunStatuses.running, startedAt }).where(eq26(runs.id, runId)).run();
+  db.update(runs).set({ status: RunStatuses.running, startedAt }).where(eq27(runs.id, runId)).run();
   try {
-    const project = db.select().from(projects).where(eq26(projects.id, projectId)).get();
+    const project = db.select().from(projects).where(eq27(projects.id, projectId)).get();
     if (!project) {
       throw new Error(`Project not found: ${projectId}`);
     }
@@ -19698,7 +21095,7 @@ async function executeBingInspectSitemap(db, runId, projectId, opts) {
     if (sitemapUrls.length === 0) {
       throw new Error("No URLs found in sitemap");
     }
-    const trackedRows = db.select({ url: bingUrlInspections.url }).from(bingUrlInspections).where(eq26(bingUrlInspections.projectId, projectId)).all();
+    const trackedRows = db.select({ url: bingUrlInspections.url }).from(bingUrlInspections).where(eq27(bingUrlInspections.projectId, projectId)).all();
     const trackedUrls = new Set(trackedRows.map((r) => r.url));
     const discovered = sitemapUrls.filter((u) => !trackedUrls.has(u));
     log5.info("sitemap.diff", {
@@ -19747,7 +21144,7 @@ async function executeBingInspectSitemap(db, runId, projectId, opts) {
           derivedInIndex = false;
         }
         db.insert(bingUrlInspections).values({
-          id: crypto22.randomUUID(),
+          id: crypto24.randomUUID(),
           projectId,
           url: pageUrl,
           httpCode,
@@ -19781,7 +21178,7 @@ async function executeBingInspectSitemap(db, runId, projectId, opts) {
         await new Promise((r) => setTimeout(r, 1e3));
       }
     }
-    const allInspections = db.select().from(bingUrlInspections).where(eq26(bingUrlInspections.projectId, projectId)).orderBy(desc12(bingUrlInspections.inspectedAt)).all();
+    const allInspections = db.select().from(bingUrlInspections).where(eq27(bingUrlInspections.projectId, projectId)).orderBy(desc12(bingUrlInspections.inspectedAt)).all();
     const latestByUrl = /* @__PURE__ */ new Map();
     const definitiveByUrl = /* @__PURE__ */ new Map();
     for (const row of allInspections) {
@@ -19805,7 +21202,7 @@ async function executeBingInspectSitemap(db, runId, projectId, opts) {
     const snapshotDate = (/* @__PURE__ */ new Date()).toISOString().split("T")[0];
     const snapNow = (/* @__PURE__ */ new Date()).toISOString();
     db.insert(bingCoverageSnapshots).values({
-      id: crypto22.randomUUID(),
+      id: crypto24.randomUUID(),
       projectId,
       syncRunId: runId,
       date: snapshotDate,
@@ -19824,7 +21221,7 @@ async function executeBingInspectSitemap(db, runId, projectId, opts) {
       }
     }).run();
     const status = errors === sitemapUrls.length ? RunStatuses.failed : errors > 0 ? RunStatuses.partial : RunStatuses.completed;
-    db.update(runs).set({ status, finishedAt: (/* @__PURE__ */ new Date()).toISOString() }).where(eq26(runs.id, runId)).run();
+    db.update(runs).set({ status, finishedAt: (/* @__PURE__ */ new Date()).toISOString() }).where(eq27(runs.id, runId)).run();
     log5.info("inspect.completed", {
       runId,
       projectId,
@@ -19838,16 +21235,16 @@ async function executeBingInspectSitemap(db, runId, projectId, opts) {
     });
   } catch (err) {
     const errorMsg = err instanceof Error ? err.message : String(err);
-    db.update(runs).set({ status: RunStatuses.failed, error: errorMsg, finishedAt: (/* @__PURE__ */ new Date()).toISOString() }).where(eq26(runs.id, runId)).run();
+    db.update(runs).set({ status: RunStatuses.failed, error: errorMsg, finishedAt: (/* @__PURE__ */ new Date()).toISOString() }).where(eq27(runs.id, runId)).run();
     log5.error("inspect.failed", { runId, projectId, error: errorMsg });
     throw err;
   }
 }
 
 // src/commoncrawl-sync.ts
-import crypto23 from "crypto";
+import crypto25 from "crypto";
 import path10 from "path";
-import { and as and15, eq as eq27, sql as sql9 } from "drizzle-orm";
+import { and as and15, eq as eq28, sql as sql10 } from "drizzle-orm";
 var log6 = createLogger("CommonCrawlSync");
 var INSERT_CHUNK_SIZE = 1e4;
 function defaultDeps() {
@@ -19873,7 +21270,7 @@ async function executeReleaseSync(db, syncId, opts) {
       phaseDetail: "downloading vertices + edges",
       updatedAt: downloadStartedAt,
       error: null
-    }).where(eq27(ccReleaseSyncs.id, syncId)).run();
+    }).where(eq28(ccReleaseSyncs.id, syncId)).run();
     const paths = ccReleasePaths(release);
     const releaseCacheDir = path10.join(deps.cacheDir, release);
     const vertexPath = path10.join(releaseCacheDir, paths.vertexFilename);
@@ -19896,7 +21293,7 @@ async function executeReleaseSync(db, syncId, opts) {
       vertexSha256: vertex.sha256,
       edgesSha256: edges.sha256,
       updatedAt: downloadFinishedAt
-    }).where(eq27(ccReleaseSyncs.id, syncId)).run();
+    }).where(eq28(ccReleaseSyncs.id, syncId)).run();
     const allProjects = db.select().from(projects).all();
     const targets = Array.from(new Set(allProjects.map((p) => p.canonicalDomain)));
     let rows = [];
@@ -19912,15 +21309,15 @@ async function executeReleaseSync(db, syncId, opts) {
     }
     const queriedAt = deps.now().toISOString();
     db.transaction((tx) => {
-      tx.delete(backlinkDomains).where(eq27(backlinkDomains.releaseSyncId, syncId)).run();
-      tx.delete(backlinkSummaries).where(eq27(backlinkSummaries.releaseSyncId, syncId)).run();
+      tx.delete(backlinkDomains).where(eq28(backlinkDomains.releaseSyncId, syncId)).run();
+      tx.delete(backlinkSummaries).where(eq28(backlinkSummaries.releaseSyncId, syncId)).run();
       const expanded = [];
       for (const r of rows) {
         const projectIds = projectsByDomain.get(r.targetDomain);
         if (!projectIds) continue;
         for (const projectId of projectIds) {
           expanded.push({
-            id: crypto23.randomUUID(),
+            id: crypto25.randomUUID(),
             projectId,
             releaseSyncId: syncId,
             release,
@@ -19940,7 +21337,7 @@ async function executeReleaseSync(db, syncId, opts) {
         const projectRows = rowsByProject.get(p.id) ?? [];
         const summary = computeSummary(projectRows);
         tx.insert(backlinkSummaries).values({
-          id: crypto23.randomUUID(),
+          id: crypto25.randomUUID(),
           projectId: p.id,
           releaseSyncId: syncId,
           release,
@@ -19972,7 +21369,7 @@ async function executeReleaseSync(db, syncId, opts) {
       domainsDiscovered: rows.length,
       updatedAt: finishedAt,
       error: null
-    }).where(eq27(ccReleaseSyncs.id, syncId)).run();
+    }).where(eq28(ccReleaseSyncs.id, syncId)).run();
     log6.info("sync.completed", {
       syncId,
       release,
@@ -20002,7 +21399,7 @@ async function executeReleaseSync(db, syncId, opts) {
       error: errorMsg,
       phaseDetail: null,
       updatedAt: finishedAt
-    }).where(eq27(ccReleaseSyncs.id, syncId)).run();
+    }).where(eq28(ccReleaseSyncs.id, syncId)).run();
     log6.error("sync.failed", { syncId, release, error: errorMsg });
     throw err;
   }
@@ -20036,9 +21433,9 @@ function computeSummary(rows) {
 }
 
 // src/backlink-extract.ts
-import crypto24 from "crypto";
+import crypto26 from "crypto";
 import fs8 from "fs";
-import { and as and16, desc as desc13, eq as eq28 } from "drizzle-orm";
+import { and as and16, desc as desc13, eq as eq29 } from "drizzle-orm";
 var log7 = createLogger("BacklinkExtract");
 function defaultDeps2() {
   return {
@@ -20050,13 +21447,13 @@ function defaultDeps2() {
 async function executeBacklinkExtract(db, runId, projectId, opts = {}) {
   const deps = { ...defaultDeps2(), ...opts.deps };
   const startedAt = deps.now().toISOString();
-  db.update(runs).set({ status: RunStatuses.running, startedAt }).where(eq28(runs.id, runId)).run();
+  db.update(runs).set({ status: RunStatuses.running, startedAt }).where(eq29(runs.id, runId)).run();
   try {
-    const project = db.select().from(projects).where(eq28(projects.id, projectId)).get();
+    const project = db.select().from(projects).where(eq29(projects.id, projectId)).get();
     if (!project) {
       throw new Error(`Project not found: ${projectId}`);
     }
-    const sync = opts.release ? db.select().from(ccReleaseSyncs).where(eq28(ccReleaseSyncs.release, opts.release)).get() : db.select().from(ccReleaseSyncs).where(eq28(ccReleaseSyncs.status, CcReleaseSyncStatuses.ready)).orderBy(desc13(ccReleaseSyncs.createdAt)).limit(1).get();
+    const sync = opts.release ? db.select().from(ccReleaseSyncs).where(eq29(ccReleaseSyncs.release, opts.release)).get() : db.select().from(ccReleaseSyncs).where(eq29(ccReleaseSyncs.status, CcReleaseSyncStatuses.ready)).orderBy(desc13(ccReleaseSyncs.createdAt)).limit(1).get();
     if (!sync) {
       throw new Error("No ready release sync available \u2014 run `canonry backlinks sync` first");
     }
@@ -20084,11 +21481,11 @@ async function executeBacklinkExtract(db, runId, projectId, opts = {}) {
     const targetDomain = project.canonicalDomain;
     db.transaction((tx) => {
       tx.delete(backlinkDomains).where(
-        and16(eq28(backlinkDomains.projectId, projectId), eq28(backlinkDomains.release, release))
+        and16(eq29(backlinkDomains.projectId, projectId), eq29(backlinkDomains.release, release))
       ).run();
       if (rows.length > 0) {
         const values = rows.map((r) => ({
-          id: crypto24.randomUUID(),
+          id: crypto26.randomUUID(),
           projectId,
           releaseSyncId: syncId,
           release,
@@ -20101,7 +21498,7 @@ async function executeBacklinkExtract(db, runId, projectId, opts = {}) {
       }
       const summary = computeSummary2(rows);
       tx.insert(backlinkSummaries).values({
-        id: crypto24.randomUUID(),
+        id: crypto26.randomUUID(),
         projectId,
         releaseSyncId: syncId,
         release,
@@ -20124,7 +21521,7 @@ async function executeBacklinkExtract(db, runId, projectId, opts = {}) {
       }).run();
     });
     const finishedAt = deps.now().toISOString();
-    db.update(runs).set({ status: RunStatuses.completed, finishedAt }).where(eq28(runs.id, runId)).run();
+    db.update(runs).set({ status: RunStatuses.completed, finishedAt }).where(eq29(runs.id, runId)).run();
     log7.info("extract.completed", { runId, projectId, release, rows: rows.length });
   } catch (err) {
     const errorMsg = err instanceof Error ? err.message : String(err);
@@ -20133,7 +21530,7 @@ async function executeBacklinkExtract(db, runId, projectId, opts = {}) {
       status: RunStatuses.failed,
       error: errorMsg,
       finishedAt
-    }).where(eq28(runs.id, runId)).run();
+    }).where(eq29(runs.id, runId)).run();
     log7.error("extract.failed", { runId, projectId, error: errorMsg });
     throw err;
   }
@@ -20206,7 +21603,7 @@ var ProviderRegistry = class {
 
 // src/scheduler.ts
 import cron from "node-cron";
-import { eq as eq29 } from "drizzle-orm";
+import { eq as eq30 } from "drizzle-orm";
 var log8 = createLogger("Scheduler");
 var Scheduler = class {
   db;
@@ -20218,7 +21615,7 @@ var Scheduler = class {
   }
   /** Load all enabled schedules from DB and register cron jobs. */
   start() {
-    const allSchedules = this.db.select().from(schedules).where(eq29(schedules.enabled, 1)).all();
+    const allSchedules = this.db.select().from(schedules).where(eq30(schedules.enabled, 1)).all();
     for (const schedule of allSchedules) {
       const missedRunAt = schedule.nextRunAt;
       this.registerCronTask(schedule);
@@ -20243,7 +21640,7 @@ var Scheduler = class {
       this.stopTask(projectId, existing, "Stopped");
       this.tasks.delete(projectId);
     }
-    const schedule = this.db.select().from(schedules).where(eq29(schedules.projectId, projectId)).get();
+    const schedule = this.db.select().from(schedules).where(eq30(schedules.projectId, projectId)).get();
     if (schedule && schedule.enabled === 1) {
       this.registerCronTask(schedule);
     }
@@ -20276,14 +21673,14 @@ var Scheduler = class {
     this.db.update(schedules).set({
       nextRunAt: task.getNextRun()?.toISOString() ?? null,
       updatedAt: (/* @__PURE__ */ new Date()).toISOString()
-    }).where(eq29(schedules.id, scheduleId)).run();
+    }).where(eq30(schedules.id, scheduleId)).run();
     const label = schedule.preset ?? cronExpr;
     log8.info("cron.registered", { projectId, schedule: label, timezone });
   }
   triggerRun(scheduleId, projectId) {
     try {
       const now = (/* @__PURE__ */ new Date()).toISOString();
-      const currentSchedule = this.db.select().from(schedules).where(eq29(schedules.id, scheduleId)).get();
+      const currentSchedule = this.db.select().from(schedules).where(eq30(schedules.id, scheduleId)).get();
       if (!currentSchedule || currentSchedule.enabled !== 1) {
         log8.warn("schedule.stale", { scheduleId, projectId, msg: "schedule no longer exists or is disabled" });
         this.remove(projectId);
@@ -20291,7 +21688,7 @@ var Scheduler = class {
       }
       const task = this.tasks.get(projectId);
       const nextRunAt = task?.getNextRun()?.toISOString() ?? null;
-      const project = this.db.select().from(projects).where(eq29(projects.id, projectId)).get();
+      const project = this.db.select().from(projects).where(eq30(projects.id, projectId)).get();
       if (!project) {
         log8.error("project.not-found", { projectId, msg: "skipping scheduled run" });
         this.remove(projectId);
@@ -20320,7 +21717,7 @@ var Scheduler = class {
         this.db.update(schedules).set({
           nextRunAt,
           updatedAt: now
-        }).where(eq29(schedules.id, currentSchedule.id)).run();
+        }).where(eq30(schedules.id, currentSchedule.id)).run();
         return;
       }
       const runId = queueResult.runId;
@@ -20328,7 +21725,7 @@ var Scheduler = class {
         lastRunAt: now,
         nextRunAt,
         updatedAt: now
-      }).where(eq29(schedules.id, currentSchedule.id)).run();
+      }).where(eq30(schedules.id, currentSchedule.id)).run();
       const scheduleProviders = parseJsonColumn(currentSchedule.providers, []);
       const providers = scheduleProviders.length > 0 ? scheduleProviders : void 0;
       log8.info("run.triggered", { runId, projectName: project.name, providers: providers ?? "all" });
@@ -20340,8 +21737,8 @@ var Scheduler = class {
 };
 
 // src/notifier.ts
-import { eq as eq30, desc as desc14, and as and17, or as or4 } from "drizzle-orm";
-import crypto25 from "crypto";
+import { eq as eq31, desc as desc14, and as and17, or as or4 } from "drizzle-orm";
+import crypto27 from "crypto";
 var log9 = createLogger("Notifier");
 var Notifier = class {
   db;
@@ -20353,18 +21750,18 @@ var Notifier = class {
   /** Called after a run completes (success, partial, or failed). */
   async onRunCompleted(runId, projectId) {
     log9.info("run.completed", { runId, projectId });
-    const notifs = this.db.select().from(notifications).where(eq30(notifications.projectId, projectId)).all().filter((n) => n.enabled === 1);
+    const notifs = this.db.select().from(notifications).where(eq31(notifications.projectId, projectId)).all().filter((n) => n.enabled === 1);
     if (notifs.length === 0) {
       log9.info("notifications.none-enabled", { projectId });
       return;
     }
     log9.info("notifications.found", { projectId, count: notifs.length });
-    const run = this.db.select().from(runs).where(eq30(runs.id, runId)).get();
+    const run = this.db.select().from(runs).where(eq31(runs.id, runId)).get();
     if (!run) {
       log9.error("run.not-found", { runId, msg: "skipping notification dispatch" });
       return;
     }
-    const project = this.db.select().from(projects).where(eq30(projects.id, projectId)).get();
+    const project = this.db.select().from(projects).where(eq31(projects.id, projectId)).get();
     if (!project) {
       log9.error("project.not-found", { projectId, msg: "skipping notification dispatch" });
       return;
@@ -20411,11 +21808,11 @@ var Notifier = class {
     if (criticalInsights.length > 0) insightEvents.push("insight.critical");
     if (highInsights.length > 0) insightEvents.push("insight.high");
     if (insightEvents.length === 0) return;
-    const notifs = this.db.select().from(notifications).where(eq30(notifications.projectId, projectId)).all().filter((n) => n.enabled === 1);
+    const notifs = this.db.select().from(notifications).where(eq31(notifications.projectId, projectId)).all().filter((n) => n.enabled === 1);
     if (notifs.length === 0) return;
-    const run = this.db.select().from(runs).where(eq30(runs.id, runId)).get();
+    const run = this.db.select().from(runs).where(eq31(runs.id, runId)).get();
     if (!run) return;
-    const project = this.db.select().from(projects).where(eq30(projects.id, projectId)).get();
+    const project = this.db.select().from(projects).where(eq31(projects.id, projectId)).get();
     if (!project) return;
     for (const notif of notifs) {
       const config = parseJsonColumn(notif.config, { url: "", events: [] });
@@ -20447,8 +21844,8 @@ var Notifier = class {
   computeTransitions(runId, projectId) {
     const recentRuns = this.db.select().from(runs).where(
       and17(
-        eq30(runs.projectId, projectId),
-        or4(eq30(runs.status, "completed"), eq30(runs.status, "partial"))
+        eq31(runs.projectId, projectId),
+        or4(eq31(runs.status, "completed"), eq31(runs.status, "partial"))
       )
     ).orderBy(desc14(runs.createdAt)).limit(2).all();
     if (recentRuns.length < 2) return [];
@@ -20460,12 +21857,12 @@ var Notifier = class {
       query: queries.query,
       provider: querySnapshots.provider,
       citationState: querySnapshots.citationState
-    }).from(querySnapshots).leftJoin(queries, eq30(querySnapshots.queryId, queries.id)).where(eq30(querySnapshots.runId, currentRunId)).all();
+    }).from(querySnapshots).leftJoin(queries, eq31(querySnapshots.queryId, queries.id)).where(eq31(querySnapshots.runId, currentRunId)).all();
     const previousSnapshots = this.db.select({
       queryId: querySnapshots.queryId,
       provider: querySnapshots.provider,
       citationState: querySnapshots.citationState
-    }).from(querySnapshots).where(eq30(querySnapshots.runId, previousRunId)).all();
+    }).from(querySnapshots).where(eq31(querySnapshots.runId, previousRunId)).all();
     const prevMap = /* @__PURE__ */ new Map();
     for (const s of previousSnapshots) {
       prevMap.set(`${s.queryId}:${s.provider}`, s.citationState);
@@ -20523,7 +21920,7 @@ var Notifier = class {
   }
   logDelivery(projectId, notificationId, event, status, error) {
     this.db.insert(auditLog).values({
-      id: crypto25.randomUUID(),
+      id: crypto27.randomUUID(),
       projectId,
       actor: "scheduler",
       action: `notification.${status}`,
@@ -20581,8 +21978,8 @@ var RunCoordinator = class {
 };
 
 // src/agent/session-registry.ts
-import crypto27 from "crypto";
-import { eq as eq32 } from "drizzle-orm";
+import crypto29 from "crypto";
+import { eq as eq33 } from "drizzle-orm";
 
 // src/agent/session.ts
 import fs11 from "fs";
@@ -20931,11 +22328,11 @@ function resolveSessionProviderAndModel(config, opts) {
 }
 
 // src/agent/memory-store.ts
-import crypto26 from "crypto";
-import { and as and18, desc as desc15, eq as eq31, like as like2, sql as sql10 } from "drizzle-orm";
+import crypto28 from "crypto";
+import { and as and18, desc as desc15, eq as eq32, like as like2, sql as sql11 } from "drizzle-orm";
 var COMPACTION_KEY_PREFIX = "compaction:";
 var COMPACTION_NOTES_PER_SESSION = 3;
-function rowToDto(row) {
+function rowToDto2(row) {
   return {
     id: row.id,
     key: row.key,
@@ -20946,9 +22343,9 @@ function rowToDto(row) {
   };
 }
 function listMemoryEntries(db, projectId, opts = {}) {
-  const query = db.select().from(agentMemory).where(eq31(agentMemory.projectId, projectId)).orderBy(desc15(agentMemory.updatedAt));
+  const query = db.select().from(agentMemory).where(eq32(agentMemory.projectId, projectId)).orderBy(desc15(agentMemory.updatedAt));
   const rows = opts.limit === void 0 ? query.all() : query.limit(opts.limit).all();
-  return rows.map(rowToDto);
+  return rows.map(rowToDto2);
 }
 function upsertMemoryEntry(db, args) {
   if (Buffer.byteLength(args.value, "utf8") > AGENT_MEMORY_VALUE_MAX_BYTES) {
@@ -20960,7 +22357,7 @@ function upsertMemoryEntry(db, args) {
     throw new Error(`memory key prefix "${COMPACTION_KEY_PREFIX}" is reserved for compaction notes`);
   }
   const now = (/* @__PURE__ */ new Date()).toISOString();
-  const id = crypto26.randomUUID();
+  const id = crypto28.randomUUID();
   db.insert(agentMemory).values({
     id,
     projectId: args.projectId,
@@ -20977,12 +22374,12 @@ function upsertMemoryEntry(db, args) {
       updatedAt: now
     }
   }).run();
-  const row = db.select().from(agentMemory).where(and18(eq31(agentMemory.projectId, args.projectId), eq31(agentMemory.key, args.key))).get();
+  const row = db.select().from(agentMemory).where(and18(eq32(agentMemory.projectId, args.projectId), eq32(agentMemory.key, args.key))).get();
   if (!row) throw new Error("memory upsert produced no row");
-  return rowToDto(row);
+  return rowToDto2(row);
 }
 function deleteMemoryEntry(db, projectId, key) {
-  const result = db.delete(agentMemory).where(and18(eq31(agentMemory.projectId, projectId), eq31(agentMemory.key, key))).run();
+  const result = db.delete(agentMemory).where(and18(eq32(agentMemory.projectId, projectId), eq32(agentMemory.key, key))).run();
   const changes = result.changes ?? 0;
   return changes > 0;
 }
@@ -20997,7 +22394,7 @@ function writeCompactionNote(db, args) {
   }
   const now = (/* @__PURE__ */ new Date()).toISOString();
   const key = `${COMPACTION_KEY_PREFIX}${args.sessionId}:${now}`;
-  const id = crypto26.randomUUID();
+  const id = crypto28.randomUUID();
   let inserted;
   db.transaction((tx) => {
     tx.insert(agentMemory).values({
@@ -21012,16 +22409,16 @@ function writeCompactionNote(db, args) {
     const sessionPrefix = `${COMPACTION_KEY_PREFIX}${args.sessionId}:`;
     const existing = tx.select({ id: agentMemory.id, updatedAt: agentMemory.updatedAt }).from(agentMemory).where(
       and18(
-        eq31(agentMemory.projectId, args.projectId),
+        eq32(agentMemory.projectId, args.projectId),
         like2(agentMemory.key, `${sessionPrefix}%`)
       )
     ).orderBy(desc15(agentMemory.updatedAt)).all();
     const stale = existing.slice(COMPACTION_NOTES_PER_SESSION).map((r) => r.id);
     if (stale.length > 0) {
-      tx.delete(agentMemory).where(sql10`${agentMemory.id} IN (${sql10.join(stale.map((s) => sql10`${s}`), sql10`, `)})`).run();
+      tx.delete(agentMemory).where(sql11`${agentMemory.id} IN (${sql11.join(stale.map((s) => sql11`${s}`), sql11`, `)})`).run();
     }
-    const row = tx.select().from(agentMemory).where(and18(eq31(agentMemory.projectId, args.projectId), eq31(agentMemory.key, key))).get();
-    if (row) inserted = rowToDto(row);
+    const row = tx.select().from(agentMemory).where(and18(eq32(agentMemory.projectId, args.projectId), eq32(agentMemory.key, key))).get();
+    if (row) inserted = rowToDto2(row);
   });
   if (!inserted) throw new Error("compaction note write produced no row");
   return inserted;
@@ -21202,7 +22599,7 @@ var SessionRegistry = class {
           modelProvider: effectiveProvider,
           modelId: effectiveModelId,
           updatedAt: (/* @__PURE__ */ new Date()).toISOString()
-        }).where(eq32(agentSessions.projectId, projectId)).run();
+        }).where(eq33(agentSessions.projectId, projectId)).run();
       }
       const agent2 = createAeroSession({
         projectName,
@@ -21416,7 +22813,7 @@ ${lines.join("\n")}
       modelProvider: nextProvider,
       modelId: nextModelId,
       updatedAt: (/* @__PURE__ */ new Date()).toISOString()
-    }).where(eq32(agentSessions.projectId, projectId)).run();
+    }).where(eq33(agentSessions.projectId, projectId)).run();
   }
   /** Persist a session's transcript back to the DB. Call after any run settles. */
   save(projectName) {
@@ -21578,17 +22975,17 @@ ${lines.join("\n")}
     return id;
   }
   tryResolveProjectId(projectName) {
-    const row = this.opts.db.select({ id: projects.id }).from(projects).where(eq32(projects.name, projectName)).get();
+    const row = this.opts.db.select({ id: projects.id }).from(projects).where(eq33(projects.name, projectName)).get();
     return row?.id;
   }
   loadRow(projectId) {
-    const row = this.opts.db.select().from(agentSessions).where(eq32(agentSessions.projectId, projectId)).get();
+    const row = this.opts.db.select().from(agentSessions).where(eq33(agentSessions.projectId, projectId)).get();
     return row ?? null;
   }
   insertRow(params) {
     const now = (/* @__PURE__ */ new Date()).toISOString();
     this.opts.db.insert(agentSessions).values({
-      id: crypto27.randomUUID(),
+      id: crypto29.randomUUID(),
       projectId: params.projectId,
       systemPrompt: params.systemPrompt,
       modelProvider: params.provider ?? params.modelProvider ?? AgentProviderIds.claude,
@@ -21601,14 +22998,14 @@ ${lines.join("\n")}
   }
   updateRow(projectId, patch) {
     const now = (/* @__PURE__ */ new Date()).toISOString();
-    this.opts.db.update(agentSessions).set({ ...patch, updatedAt: now }).where(eq32(agentSessions.projectId, projectId)).run();
+    this.opts.db.update(agentSessions).set({ ...patch, updatedAt: now }).where(eq33(agentSessions.projectId, projectId)).run();
   }
 };
 
 // src/agent/agent-routes.ts
-import { eq as eq33 } from "drizzle-orm";
+import { eq as eq34 } from "drizzle-orm";
 function resolveProject2(db, name) {
-  const row = db.select({ id: projects.id, name: projects.name }).from(projects).where(eq33(projects.name, name)).get();
+  const row = db.select({ id: projects.id, name: projects.name }).from(projects).where(eq34(projects.name, name)).get();
   if (!row) throw notFound("project", name);
   return row;
 }
@@ -21617,7 +23014,7 @@ function registerAgentRoutes(app, opts) {
     "/projects/:name/agent/transcript",
     async (request) => {
       const project = resolveProject2(opts.db, request.params.name);
-      const row = opts.db.select().from(agentSessions).where(eq33(agentSessions.projectId, project.id)).get();
+      const row = opts.db.select().from(agentSessions).where(eq34(agentSessions.projectId, project.id)).get();
       if (!row) {
         return { messages: [], modelProvider: null, modelId: null, updatedAt: null };
       }
@@ -21641,7 +23038,7 @@ function registerAgentRoutes(app, opts) {
     async (request) => {
       const project = resolveProject2(opts.db, request.params.name);
       opts.sessionRegistry.reset(project.name);
-      opts.db.update(agentSessions).set({ messages: "[]", followUpQueue: "[]", updatedAt: (/* @__PURE__ */ new Date()).toISOString() }).where(eq33(agentSessions.projectId, project.id)).run();
+      opts.db.update(agentSessions).set({ messages: "[]", followUpQueue: "[]", updatedAt: (/* @__PURE__ */ new Date()).toISOString() }).where(eq34(agentSessions.projectId, project.id)).run();
       return { status: "reset" };
     }
   );
@@ -22505,7 +23902,7 @@ function summarizeProviderConfig(provider, config) {
   };
 }
 function hashApiKey(key) {
-  return crypto28.createHash("sha256").update(key).digest("hex");
+  return crypto30.createHash("sha256").update(key).digest("hex");
 }
 function parseCookies2(header) {
   if (!header) return {};
@@ -22663,7 +24060,7 @@ async function createServer(opts) {
     intelligenceService,
     (runId, projectId, result) => notifier.dispatchInsightWebhooks(runId, projectId, result),
     async ({ runId, projectId, insightCount, criticalOrHigh }) => {
-      const project = opts.db.select({ name: projects.name }).from(projects).where(eq34(projects.id, projectId)).get();
+      const project = opts.db.select({ name: projects.name }).from(projects).where(eq35(projects.id, projectId)).get();
       if (!project) return;
       sessionRegistry.queueFollowUp(project.name, {
         role: "user",
@@ -22757,7 +24154,22 @@ async function createServer(opts) {
       return removed;
     }
   };
-  const googleStateSecret = process.env.GOOGLE_STATE_SECRET ?? crypto28.randomBytes(32).toString("hex");
+  const cloudRunCredentialStore = {
+    getConnection: (projectName) => {
+      return getCloudRunConnection(opts.config, projectName);
+    },
+    upsertConnection: (record) => {
+      const updated = upsertCloudRunConnection(opts.config, record);
+      saveConfigPatch(opts.config);
+      return updated;
+    },
+    deleteConnection: (projectName) => {
+      const removed = removeCloudRunConnection(opts.config, projectName);
+      if (removed) saveConfigPatch(opts.config);
+      return removed;
+    }
+  };
+  const googleStateSecret = process.env.GOOGLE_STATE_SECRET ?? crypto30.randomBytes(32).toString("hex");
   const googleConnectionStore = {
     listConnections: (domain) => listGoogleConnections(opts.config, domain),
     getConnection: (domain, connectionType) => getGoogleConnection(opts.config, domain, connectionType),
@@ -22803,11 +24215,11 @@ async function createServer(opts) {
   const apiPrefix = basePath ? `${basePath}api/v1` : "/api/v1";
   if (opts.config.apiKey) {
     const keyHash = hashApiKey(opts.config.apiKey);
-    const existing = opts.db.select().from(apiKeys).where(eq34(apiKeys.keyHash, keyHash)).get();
+    const existing = opts.db.select().from(apiKeys).where(eq35(apiKeys.keyHash, keyHash)).get();
     if (!existing) {
       const prefix = opts.config.apiKey.slice(0, 12);
       opts.db.insert(apiKeys).values({
-        id: `key_${crypto28.randomBytes(8).toString("hex")}`,
+        id: `key_${crypto30.randomBytes(8).toString("hex")}`,
         name: "default",
         keyHash,
         keyPrefix: prefix,
@@ -22831,7 +24243,7 @@ async function createServer(opts) {
   };
   const createSession = (apiKeyId) => {
     pruneExpiredSessions();
-    const sessionId = crypto28.randomBytes(32).toString("hex");
+    const sessionId = crypto30.randomBytes(32).toString("hex");
     sessions.set(sessionId, {
       apiKeyId,
       expiresAt: Date.now() + SESSION_TTL_MS
@@ -22855,7 +24267,7 @@ async function createServer(opts) {
   };
   const getDefaultApiKey = () => {
     if (!opts.config.apiKey) return void 0;
-    return opts.db.select().from(apiKeys).where(eq34(apiKeys.keyHash, hashApiKey(opts.config.apiKey))).get();
+    return opts.db.select().from(apiKeys).where(eq35(apiKeys.keyHash, hashApiKey(opts.config.apiKey))).get();
   };
   const createPasswordSession = (reply) => {
     const key = getDefaultApiKey();
@@ -22912,12 +24324,12 @@ async function createServer(opts) {
       return reply.send({ authenticated: true });
     }
     if (apiKey) {
-      const key = opts.db.select().from(apiKeys).where(eq34(apiKeys.keyHash, hashApiKey(apiKey))).get();
+      const key = opts.db.select().from(apiKeys).where(eq35(apiKeys.keyHash, hashApiKey(apiKey))).get();
       if (!key || key.revokedAt) {
         const err2 = authInvalid();
         return reply.status(err2.statusCode).send(err2.toJSON());
       }
-      opts.db.update(apiKeys).set({ lastUsedAt: (/* @__PURE__ */ new Date()).toISOString() }).where(eq34(apiKeys.id, key.id)).run();
+      opts.db.update(apiKeys).set({ lastUsedAt: (/* @__PURE__ */ new Date()).toISOString() }).where(eq35(apiKeys.id, key.id)).run();
       const sessionId = createSession(key.id);
       reply.header("set-cookie", serializeSessionCookie({
         name: SESSION_COOKIE_NAME,
@@ -23027,7 +24439,7 @@ async function createServer(opts) {
         deps: {
           enqueueAutoExtract: ({ projectId, release: r }) => {
             const now = (/* @__PURE__ */ new Date()).toISOString();
-            const runId = crypto28.randomUUID();
+            const runId = crypto30.randomUUID();
             opts.db.insert(runs).values({
               id: runId,
               projectId,
@@ -23100,6 +24512,7 @@ async function createServer(opts) {
     },
     wordpressConnectionStore,
     ga4CredentialStore,
+    cloudRunCredentialStore,
     onRunCreated: (runId, projectId, providers2, location) => {
       jobRunner.executeRun(runId, projectId, providers2, location).catch((err) => {
         app.log.error({ runId, err }, "Job runner failed");
@@ -23162,7 +24575,7 @@ async function createServer(opts) {
         const targetProjectIds = affectedProjectIds.length > 0 ? affectedProjectIds : [null];
         const createdAt = (/* @__PURE__ */ new Date()).toISOString();
         opts.db.insert(auditLog).values(targetProjectIds.map((projectId) => ({
-          id: crypto28.randomUUID(),
+          id: crypto30.randomUUID(),
           projectId,
           actor: "api",
           action: existing ? "provider.updated" : "provider.created",