@ainyc/canonry 4.21.4 → 4.23.1

package/dist/{chunk-3UGJUNQX.js → chunk-E5PZ23OS.js}

@@ -5,7 +5,7 @@ import {
   loadConfig,
   loadConfigRaw,
   saveConfigPatch
-} from "./chunk-VFKGHXVJ.js";
+} from "./chunk-6EJ54OX7.js";
 import {
   DEFAULT_RUN_HISTORY_LIMIT,
   IntelligenceService,
@@ -66,7 +66,7 @@ import {
   schedules,
   trafficSources,
   usageCounters
-} from "./chunk-GVQYROIK.js";
+} from "./chunk-OYYFXKRK.js";
 import {
   AGENT_MEMORY_VALUE_MAX_BYTES,
   AGENT_PROVIDER_IDS,
@@ -154,12 +154,13 @@ import {
   serializeRunError,
   snapshotRequestSchema,
   summarizeCheckResults,
+  trafficConnectWordpressRequestSchema,
   unsupportedKind,
   validationError,
   visibilityStateFromAnswerMentioned,
   windowCutoff,
   wordpressEnvSchema
-} from "./chunk-EY63PENL.js";
+} from "./chunk-EUGCQSFC.js";
 
 // src/telemetry.ts
 import crypto from "crypto";
@@ -4303,33 +4304,44 @@ function renderServerActivity(report, audience) {
     return `<span class="tone-${deltaTone(d.deltaPct)}">${escapeHtml(copy)}</span>`;
   };
   if (isClient) {
-    const clientOperators = sa.byOperator.filter((o) => o.verifiedHits > 0 || o.referralArrivals > 0).slice(0, 5);
+    const crawlerRequests = {
+      current: sa.verifiedCrawlerHits.current + sa.unverifiedCrawlerHits.current,
+      prior: sa.verifiedCrawlerHits.prior + sa.unverifiedCrawlerHits.prior,
+      deltaPct: deltaPercent(
+        sa.verifiedCrawlerHits.current + sa.unverifiedCrawlerHits.current,
+        sa.verifiedCrawlerHits.prior + sa.unverifiedCrawlerHits.prior
+      )
+    };
+    const crawlerTrustSummary = `${formatNumber(sa.verifiedCrawlerHits.current)} verified \xB7 ${formatNumber(sa.unverifiedCrawlerHits.current)} unverified`;
+    const crawlerDelta = formatDelta(crawlerRequests, "requests");
+    const crawlerSubtitle = crawlerDelta ? `${escapeHtml(crawlerTrustSummary)} \xB7 ${crawlerDelta}` : escapeHtml(crawlerTrustSummary);
+    const clientOperators = sa.byOperator.filter((o) => o.verifiedHits > 0 || o.unverifiedHits > 0 || o.referralArrivals > 0).slice(0, 5);
     const clientOperatorRows = clientOperators.map((o) => `
     <tr>
       <td>${escapeHtml(o.operator)}</td>
-      <td class="numeric">${formatNumber(o.verifiedHits)}</td>
+      <td class="numeric">${formatNumber(o.verifiedHits + o.unverifiedHits)}</td>
       <td class="numeric">${formatNumber(o.referralArrivals)}</td>
     </tr>`).join("");
     return section(
       serverActivityHeading("client", true),
       `<div class="metric-grid">
         <div class="metric">
-          <div class="label">AI bots visited your site</div>
-          <div class="value">${formatNumber(sa.verifiedCrawlerHits.current)}</div>
-          <div class="subtitle">${formatDelta(sa.verifiedCrawlerHits, "crawls")}</div>
+          <div class="label">AI bot requests observed</div>
+          <div class="value">${formatNumber(crawlerRequests.current)}</div>
+          <div class="subtitle">${crawlerSubtitle}</div>
         </div>
         <div class="metric">
-          <div class="label">People clicked through from AI</div>
+          <div class="label">AI referral sessions</div>
           <div class="value">${formatNumber(sa.referralArrivals.current)}</div>
-          <div class="subtitle">${formatDelta(sa.referralArrivals, "arrivals")}</div>
+          <div class="subtitle">${formatDelta(sa.referralArrivals, "sessions")}</div>
         </div>
       </div>
       ${clientOperatorRows ? `<div class="chart-card"><h3>By AI tool</h3>
         <table class="report-table">
-          <thead><tr><th>AI tool</th><th class="numeric">Bot visits (7d)</th><th class="numeric">Click-throughs</th></tr></thead>
+          <thead><tr><th>AI tool</th><th class="numeric">Bot requests (7d)</th><th class="numeric">Referral sessions</th></tr></thead>
           <tbody>${clientOperatorRows}</tbody>
         </table>
-        <p class="meta">Verified visits only. We confirm each bot via reverse-DNS so the numbers above can't be inflated by anyone faking a user agent.</p>
+        <p class="meta">Verified requests are reverse-DNS confirmed. Unverified requests are user-agent claims shown separately in agency diagnostics.</p>
       </div>` : ""}`
     );
   }
@@ -4377,16 +4389,21 @@ function renderServerActivity(report, audience) {
         <div class="subtitle">${formatDelta(sa.verifiedCrawlerHits, "hits")}</div>
       </div>
       <div class="metric">
-        <div class="label">AI-referral arrivals (7d)</div>
+        <div class="label">Unverified crawler hits (7d)</div>
+        <div class="value">${formatNumber(sa.unverifiedCrawlerHits.current)}</div>
+        <div class="subtitle">${formatDelta(sa.unverifiedCrawlerHits, "hits")}</div>
+      </div>
+      <div class="metric">
+        <div class="label">AI-referral sessions (7d)</div>
         <div class="value">${formatNumber(sa.referralArrivals.current)}</div>
-        <div class="subtitle">${formatDelta(sa.referralArrivals, "arrivals")}</div>
+        <div class="subtitle">${formatDelta(sa.referralArrivals, "sessions")}</div>
       </div>
     </div>
     ${trendChart}
     ${operatorRows ? `<div class="chart-card"><h3>Per AI operator</h3>
       <p class="meta">Verified means rDNS-confirmed. Unverified bots claim the user-agent but couldn't be verified \u2014 could be the real bot or an imitator.</p>
       <table class="report-table">
-        <thead><tr><th>Operator</th><th class="numeric">Verified hits</th><th class="numeric">Unverified</th><th class="numeric">Referral arrivals</th><th class="numeric">7d delta</th></tr></thead>
+        <thead><tr><th>Operator</th><th class="numeric">Verified hits</th><th class="numeric">Unverified</th><th class="numeric">Referral sessions</th><th class="numeric">7d delta</th></tr></thead>
         <tbody>${operatorRows}</tbody>
       </table>
     </div>` : ""}
@@ -4397,16 +4414,16 @@ function renderServerActivity(report, audience) {
         <tbody>${pathRows}</tbody>
       </table>
     </div>` : ""}
-    ${referralProductRows ? `<div class="chart-card"><h3>Click-throughs by AI product</h3>
+    ${referralProductRows ? `<div class="chart-card"><h3>AI-referral sessions by product</h3>
       <p class="meta">Where humans landed coming from each AI product (chatgpt.com, claude.ai, \u2026).</p>
       <table class="report-table">
-        <thead><tr><th>Product</th><th class="numeric">Arrivals</th><th class="numeric">Distinct landing paths</th></tr></thead>
+        <thead><tr><th>Product</th><th class="numeric">Sessions</th><th class="numeric">Distinct landing paths</th></tr></thead>
         <tbody>${referralProductRows}</tbody>
       </table>
     </div>` : ""}
     ${referralLandingRows ? `<div class="chart-card"><h3>Top AI-referral landing paths</h3>
       <table class="report-table">
-        <thead><tr><th>Path</th><th class="numeric">Arrivals</th><th class="numeric">Distinct products</th></tr></thead>
+        <thead><tr><th>Path</th><th class="numeric">Sessions</th><th class="numeric">Distinct products</th></tr></thead>
         <tbody>${referralLandingRows}</tbody>
       </table>
     </div>` : ""}`
@@ -5074,28 +5091,39 @@ function buildCandidateQueries(opts) {
   });
 }
 function aggregateGscByQuery(rows) {
-  const byQuery = /* @__PURE__ */ new Map();
+  const accumulators = /* @__PURE__ */ new Map();
   for (const r of rows) {
-    const existing = byQuery.get(r.query);
-    const candidate = {
-      // GSC stores `page` as a full URL for url-prefix properties; normalize to
-      // a path so it can be joined against `gaTrafficByPage` (which is keyed by
-      // path) and so `ourBestPage.url` / `targetRef` stay consistent regardless
-      // of whether the page is sourced from GSC or from inventory.
-      page: extractPath(r.page),
-      position: Number(r.position) || 0,
-      impressions: r.impressions,
-      clicks: r.clicks,
-      ctr: Number(r.ctr) || 0
-    };
+    const page = extractPath(r.page);
+    const position = Number(r.position) || 0;
+    const existing = accumulators.get(r.query);
     if (!existing) {
-      byQuery.set(r.query, candidate);
+      accumulators.set(r.query, {
+        bestPage: page,
+        bestPageImpressions: r.impressions,
+        totalClicks: r.clicks,
+        totalImpressions: r.impressions,
+        weightedPositionSum: position * r.impressions
+      });
       continue;
     }
-    if (candidate.impressions > existing.impressions) {
-      byQuery.set(r.query, candidate);
+    existing.totalClicks += r.clicks;
+    existing.totalImpressions += r.impressions;
+    existing.weightedPositionSum += position * r.impressions;
+    if (r.impressions > existing.bestPageImpressions) {
+      existing.bestPage = page;
+      existing.bestPageImpressions = r.impressions;
     }
   }
+  const byQuery = /* @__PURE__ */ new Map();
+  for (const [query, acc] of accumulators) {
+    byQuery.set(query, {
+      page: acc.bestPage,
+      position: acc.totalImpressions > 0 ? acc.weightedPositionSum / acc.totalImpressions : 0,
+      impressions: acc.totalImpressions,
+      clicks: acc.totalClicks,
+      ctr: acc.totalImpressions > 0 ? acc.totalClicks / acc.totalImpressions : 0
+    });
+  }
   return byQuery;
 }
 function aggregateCandidate(opts) {
@@ -5502,6 +5530,29 @@ function buildAiReferrals(db, projectId) {
   const topLandingPages = [...pageAgg.entries()].map(([page, data]) => ({ page, sessions: data.sessions, users: data.users })).sort((a, b) => b.sessions - a.sessions).slice(0, TOP_AI_REFERRAL_PAGES_LIMIT);
   return { totalSessions: total, totalUsers, bySource, trend, topLandingPages };
 }
+function nonSubresourceReferralPathCondition() {
+  return sql3`
+    LOWER(${aiReferralEventsHourly.landingPathNormalized}) NOT LIKE '/_next/static/%'
+    AND LOWER(${aiReferralEventsHourly.landingPathNormalized}) NOT LIKE '/assets/%'
+    AND LOWER(${aiReferralEventsHourly.landingPathNormalized}) NOT LIKE '/static/%'
+    AND LOWER(${aiReferralEventsHourly.landingPathNormalized}) NOT LIKE '/favicon.%'
+    AND LOWER(${aiReferralEventsHourly.landingPathNormalized}) NOT LIKE '%.avif'
+    AND LOWER(${aiReferralEventsHourly.landingPathNormalized}) NOT LIKE '%.css'
+    AND LOWER(${aiReferralEventsHourly.landingPathNormalized}) NOT LIKE '%.gif'
+    AND LOWER(${aiReferralEventsHourly.landingPathNormalized}) NOT LIKE '%.ico'
+    AND LOWER(${aiReferralEventsHourly.landingPathNormalized}) NOT LIKE '%.jpeg'
+    AND LOWER(${aiReferralEventsHourly.landingPathNormalized}) NOT LIKE '%.jpg'
+    AND LOWER(${aiReferralEventsHourly.landingPathNormalized}) NOT LIKE '%.js'
+    AND LOWER(${aiReferralEventsHourly.landingPathNormalized}) NOT LIKE '%.map'
+    AND LOWER(${aiReferralEventsHourly.landingPathNormalized}) NOT LIKE '%.mjs'
+    AND LOWER(${aiReferralEventsHourly.landingPathNormalized}) NOT LIKE '%.otf'
+    AND LOWER(${aiReferralEventsHourly.landingPathNormalized}) NOT LIKE '%.png'
+    AND LOWER(${aiReferralEventsHourly.landingPathNormalized}) NOT LIKE '%.svg'
+    AND LOWER(${aiReferralEventsHourly.landingPathNormalized}) NOT LIKE '%.webmanifest'
+    AND LOWER(${aiReferralEventsHourly.landingPathNormalized}) NOT LIKE '%.woff'
+    AND LOWER(${aiReferralEventsHourly.landingPathNormalized}) NOT LIKE '%.woff2'
+  `;
+}
 function buildServerActivity(db, projectId) {
   const sourceRows = db.select({ id: trafficSources.id }).from(trafficSources).where(
     and5(
@@ -5528,10 +5579,21 @@ function buildServerActivity(db, projectId) {
       )
     ).get()?.total ?? 0
   );
+  const sumUnverifiedCrawlers = (windowStartIso, windowEndIso, exclusiveEnd = false) => Number(
+    db.select({ total: sql3`COALESCE(SUM(${crawlerEventsHourly.hits}), 0)` }).from(crawlerEventsHourly).where(
+      and5(
+        eq13(crawlerEventsHourly.projectId, projectId),
+        ne(crawlerEventsHourly.verificationStatus, VerificationStatuses.verified),
+        gte(crawlerEventsHourly.tsHour, windowStartIso),
+        exclusiveEnd ? lt(crawlerEventsHourly.tsHour, windowEndIso) : lte(crawlerEventsHourly.tsHour, windowEndIso)
+      )
+    ).get()?.total ?? 0
+  );
   const sumReferrals = (windowStartIso, windowEndIso, exclusiveEnd = false) => Number(
     db.select({ total: sql3`COALESCE(SUM(${aiReferralEventsHourly.sessionsOrHits}), 0)` }).from(aiReferralEventsHourly).where(
       and5(
         eq13(aiReferralEventsHourly.projectId, projectId),
+        nonSubresourceReferralPathCondition(),
         gte(aiReferralEventsHourly.tsHour, windowStartIso),
         exclusiveEnd ? lt(aiReferralEventsHourly.tsHour, windowEndIso) : lte(aiReferralEventsHourly.tsHour, windowEndIso)
       )
@@ -5539,6 +5601,8 @@ function buildServerActivity(db, projectId) {
   );
   const verifiedCurrent = sumVerifiedCrawlers(headlineStart, headlineEnd);
   const verifiedPrior = sumVerifiedCrawlers(priorStart, headlineStart, true);
+  const unverifiedCurrent = sumUnverifiedCrawlers(headlineStart, headlineEnd);
+  const unverifiedPrior = sumUnverifiedCrawlers(priorStart, headlineStart, true);
   const referralCurrent = sumReferrals(headlineStart, headlineEnd);
   const referralPrior = sumReferrals(priorStart, headlineStart, true);
   const crawlerByOperatorRows = db.select({
@@ -5569,6 +5633,7 @@ function buildServerActivity(db, projectId) {
   }).from(aiReferralEventsHourly).where(
     and5(
       eq13(aiReferralEventsHourly.projectId, projectId),
+      nonSubresourceReferralPathCondition(),
       gte(aiReferralEventsHourly.tsHour, headlineStart),
       lte(aiReferralEventsHourly.tsHour, headlineEnd)
     )
@@ -5600,7 +5665,7 @@ function buildServerActivity(db, projectId) {
     referralArrivals: v.referrals,
     deltaPct: deltaPercent(v.verified, v.prior)
   })).sort(
-    (a, b) => b.verifiedHits - a.verifiedHits || b.referralArrivals - a.referralArrivals
+    (a, b) => b.verifiedHits - a.verifiedHits || b.unverifiedHits - a.unverifiedHits || b.referralArrivals - a.referralArrivals
   );
   const topPathsRows = db.select({
     path: crawlerEventsHourly.pathNormalized,
@@ -5626,6 +5691,7 @@ function buildServerActivity(db, projectId) {
   }).from(aiReferralEventsHourly).where(
     and5(
       eq13(aiReferralEventsHourly.projectId, projectId),
+      nonSubresourceReferralPathCondition(),
       gte(aiReferralEventsHourly.tsHour, headlineStart),
       lte(aiReferralEventsHourly.tsHour, headlineEnd)
     )
@@ -5642,6 +5708,7 @@ function buildServerActivity(db, projectId) {
   }).from(aiReferralEventsHourly).where(
     and5(
       eq13(aiReferralEventsHourly.projectId, projectId),
+      nonSubresourceReferralPathCondition(),
       gte(aiReferralEventsHourly.tsHour, headlineStart),
       lte(aiReferralEventsHourly.tsHour, headlineEnd)
     )
@@ -5668,6 +5735,7 @@ function buildServerActivity(db, projectId) {
   }).from(aiReferralEventsHourly).where(
     and5(
       eq13(aiReferralEventsHourly.projectId, projectId),
+      nonSubresourceReferralPathCondition(),
       gte(aiReferralEventsHourly.tsHour, trendStart),
       lte(aiReferralEventsHourly.tsHour, headlineEnd)
     )
@@ -5687,12 +5755,17 @@ function buildServerActivity(db, projectId) {
   return {
     windowStart: headlineStart,
     windowEnd: headlineEnd,
-    hasData: verifiedCurrent + referralCurrent + verifiedPrior + referralPrior > 0 || byOperator.length > 0 || topCrawledPaths.length > 0 || referralProducts.length > 0,
+    hasData: verifiedCurrent + unverifiedCurrent + referralCurrent + verifiedPrior + unverifiedPrior + referralPrior > 0 || byOperator.length > 0 || topCrawledPaths.length > 0 || referralProducts.length > 0,
     verifiedCrawlerHits: {
       current: verifiedCurrent,
       prior: verifiedPrior,
       deltaPct: deltaPercent(verifiedCurrent, verifiedPrior)
     },
+    unverifiedCrawlerHits: {
+      current: unverifiedCurrent,
+      prior: unverifiedPrior,
+      deltaPct: deltaPercent(unverifiedCurrent, unverifiedPrior)
+    },
     referralArrivals: {
       current: referralCurrent,
       prior: referralPrior,
@@ -8656,6 +8729,7 @@ var routeCatalog = [
       { name: "query", in: "query", description: "Filter by search query.", schema: stringSchema },
       { name: "page", in: "query", description: "Filter by page URL.", schema: stringSchema },
       limitQueryParameter,
+      offsetQueryParameter,
       analyticsWindowParameter
     ],
     responses: {
@@ -10007,11 +10081,42 @@ var routeCatalog = [
       404: { description: "Project not found." }
     }
   },
+  {
+    method: "post",
+    path: "/api/v1/projects/{name}/traffic/connect/wordpress",
+    summary: "Connect a WordPress traffic-logger source",
+    description: "Probes the WordPress traffic-logger plugin endpoint with the supplied Application Password (single page, `limit=1`) before persisting. On success, stores the credential in `~/.canonry/config.yaml` and creates / updates the project's active WordPress `traffic_sources` row. A probe failure (HTTP 4xx/5xx, network error) surfaces as 502 with the upstream status in the message so the caller learns about a bad credential up front instead of at the first sync.",
+    tags: ["traffic"],
+    parameters: [nameParameter],
+    requestBody: {
+      required: true,
+      content: {
+        "application/json": {
+          schema: {
+            type: "object",
+            required: ["baseUrl", "username", "applicationPassword"],
+            properties: {
+              baseUrl: { ...stringSchema, description: "Absolute base URL of the WordPress site (e.g. `https://example.com`)." },
+              username: { ...stringSchema, description: "WordPress username paired with the Application Password." },
+              applicationPassword: { ...stringSchema, description: "WordPress Application Password (raw; the server base64-encodes it for Basic auth)." },
+              displayName: stringSchema
+            }
+          }
+        }
+      }
+    },
+    responses: {
+      200: { description: "Traffic source DTO returned." },
+      400: { description: "Invalid WordPress connection request." },
+      404: { description: "Project not found." },
+      502: { description: "WordPress plugin endpoint probe failed (bad credentials, unreachable host, etc.)." }
+    }
+  },
   {
     method: "post",
     path: "/api/v1/projects/{name}/traffic/sources/{id}/sync",
     summary: "Trigger a sync run for a traffic source",
-    description: "Pulls request logs from the configured Cloud Run service for the lookback window, classifies crawler / AI-referral hits, and upserts hourly buckets and a bounded sample tail.",
+    description: "Pulls request logs from the configured Cloud Run service for the lookback window, classifies crawler hits / AI-referral sessions, and upserts hourly buckets and a bounded sample tail.",
     tags: ["traffic"],
     parameters: [
       nameParameter,
@@ -10106,7 +10211,7 @@ var routeCatalog = [
   {
     method: "get",
     path: "/api/v1/projects/{name}/traffic/events",
-    summary: "List rolled-up crawler and AI-referral hits within a window",
+    summary: "List rolled-up crawler hits and AI-referral sessions within a window",
     description: "Returns hourly rollup rows from `crawler_events_hourly` and `ai_referral_events_hourly`. Defaults to the last 24h. Totals reflect the full window; the `events` array is capped by `limit` (default 500, max 5000).",
     tags: ["traffic"],
     parameters: [
@@ -11966,7 +12071,7 @@ async function googleRoutes(app, opts) {
   });
   app.get("/projects/:name/google/gsc/performance", async (request) => {
     const project = resolveProject(app.db, request.params.name);
-    const { startDate, endDate, query, page, limit } = request.query;
+    const { startDate, endDate, query, page, limit, offset } = request.query;
     const cutoffDate = !startDate ? windowCutoff(parseWindow(request.query.window))?.slice(0, 10) ?? null : null;
     const conditions = [eq18(gscSearchData.projectId, project.id)];
     if (startDate) conditions.push(sql5`${gscSearchData.date} >= ${startDate}`);
@@ -11974,7 +12079,9 @@ async function googleRoutes(app, opts) {
     if (endDate) conditions.push(sql5`${gscSearchData.date} <= ${endDate}`);
     if (query) conditions.push(sql5`${gscSearchData.query} LIKE ${"%" + query + "%"}`);
     if (page) conditions.push(sql5`${gscSearchData.page} LIKE ${"%" + page + "%"}`);
-    const rows = app.db.select().from(gscSearchData).where(and8(...conditions)).orderBy(desc8(gscSearchData.date)).limit(parseInt(limit ?? "500", 10)).all();
+    const limitVal = Math.max(parseInt(limit ?? "500", 10) || 0, 1);
+    const offsetVal = Math.max(parseInt(offset ?? "0", 10) || 0, 0);
+    const rows = app.db.select().from(gscSearchData).where(and8(...conditions)).orderBy(desc8(gscSearchData.date)).limit(limitVal).offset(offsetVal).all();
     return rows.map((r) => ({
       date: r.date,
       query: r.query,
@@ -16779,6 +16886,12 @@ function hostMatches(host, domain) {
   const normalizedDomain = normalizeHost(domain);
   return normalizedHost === normalizedDomain || normalizedHost.endsWith(`.${normalizedDomain}`);
 }
+function utmTokenMatchesDomain(utmSource, domain) {
+  if (hostMatches(utmSource, domain)) return true;
+  const normalizedUtm = normalizeHost(utmSource);
+  const firstLabel = normalizeHost(domain).split(".")[0];
+  return Boolean(firstLabel) && normalizedUtm === firstLabel;
+}
 function hostFromUrl(value) {
   if (!value) return null;
   try {
@@ -16833,7 +16946,7 @@ function classifyAiReferral(event) {
   }
   const utmSource = utmSourceFromQuery(event.queryString);
   if (utmSource) {
-    const rule = DEFAULT_AI_REFERRER_RULES.find((candidate) => hostMatches(utmSource, candidate.domain));
+    const rule = DEFAULT_AI_REFERRER_RULES.find((candidate) => utmTokenMatchesDomain(utmSource, candidate.domain));
     if (rule) {
       return {
         operator: rule.operator,
@@ -16845,7 +16958,7 @@ function classifyAiReferral(event) {
   }
   const refererUtmSource = utmSourceFromUrl(event.referer);
   if (refererUtmSource) {
-    const rule = DEFAULT_AI_REFERRER_RULES.find((candidate) => hostMatches(refererUtmSource, candidate.domain));
+    const rule = DEFAULT_AI_REFERRER_RULES.find((candidate) => utmTokenMatchesDomain(refererUtmSource, candidate.domain));
     if (rule) {
       return {
         operator: rule.operator,
@@ -16860,9 +16973,21 @@ function classifyAiReferral(event) {
 
 // ../integration-traffic/src/rollup.ts
 var DEFAULT_SAMPLE_LIMIT = 25;
+var DEFAULT_AI_REFERRAL_SESSION_WINDOW_MS = 6e4;
 var UUID_SEGMENT = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;
 var LONG_HEX_SEGMENT = /^[0-9a-f]{16,}$/i;
 var NUMERIC_SEGMENT = /^\d+$/;
+var ASSET_EXTENSION_PATTERN = /\.(?:avif|bmp|css|gif|ico|jpe?g|js|json|map|mjs|mp4|otf|png|svg|webm|webmanifest|woff2?|xml)$/i;
+var ASSET_PATH_PREFIXES = [
+  "/_next/static/",
+  "/assets/",
+  "/build/",
+  "/dist/",
+  "/fonts/",
+  "/images/",
+  "/img/",
+  "/static/"
+];
 function normalizeTrafficPathPattern(path15) {
   const cleanPath = path15.trim() || "/";
   const pathOnly = cleanPath.split("?")[0] || "/";
@@ -16882,6 +17007,69 @@ function hourBucket(value) {
   date.setUTCMinutes(0, 0, 0);
   return date.toISOString();
 }
+function sessionWindowBucket(value, windowMs) {
+  const date = new Date(value);
+  if (Number.isNaN(date.getTime())) return value;
+  return new Date(Math.floor(date.getTime() / windowMs) * windowMs).toISOString();
+}
+function normalizeHost2(host) {
+  if (!host) return null;
+  return host.trim().toLowerCase().replace(/^www\./, "") || null;
+}
+function sameHost(a, b) {
+  const normalizedA = normalizeHost2(a);
+  const normalizedB = normalizeHost2(b);
+  return !!normalizedA && !!normalizedB && normalizedA === normalizedB;
+}
+function pathFromSameOriginReferer(event) {
+  if (!event.referer) return null;
+  try {
+    const refererUrl = new URL(event.referer);
+    if (!sameHost(refererUrl.hostname, event.host)) return null;
+    return refererUrl.pathname || "/";
+  } catch {
+    return null;
+  }
+}
+function resolveAiReferralLandingPath(event, evidenceType) {
+  if (evidenceType === "referer-utm") {
+    const refererPath = pathFromSameOriginReferer(event);
+    if (refererPath) return normalizeTrafficPathPattern(refererPath);
+  }
+  return normalizeTrafficPathPattern(event.path);
+}
+function isLikelySubresourcePath(path15) {
+  const cleanPath = path15.split("?")[0] || "/";
+  return ASSET_PATH_PREFIXES.some((prefix) => cleanPath.startsWith(prefix)) || ASSET_EXTENSION_PATTERN.test(cleanPath);
+}
+function actorKey(event) {
+  const remoteIp = event.remoteIp?.trim();
+  const userAgent = event.userAgent?.trim();
+  if (remoteIp || userAgent) return `${remoteIp ?? "unknown-ip"}	${userAgent ?? "unknown-ua"}`;
+  return `event:${event.eventId}`;
+}
+function aiReferralSessionKey(event, aiReferral, landingPathNormalized, windowMs) {
+  return [
+    hourBucket(event.observedAt),
+    sessionWindowBucket(event.observedAt, windowMs),
+    actorKey(event),
+    aiReferral.sourceDomain,
+    landingPathNormalized
+  ].join("	");
+}
+function evidenceRank(evidenceType) {
+  switch (evidenceType) {
+    case "referer":
+      return 3;
+    case "utm":
+      return 2;
+    case "referer-utm":
+      return 1;
+  }
+}
+function strongerReferralEvidence(current, next) {
+  return evidenceRank(next.evidenceType) > evidenceRank(current.evidenceType) ? next : current;
+}
 function sortCrawlerBuckets(a, b) {
   return a.tsHour.localeCompare(b.tsHour) || a.botId.localeCompare(b.botId) || a.pathNormalized.localeCompare(b.pathNormalized) || String(a.status).localeCompare(String(b.status));
 }
@@ -16893,8 +17081,11 @@ function topEntries(map, limit) {
 }
 function buildTrafficProbeReport(events, options = {}) {
   const sampleLimit = options.sampleLimit ?? DEFAULT_SAMPLE_LIMIT;
+  const configuredSessionWindowMs = options.aiReferralSessionWindowMs ?? DEFAULT_AI_REFERRAL_SESSION_WINDOW_MS;
+  const aiReferralSessionWindowMs = configuredSessionWindowMs > 0 ? configuredSessionWindowMs : DEFAULT_AI_REFERRAL_SESSION_WINDOW_MS;
   const crawlerBuckets = /* @__PURE__ */ new Map();
   const aiReferralBuckets = /* @__PURE__ */ new Map();
+  const aiReferralSessions = /* @__PURE__ */ new Map();
   const topBots = /* @__PURE__ */ new Map();
   const topCrawlerPaths = /* @__PURE__ */ new Map();
   const topAiReferrers = /* @__PURE__ */ new Map();
@@ -16941,56 +17132,69 @@ function buildTrafficProbeReport(events, options = {}) {
     }
     if (aiReferral) {
       aiReferralHits += 1;
-      const key = [
-        tsHour,
-        aiReferral.product,
-        aiReferral.sourceDomain,
-        aiReferral.evidenceType,
-        pathNormalized,
-        event.status ?? "null"
-      ].join("	");
-      const existing = aiReferralBuckets.get(key);
-      if (existing) {
-        existing.hits += 1;
-      } else {
-        aiReferralBuckets.set(key, {
+      const landingPathNormalized = resolveAiReferralLandingPath(event, aiReferral.evidenceType);
+      if (!isLikelySubresourcePath(landingPathNormalized)) {
+        const session = {
           tsHour,
           operator: aiReferral.operator,
           product: aiReferral.product,
           sourceDomain: aiReferral.sourceDomain,
           evidenceType: aiReferral.evidenceType,
-          landingPathNormalized: pathNormalized,
-          status: event.status,
-          hits: 1
-        });
+          landingPathNormalized,
+          status: event.status
+        };
+        const key = aiReferralSessionKey(event, aiReferral, landingPathNormalized, aiReferralSessionWindowMs);
+        const existing = aiReferralSessions.get(key);
+        aiReferralSessions.set(key, existing ? strongerReferralEvidence(existing, session) : session);
       }
-      incrementBucket(topAiReferrers, aiReferral.sourceDomain, {
-        sourceDomain: aiReferral.sourceDomain,
-        product: aiReferral.product
-      });
-      incrementBucket(topAiReferralLandingPaths, pathNormalized, { landingPathNormalized: pathNormalized });
     }
     if (!crawler && !aiReferral) unknownHits += 1;
-    if (samples.length < sampleLimit) {
-      samples.push({
-        eventId: event.eventId,
-        observedAt: event.observedAt,
-        sourceType: event.sourceType,
-        path: event.path,
-        pathNormalized,
-        status: event.status,
-        userAgent: event.userAgent,
-        referer: event.referer,
-        crawler,
-        aiReferral
+    samples.push({
+      eventId: event.eventId,
+      observedAt: event.observedAt,
+      sourceType: event.sourceType,
+      path: event.path,
+      pathNormalized,
+      status: event.status,
+      userAgent: event.userAgent,
+      referer: event.referer,
+      crawler,
+      aiReferral
+    });
+    if (samples.length > sampleLimit) samples.shift();
+  }
+  for (const session of aiReferralSessions.values()) {
+    const key = [
+      session.tsHour,
+      session.product,
+      session.sourceDomain,
+      session.evidenceType,
+      session.landingPathNormalized,
+      session.status ?? "null"
+    ].join("	");
+    const existing = aiReferralBuckets.get(key);
+    if (existing) {
+      existing.hits += 1;
+    } else {
+      aiReferralBuckets.set(key, {
+        ...session,
+        hits: 1
       });
     }
+    incrementBucket(topAiReferrers, session.sourceDomain, {
+      sourceDomain: session.sourceDomain,
+      product: session.product
+    });
+    incrementBucket(topAiReferralLandingPaths, session.landingPathNormalized, {
+      landingPathNormalized: session.landingPathNormalized
+    });
   }
   return {
     generatedAt: options.generatedAt ?? (/* @__PURE__ */ new Date()).toISOString(),
     totals: {
       normalizedEvents: events.length,
       crawlerHits,
+      aiReferralSessions: aiReferralSessions.size,
       aiReferralHits,
       unknownHits
     },
@@ -17009,10 +17213,155 @@ function incrementBucket(map, key, fields) {
   else map.set(key, { fields, hits: 1 });
 }
 
+// ../integration-wordpress-traffic/src/normalize.ts
+function trimOrNull(value) {
+  if (value === null || value === void 0) return null;
+  const trimmed = value.trim();
+  return trimmed.length > 0 ? trimmed : null;
+}
+function buildEventId2(event) {
+  return `wordpress:${event.observed_at}:${event.id}`;
+}
+function normalizeWordpressTrafficEvent(event) {
+  if (!event.observed_at) return null;
+  if (typeof event.id !== "number" || !Number.isFinite(event.id)) return null;
+  const path15 = event.path?.trim();
+  if (!path15) return null;
+  const queryString = trimOrNull(event.query_string);
+  const host = trimOrNull(event.host);
+  const requestUrl = host ? `https://${host}${path15}${queryString ? `?${queryString}` : ""}` : `${path15}${queryString ? `?${queryString}` : ""}`;
+  return {
+    sourceType: TrafficSourceTypes.wordpress,
+    evidenceKind: TrafficEvidenceKinds["raw-request"],
+    confidence: TrafficEventConfidences.observed,
+    eventId: buildEventId2(event),
+    observedAt: event.observed_at,
+    method: trimOrNull(event.method),
+    requestUrl,
+    host,
+    path: path15,
+    queryString,
+    status: typeof event.status === "number" && Number.isFinite(event.status) ? event.status : null,
+    userAgent: trimOrNull(event.user_agent),
+    remoteIp: trimOrNull(event.remote_ip_hash),
+    referer: trimOrNull(event.referer),
+    latencyMs: null,
+    requestSizeBytes: null,
+    responseSizeBytes: null,
+    providerResource: {
+      type: "wordpress_site",
+      labels: host ? { host } : {}
+    },
+    providerLabels: {}
+  };
+}
+
+// ../integration-wordpress-traffic/src/client.ts
+var WORDPRESS_TRAFFIC_ENDPOINT_PATH = "/wp-json/canonry/v1/events";
+var DEFAULT_PAGE_SIZE2 = 500;
+var DEFAULT_MAX_PAGES2 = 1;
+var DEFAULT_TIMEOUT_MS2 = 3e4;
+var WordpressTrafficApiError = class extends Error {
+  constructor(message, status, body) {
+    super(message);
+    this.status = status;
+    this.body = body;
+    this.name = "WordpressTrafficApiError";
+  }
+};
+function trimRequired(name, value) {
+  const trimmed = value.trim();
+  if (!trimmed) {
+    throw new WordpressTrafficApiError(`${name} is required`, 400);
+  }
+  return trimmed;
+}
+function normalizePageSize2(pageSize) {
+  if (pageSize === void 0) return DEFAULT_PAGE_SIZE2;
+  if (!Number.isInteger(pageSize) || pageSize < 1) {
+    throw new WordpressTrafficApiError("pageSize must be a positive integer", 400);
+  }
+  return pageSize;
+}
+function normalizeMaxPages2(maxPages) {
+  if (maxPages === void 0) return DEFAULT_MAX_PAGES2;
+  if (!Number.isInteger(maxPages) || maxPages < 1) {
+    throw new WordpressTrafficApiError("maxPages must be a positive integer", 400);
+  }
+  return maxPages;
+}
+function resolveEndpoint(baseUrl) {
+  const trimmed = trimRequired("baseUrl", baseUrl).replace(/\/+$/, "");
+  return `${trimmed}${WORDPRESS_TRAFFIC_ENDPOINT_PATH}`;
+}
+function buildBasicAuthHeader(username, applicationPassword) {
+  const credentials = `${trimRequired("username", username)}:${trimRequired("applicationPassword", applicationPassword)}`;
+  return `Basic ${Buffer.from(credentials, "utf8").toString("base64")}`;
+}
+async function readErrorBody2(response) {
+  const text = await response.text().catch(() => "");
+  if (!text) return void 0;
+  return text.length <= 500 ? text : `${text.slice(0, 500)}... [truncated]`;
+}
+async function listWordpressTrafficEvents(options) {
+  const endpoint = resolveEndpoint(options.baseUrl);
+  const authHeader = buildBasicAuthHeader(options.username, options.applicationPassword);
+  const pageSize = normalizePageSize2(options.pageSize);
+  const maxPages = normalizeMaxPages2(options.maxPages);
+  const timeoutMs = options.timeoutMs ?? DEFAULT_TIMEOUT_MS2;
+  let cursor = options.cursor;
+  let rawEntryCount = 0;
+  let skippedEntryCount = 0;
+  const events = [];
+  for (let page = 0; page < maxPages; page += 1) {
+    const url = new URL(endpoint);
+    url.searchParams.set("limit", String(pageSize));
+    if (cursor !== void 0 && cursor !== "") {
+      url.searchParams.set("cursor", cursor);
+    }
+    const response = await fetch(url, {
+      method: "GET",
+      headers: {
+        Authorization: authHeader,
+        Accept: "application/json"
+      },
+      signal: AbortSignal.timeout(timeoutMs)
+    });
+    if (!response.ok) {
+      const body2 = await readErrorBody2(response);
+      throw new WordpressTrafficApiError(
+        `WordPress traffic endpoint returned HTTP ${response.status}`,
+        response.status,
+        body2
+      );
+    }
+    const body = await response.json();
+    const entries = body.events ?? [];
+    rawEntryCount += entries.length;
+    for (const entry of entries) {
+      const normalized = normalizeWordpressTrafficEvent(entry);
+      if (normalized) {
+        events.push(normalized);
+      } else {
+        skippedEntryCount += 1;
+      }
+    }
+    cursor = body.next_cursor ?? void 0;
+    if (!body.has_more || !cursor) break;
+  }
+  return {
+    events,
+    rawEntryCount,
+    skippedEntryCount,
+    nextCursor: cursor,
+    endpoint
+  };
+}
+
 // ../api-routes/src/traffic.ts
 var DEFAULT_SYNC_WINDOW_MINUTES = 43200;
-var DEFAULT_PAGE_SIZE2 = 1e3;
-var DEFAULT_MAX_PAGES2 = 5;
+var DEFAULT_PAGE_SIZE3 = 1e3;
+var DEFAULT_MAX_PAGES3 = 5;
 var DEFAULT_SAMPLE_LIMIT2 = 100;
 var MAX_TRACKED_EVENT_IDS = 1e3;
 var DEFAULT_BACKFILL_DAYS = 30;
@@ -17089,7 +17438,7 @@ async function runBackfillTask(options) {
       location,
       startTime: windowStart.toISOString(),
       endTime: windowEnd.toISOString(),
-      pageSize: DEFAULT_PAGE_SIZE2,
+      pageSize: DEFAULT_PAGE_SIZE3,
       maxPages: BACKFILL_MAX_PAGES,
       // Backfill is intentionally `firstSync: false`. We don't want desc
       // ordering — the in-memory rollup builder handles any order, and the
@@ -17118,7 +17467,7 @@ async function runBackfillTask(options) {
   const newSorted = allEvents.slice().sort((a, b) => a.observedAt < b.observedAt ? 1 : a.observedAt > b.observedAt ? -1 : 0).map((e) => e.eventId);
   const newRingBuffer = newSorted.slice(0, MAX_TRACKED_EVENT_IDS);
   const currentLastSyncedMs = sourceRow.lastSyncedAt ? new Date(sourceRow.lastSyncedAt).getTime() : Number.NEGATIVE_INFINITY;
-  const nextLastSyncedAt = Math.max(currentLastSyncedMs, windowEnd.getTime()) === windowEnd.getTime() ? finishedAt : sourceRow.lastSyncedAt;
+  const nextLastSyncedAt = Math.max(currentLastSyncedMs, windowEnd.getTime()) === windowEnd.getTime() ? windowEndIso : sourceRow.lastSyncedAt;
   try {
     app.db.transaction((tx) => {
       tx.delete(crawlerEventsHourly).where(
@@ -17219,9 +17568,10 @@ async function runBackfillTask(options) {
 async function trafficRoutes(app, opts) {
   const pullEvents = opts.pullCloudRunEvents ?? listCloudRunTrafficEvents;
   const resolveAccessToken2 = opts.resolveCloudRunAccessToken ?? defaultResolveAccessToken;
+  const pullWordpressEvents = opts.pullWordpressTrafficEvents ?? listWordpressTrafficEvents;
   const syncWindowMinutes = opts.defaultSyncWindowMinutes ?? DEFAULT_SYNC_WINDOW_MINUTES;
-  const pageSize = opts.defaultPageSize ?? DEFAULT_PAGE_SIZE2;
-  const maxPages = opts.defaultMaxPages ?? DEFAULT_MAX_PAGES2;
+  const pageSize = opts.defaultPageSize ?? DEFAULT_PAGE_SIZE3;
+  const maxPages = opts.defaultMaxPages ?? DEFAULT_MAX_PAGES3;
   const sampleLimit = opts.defaultSampleLimit ?? DEFAULT_SAMPLE_LIMIT2;
   app.post("/projects/:name/traffic/connect/cloud-run", async (request) => {
     const project = resolveProject(app.db, request.params.name);
@@ -17305,6 +17655,84 @@ async function trafficRoutes(app, opts) {
     });
     return rowToDto(sourceRow);
   });
+  app.post("/projects/:name/traffic/connect/wordpress", async (request) => {
+    const project = resolveProject(app.db, request.params.name);
+    if (!opts.wordpressTrafficCredentialStore) {
+      throw validationError("WordPress traffic credential storage is not configured for this deployment");
+    }
+    const credentialStore = opts.wordpressTrafficCredentialStore;
+    const parsed = trafficConnectWordpressRequestSchema.safeParse(request.body ?? {});
+    if (!parsed.success) {
+      throw validationError(parsed.error.issues.map((i) => i.message).join("; "));
+    }
+    const { baseUrl, username, applicationPassword, displayName } = parsed.data;
+    try {
+      await pullWordpressEvents({
+        baseUrl,
+        username,
+        applicationPassword,
+        pageSize: 1,
+        maxPages: 1
+      });
+    } catch (e) {
+      if (e instanceof WordpressTrafficApiError) {
+        throw providerError(
+          `WordPress traffic probe failed (HTTP ${e.status}): ${e.message}${e.body ? ` \u2014 ${e.body}` : ""}`
+        );
+      }
+      const msg = e instanceof Error ? e.message : String(e);
+      throw providerError(`WordPress traffic probe failed: ${msg}`);
+    }
+    const now = (/* @__PURE__ */ new Date()).toISOString();
+    const existing = credentialStore.getConnection(project.name);
+    credentialStore.upsertConnection({
+      projectName: project.name,
+      baseUrl,
+      username,
+      applicationPassword,
+      createdAt: existing?.createdAt ?? now,
+      updatedAt: now
+    });
+    const activeSource = app.db.select().from(trafficSources).where(eq23(trafficSources.projectId, project.id)).all().find((row) => row.sourceType === TrafficSourceTypes.wordpress && row.status !== TrafficSourceStatuses.archived);
+    const config = { baseUrl, username };
+    const fallbackName = displayName ?? `WordPress \xB7 ${new URL(baseUrl).host}`;
+    let sourceRow;
+    if (activeSource) {
+      app.db.update(trafficSources).set({
+        displayName: fallbackName,
+        status: TrafficSourceStatuses.connected,
+        lastError: null,
+        configJson: JSON.stringify(config),
+        updatedAt: now
+      }).where(eq23(trafficSources.id, activeSource.id)).run();
+      sourceRow = app.db.select().from(trafficSources).where(eq23(trafficSources.id, activeSource.id)).get();
+    } else {
+      const newId = crypto20.randomUUID();
+      app.db.insert(trafficSources).values({
+        id: newId,
+        projectId: project.id,
+        sourceType: TrafficSourceTypes.wordpress,
+        displayName: fallbackName,
+        status: TrafficSourceStatuses.connected,
+        lastSyncedAt: null,
+        lastCursor: null,
+        lastError: null,
+        archivedAt: null,
+        configJson: JSON.stringify(config),
+        createdAt: now,
+        updatedAt: now
+      }).run();
+      sourceRow = app.db.select().from(trafficSources).where(eq23(trafficSources.id, newId)).get();
+    }
+    writeAuditLog(app.db, {
+      projectId: project.id,
+      actor: "api",
+      action: "traffic.wordpress.connected",
+      entityType: "traffic_source",
+      entityId: sourceRow.id
+    });
+    return rowToDto(sourceRow);
+  });
   app.post("/projects/:name/traffic/sources/:id/sync", async (request) => {
     const project = resolveProject(app.db, request.params.name);
     const sourceRow = app.db.select().from(trafficSources).where(eq23(trafficSources.id, request.params.id)).get();
@@ -17398,25 +17826,35 @@ async function trafficRoutes(app, opts) {
       markFailed(msg, "PROVIDER_PULL");
       throw providerError(`Cloud Run pull failed: ${msg}`);
     }
-    const seenEventIds = new Set(parseJsonColumn(sourceRow.lastEventIds, []));
-    const dedupedEvents = seenEventIds.size === 0 ? allEvents : allEvents.filter((e) => !seenEventIds.has(e.eventId));
-    const newSorted = dedupedEvents.slice().sort((a, b) => a.observedAt < b.observedAt ? 1 : a.observedAt > b.observedAt ? -1 : 0).map((e) => e.eventId);
-    const previousIds = parseJsonColumn(sourceRow.lastEventIds, []);
-    const merged = [];
-    const mergedSet = /* @__PURE__ */ new Set();
-    for (const id of [...newSorted, ...previousIds]) {
-      if (mergedSet.has(id)) continue;
-      mergedSet.add(id);
-      merged.push(id);
-      if (merged.length >= MAX_TRACKED_EVENT_IDS) break;
-    }
-    const nextEventIds = merged;
-    const report = buildTrafficProbeReport(dedupedEvents, { sampleLimit });
-    const finishedAt = (/* @__PURE__ */ new Date()).toISOString();
     let crawlerBucketRows = 0;
     let aiReferralBucketRows = 0;
     let sampleRows = 0;
+    let finishedAt = (/* @__PURE__ */ new Date()).toISOString();
+    let pulledEventsCount = 0;
+    let crawlerHitsCount = 0;
+    let aiReferralHitsCount = 0;
+    let unknownHitsCount = 0;
     app.db.transaction((tx) => {
+      const latestRow = tx.select().from(trafficSources).where(eq23(trafficSources.id, sourceRow.id)).get();
+      const previousIds = parseJsonColumn(latestRow.lastEventIds, []);
+      const seenEventIds = new Set(previousIds);
+      const dedupedEvents = seenEventIds.size === 0 ? allEvents : allEvents.filter((e) => !seenEventIds.has(e.eventId));
+      const newSorted = dedupedEvents.slice().sort((a, b) => a.observedAt < b.observedAt ? 1 : a.observedAt > b.observedAt ? -1 : 0).map((e) => e.eventId);
+      const merged = [];
+      const mergedSet = /* @__PURE__ */ new Set();
+      for (const id of [...newSorted, ...previousIds]) {
+        if (mergedSet.has(id)) continue;
+        mergedSet.add(id);
+        merged.push(id);
+        if (merged.length >= MAX_TRACKED_EVENT_IDS) break;
+      }
+      const nextEventIds = merged;
+      const report = buildTrafficProbeReport(dedupedEvents, { sampleLimit });
+      finishedAt = (/* @__PURE__ */ new Date()).toISOString();
+      pulledEventsCount = report.totals.normalizedEvents;
+      crawlerHitsCount = report.totals.crawlerHits;
+      aiReferralHitsCount = report.totals.aiReferralHits;
+      unknownHitsCount = report.totals.unknownHits;
       for (const bucket of report.crawlerEventsHourly) {
         const status = bucket.status ?? 0;
         tx.insert(crawlerEventsHourly).values({
@@ -17515,7 +17953,11 @@ async function trafficRoutes(app, opts) {
       }
       tx.update(trafficSources).set({
         status: TrafficSourceStatuses.connected,
-        lastSyncedAt: finishedAt,
+        // Advance to windowEnd, not finishedAt — events arriving at the
+        // source between windowEnd and finishedAt aren't in this pull's
+        // range. If we stored finishedAt, the next sync's clamp would skip
+        // past them and they'd be lost.
+        lastSyncedAt: windowEnd.toISOString(),
         lastError: null,
         lastEventIds: JSON.stringify(nextEventIds),
         updatedAt: finishedAt
@@ -17534,9 +17976,9 @@ async function trafficRoutes(app, opts) {
         status: "completed",
         sourceType: sourceRow.sourceType,
         sourceId: sourceRow.id,
-        pulledEvents: report.totals.normalizedEvents,
-        crawlerHits: report.totals.crawlerHits,
-        aiReferralHits: report.totals.aiReferralHits,
+        pulledEvents: pulledEventsCount,
+        crawlerHits: crawlerHitsCount,
+        aiReferralHits: aiReferralHitsCount,
         durationMs: Date.now() - syncStartedAtMs
       });
     } catch {
@@ -17545,10 +17987,10 @@ async function trafficRoutes(app, opts) {
       sourceId: sourceRow.id,
       runId,
       syncedAt: finishedAt,
-      pulledEvents: report.totals.normalizedEvents,
-      crawlerHits: report.totals.crawlerHits,
-      aiReferralHits: report.totals.aiReferralHits,
-      unknownHits: report.totals.unknownHits,
+      pulledEvents: pulledEventsCount,
+      crawlerHits: crawlerHitsCount,
+      aiReferralHits: aiReferralHitsCount,
+      unknownHits: unknownHitsCount,
       crawlerBucketRows,
       aiReferralBucketRows,
       sampleRows,
@@ -18467,7 +18909,7 @@ var sourceConnectedCheck = {
         status: CheckStatuses.skipped,
         code: "traffic.source.none",
         summary: "No server-side traffic source connected \u2014 server-log AI visibility data unavailable for this project.",
-        remediation: "Connect a traffic source via `canonry traffic connect <type> <project>` to surface crawler hits and AI-referral arrivals from your server logs.",
+        remediation: "Connect a traffic source via `canonry traffic connect <type> <project>` to surface crawler hits and AI-referral sessions from your server logs.",
         details: { sourceCount: 0 }
       };
     }
@@ -18548,12 +18990,20 @@ var recentDataCheck = {
         )
       ).get()?.total ?? 0
     );
+    const olderReferrals = Number(
+      ctx.db.select({ total: sql9`COALESCE(SUM(${aiReferralEventsHourly.sessionsOrHits}), 0)` }).from(aiReferralEventsHourly).where(
+        and15(
+          eq24(aiReferralEventsHourly.projectId, ctx.project.id),
+          gte3(aiReferralEventsHourly.tsHour, failCutoff)
+        )
+      ).get()?.total ?? 0
+    );
     const lastSyncedAt = sources.map((s) => s.lastSyncedAt).filter(Boolean).sort().at(-1) ?? null;
-    if (olderCrawlers > 0 || lastSyncedAt) {
+    if (olderCrawlers > 0 || olderReferrals > 0 || lastSyncedAt) {
       return {
         status: CheckStatuses.warn,
         code: "traffic.recent-data.stale",
-        summary: `No crawler hits or AI-referral arrivals in the last ${RECENT_DATA_WARN_DAYS} days, though older data exists.`,
+        summary: `No crawler hits or AI-referral sessions in the last ${RECENT_DATA_WARN_DAYS} days, though older data exists.`,
         remediation: lastSyncedAt ? `Last sync: ${lastSyncedAt}. Run \`canonry traffic sync <project>\` to refresh, or check the source connection.` : "Run `canonry traffic sync <project>` to pull recent events.",
         details: { lastSyncedAt, sourceCount: sources.length }
       };
@@ -18955,6 +19405,8 @@ async function apiRoutes(app, opts) {
       cloudRunCredentialStore: opts.cloudRunCredentialStore,
       pullCloudRunEvents: opts.pullCloudRunEvents,
       resolveCloudRunAccessToken: opts.resolveCloudRunAccessToken,
+      wordpressTrafficCredentialStore: opts.wordpressTrafficCredentialStore,
+      pullWordpressTrafficEvents: opts.pullWordpressTrafficEvents,
       onTrafficSynced: opts.onTrafficSynced
     });
     await api.register(backlinksRoutes, {
@@ -19021,6 +19473,50 @@ function buildTrafficSourceValidators(opts) {
       validateScopes: () => null
     };
   }
+  if (opts.wordpressTrafficCredentialStore) {
+    const store = opts.wordpressTrafficCredentialStore;
+    const pullEvents = opts.pullWordpressTrafficEvents ?? listWordpressTrafficEvents;
+    validators[TrafficSourceTypes.wordpress] = {
+      validateCredentials: async (source) => {
+        const record = store.getConnection(source.projectName);
+        if (!record) {
+          return {
+            status: CheckStatuses.fail,
+            code: "traffic.credentials.missing",
+            summary: `No WordPress traffic credential found in ~/.canonry/config.yaml for project "${source.projectName}".`,
+            remediation: "Re-run `canonry traffic connect wordpress <project> --url <site> --username <user> --app-password <password>`."
+          };
+        }
+        try {
+          await pullEvents({
+            baseUrl: record.baseUrl,
+            username: record.username,
+            applicationPassword: record.applicationPassword,
+            pageSize: 1,
+            maxPages: 1
+          });
+          return {
+            status: CheckStatuses.ok,
+            code: "traffic.credentials.resolved",
+            summary: `WordPress endpoint responds for "${source.displayName}" (${new URL(record.baseUrl).host}).`
+          };
+        } catch (e) {
+          const httpStatus = e instanceof WordpressTrafficApiError ? e.status : null;
+          const msg = e instanceof Error ? e.message : String(e);
+          return {
+            status: CheckStatuses.fail,
+            code: httpStatus === 401 || httpStatus === 403 ? "traffic.credentials.unauthorized" : "traffic.credentials.resolve-failed",
+            summary: httpStatus ? `WordPress endpoint returned HTTP ${httpStatus}: ${msg}.` : `WordPress endpoint probe failed: ${msg}.`,
+            remediation: "Verify the site URL is reachable and the Application Password is valid. Re-connect the source if needed."
+          };
+        }
+      },
+      // WordPress Application Passwords have no scope concept — auth is
+      // strictly "valid credential or not". Surface a skipped result so the
+      // framework is uniform without producing a false signal.
+      validateScopes: () => null
+    };
+  }
   return Object.keys(validators).length > 0 ? validators : void 0;
 }
 
@@ -21458,8 +21954,40 @@ function removeCloudRunConnection(config, projectName) {
   return true;
 }
 
-// src/wordpress-config.ts
+// src/wordpress-traffic-config.ts
 function ensureConnections4(config) {
+  if (!config.wordpressTraffic) config.wordpressTraffic = {};
+  if (!config.wordpressTraffic.connections) config.wordpressTraffic.connections = [];
+  return config.wordpressTraffic.connections;
+}
+function getWordpressTrafficConnection(config, projectName) {
+  return (config.wordpressTraffic?.connections ?? []).find((c) => c.projectName === projectName);
+}
+function upsertWordpressTrafficConnection(config, connection) {
+  const connections = ensureConnections4(config);
+  const index = connections.findIndex((c) => c.projectName === connection.projectName);
+  if (index === -1) {
+    connections.push(connection);
+    return connection;
+  }
+  connections[index] = connection;
+  return connection;
+}
+function removeWordpressTrafficConnection(config, projectName) {
+  const connections = config.wordpressTraffic?.connections;
+  if (!connections?.length) return false;
+  const next = connections.filter((c) => c.projectName !== projectName);
+  if (next.length === connections.length) return false;
+  if (!config.wordpressTraffic) return false;
+  config.wordpressTraffic.connections = next;
+  if (next.length === 0) {
+    delete config.wordpressTraffic;
+  }
+  return true;
+}
+
+// src/wordpress-config.ts
+function ensureConnections5(config) {
   if (!config.wordpress) config.wordpress = {};
   if (!config.wordpress.connections) config.wordpress.connections = [];
   return config.wordpress.connections;
@@ -21476,7 +22004,7 @@ function getWordpressConnection(config, projectName) {
   return (config.wordpress?.connections ?? []).find((connection) => connection.projectName === projectName);
 }
 function upsertWordpressConnection(config, connection) {
-  const connections = ensureConnections4(config);
+  const connections = ensureConnections5(config);
   const normalized = normalizeConnection(connection);
   const index = connections.findIndex((entry) => entry.projectName === connection.projectName);
   if (index === -1) {
@@ -25808,6 +26336,21 @@ async function createServer(opts) {
       return removed;
     }
   };
+  const wordpressTrafficCredentialStore = {
+    getConnection: (projectName) => {
+      return getWordpressTrafficConnection(opts.config, projectName);
+    },
+    upsertConnection: (record) => {
+      const updated = upsertWordpressTrafficConnection(opts.config, record);
+      saveConfigPatch(opts.config);
+      return updated;
+    },
+    deleteConnection: (projectName) => {
+      const removed = removeWordpressTrafficConnection(opts.config, projectName);
+      if (removed) saveConfigPatch(opts.config);
+      return removed;
+    }
+  };
   const googleStateSecret = process.env.GOOGLE_STATE_SECRET ?? crypto31.randomBytes(32).toString("hex");
   const googleConnectionStore = {
     listConnections: (domain) => listGoogleConnections(opts.config, domain),
@@ -26152,6 +26695,7 @@ async function createServer(opts) {
     wordpressConnectionStore,
     ga4CredentialStore,
     cloudRunCredentialStore,
+    wordpressTrafficCredentialStore,
     onTrafficSynced: (event) => {
       trackEvent("traffic.synced", {
         status: event.status,