@ainyc/canonry 4.24.1 → 4.26.0

package/dist/{chunk-E5PZ23OS.js → chunk-H4RE4WLW.js}

@@ -5,7 +5,7 @@ import {
   loadConfig,
   loadConfigRaw,
   saveConfigPatch
-} from "./chunk-6EJ54OX7.js";
+} from "./chunk-2FAEQ56I.js";
 import {
   DEFAULT_RUN_HISTORY_LIMIT,
   IntelligenceService,
@@ -40,6 +40,8 @@ import {
   competitors,
   crawlerEventsHourly,
   createLogger,
+  discoveryProbes,
+  discoverySessions,
   dropLegacyCredentialColumns,
   extractLegacyCredentials,
   gaAiReferrals,
@@ -66,7 +68,7 @@ import {
   schedules,
   trafficSources,
   usageCounters
-} from "./chunk-OYYFXKRK.js";
+} from "./chunk-PN24DAGC.js";
 import {
   AGENT_MEMORY_VALUE_MAX_BYTES,
   AGENT_PROVIDER_IDS,
@@ -77,6 +79,8 @@ import {
   CheckScopes,
   CheckStatuses,
   CitationStates,
+  DiscoveryBuckets,
+  DiscoverySessionStatuses,
   MemorySources,
   RunKinds,
   RunStatuses,
@@ -101,7 +105,9 @@ import {
   buildRunErrorFromMessages,
   categorizeSource,
   categoryLabel,
+  citationStateSchema,
   citationStateToCited,
+  clusterByCosine,
   competitorBatchRequestSchema,
   contentActionLabel,
   dedupeReportActions,
@@ -110,6 +116,8 @@ import {
   deltaPercent,
   deltaTone,
   determineAnswerMentioned,
+  discoveryBucketSchema,
+  discoveryRunRequestSchema,
   effectiveDomains,
   emptyCitationVisibility,
   extractAnswerMentions,
@@ -134,6 +142,7 @@ import {
   notImplemented,
   parseRunError,
   parseWindow,
+  pickClusterRepresentative,
   projectConfigSchema,
   projectUpsertRequestSchema,
   providerError,
@@ -160,7 +169,7 @@ import {
   visibilityStateFromAnswerMentioned,
   windowCutoff,
   wordpressEnvSchema
-} from "./chunk-EUGCQSFC.js";
+} from "./chunk-HVW665A4.js";
 
 // src/telemetry.ts
 import crypto from "crypto";
@@ -315,11 +324,11 @@ function trackEvent(event, properties, options) {
 
 // src/server.ts
 import { createRequire as createRequire3 } from "module";
-import crypto31 from "crypto";
+import crypto34 from "crypto";
 import fs12 from "fs";
 import path14 from "path";
 import { fileURLToPath as fileURLToPath2 } from "url";
-import { eq as eq36 } from "drizzle-orm";
+import { eq as eq40 } from "drizzle-orm";
 import Fastify from "fastify";
 
 // ../api-routes/src/auth.ts
@@ -741,6 +750,7 @@ async function queryRoutes(app, opts) {
           id: crypto5.randomUUID(),
           projectId: project.id,
           query: q,
+          provenance: "cli",
           createdAt: now
         }).run();
       }
@@ -797,6 +807,7 @@ async function queryRoutes(app, opts) {
           id: crypto5.randomUUID(),
           projectId: project.id,
           query: q,
+          provenance: "cli",
           createdAt: now
         }).run();
         added.push(q);
@@ -874,6 +885,7 @@ async function queryRoutes(app, opts) {
           id: crypto5.randomUUID(),
           projectId: project.id,
           query: keyword,
+          provenance: "cli",
           createdAt: now
         }).run();
       }
@@ -930,6 +942,7 @@ async function queryRoutes(app, opts) {
           id: crypto5.randomUUID(),
           projectId: project.id,
           query: keyword,
+          provenance: "cli",
           createdAt: now
         }).run();
         added.push(keyword);
@@ -1032,6 +1045,7 @@ async function competitorRoutes(app) {
           id: crypto6.randomUUID(),
           projectId: project.id,
           domain,
+          provenance: "cli",
           createdAt: now
         }).run();
       }
@@ -1061,6 +1075,7 @@ async function competitorRoutes(app) {
           id: crypto6.randomUUID(),
           projectId: project.id,
           domain,
+          provenance: "cli",
           createdAt: now
         }).onConflictDoNothing({
           target: [competitors.projectId, competitors.domain]
@@ -1140,6 +1155,7 @@ function queueRunIfProjectIdle(db, params) {
       status: "queued",
       trigger,
       location: params.location ?? null,
+      queries: params.queries ?? null,
       createdAt
     }).run();
     return { conflict: false, runId };
@@ -1170,6 +1186,20 @@ async function runRoutes(app, opts) {
       rawProviders.splice(0, rawProviders.length, ...normalized);
     }
     const providers = rawProviders?.length ? rawProviders : void 0;
+    let scopedQueries = null;
+    if (body.queries?.length) {
+      const trackedRows = app.db.select({ query: queries.query }).from(queries).where(eq7(queries.projectId, project.id)).all();
+      const tracked = new Set(trackedRows.map((r) => r.query));
+      const missing = body.queries.filter((q) => !tracked.has(q));
+      if (missing.length) {
+        throw validationError(`Queries not tracked on project "${project.name}": ${missing.join(", ")}`, {
+          missing,
+          tracked: [...tracked]
+        });
+      }
+      scopedQueries = body.queries;
+    }
+    const queriesColumn = scopedQueries ? JSON.stringify(scopedQueries) : null;
     let resolvedLocation;
     const projectLocations = parseJsonColumn(project.locations, []);
     if (body.noLocation) {
@@ -1202,6 +1232,7 @@ async function runRoutes(app, opts) {
           status: "queued",
           trigger,
           location: loc.label,
+          queries: queriesColumn,
           createdAt: now
         }).run();
         newRuns.push({ runId: runId2, loc });
@@ -1229,7 +1260,8 @@ async function runRoutes(app, opts) {
       kind,
       projectId: project.id,
       trigger,
-      location: locationLabel
+      location: locationLabel,
+      queries: queriesColumn
     });
     if (queueResult.conflict) throw runInProgress(project.name);
     const runId = queueResult.runId;
@@ -1375,6 +1407,7 @@ function formatRun(row) {
     status: row.status,
     trigger: row.trigger,
     location: row.location,
+    queries: parseJsonColumn(row.queries, null),
     startedAt: row.startedAt,
     finishedAt: row.finishedAt,
     error: parseRunError(row.error),
@@ -1821,6 +1854,7 @@ async function applyRoutes(app, opts) {
           id: crypto10.randomUUID(),
           projectId,
           query: q,
+          provenance: "cli",
           createdAt: now
         }).run();
       }
@@ -1838,6 +1872,7 @@ async function applyRoutes(app, opts) {
           id: crypto10.randomUUID(),
           projectId,
           domain,
+          provenance: "cli",
           createdAt: now
         }).run();
       }
@@ -6789,6 +6824,15 @@ import { eq as eq15, and as and6, desc as desc7, sql as sql4, like, or as or3, i
 var TOP_INSIGHT_LIMIT = 5;
 var SEARCH_HIT_HARD_LIMIT = 50;
 var SEARCH_SNIPPET_RADIUS = 80;
+var INTEGRATION_SYNC_KINDS = /* @__PURE__ */ new Set([
+  RunKinds["gsc-sync"],
+  RunKinds["inspect-sitemap"],
+  RunKinds["ga-sync"],
+  RunKinds["bing-inspect"],
+  RunKinds["bing-inspect-sitemap"],
+  RunKinds["backlink-extract"],
+  RunKinds["traffic-sync"]
+]);
 async function compositeRoutes(app) {
   app.get("/projects/:name/overview", async (request, reply) => {
     const project = resolveProject(app.db, request.params.name);
@@ -7176,7 +7220,7 @@ function buildAttentionItems(insightRows, allRuns) {
   }
   const sortedRuns = [...allRuns].sort((a, b) => b.createdAt.localeCompare(a.createdAt));
   const latestVisRun = sortedRuns.find((r) => r.kind === RunKinds["answer-visibility"]);
-  const latestSyncRun = sortedRuns.find((r) => r.kind !== RunKinds["answer-visibility"]);
+  const latestSyncRun = sortedRuns.find((r) => INTEGRATION_SYNC_KINDS.has(r.kind));
   if (latestVisRun && latestSyncRun) {
     const visibilityAge = new Date(latestSyncRun.createdAt).getTime() - new Date(latestVisRun.createdAt).getTime();
     const ONE_DAY = 24 * 60 * 60 * 1e3;
@@ -7977,6 +8021,7 @@ var routeCatalog = [
               kind: stringSchema,
               trigger: stringSchema,
               providers: stringArraySchema,
+              queries: stringArraySchema,
               location: stringSchema,
               allLocations: booleanSchema,
               noLocation: booleanSchema
@@ -10145,8 +10190,8 @@ var routeCatalog = [
   {
     method: "post",
     path: "/api/v1/projects/{name}/traffic/sources/{id}/backfill",
-    summary: "Reclassify historical Cloud Run logs for a traffic source",
-    description: 'Async one-shot backfill: pulls the last `days` of request logs (clamped server-side to the upstream retention ceiling \u2014 30d for Cloud Logging `_Default`), classifies them with the current rules, and replaces the hourly rollup buckets + sample slice in the window inside one transaction. Returns immediately with `{ runId, status: "running" }`; poll `GET /runs/{id}` for completion. lastSyncedAt only advances forward, so a backfill never undoes incremental sync progress that ran ahead of it.',
+    summary: "Reclassify historical traffic-source logs",
+    description: 'Async one-shot backfill: pulls the last `days` of events (clamped server-side to the upstream retention ceiling \u2014 30d for Cloud Logging `_Default`; the WordPress plugin honours the same window via `since`/`until` query params), classifies them with the current rules, and replaces the hourly rollup buckets + sample slice in the window inside one transaction. Returns immediately with `{ runId, status: "running" }`; poll `GET /runs/{id}` for completion. lastSyncedAt only advances forward, so a backfill never undoes incremental sync progress that ran ahead of it. Supported source types: `cloud-run`, `wordpress`.',
     tags: ["traffic"],
     parameters: [
       nameParameter,
@@ -10227,6 +10272,79 @@ var routeCatalog = [
       400: { description: "Invalid query parameters." },
       404: { description: "Project not found." }
     }
+  },
+  {
+    method: "post",
+    path: "/api/v1/projects/{name}/discover/run",
+    summary: "Start a tracked-basket discovery session",
+    description: 'Kicks off a discovery session for the project. The pipeline: ICP description \u2192 Gemini grounded seed prompt \u2192 embed + cluster (cosine \u2265 0.85 by default) \u2192 pick canonical representatives \u2192 probe each canonical via Gemini grounding \u2192 classify into cited / aspirational / wasted-surface \u2192 aggregate competitor map. Returns immediately with `{ runId, sessionId, status: "running" }`; the actual work runs in the background. Poll `GET /projects/{name}/discover/sessions/{id}` until `status` is `completed` or `failed`.',
+    tags: ["discovery"],
+    parameters: [nameParameter],
+    requestBody: {
+      required: false,
+      content: {
+        "application/json": {
+          schema: {
+            type: "object",
+            properties: {
+              icpDescription: { type: "string", description: "Free-text ICP. Required if the project does not have spec.icpDescription stored." },
+              dedupThreshold: { type: "number", description: "Cosine similarity threshold for clustering. Defaults to 0.85." },
+              maxProbes: { type: "integer", description: "Max canonical queries to probe in this session. Default 100, hard cap 500." }
+            }
+          }
+        }
+      }
+    },
+    responses: {
+      201: { description: "Discovery session enqueued; returns { runId, sessionId, status }." },
+      400: { description: "Missing or invalid ICP / parameters." },
+      404: { description: "Project not found." }
+    }
+  },
+  {
+    method: "get",
+    path: "/api/v1/projects/{name}/discover/sessions",
+    summary: "List discovery sessions for a project",
+    description: "Returns sessions newest-first. Each row carries seed counts, bucket counts, the competitor map, and timing fields. Drill into `GET /projects/{name}/discover/sessions/{id}` for per-query probe rows.",
+    tags: ["discovery"],
+    parameters: [
+      nameParameter,
+      { name: "limit", in: "query", description: "Max sessions returned. Default 50.", schema: stringSchema }
+    ],
+    responses: {
+      200: { description: "Sessions returned." },
+      404: { description: "Project not found." }
+    }
+  },
+  {
+    method: "get",
+    path: "/api/v1/projects/{name}/discover/sessions/{id}",
+    summary: "Get a discovery session with its probe list",
+    description: 'Returns one discovery session plus the full list of per-canonical probes (query, bucket, cited domains, citation state). Use this to answer "what did discovery find for project X?" in a single call.',
+    tags: ["discovery"],
+    parameters: [
+      nameParameter,
+      { name: "id", in: "path", required: true, description: "Discovery session ID.", schema: stringSchema }
+    ],
+    responses: {
+      200: { description: "Session detail returned." },
+      404: { description: "Project or session not found." }
+    }
+  },
+  {
+    method: "get",
+    path: "/api/v1/projects/{name}/discover/sessions/{id}/promote",
+    summary: "Preview a discovery promotion plan (read-only)",
+    description: "Returns the payload `canonry discover promote` (PR 2) will persist: queries grouped by bucket, plus suggested new competitor domains. v1 is preview-only; the actual merge ships in PR 2.",
+    tags: ["discovery"],
+    parameters: [
+      nameParameter,
+      { name: "id", in: "path", required: true, description: "Discovery session ID.", schema: stringSchema }
+    ],
+    responses: {
+      200: { description: "Promote preview returned." },
+      404: { description: "Project or session not found." }
+    }
   }
 ];
 var canonryLocalRouteCatalog = [
@@ -17312,6 +17430,7 @@ async function listWordpressTrafficEvents(options) {
   let cursor = options.cursor;
   let rawEntryCount = 0;
   let skippedEntryCount = 0;
+  let hasMore = false;
   const events = [];
   for (let page = 0; page < maxPages; page += 1) {
     const url = new URL(endpoint);
@@ -17319,6 +17438,12 @@ async function listWordpressTrafficEvents(options) {
     if (cursor !== void 0 && cursor !== "") {
       url.searchParams.set("cursor", cursor);
     }
+    if (options.since !== void 0 && options.since !== "") {
+      url.searchParams.set("since", options.since);
+    }
+    if (options.until !== void 0 && options.until !== "") {
+      url.searchParams.set("until", options.until);
+    }
     const response = await fetch(url, {
       method: "GET",
       headers: {
@@ -17347,6 +17472,7 @@ async function listWordpressTrafficEvents(options) {
       }
     }
     cursor = body.next_cursor ?? void 0;
+    hasMore = Boolean(body.has_more) && Boolean(cursor);
     if (!body.has_more || !cursor) break;
   }
   return {
@@ -17354,6 +17480,7 @@ async function listWordpressTrafficEvents(options) {
     rawEntryCount,
     skippedEntryCount,
     nextCursor: cursor,
+    hasMore,
     endpoint
   };
 }
@@ -17363,6 +17490,8 @@ var DEFAULT_SYNC_WINDOW_MINUTES = 43200;
 var DEFAULT_PAGE_SIZE3 = 1e3;
 var DEFAULT_MAX_PAGES3 = 5;
 var DEFAULT_SAMPLE_LIMIT2 = 100;
+var DEFAULT_WP_PAGE_SIZE = 500;
+var DEFAULT_WP_MAX_PAGES = 20;
 var MAX_TRACKED_EVENT_IDS = 1e3;
 var DEFAULT_BACKFILL_DAYS = 30;
 var MAX_BACKFILL_DAYS = 30;
@@ -17404,14 +17533,10 @@ async function runBackfillTask(options) {
     runId,
     project,
     sourceRow,
-    gcpProjectId,
-    serviceName,
-    location,
-    credential,
     windowStart,
     windowEnd,
-    pullEvents,
-    resolveAccessToken: resolveAccessToken2
+    pullForBackfill,
+    pullErrorPrefix
   } = options;
   const markFailed = (msg) => {
     const failedAt = (/* @__PURE__ */ new Date()).toISOString();
@@ -17423,33 +17548,11 @@ async function runBackfillTask(options) {
     } catch {
     }
   };
-  let accessToken;
-  try {
-    accessToken = await resolveAccessToken2(credential);
-  } catch (e) {
-    markFailed(`Failed to resolve Cloud Run access token: ${e instanceof Error ? e.message : String(e)}`);
-    return;
-  }
-  const allEvents = [];
+  let allEvents;
   try {
-    const page = await pullEvents(accessToken, {
-      gcpProjectId,
-      serviceName,
-      location,
-      startTime: windowStart.toISOString(),
-      endTime: windowEnd.toISOString(),
-      pageSize: DEFAULT_PAGE_SIZE3,
-      maxPages: BACKFILL_MAX_PAGES,
-      // Backfill is intentionally `firstSync: false`. We don't want desc
-      // ordering — the in-memory rollup builder handles any order, and the
-      // ring-buffer reseed at the end takes the most-recent IDs from the
-      // dedupedEvents anyway.
-      firstSync: false,
-      orderBy: "timestamp asc"
-    });
-    allEvents.push(...page.events);
+    allEvents = await pullForBackfill();
   } catch (e) {
-    markFailed(`Cloud Run pull failed: ${e instanceof Error ? e.message : String(e)}`);
+    markFailed(`${pullErrorPrefix}: ${e instanceof Error ? e.message : String(e)}`);
     return;
   }
   if (allEvents.length === 0) {
@@ -17739,33 +17842,12 @@ async function trafficRoutes(app, opts) {
     if (!sourceRow || sourceRow.projectId !== project.id) {
       throw notFound("Traffic source", request.params.id);
     }
-    if (sourceRow.sourceType !== TrafficSourceTypes["cloud-run"]) {
+    if (sourceRow.sourceType !== TrafficSourceTypes["cloud-run"] && sourceRow.sourceType !== TrafficSourceTypes.wordpress) {
       throw validationError(
-        `Sync for source type "${sourceRow.sourceType}" is not implemented yet \u2014 only cloud-run is supported in v1.`
+        `Sync for source type "${sourceRow.sourceType}" is not implemented yet \u2014 only cloud-run and wordpress are supported in v1.`
       );
     }
-    const credentialStore = opts.cloudRunCredentialStore;
-    if (!credentialStore) {
-      throw validationError("Cloud Run credential storage is not configured for this deployment");
-    }
-    const credential = credentialStore.getConnection(project.name);
-    if (!credential) {
-      throw validationError(
-        `No Cloud Run credential found for project "${project.name}". Run "canonry traffic connect cloud-run" first.`
-      );
-    }
-    const config = parseSourceConfig(sourceRow);
-    const gcpProjectId = config.gcpProjectId ?? credential.gcpProjectId;
-    const serviceName = config.serviceName ?? credential.serviceName ?? void 0;
-    const location = config.location ?? credential.location ?? void 0;
-    const requestedMinutes = request.body?.sinceMinutes;
-    const windowMinutes = Number.isFinite(requestedMinutes) && requestedMinutes && requestedMinutes > 0 ? Math.floor(requestedMinutes) : syncWindowMinutes;
     const windowEnd = /* @__PURE__ */ new Date();
-    const requestedStartMs = windowEnd.getTime() - windowMinutes * 6e4;
-    const lastSyncedMs = sourceRow.lastSyncedAt ? new Date(sourceRow.lastSyncedAt).getTime() : Number.NEGATIVE_INFINITY;
-    const windowStart = new Date(
-      Math.min(windowEnd.getTime(), Math.max(requestedStartMs, lastSyncedMs))
-    );
     const startedAt = windowEnd.toISOString();
     const syncStartedAtMs = windowEnd.getTime();
     const runId = crypto20.randomUUID();
@@ -17799,32 +17881,100 @@ async function trafficRoutes(app, opts) {
       } catch {
       }
     };
-    let accessToken;
-    try {
-      accessToken = await resolveAccessToken2(credential);
-    } catch (e) {
-      const msg = e instanceof Error ? e.message : String(e);
-      markFailed(msg, "PROVIDER_AUTH");
-      throw providerError(`Failed to resolve Cloud Run access token: ${msg}`);
-    }
-    const isFirstSync = !sourceRow.lastSyncedAt;
-    let allEvents = [];
-    try {
-      const page = await pullEvents(accessToken, {
-        gcpProjectId,
-        serviceName,
-        location,
-        startTime: windowStart.toISOString(),
-        endTime: windowEnd.toISOString(),
-        pageSize,
-        maxPages,
-        firstSync: isFirstSync
-      });
-      allEvents = page.events;
-    } catch (e) {
-      const msg = e instanceof Error ? e.message : String(e);
-      markFailed(msg, "PROVIDER_PULL");
-      throw providerError(`Cloud Run pull failed: ${msg}`);
+    let windowStart;
+    let allEvents;
+    let nextCursor;
+    let auditAction;
+    if (sourceRow.sourceType === TrafficSourceTypes["cloud-run"]) {
+      auditAction = "traffic.cloud-run.synced";
+      const credentialStore = opts.cloudRunCredentialStore;
+      if (!credentialStore) {
+        throw validationError("Cloud Run credential storage is not configured for this deployment");
+      }
+      const credential = credentialStore.getConnection(project.name);
+      if (!credential) {
+        throw validationError(
+          `No Cloud Run credential found for project "${project.name}". Run "canonry traffic connect cloud-run" first.`
+        );
+      }
+      const config = parseSourceConfig(sourceRow);
+      const gcpProjectId = config.gcpProjectId ?? credential.gcpProjectId;
+      const serviceName = config.serviceName ?? credential.serviceName ?? void 0;
+      const location = config.location ?? credential.location ?? void 0;
+      const requestedMinutes = request.body?.sinceMinutes;
+      const windowMinutes = Number.isFinite(requestedMinutes) && requestedMinutes && requestedMinutes > 0 ? Math.floor(requestedMinutes) : syncWindowMinutes;
+      const requestedStartMs = windowEnd.getTime() - windowMinutes * 6e4;
+      const lastSyncedMs = sourceRow.lastSyncedAt ? new Date(sourceRow.lastSyncedAt).getTime() : Number.NEGATIVE_INFINITY;
+      windowStart = new Date(
+        Math.min(windowEnd.getTime(), Math.max(requestedStartMs, lastSyncedMs))
+      );
+      let accessToken;
+      try {
+        accessToken = await resolveAccessToken2(credential);
+      } catch (e) {
+        const msg = e instanceof Error ? e.message : String(e);
+        markFailed(msg, "PROVIDER_AUTH");
+        throw providerError(`Failed to resolve Cloud Run access token: ${msg}`);
+      }
+      const isFirstSync = !sourceRow.lastSyncedAt;
+      try {
+        const page = await pullEvents(accessToken, {
+          gcpProjectId,
+          serviceName,
+          location,
+          startTime: windowStart.toISOString(),
+          endTime: windowEnd.toISOString(),
+          pageSize,
+          maxPages,
+          firstSync: isFirstSync
+        });
+        allEvents = page.events;
+      } catch (e) {
+        const msg = e instanceof Error ? e.message : String(e);
+        markFailed(msg, "PROVIDER_PULL");
+        throw providerError(`Cloud Run pull failed: ${msg}`);
+      }
+    } else {
+      auditAction = "traffic.wordpress.synced";
+      const credentialStore = opts.wordpressTrafficCredentialStore;
+      if (!credentialStore) {
+        throw validationError("WordPress traffic credential storage is not configured for this deployment");
+      }
+      const credential = credentialStore.getConnection(project.name);
+      if (!credential) {
+        app.db.delete(runs).where(eq23(runs.id, runId)).run();
+        throw validationError(
+          `No WordPress credential found for project "${project.name}". Run "canonry traffic connect wordpress" first.`
+        );
+      }
+      windowStart = sourceRow.lastSyncedAt ? new Date(sourceRow.lastSyncedAt) : windowEnd;
+      const wpPageSize = opts.defaultWordpressPageSize ?? DEFAULT_WP_PAGE_SIZE;
+      const wpMaxPages = opts.defaultWordpressMaxPages ?? DEFAULT_WP_MAX_PAGES;
+      const collected = [];
+      let cursor = sourceRow.lastCursor ?? void 0;
+      try {
+        for (let page = 0; page < wpMaxPages; page += 1) {
+          const pageResult = await pullWordpressEvents({
+            baseUrl: credential.baseUrl,
+            username: credential.username,
+            applicationPassword: credential.applicationPassword,
+            cursor,
+            pageSize: wpPageSize,
+            maxPages: 1
+          });
+          collected.push(...pageResult.events);
+          const previousCursor = cursor;
+          cursor = pageResult.nextCursor;
+          if (!pageResult.hasMore) break;
+          if (!cursor || cursor === previousCursor) break;
+        }
+        allEvents = collected;
+        nextCursor = cursor;
+      } catch (e) {
+        const msg = e instanceof Error ? e.message : String(e);
+        markFailed(msg, "PROVIDER_PULL");
+        throw providerError(`WordPress pull failed: ${msg}`);
+      }
     }
     let crawlerBucketRows = 0;
     let aiReferralBucketRows = 0;
@@ -17951,7 +18101,7 @@ async function trafficRoutes(app, opts) {
         }).run();
         sampleRows += 1;
       }
-      tx.update(trafficSources).set({
+      const sourceUpdate = {
         status: TrafficSourceStatuses.connected,
         // Advance to windowEnd, not finishedAt — events arriving at the
         // source between windowEnd and finishedAt aren't in this pull's
@@ -17961,13 +18111,17 @@ async function trafficRoutes(app, opts) {
         lastError: null,
         lastEventIds: JSON.stringify(nextEventIds),
         updatedAt: finishedAt
-      }).where(eq23(trafficSources.id, sourceRow.id)).run();
+      };
+      if (sourceRow.sourceType === TrafficSourceTypes.wordpress) {
+        sourceUpdate.lastCursor = nextCursor ?? null;
+      }
+      tx.update(trafficSources).set(sourceUpdate).where(eq23(trafficSources.id, sourceRow.id)).run();
       tx.update(runs).set({ status: RunStatuses.completed, finishedAt }).where(eq23(runs.id, runId)).run();
     });
     writeAuditLog(app.db, {
       projectId: project.id,
       actor: "api",
-      action: "traffic.cloud-run.synced",
+      action: auditAction,
       entityType: "traffic_source",
       entityId: sourceRow.id
     });
@@ -18005,19 +18159,9 @@ async function trafficRoutes(app, opts) {
     if (!sourceRow || sourceRow.projectId !== project.id) {
       throw notFound("Traffic source", request.params.id);
     }
-    if (sourceRow.sourceType !== TrafficSourceTypes["cloud-run"]) {
+    if (sourceRow.sourceType !== TrafficSourceTypes["cloud-run"] && sourceRow.sourceType !== TrafficSourceTypes.wordpress) {
       throw validationError(
-        `Backfill for source type "${sourceRow.sourceType}" is not implemented yet \u2014 only cloud-run is supported in v1.`
-      );
-    }
-    const credentialStore = opts.cloudRunCredentialStore;
-    if (!credentialStore) {
-      throw validationError("Cloud Run credential storage is not configured for this deployment");
-    }
-    const credential = credentialStore.getConnection(project.name);
-    if (!credential) {
-      throw validationError(
-        `No Cloud Run credential found for project "${project.name}". Run "canonry traffic connect cloud-run" first.`
+        `Backfill for source type "${sourceRow.sourceType}" is not implemented yet \u2014 only cloud-run and wordpress are supported in v1.`
       );
     }
     const requestedDays = request.body?.days ?? DEFAULT_BACKFILL_DAYS;
@@ -18025,13 +18169,86 @@ async function trafficRoutes(app, opts) {
       throw validationError('"days" must be a positive integer');
     }
     const appliedDays = Math.min(requestedDays, MAX_BACKFILL_DAYS);
-    const config = parseSourceConfig(sourceRow);
-    const gcpProjectId = config.gcpProjectId ?? credential.gcpProjectId;
-    const serviceName = config.serviceName ?? credential.serviceName ?? void 0;
-    const location = config.location ?? credential.location ?? void 0;
     const windowEnd = /* @__PURE__ */ new Date();
     const windowStart = new Date(windowEnd.getTime() - appliedDays * 864e5);
     windowStart.setUTCMinutes(0, 0, 0);
+    let pullForBackfill;
+    let pullErrorPrefix;
+    if (sourceRow.sourceType === TrafficSourceTypes["cloud-run"]) {
+      const credentialStore = opts.cloudRunCredentialStore;
+      if (!credentialStore) {
+        throw validationError("Cloud Run credential storage is not configured for this deployment");
+      }
+      const credential = credentialStore.getConnection(project.name);
+      if (!credential) {
+        throw validationError(
+          `No Cloud Run credential found for project "${project.name}". Run "canonry traffic connect cloud-run" first.`
+        );
+      }
+      const config = parseSourceConfig(sourceRow);
+      const gcpProjectId = config.gcpProjectId ?? credential.gcpProjectId;
+      const serviceName = config.serviceName ?? credential.serviceName ?? void 0;
+      const location = config.location ?? credential.location ?? void 0;
+      pullErrorPrefix = "Cloud Run pull failed";
+      pullForBackfill = async () => {
+        const accessToken = await resolveAccessToken2(credential);
+        const page = await pullEvents(accessToken, {
+          gcpProjectId,
+          serviceName,
+          location,
+          startTime: windowStart.toISOString(),
+          endTime: windowEnd.toISOString(),
+          pageSize: DEFAULT_PAGE_SIZE3,
+          maxPages: BACKFILL_MAX_PAGES,
+          // Backfill is intentionally `firstSync: false`. We don't want desc
+          // ordering — the in-memory rollup builder handles any order, and the
+          // ring-buffer reseed at the end takes the most-recent IDs from the
+          // dedupedEvents anyway.
+          firstSync: false,
+          orderBy: "timestamp asc"
+        });
+        return page.events;
+      };
+    } else {
+      const credentialStore = opts.wordpressTrafficCredentialStore;
+      if (!credentialStore) {
+        throw validationError("WordPress traffic credential storage is not configured for this deployment");
+      }
+      const credential = credentialStore.getConnection(project.name);
+      if (!credential) {
+        throw validationError(
+          `No WordPress credential found for project "${project.name}". Run "canonry traffic connect wordpress" first.`
+        );
+      }
+      const wpPageSize = opts.defaultWordpressPageSize ?? DEFAULT_WP_PAGE_SIZE;
+      pullErrorPrefix = "WordPress pull failed";
+      pullForBackfill = async () => {
+        const collected = [];
+        const windowStartIso = windowStart.toISOString();
+        const windowEndIso = windowEnd.toISOString();
+        let cursor = void 0;
+        for (let page = 0; page < BACKFILL_MAX_PAGES; page += 1) {
+          const pageResult = await pullWordpressEvents({
+            baseUrl: credential.baseUrl,
+            username: credential.username,
+            applicationPassword: credential.applicationPassword,
+            cursor,
+            pageSize: wpPageSize,
+            // Each call fetches a single page; the for-loop drives
+            // continuation. Matches the WP sync path's pattern.
+            maxPages: 1,
+            since: windowStartIso,
+            until: windowEndIso
+          });
+          collected.push(...pageResult.events);
+          const previousCursor = cursor;
+          cursor = pageResult.nextCursor;
+          if (!pageResult.hasMore) break;
+          if (!cursor || cursor === previousCursor) break;
+        }
+        return collected;
+      };
+    }
     const startedAt = windowEnd.toISOString();
     const runId = crypto20.randomUUID();
     app.db.insert(runs).values({
@@ -18049,15 +18266,10 @@ async function trafficRoutes(app, opts) {
       runId,
       project,
       sourceRow,
-      gcpProjectId,
-      serviceName,
-      location,
-      credential,
       windowStart,
       windowEnd,
-      appliedDays,
-      pullEvents,
-      resolveAccessToken: resolveAccessToken2
+      pullForBackfill,
+      pullErrorPrefix
     }).catch(() => {
     });
     const response = {
@@ -19288,6 +19500,298 @@ async function doctorRoutes(app, opts) {
   });
 }
 
+// ../api-routes/src/discovery/routes.ts
+import crypto21 from "crypto";
+import { eq as eq25, desc as desc13 } from "drizzle-orm";
+async function discoveryRoutes(app, opts) {
+  app.post("/projects/:name/discover/run", async (request, reply) => {
+    const project = resolveProject(app.db, request.params.name);
+    const parsed = discoveryRunRequestSchema.safeParse(request.body ?? {});
+    if (!parsed.success) {
+      throw validationError("Invalid discovery run request", {
+        issues: parsed.error.issues.map((issue) => ({
+          path: issue.path.join("."),
+          message: issue.message
+        }))
+      });
+    }
+    const icpDescription = parsed.data.icpDescription?.trim() || (project.icpDescription ?? "").trim();
+    if (!icpDescription) {
+      throw validationError(
+        "icpDescription is required. Pass it in the request body or store it on the project (spec.icpDescription)."
+      );
+    }
+    if (!opts.onDiscoveryRunRequested) {
+      throw validationError("Discovery is not available on this deployment.", {
+        reason: "no-discovery-handler"
+      });
+    }
+    const now = (/* @__PURE__ */ new Date()).toISOString();
+    const sessionId = crypto21.randomUUID();
+    const runId = crypto21.randomUUID();
+    app.db.transaction((tx) => {
+      tx.insert(discoverySessions).values({
+        id: sessionId,
+        projectId: project.id,
+        runId,
+        status: DiscoverySessionStatuses.queued,
+        icpDescription,
+        dedupThreshold: parsed.data.dedupThreshold,
+        competitorMap: "[]",
+        createdAt: now
+      }).run();
+      tx.insert(runs).values({
+        id: runId,
+        projectId: project.id,
+        kind: RunKinds["aeo-discover-probe"],
+        status: RunStatuses.queued,
+        trigger: RunTriggers.manual,
+        createdAt: now
+      }).run();
+      writeAuditLog(tx, {
+        projectId: project.id,
+        actor: "api",
+        action: "discovery.created",
+        entityType: "discovery_session",
+        entityId: sessionId
+      });
+    });
+    opts.onDiscoveryRunRequested({
+      runId,
+      sessionId,
+      projectId: project.id,
+      icpDescription,
+      dedupThreshold: parsed.data.dedupThreshold,
+      maxProbes: parsed.data.maxProbes
+    });
+    return reply.status(201).send({ runId, sessionId, status: "running" });
+  });
+  app.get(
+    "/projects/:name/discover/sessions",
+    async (request, reply) => {
+      const project = resolveProject(app.db, request.params.name);
+      const parsedLimit = parseInt(request.query.limit ?? "", 10);
+      const limit = Number.isNaN(parsedLimit) || parsedLimit <= 0 ? 50 : parsedLimit;
+      const rows = app.db.select().from(discoverySessions).where(eq25(discoverySessions.projectId, project.id)).orderBy(desc13(discoverySessions.createdAt)).limit(limit).all();
+      return reply.send(rows.map(serializeSession));
+    }
+  );
+  app.get(
+    "/projects/:name/discover/sessions/:id",
+    async (request, reply) => {
+      const project = resolveProject(app.db, request.params.name);
+      const session = app.db.select().from(discoverySessions).where(eq25(discoverySessions.id, request.params.id)).get();
+      if (!session || session.projectId !== project.id) {
+        throw notFound("Discovery session", request.params.id);
+      }
+      const probeRows = app.db.select().from(discoveryProbes).where(eq25(discoveryProbes.sessionId, session.id)).all();
+      const detail = {
+        ...serializeSession(session),
+        probes: probeRows.map(serializeProbe)
+      };
+      return reply.send(detail);
+    }
+  );
+  app.get(
+    "/projects/:name/discover/sessions/:id/promote",
+    async (request, reply) => {
+      const project = resolveProject(app.db, request.params.name);
+      const session = app.db.select().from(discoverySessions).where(eq25(discoverySessions.id, request.params.id)).get();
+      if (!session || session.projectId !== project.id) {
+        throw notFound("Discovery session", request.params.id);
+      }
+      const probeRows = app.db.select().from(discoveryProbes).where(eq25(discoveryProbes.sessionId, session.id)).all();
+      const existingCompetitors = app.db.select({ domain: competitors.domain }).from(competitors).where(eq25(competitors.projectId, project.id)).all().map((r) => r.domain.toLowerCase());
+      const seenCompetitors = new Set(existingCompetitors);
+      const cited = /* @__PURE__ */ new Set();
+      const aspirational = /* @__PURE__ */ new Set();
+      const wasted = /* @__PURE__ */ new Set();
+      for (const probe of probeRows) {
+        const bucket = probe.bucket;
+        if (!bucket) continue;
+        if (bucket === DiscoveryBuckets.cited) cited.add(probe.query);
+        else if (bucket === DiscoveryBuckets.aspirational) aspirational.add(probe.query);
+        else if (bucket === DiscoveryBuckets["wasted-surface"]) wasted.add(probe.query);
+      }
+      const competitorMap = parseJsonColumn(session.competitorMap, []);
+      const newCompetitors = competitorMap.filter((entry) => !seenCompetitors.has(entry.domain.toLowerCase())).slice(0, 20);
+      return reply.send({
+        sessionId: session.id,
+        projectId: project.id,
+        queriesByBucket: {
+          cited: Array.from(cited).sort(),
+          aspirational: Array.from(aspirational).sort(),
+          "wasted-surface": Array.from(wasted).sort()
+        },
+        suggestedCompetitors: newCompetitors,
+        status: session.status
+      });
+    }
+  );
+}
+function serializeSession(row) {
+  return {
+    id: row.id,
+    projectId: row.projectId,
+    status: row.status,
+    icpDescription: row.icpDescription ?? null,
+    seedProvider: row.seedProvider ?? null,
+    seedCountRaw: row.seedCountRaw ?? null,
+    seedCount: row.seedCount ?? null,
+    dedupThreshold: row.dedupThreshold ?? null,
+    probeCount: row.probeCount ?? null,
+    citedCount: row.citedCount ?? null,
+    aspirationalCount: row.aspirationalCount ?? null,
+    wastedCount: row.wastedCount ?? null,
+    competitorMap: parseJsonColumn(row.competitorMap, []),
+    error: row.error ?? null,
+    startedAt: row.startedAt ?? null,
+    finishedAt: row.finishedAt ?? null,
+    createdAt: row.createdAt
+  };
+}
+function serializeProbe(row) {
+  const bucketParsed = row.bucket ? discoveryBucketSchema.safeParse(row.bucket) : null;
+  const stateParsed = citationStateSchema.safeParse(row.citationState);
+  return {
+    id: row.id,
+    sessionId: row.sessionId,
+    projectId: row.projectId,
+    query: row.query,
+    bucket: bucketParsed?.success ? bucketParsed.data : null,
+    citationState: stateParsed.success ? stateParsed.data : "not-cited",
+    citedDomains: parseJsonColumn(row.citedDomains, []),
+    createdAt: row.createdAt
+  };
+}
+
+// ../api-routes/src/discovery/orchestrate.ts
+import crypto22 from "crypto";
+import { eq as eq26 } from "drizzle-orm";
+var DEFAULT_DEDUP_THRESHOLD = 0.85;
+var DEFAULT_MAX_PROBES = 100;
+var ABSOLUTE_MAX_PROBES = 500;
+function classifyProbeBucket(input) {
+  const cited = new Set(input.citedDomains.map((d) => d.toLowerCase()));
+  const canonicalHit = input.project.canonicalDomains.some((d) => cited.has(d.toLowerCase()));
+  if (canonicalHit) return DiscoveryBuckets.cited;
+  const competitorHit = input.project.competitorDomains.some((d) => cited.has(d.toLowerCase()));
+  if (competitorHit) return DiscoveryBuckets["wasted-surface"];
+  return DiscoveryBuckets.aspirational;
+}
+function buildCompetitorMap(probes, project) {
+  const canonical = new Set(project.canonicalDomains.map((d) => d.toLowerCase()));
+  const counts = /* @__PURE__ */ new Map();
+  for (const probe of probes) {
+    const seenInProbe = /* @__PURE__ */ new Set();
+    for (const raw of probe.citedDomains) {
+      const domain = raw.toLowerCase();
+      if (canonical.has(domain)) continue;
+      if (seenInProbe.has(domain)) continue;
+      seenInProbe.add(domain);
+      counts.set(domain, (counts.get(domain) ?? 0) + 1);
+    }
+  }
+  return Array.from(counts.entries()).map(([domain, hits]) => ({ domain, hits })).sort((a, b) => b.hits - a.hits || a.domain.localeCompare(b.domain));
+}
+async function pickCanonicals(candidates, deps, dedupThreshold) {
+  if (candidates.length === 0) return [];
+  if (candidates.length === 1) return candidates;
+  const vectors = await deps.embed(candidates);
+  const clusters = clusterByCosine(candidates, vectors, dedupThreshold);
+  return clusters.map(pickClusterRepresentative);
+}
+async function executeDiscovery(opts) {
+  const dedupThreshold = opts.dedupThreshold ?? DEFAULT_DEDUP_THRESHOLD;
+  const requestedMax = opts.maxProbes ?? DEFAULT_MAX_PROBES;
+  const maxProbes = Math.min(Math.max(1, requestedMax), ABSOLUTE_MAX_PROBES);
+  const startedAt = (/* @__PURE__ */ new Date()).toISOString();
+  opts.db.update(discoverySessions).set({
+    status: DiscoverySessionStatuses.seeding,
+    dedupThreshold,
+    startedAt
+  }).where(eq26(discoverySessions.id, opts.sessionId)).run();
+  const seedResult = await opts.deps.seed({
+    project: opts.project,
+    icpDescription: opts.icpDescription
+  });
+  const rawCandidates = dedupeStrings(seedResult.candidates);
+  const seedCountRaw = rawCandidates.length;
+  const canonicals = await pickCanonicals(
+    rawCandidates,
+    { embed: opts.deps.embed },
+    dedupThreshold
+  );
+  const probedCanonicals = canonicals.slice(0, maxProbes);
+  const seedCount = probedCanonicals.length;
+  opts.db.update(discoverySessions).set({
+    status: DiscoverySessionStatuses.probing,
+    seedProvider: seedResult.provider,
+    seedCountRaw,
+    seedCount
+  }).where(eq26(discoverySessions.id, opts.sessionId)).run();
+  const probeRows = [];
+  const buckets = { cited: 0, aspirational: 0, "wasted-surface": 0 };
+  for (const query of probedCanonicals) {
+    const probe = await opts.deps.probe({ project: opts.project, query });
+    const bucket = classifyProbeBucket({
+      citationState: probe.citationState,
+      citedDomains: probe.citedDomains,
+      project: opts.project
+    });
+    probeRows.push({ citedDomains: probe.citedDomains, bucket });
+    buckets[bucket]++;
+    opts.db.insert(discoveryProbes).values({
+      id: crypto22.randomUUID(),
+      sessionId: opts.sessionId,
+      projectId: opts.project.id,
+      query,
+      bucket,
+      citationState: probe.citationState,
+      citedDomains: JSON.stringify(probe.citedDomains),
+      rawResponse: JSON.stringify(probe.rawResponse),
+      createdAt: (/* @__PURE__ */ new Date()).toISOString()
+    }).run();
+  }
+  const competitorMap = buildCompetitorMap(probeRows, opts.project);
+  opts.db.update(discoverySessions).set({
+    status: DiscoverySessionStatuses.completed,
+    probeCount: probedCanonicals.length,
+    citedCount: buckets.cited,
+    aspirationalCount: buckets.aspirational,
+    wastedCount: buckets["wasted-surface"],
+    competitorMap: JSON.stringify(competitorMap),
+    finishedAt: (/* @__PURE__ */ new Date()).toISOString()
+  }).where(eq26(discoverySessions.id, opts.sessionId)).run();
+  return {
+    buckets,
+    competitorMap,
+    seedCountRaw,
+    seedCount,
+    seedProvider: seedResult.provider
+  };
+}
+function markSessionFailed(db, sessionId, error) {
+  db.update(discoverySessions).set({
+    status: DiscoverySessionStatuses.failed,
+    error,
+    finishedAt: (/* @__PURE__ */ new Date()).toISOString()
+  }).where(eq26(discoverySessions.id, sessionId)).run();
+}
+function dedupeStrings(input) {
+  const seen = /* @__PURE__ */ new Set();
+  const out = [];
+  for (const raw of input) {
+    const trimmed = raw.trim();
+    if (!trimmed) continue;
+    const key = trimmed.toLowerCase();
+    if (seen.has(key)) continue;
+    seen.add(key);
+    out.push(trimmed);
+  }
+  return out;
+}
+
 // ../api-routes/src/index.ts
 async function apiRoutes(app, opts) {
   app.decorate("db", opts.db);
@@ -19418,6 +19922,9 @@ async function apiRoutes(app, opts) {
       listCachedReleases: opts.listCachedReleases,
       discoverLatestRelease: opts.discoverLatestRelease
     });
+    await api.register(discoveryRoutes, {
+      onDiscoveryRunRequested: opts.onDiscoveryRunRequested
+    });
     await api.register(doctorRoutes, {
       googleConnectionStore: opts.googleConnectionStore,
       bingConnectionStore: opts.bingConnectionStore,
@@ -19834,6 +20341,54 @@ function responseToRecord(response) {
   }
 }
 
+// ../provider-gemini/src/embeddings.ts
+import { GoogleGenAI as GoogleGenAI2 } from "@google/genai";
+var DEFAULT_EMBED_MODEL = "gemini-embedding-001";
+var DEFAULT_OUTPUT_DIMENSIONALITY = 768;
+var CLUSTERING_TASK_TYPE = "CLUSTERING";
+async function embedQueries(queries2, options) {
+  if (queries2.length === 0) return [];
+  if (!options.apiKey && !options.client) {
+    throw new Error("embedQueries: missing apiKey");
+  }
+  const client = options.client ?? createGeminiEmbedClient(options.apiKey);
+  return client.embedBatch(queries2, {
+    model: options.model ?? DEFAULT_EMBED_MODEL,
+    taskType: CLUSTERING_TASK_TYPE,
+    outputDimensionality: options.outputDimensionality ?? DEFAULT_OUTPUT_DIMENSIONALITY
+  });
+}
+function extractEmbeddingVectors(response, expectedLength) {
+  const embeddings = response?.embeddings ?? [];
+  if (embeddings.length !== expectedLength) {
+    throw new Error(
+      `embedQueries: expected ${expectedLength} embeddings, got ${embeddings.length}`
+    );
+  }
+  return embeddings.map((e, i) => {
+    if (!e.values || e.values.length === 0) {
+      throw new Error(`embedQueries: missing values for query at index ${i}`);
+    }
+    return e.values;
+  });
+}
+function createGeminiEmbedClient(apiKey) {
+  const genai = new GoogleGenAI2({ apiKey });
+  return {
+    async embedBatch(queries2, opts) {
+      const response = await genai.models.embedContent({
+        model: opts.model,
+        contents: queries2,
+        config: {
+          taskType: opts.taskType,
+          outputDimensionality: opts.outputDimensionality
+        }
+      });
+      return extractEmbeddingVectors(response, queries2.length);
+    }
+  };
+}
+
 // ../provider-gemini/src/adapter.ts
 function toGeminiConfig(config) {
   return {
@@ -22038,14 +22593,14 @@ function removeWordpressConnection(config, projectName) {
 }
 
 // src/job-runner.ts
-import crypto22 from "crypto";
+import crypto24 from "crypto";
 import fs7 from "fs";
 import path9 from "path";
 import os5 from "os";
-import { and as and16, eq as eq25, inArray as inArray7, sql as sql10 } from "drizzle-orm";
+import { and as and16, eq as eq27, inArray as inArray7, sql as sql10 } from "drizzle-orm";
 
 // src/run-telemetry.ts
-import crypto21 from "crypto";
+import crypto23 from "crypto";
 function extractRegistrableHost(input) {
   if (!input) return null;
   const trimmed = input.trim();
@@ -22065,7 +22620,7 @@ function extractRegistrableHost(input) {
 function hashDomain(input) {
   const host = extractRegistrableHost(input);
   if (!host) return null;
-  return crypto21.createHash("sha256").update(host).digest("hex");
+  return crypto23.createHash("sha256").update(host).digest("hex");
 }
 function buildRunCompletedProps(input) {
   const totalMs = input.phases?.total_ms ?? Date.now() - input.startTime;
@@ -22387,7 +22942,7 @@ var JobRunner = class {
     if (stale.length === 0) return;
     const now = (/* @__PURE__ */ new Date()).toISOString();
     for (const run of stale) {
-      this.db.update(runs).set({ status: "failed", finishedAt: now, error: "Server restarted while run was in progress" }).where(eq25(runs.id, run.id)).run();
+      this.db.update(runs).set({ status: "failed", finishedAt: now, error: "Server restarted while run was in progress" }).where(eq27(runs.id, run.id)).run();
       log.warn("run.recovered-stale", { runId: run.id, previousStatus: run.status });
     }
   }
@@ -22421,10 +22976,10 @@ var JobRunner = class {
         throw new Error(`Run ${runId} is not executable from status '${existingRun.status}'`);
       }
       if (existingRun.status === "queued") {
-        this.db.update(runs).set({ status: "running", startedAt: now }).where(and16(eq25(runs.id, runId), eq25(runs.status, "queued"))).run();
+        this.db.update(runs).set({ status: "running", startedAt: now }).where(and16(eq27(runs.id, runId), eq27(runs.status, "queued"))).run();
       }
       this.throwIfRunCancelled(runId);
-      const project = this.db.select().from(projects).where(eq25(projects.id, projectId)).get();
+      const project = this.db.select().from(projects).where(eq27(projects.id, projectId)).get();
       if (!project) {
         throw new Error(`Project ${projectId} not found`);
       }
@@ -22445,8 +23000,9 @@ var JobRunner = class {
         throw new Error("No providers configured. Add at least one provider API key.");
       }
       log.info("run.dispatch", { runId, providerCount: activeProviders.length, providers: activeProviders.map((p) => p.adapter.name) });
-      projectQueries = this.db.select().from(queries).where(eq25(queries.projectId, projectId)).all();
-      const projectCompetitors = this.db.select().from(competitors).where(eq25(competitors.projectId, projectId)).all();
+      const scopedQueryNames = parseJsonColumn(existingRun.queries, null);
+      projectQueries = scopedQueryNames ? this.db.select().from(queries).where(and16(eq27(queries.projectId, projectId), inArray7(queries.query, scopedQueryNames))).all() : this.db.select().from(queries).where(eq27(queries.projectId, projectId)).all();
+      const projectCompetitors = this.db.select().from(competitors).where(eq27(competitors.projectId, projectId)).all();
       const competitorDomains = projectCompetitors.map((c) => c.domain);
       const allDomains = effectiveDomains({
         canonicalDomain: project.canonicalDomain,
@@ -22464,7 +23020,7 @@ var JobRunner = class {
       const todayPeriod = getCurrentUsageDay();
       for (const p of activeProviders) {
         const providerScope = `${projectId}:${p.adapter.name}`;
-        const providerUsage = this.db.select().from(usageCounters).where(eq25(usageCounters.scope, providerScope)).all().filter((r) => r.period === todayPeriod && r.metric === "queries").reduce((sum, r) => sum + r.count, 0);
+        const providerUsage = this.db.select().from(usageCounters).where(eq27(usageCounters.scope, providerScope)).all().filter((r) => r.period === todayPeriod && r.metric === "queries").reduce((sum, r) => sum + r.count, 0);
         const limit = p.config.quotaPolicy.maxRequestsPerDay;
         if (providerUsage + queriesPerProvider > limit) {
           throw new Error(
@@ -22524,7 +23080,7 @@ var JobRunner = class {
             );
             let screenshotRelPath = null;
             if (raw.screenshotPath && fs7.existsSync(raw.screenshotPath)) {
-              const snapshotId = crypto22.randomUUID();
+              const snapshotId = crypto24.randomUUID();
               const screenshotDir = path9.join(os5.homedir(), ".canonry", "screenshots", runId);
               if (!fs7.existsSync(screenshotDir)) fs7.mkdirSync(screenshotDir, { recursive: true });
               const destPath = path9.join(screenshotDir, `${snapshotId}.png`);
@@ -22554,7 +23110,7 @@ var JobRunner = class {
               }).run();
             } else {
               this.db.insert(querySnapshots).values({
-                id: crypto22.randomUUID(),
+                id: crypto24.randomUUID(),
                 runId,
                 queryId: q.id,
                 provider: providerName,
@@ -22607,12 +23163,12 @@ var JobRunner = class {
       const someFailed = providerErrors.size > 0;
       if (allFailed) {
         const errorDetail = serializeRunError(buildRunErrorFromMessages(providerErrors));
-        this.db.update(runs).set({ status: "failed", finishedAt: (/* @__PURE__ */ new Date()).toISOString(), error: errorDetail }).where(eq25(runs.id, runId)).run();
+        this.db.update(runs).set({ status: "failed", finishedAt: (/* @__PURE__ */ new Date()).toISOString(), error: errorDetail }).where(eq27(runs.id, runId)).run();
       } else if (someFailed) {
         const errorDetail = serializeRunError(buildRunErrorFromMessages(providerErrors));
-        this.db.update(runs).set({ status: "partial", finishedAt: (/* @__PURE__ */ new Date()).toISOString(), error: errorDetail }).where(eq25(runs.id, runId)).run();
+        this.db.update(runs).set({ status: "partial", finishedAt: (/* @__PURE__ */ new Date()).toISOString(), error: errorDetail }).where(eq27(runs.id, runId)).run();
       } else {
-        this.db.update(runs).set({ status: "completed", finishedAt: (/* @__PURE__ */ new Date()).toISOString() }).where(eq25(runs.id, runId)).run();
+        this.db.update(runs).set({ status: "completed", finishedAt: (/* @__PURE__ */ new Date()).toISOString() }).where(eq27(runs.id, runId)).run();
       }
       this.flushProviderUsage(projectId, providerDispatchCounts);
       const finalStatus = allFailed ? "failed" : someFailed ? "partial" : "completed";
@@ -22658,7 +23214,7 @@ var JobRunner = class {
         status: "failed",
         finishedAt: (/* @__PURE__ */ new Date()).toISOString(),
         error: errorMessage
-      }).where(eq25(runs.id, runId)).run();
+      }).where(eq27(runs.id, runId)).run();
       this.flushProviderUsage(projectId, providerDispatchCounts);
       const abortReason = classifyRunAbortReason(errorMessage);
       const phases = buildPhases({ startTime, providerCallStart, providerCallEnd });
@@ -22703,7 +23259,7 @@ var JobRunner = class {
     const now = (/* @__PURE__ */ new Date()).toISOString();
     const period = now.slice(0, 10);
     this.db.insert(usageCounters).values({
-      id: crypto22.randomUUID(),
+      id: crypto24.randomUUID(),
       scope,
       period,
       metric,
@@ -22725,8 +23281,9 @@ var JobRunner = class {
       status: runs.status,
       finishedAt: runs.finishedAt,
       error: runs.error,
-      trigger: runs.trigger
-    }).from(runs).where(eq25(runs.id, runId)).get();
+      trigger: runs.trigger,
+      queries: runs.queries
+    }).from(runs).where(eq27(runs.id, runId)).get();
   }
   isRunCancelled(runId) {
     return this.getRunState(runId)?.status === "cancelled";
@@ -22742,7 +23299,7 @@ var JobRunner = class {
       this.db.update(runs).set({
         finishedAt: (/* @__PURE__ */ new Date()).toISOString(),
         error: currentRun.error ?? "Cancelled by user"
-      }).where(eq25(runs.id, runId)).run();
+      }).where(eq27(runs.id, runId)).run();
     }
     trackEvent(
       "run.completed",
@@ -22779,8 +23336,8 @@ function buildPhases(input) {
 }
 
 // src/gsc-sync.ts
-import crypto23 from "crypto";
-import { eq as eq26, and as and17, sql as sql11 } from "drizzle-orm";
+import crypto25 from "crypto";
+import { eq as eq28, and as and17, sql as sql11 } from "drizzle-orm";
 var log2 = createLogger("GscSync");
 function formatDate3(d) {
   return d.toISOString().split("T")[0];
@@ -22792,13 +23349,13 @@ function daysAgo(n) {
 }
 async function executeGscSync(db, runId, projectId, opts) {
   const now = (/* @__PURE__ */ new Date()).toISOString();
-  db.update(runs).set({ status: "running", startedAt: now }).where(eq26(runs.id, runId)).run();
+  db.update(runs).set({ status: "running", startedAt: now }).where(eq28(runs.id, runId)).run();
   try {
     const { clientId: googleClientId, clientSecret: googleClientSecret } = getGoogleAuthConfig(opts.config);
     if (!googleClientId || !googleClientSecret) {
       throw new Error("Google OAuth is not configured in the local Canonry config");
     }
-    const project = db.select().from(projects).where(eq26(projects.id, projectId)).get();
+    const project = db.select().from(projects).where(eq28(projects.id, projectId)).get();
     if (!project) {
       throw new Error(`Project not found: ${projectId}`);
     }
@@ -22833,7 +23390,7 @@ async function executeGscSync(db, runId, projectId, opts) {
     log2.info("fetch.complete", { runId, projectId, rowCount: rows.length });
     db.delete(gscSearchData).where(
       and17(
-        eq26(gscSearchData.projectId, projectId),
+        eq28(gscSearchData.projectId, projectId),
         sql11`${gscSearchData.date} >= ${startDate}`,
         sql11`${gscSearchData.date} <= ${endDate}`
       )
@@ -22845,7 +23402,7 @@ async function executeGscSync(db, runId, projectId, opts) {
       for (const row of batch) {
         const [query, page, country, device, date] = row.keys;
         db.insert(gscSearchData).values({
-          id: crypto23.randomUUID(),
+          id: crypto25.randomUUID(),
           projectId,
           syncRunId: runId,
           date: date ?? "",
@@ -22879,7 +23436,7 @@ async function executeGscSync(db, runId, projectId, opts) {
         const rich = ir.richResultsResult;
         const inspectedAt = (/* @__PURE__ */ new Date()).toISOString();
         db.insert(gscUrlInspections).values({
-          id: crypto23.randomUUID(),
+          id: crypto25.randomUUID(),
           projectId,
           syncRunId: runId,
           url: pageUrl,
@@ -22900,7 +23457,7 @@ async function executeGscSync(db, runId, projectId, opts) {
         log2.error("inspect.url-failed", { runId, projectId, url: pageUrl, error: err instanceof Error ? err.message : String(err) });
       }
     }
-    const allInspections = db.select().from(gscUrlInspections).where(eq26(gscUrlInspections.projectId, projectId)).all();
+    const allInspections = db.select().from(gscUrlInspections).where(eq28(gscUrlInspections.projectId, projectId)).all();
     const latestByUrl = /* @__PURE__ */ new Map();
     for (const row of allInspections) {
       const existing = latestByUrl.get(row.url);
@@ -22921,9 +23478,9 @@ async function executeGscSync(db, runId, projectId, opts) {
       }
     }
     const snapshotDate = formatDate3(/* @__PURE__ */ new Date());
-    db.delete(gscCoverageSnapshots).where(and17(eq26(gscCoverageSnapshots.projectId, projectId), eq26(gscCoverageSnapshots.date, snapshotDate))).run();
+    db.delete(gscCoverageSnapshots).where(and17(eq28(gscCoverageSnapshots.projectId, projectId), eq28(gscCoverageSnapshots.date, snapshotDate))).run();
     db.insert(gscCoverageSnapshots).values({
-      id: crypto23.randomUUID(),
+      id: crypto25.randomUUID(),
       projectId,
       syncRunId: runId,
       date: snapshotDate,
@@ -22932,19 +23489,19 @@ async function executeGscSync(db, runId, projectId, opts) {
       reasonBreakdown: JSON.stringify(reasonCounts),
       createdAt: (/* @__PURE__ */ new Date()).toISOString()
     }).run();
-    db.update(runs).set({ status: "completed", finishedAt: (/* @__PURE__ */ new Date()).toISOString() }).where(eq26(runs.id, runId)).run();
+    db.update(runs).set({ status: "completed", finishedAt: (/* @__PURE__ */ new Date()).toISOString() }).where(eq28(runs.id, runId)).run();
     log2.info("sync.completed", { runId, projectId, searchDataRows: rows.length, urlInspections: topPages.length, indexed: snapIndexed, notIndexed: snapNotIndexed });
   } catch (err) {
     const errorMsg = err instanceof Error ? err.message : String(err);
-    db.update(runs).set({ status: "failed", error: errorMsg, finishedAt: (/* @__PURE__ */ new Date()).toISOString() }).where(eq26(runs.id, runId)).run();
+    db.update(runs).set({ status: "failed", error: errorMsg, finishedAt: (/* @__PURE__ */ new Date()).toISOString() }).where(eq28(runs.id, runId)).run();
     log2.error("sync.failed", { runId, projectId, error: errorMsg });
     throw err;
   }
 }
 
 // src/gsc-inspect-sitemap.ts
-import crypto24 from "crypto";
-import { eq as eq27, and as and18 } from "drizzle-orm";
+import crypto26 from "crypto";
+import { eq as eq29, and as and18 } from "drizzle-orm";
 
 // src/sitemap-parser.ts
 var log3 = createLogger("SitemapParser");
@@ -23065,13 +23622,13 @@ async function parseSitemapRecursive(url, urls, visited, depth, isChild) {
 var log4 = createLogger("InspectSitemap");
 async function executeInspectSitemap(db, runId, projectId, opts) {
   const now = (/* @__PURE__ */ new Date()).toISOString();
-  db.update(runs).set({ status: "running", startedAt: now }).where(eq27(runs.id, runId)).run();
+  db.update(runs).set({ status: "running", startedAt: now }).where(eq29(runs.id, runId)).run();
   try {
     const { clientId: googleClientId, clientSecret: googleClientSecret } = getGoogleAuthConfig(opts.config);
     if (!googleClientId || !googleClientSecret) {
       throw new Error("Google OAuth is not configured in the local Canonry config");
     }
-    const project = db.select().from(projects).where(eq27(projects.id, projectId)).get();
+    const project = db.select().from(projects).where(eq29(projects.id, projectId)).get();
     if (!project) {
       throw new Error(`Project not found: ${projectId}`);
     }
@@ -23112,7 +23669,7 @@ async function executeInspectSitemap(db, runId, projectId, opts) {
         const rich = ir.richResultsResult;
         const inspectedAt = (/* @__PURE__ */ new Date()).toISOString();
         db.insert(gscUrlInspections).values({
-          id: crypto24.randomUUID(),
+          id: crypto26.randomUUID(),
           projectId,
           syncRunId: runId,
           url: pageUrl,
@@ -23139,7 +23696,7 @@ async function executeInspectSitemap(db, runId, projectId, opts) {
         await new Promise((r) => setTimeout(r, 1e3));
       }
     }
-    const allInspections = db.select().from(gscUrlInspections).where(eq27(gscUrlInspections.projectId, projectId)).all();
+    const allInspections = db.select().from(gscUrlInspections).where(eq29(gscUrlInspections.projectId, projectId)).all();
     const latestByUrl = /* @__PURE__ */ new Map();
     for (const row of allInspections) {
       const existing = latestByUrl.get(row.url);
@@ -23160,9 +23717,9 @@ async function executeInspectSitemap(db, runId, projectId, opts) {
       }
     }
     const snapshotDate = (/* @__PURE__ */ new Date()).toISOString().split("T")[0];
-    db.delete(gscCoverageSnapshots).where(and18(eq27(gscCoverageSnapshots.projectId, projectId), eq27(gscCoverageSnapshots.date, snapshotDate))).run();
+    db.delete(gscCoverageSnapshots).where(and18(eq29(gscCoverageSnapshots.projectId, projectId), eq29(gscCoverageSnapshots.date, snapshotDate))).run();
     db.insert(gscCoverageSnapshots).values({
-      id: crypto24.randomUUID(),
+      id: crypto26.randomUUID(),
       projectId,
       syncRunId: runId,
       date: snapshotDate,
@@ -23172,19 +23729,19 @@ async function executeInspectSitemap(db, runId, projectId, opts) {
       createdAt: (/* @__PURE__ */ new Date()).toISOString()
     }).run();
     const status = errors > 0 && inspected > 0 ? "partial" : errors === urls.length ? "failed" : "completed";
-    db.update(runs).set({ status, finishedAt: (/* @__PURE__ */ new Date()).toISOString() }).where(eq27(runs.id, runId)).run();
+    db.update(runs).set({ status, finishedAt: (/* @__PURE__ */ new Date()).toISOString() }).where(eq29(runs.id, runId)).run();
     log4.info("inspect.completed", { runId, projectId, inspected, errors, total: urls.length, indexed: snapIndexed, notIndexed: snapNotIndexed });
   } catch (err) {
     const errorMsg = err instanceof Error ? err.message : String(err);
-    db.update(runs).set({ status: "failed", error: errorMsg, finishedAt: (/* @__PURE__ */ new Date()).toISOString() }).where(eq27(runs.id, runId)).run();
+    db.update(runs).set({ status: "failed", error: errorMsg, finishedAt: (/* @__PURE__ */ new Date()).toISOString() }).where(eq29(runs.id, runId)).run();
     log4.error("inspect.failed", { runId, projectId, error: errorMsg });
     throw err;
   }
 }
 
 // src/bing-inspect-sitemap.ts
-import crypto25 from "crypto";
-import { eq as eq28, desc as desc13 } from "drizzle-orm";
+import crypto27 from "crypto";
+import { eq as eq30, desc as desc14 } from "drizzle-orm";
 var log5 = createLogger("BingInspectSitemap");
 function parseBingDate2(value) {
   if (!value) return null;
@@ -23202,9 +23759,9 @@ function isBlockingIssueType2(issueType) {
 }
 async function executeBingInspectSitemap(db, runId, projectId, opts) {
   const startedAt = (/* @__PURE__ */ new Date()).toISOString();
-  db.update(runs).set({ status: RunStatuses.running, startedAt }).where(eq28(runs.id, runId)).run();
+  db.update(runs).set({ status: RunStatuses.running, startedAt }).where(eq30(runs.id, runId)).run();
   try {
-    const project = db.select().from(projects).where(eq28(projects.id, projectId)).get();
+    const project = db.select().from(projects).where(eq30(projects.id, projectId)).get();
     if (!project) {
       throw new Error(`Project not found: ${projectId}`);
     }
@@ -23222,7 +23779,7 @@ async function executeBingInspectSitemap(db, runId, projectId, opts) {
     if (sitemapUrls.length === 0) {
       throw new Error("No URLs found in sitemap");
     }
-    const trackedRows = db.select({ url: bingUrlInspections.url }).from(bingUrlInspections).where(eq28(bingUrlInspections.projectId, projectId)).all();
+    const trackedRows = db.select({ url: bingUrlInspections.url }).from(bingUrlInspections).where(eq30(bingUrlInspections.projectId, projectId)).all();
     const trackedUrls = new Set(trackedRows.map((r) => r.url));
     const discovered = sitemapUrls.filter((u) => !trackedUrls.has(u));
     log5.info("sitemap.diff", {
@@ -23271,7 +23828,7 @@ async function executeBingInspectSitemap(db, runId, projectId, opts) {
           derivedInIndex = false;
         }
         db.insert(bingUrlInspections).values({
-          id: crypto25.randomUUID(),
+          id: crypto27.randomUUID(),
           projectId,
           url: pageUrl,
           httpCode,
@@ -23305,7 +23862,7 @@ async function executeBingInspectSitemap(db, runId, projectId, opts) {
         await new Promise((r) => setTimeout(r, 1e3));
       }
     }
-    const allInspections = db.select().from(bingUrlInspections).where(eq28(bingUrlInspections.projectId, projectId)).orderBy(desc13(bingUrlInspections.inspectedAt)).all();
+    const allInspections = db.select().from(bingUrlInspections).where(eq30(bingUrlInspections.projectId, projectId)).orderBy(desc14(bingUrlInspections.inspectedAt)).all();
     const latestByUrl = /* @__PURE__ */ new Map();
     const definitiveByUrl = /* @__PURE__ */ new Map();
     for (const row of allInspections) {
@@ -23329,7 +23886,7 @@ async function executeBingInspectSitemap(db, runId, projectId, opts) {
     const snapshotDate = (/* @__PURE__ */ new Date()).toISOString().split("T")[0];
     const snapNow = (/* @__PURE__ */ new Date()).toISOString();
     db.insert(bingCoverageSnapshots).values({
-      id: crypto25.randomUUID(),
+      id: crypto27.randomUUID(),
       projectId,
       syncRunId: runId,
       date: snapshotDate,
@@ -23348,7 +23905,7 @@ async function executeBingInspectSitemap(db, runId, projectId, opts) {
       }
     }).run();
     const status = errors === sitemapUrls.length ? RunStatuses.failed : errors > 0 ? RunStatuses.partial : RunStatuses.completed;
-    db.update(runs).set({ status, finishedAt: (/* @__PURE__ */ new Date()).toISOString() }).where(eq28(runs.id, runId)).run();
+    db.update(runs).set({ status, finishedAt: (/* @__PURE__ */ new Date()).toISOString() }).where(eq30(runs.id, runId)).run();
     log5.info("inspect.completed", {
       runId,
       projectId,
@@ -23362,16 +23919,16 @@ async function executeBingInspectSitemap(db, runId, projectId, opts) {
     });
   } catch (err) {
     const errorMsg = err instanceof Error ? err.message : String(err);
-    db.update(runs).set({ status: RunStatuses.failed, error: errorMsg, finishedAt: (/* @__PURE__ */ new Date()).toISOString() }).where(eq28(runs.id, runId)).run();
+    db.update(runs).set({ status: RunStatuses.failed, error: errorMsg, finishedAt: (/* @__PURE__ */ new Date()).toISOString() }).where(eq30(runs.id, runId)).run();
     log5.error("inspect.failed", { runId, projectId, error: errorMsg });
     throw err;
   }
 }
 
 // src/commoncrawl-sync.ts
-import crypto26 from "crypto";
+import crypto28 from "crypto";
 import path10 from "path";
-import { and as and19, eq as eq29, sql as sql12 } from "drizzle-orm";
+import { and as and19, eq as eq31, sql as sql12 } from "drizzle-orm";
 var log6 = createLogger("CommonCrawlSync");
 var INSERT_CHUNK_SIZE = 1e4;
 function defaultDeps() {
@@ -23397,7 +23954,7 @@ async function executeReleaseSync(db, syncId, opts) {
       phaseDetail: "downloading vertices + edges",
       updatedAt: downloadStartedAt,
       error: null
-    }).where(eq29(ccReleaseSyncs.id, syncId)).run();
+    }).where(eq31(ccReleaseSyncs.id, syncId)).run();
     const paths = ccReleasePaths(release);
     const releaseCacheDir = path10.join(deps.cacheDir, release);
     const vertexPath = path10.join(releaseCacheDir, paths.vertexFilename);
@@ -23420,7 +23977,7 @@ async function executeReleaseSync(db, syncId, opts) {
       vertexSha256: vertex.sha256,
       edgesSha256: edges.sha256,
       updatedAt: downloadFinishedAt
-    }).where(eq29(ccReleaseSyncs.id, syncId)).run();
+    }).where(eq31(ccReleaseSyncs.id, syncId)).run();
     const allProjects = db.select().from(projects).all();
     const targets = Array.from(new Set(allProjects.map((p) => p.canonicalDomain)));
     let rows = [];
@@ -23436,15 +23993,15 @@ async function executeReleaseSync(db, syncId, opts) {
     }
     const queriedAt = deps.now().toISOString();
     db.transaction((tx) => {
-      tx.delete(backlinkDomains).where(eq29(backlinkDomains.releaseSyncId, syncId)).run();
-      tx.delete(backlinkSummaries).where(eq29(backlinkSummaries.releaseSyncId, syncId)).run();
+      tx.delete(backlinkDomains).where(eq31(backlinkDomains.releaseSyncId, syncId)).run();
+      tx.delete(backlinkSummaries).where(eq31(backlinkSummaries.releaseSyncId, syncId)).run();
       const expanded = [];
       for (const r of rows) {
         const projectIds = projectsByDomain.get(r.targetDomain);
         if (!projectIds) continue;
         for (const projectId of projectIds) {
           expanded.push({
-            id: crypto26.randomUUID(),
+            id: crypto28.randomUUID(),
             projectId,
             releaseSyncId: syncId,
             release,
@@ -23464,7 +24021,7 @@ async function executeReleaseSync(db, syncId, opts) {
         const projectRows = rowsByProject.get(p.id) ?? [];
         const summary = computeSummary(projectRows);
         tx.insert(backlinkSummaries).values({
-          id: crypto26.randomUUID(),
+          id: crypto28.randomUUID(),
           projectId: p.id,
           releaseSyncId: syncId,
           release,
@@ -23496,7 +24053,7 @@ async function executeReleaseSync(db, syncId, opts) {
       domainsDiscovered: rows.length,
       updatedAt: finishedAt,
       error: null
-    }).where(eq29(ccReleaseSyncs.id, syncId)).run();
+    }).where(eq31(ccReleaseSyncs.id, syncId)).run();
     log6.info("sync.completed", {
       syncId,
       release,
@@ -23526,7 +24083,7 @@ async function executeReleaseSync(db, syncId, opts) {
       error: errorMsg,
       phaseDetail: null,
       updatedAt: finishedAt
-    }).where(eq29(ccReleaseSyncs.id, syncId)).run();
+    }).where(eq31(ccReleaseSyncs.id, syncId)).run();
     log6.error("sync.failed", { syncId, release, error: errorMsg });
     throw err;
   }
@@ -23560,9 +24117,9 @@ function computeSummary(rows) {
 }
 
 // src/backlink-extract.ts
-import crypto27 from "crypto";
+import crypto29 from "crypto";
 import fs8 from "fs";
-import { and as and20, desc as desc14, eq as eq30 } from "drizzle-orm";
+import { and as and20, desc as desc15, eq as eq32 } from "drizzle-orm";
 var log7 = createLogger("BacklinkExtract");
 function defaultDeps2() {
   return {
@@ -23574,13 +24131,13 @@ function defaultDeps2() {
 async function executeBacklinkExtract(db, runId, projectId, opts = {}) {
   const deps = { ...defaultDeps2(), ...opts.deps };
   const startedAt = deps.now().toISOString();
-  db.update(runs).set({ status: RunStatuses.running, startedAt }).where(eq30(runs.id, runId)).run();
+  db.update(runs).set({ status: RunStatuses.running, startedAt }).where(eq32(runs.id, runId)).run();
   try {
-    const project = db.select().from(projects).where(eq30(projects.id, projectId)).get();
+    const project = db.select().from(projects).where(eq32(projects.id, projectId)).get();
     if (!project) {
       throw new Error(`Project not found: ${projectId}`);
     }
-    const sync = opts.release ? db.select().from(ccReleaseSyncs).where(eq30(ccReleaseSyncs.release, opts.release)).get() : db.select().from(ccReleaseSyncs).where(eq30(ccReleaseSyncs.status, CcReleaseSyncStatuses.ready)).orderBy(desc14(ccReleaseSyncs.createdAt)).limit(1).get();
+    const sync = opts.release ? db.select().from(ccReleaseSyncs).where(eq32(ccReleaseSyncs.release, opts.release)).get() : db.select().from(ccReleaseSyncs).where(eq32(ccReleaseSyncs.status, CcReleaseSyncStatuses.ready)).orderBy(desc15(ccReleaseSyncs.createdAt)).limit(1).get();
     if (!sync) {
       throw new Error("No ready release sync available \u2014 run `canonry backlinks sync` first");
     }
@@ -23608,11 +24165,11 @@ async function executeBacklinkExtract(db, runId, projectId, opts = {}) {
     const targetDomain = project.canonicalDomain;
     db.transaction((tx) => {
       tx.delete(backlinkDomains).where(
-        and20(eq30(backlinkDomains.projectId, projectId), eq30(backlinkDomains.release, release))
+        and20(eq32(backlinkDomains.projectId, projectId), eq32(backlinkDomains.release, release))
       ).run();
       if (rows.length > 0) {
         const values = rows.map((r) => ({
-          id: crypto27.randomUUID(),
+          id: crypto29.randomUUID(),
           projectId,
           releaseSyncId: syncId,
           release,
@@ -23625,7 +24182,7 @@ async function executeBacklinkExtract(db, runId, projectId, opts = {}) {
       }
       const summary = computeSummary2(rows);
       tx.insert(backlinkSummaries).values({
-        id: crypto27.randomUUID(),
+        id: crypto29.randomUUID(),
         projectId,
         releaseSyncId: syncId,
         release,
@@ -23648,7 +24205,7 @@ async function executeBacklinkExtract(db, runId, projectId, opts = {}) {
       }).run();
     });
     const finishedAt = deps.now().toISOString();
-    db.update(runs).set({ status: RunStatuses.completed, finishedAt }).where(eq30(runs.id, runId)).run();
+    db.update(runs).set({ status: RunStatuses.completed, finishedAt }).where(eq32(runs.id, runId)).run();
     log7.info("extract.completed", { runId, projectId, release, rows: rows.length });
   } catch (err) {
     const errorMsg = err instanceof Error ? err.message : String(err);
@@ -23657,7 +24214,7 @@ async function executeBacklinkExtract(db, runId, projectId, opts = {}) {
       status: RunStatuses.failed,
       error: errorMsg,
       finishedAt
-    }).where(eq30(runs.id, runId)).run();
+    }).where(eq32(runs.id, runId)).run();
     log7.error("extract.failed", { runId, projectId, error: errorMsg });
     throw err;
   }
@@ -23677,6 +24234,205 @@ function computeSummary2(rows) {
   };
 }
 
+// src/discovery-run.ts
+import crypto30 from "crypto";
+import { eq as eq33 } from "drizzle-orm";
+var log8 = createLogger("DiscoveryRun");
+var DEFAULT_SEED_COUNT = 30;
+async function executeDiscoveryRun(opts) {
+  const startedAt = (/* @__PURE__ */ new Date()).toISOString();
+  opts.db.update(runs).set({ status: RunStatuses.running, startedAt }).where(eq33(runs.id, opts.runId)).run();
+  try {
+    const projectRow = opts.db.select().from(projects).where(eq33(projects.id, opts.projectId)).get();
+    if (!projectRow) throw new Error(`Project ${opts.projectId} not found`);
+    const projectCompetitors = opts.db.select({ domain: competitors.domain }).from(competitors).where(eq33(competitors.projectId, opts.projectId)).all().map((r) => r.domain.toLowerCase());
+    const canonicalDomains = effectiveDomains({
+      canonicalDomain: projectRow.canonicalDomain,
+      ownedDomains: parseJsonColumn(projectRow.ownedDomains, [])
+    });
+    const project = {
+      id: projectRow.id,
+      name: projectRow.name,
+      canonicalDomains,
+      competitorDomains: projectCompetitors
+    };
+    const deps = opts.deps ?? buildDefaultDeps(opts.registry);
+    const result = await executeDiscovery({
+      db: opts.db,
+      runId: opts.runId,
+      sessionId: opts.sessionId,
+      project,
+      icpDescription: opts.icpDescription,
+      dedupThreshold: opts.dedupThreshold,
+      maxProbes: opts.maxProbes,
+      deps
+    });
+    writeDiscoveryInsight(opts.db, {
+      projectId: opts.projectId,
+      runId: opts.runId,
+      sessionId: opts.sessionId,
+      seedProvider: result.seedProvider,
+      result
+    });
+    opts.db.update(runs).set({ status: RunStatuses.completed, finishedAt: (/* @__PURE__ */ new Date()).toISOString() }).where(eq33(runs.id, opts.runId)).run();
+    log8.info("discovery.completed", {
+      runId: opts.runId,
+      sessionId: opts.sessionId,
+      buckets: result.buckets,
+      competitorCount: result.competitorMap.length
+    });
+  } catch (err) {
+    const errorMsg = err instanceof Error ? err.message : String(err);
+    log8.error("discovery.failed", { runId: opts.runId, sessionId: opts.sessionId, error: errorMsg });
+    markSessionFailed(opts.db, opts.sessionId, errorMsg);
+    opts.db.update(runs).set({
+      status: RunStatuses.failed,
+      finishedAt: (/* @__PURE__ */ new Date()).toISOString(),
+      error: errorMsg
+    }).where(eq33(runs.id, opts.runId)).run();
+  }
+}
+function buildDefaultDeps(registry) {
+  const gemini = registry.get("gemini");
+  if (!gemini) {
+    throw new Error("Gemini provider is not configured. Add a Gemini API key (or Vertex project) before running discovery.");
+  }
+  const cfg = gemini.config;
+  if (!cfg.apiKey && !cfg.vertexProject) {
+    throw new Error("Gemini provider is missing both apiKey and vertexProject \u2014 cannot run discovery.");
+  }
+  const adapter = gemini.adapter;
+  return {
+    async seed(input) {
+      const prompt = buildSeedPrompt(input);
+      const raw = await adapter.executeTrackedQuery(
+        {
+          query: prompt,
+          canonicalDomains: input.project.canonicalDomains,
+          competitorDomains: input.project.competitorDomains
+        },
+        cfg
+      );
+      const normalized = adapter.normalizeResult(raw);
+      const fromAnswer = parseQueryLines(normalized.answerText, DEFAULT_SEED_COUNT * 2);
+      const fromGrounding = normalized.searchQueries ?? [];
+      return {
+        candidates: [...fromAnswer, ...fromGrounding],
+        provider: "gemini"
+      };
+    },
+    async embed(queries2) {
+      if (cfg.apiKey) {
+        return embedQueries(queries2, { apiKey: cfg.apiKey });
+      }
+      throw new Error("Discovery currently requires a Gemini API key. Vertex-mode embeddings are not yet implemented.");
+    },
+    async probe(input) {
+      const raw = await adapter.executeTrackedQuery(
+        {
+          query: input.query,
+          canonicalDomains: input.project.canonicalDomains,
+          competitorDomains: input.project.competitorDomains
+        },
+        cfg
+      );
+      const normalized = adapter.normalizeResult(raw);
+      const canonical = new Set(input.project.canonicalDomains.map((d) => d.toLowerCase()));
+      const isCited = normalized.citedDomains.some((d) => canonical.has(d.toLowerCase()));
+      return {
+        citationState: isCited ? "cited" : "not-cited",
+        citedDomains: normalized.citedDomains,
+        rawResponse: raw.rawResponse
+      };
+    }
+  };
+}
+function buildSeedPrompt(input) {
+  return [
+    "You are an AEO (Answer Engine Optimization) analyst expanding a tracked-query basket for a customer.",
+    "",
+    `Customer: ${input.project.name} (domains: ${input.project.canonicalDomains.join(", ")})`,
+    `ICP: ${input.icpDescription}`,
+    "",
+    "Brainstorm a wide set of queries a member of this ICP would type into an AI answer engine (Gemini, ChatGPT, Perplexity) when they are about to make a decision in this space. Aim for 30+ candidates covering:",
+    ' - Comparison queries ("best X for Y")',
+    " - Specific feature / capability queries",
+    " - Pricing / vendor-shortlist queries",
+    " - Workflow / how-to queries",
+    " - Adjacent jobs-to-be-done queries",
+    "",
+    "Return ONE query per line. Plain text only \u2014 no numbering, bullets, quotes, or commentary."
+  ].join("\n");
+}
+function parseQueryLines(text, max) {
+  const lines = text.split("\n");
+  const out = [];
+  const seen = /* @__PURE__ */ new Set();
+  for (const raw of lines) {
+    let line = raw.trim();
+    if (!line) continue;
+    line = line.replace(/^\s*(?:\d+[.)]\s*|[-*•]\s*)/, "").replace(/^["']|["']$/g, "").trim();
+    if (!line) continue;
+    if (/^(here are|sure|certainly|of course|i['']ve|these are|below are)/i.test(line)) continue;
+    const key = line.toLowerCase();
+    if (seen.has(key)) continue;
+    seen.add(key);
+    out.push(line);
+    if (out.length >= max) break;
+  }
+  return out;
+}
+function writeDiscoveryInsight(db, input) {
+  const { buckets, competitorMap } = input.result;
+  const totalProbes = buckets.cited + buckets.aspirational + buckets["wasted-surface"];
+  if (totalProbes === 0) return;
+  const wastedRatio = buckets["wasted-surface"] / totalProbes;
+  const citedRatio = buckets.cited / totalProbes;
+  const severity = wastedRatio >= 0.4 || buckets["wasted-surface"] > buckets.cited && wastedRatio >= 0.2 ? "high" : citedRatio >= 0.6 ? "low" : "medium";
+  const topCompetitors = competitorMap.slice(0, 5);
+  const title = buildDiscoveryInsightTitle({
+    cited: buckets.cited,
+    wasted: buckets["wasted-surface"],
+    aspirational: buckets.aspirational,
+    totalProbes
+  });
+  db.insert(insights).values({
+    id: crypto30.randomUUID(),
+    projectId: input.projectId,
+    runId: input.runId,
+    type: "discovery.basket-divergence",
+    severity,
+    title,
+    // query/provider fields don't fit the visibility-snapshot model for a
+    // session-level insight. Use the session marker so the
+    // (query, provider) index stays distinct across sessions; PR 5 will
+    // formalize a session-scoped insight subtype.
+    query: `discovery:${input.sessionId}`,
+    provider: input.seedProvider,
+    recommendation: JSON.stringify({
+      action: "review-discovered-basket",
+      summary: `Run \`canonry discover show ${input.sessionId} --format json\` to inspect the per-query breakdown. PR 2 will add \`canonry discover promote\` to merge the basket into the project.`,
+      bucketCounts: buckets,
+      topCompetitors
+    }),
+    cause: JSON.stringify({
+      sessionId: input.sessionId,
+      totalProbes,
+      seedProvider: input.seedProvider
+    }),
+    dismissed: false,
+    createdAt: (/* @__PURE__ */ new Date()).toISOString()
+  }).run();
+}
+function buildDiscoveryInsightTitle(input) {
+  const parts = [];
+  parts.push(`Discovery probed ${input.totalProbes} representative queries`);
+  if (input.wasted > 0) parts.push(`${input.wasted} where competitors are cited but you are not`);
+  if (input.cited > 0) parts.push(`${input.cited} where you are cited`);
+  if (input.aspirational > 0) parts.push(`${input.aspirational} aspirational greenfield queries`);
+  return parts.join(" \u2022 ");
+}
+
 // src/provider-registry.ts
 var ProviderRegistry = class {
   providers = /* @__PURE__ */ new Map();
@@ -23730,8 +24486,8 @@ var ProviderRegistry = class {
 
 // src/scheduler.ts
 import cron from "node-cron";
-import { and as and21, eq as eq31 } from "drizzle-orm";
-var log8 = createLogger("Scheduler");
+import { and as and21, eq as eq34 } from "drizzle-orm";
+var log9 = createLogger("Scheduler");
 function taskKey(projectId, kind) {
   return `${projectId}::${kind}`;
 }
@@ -23745,16 +24501,16 @@ var Scheduler = class {
   }
   /** Load all enabled schedules from DB and register cron jobs. */
   start() {
-    const allSchedules = this.db.select().from(schedules).where(eq31(schedules.enabled, 1)).all();
+    const allSchedules = this.db.select().from(schedules).where(eq34(schedules.enabled, 1)).all();
     for (const schedule of allSchedules) {
       const missedRunAt = schedule.nextRunAt;
       this.registerCronTask(schedule);
       if (missedRunAt && new Date(missedRunAt) < /* @__PURE__ */ new Date()) {
-        log8.info("run.catch-up", { projectId: schedule.projectId, kind: schedule.kind, missedRunAt });
+        log9.info("run.catch-up", { projectId: schedule.projectId, kind: schedule.kind, missedRunAt });
         this.triggerRun(schedule.id, schedule.projectId, schedule.kind);
       }
     }
-    log8.info("started", { scheduleCount: allSchedules.length });
+    log9.info("started", { scheduleCount: allSchedules.length });
   }
   /** Stop all cron tasks for graceful shutdown. */
   stop() {
@@ -23775,7 +24531,7 @@ var Scheduler = class {
       this.stopTask(key, existing, "Stopped");
       this.tasks.delete(key);
     }
-    const schedule = this.db.select().from(schedules).where(and21(eq31(schedules.projectId, projectId), eq31(schedules.kind, kind))).get();
+    const schedule = this.db.select().from(schedules).where(and21(eq34(schedules.projectId, projectId), eq34(schedules.kind, kind))).get();
     if (schedule && schedule.enabled === 1) {
       this.registerCronTask(schedule);
     }
@@ -23798,13 +24554,13 @@ var Scheduler = class {
   stopTask(key, task, verb) {
     task.stop();
     task.destroy();
-    log8.info(`task.${verb.toLowerCase()}`, { key });
+    log9.info(`task.${verb.toLowerCase()}`, { key });
   }
   registerCronTask(schedule) {
     const { id: scheduleId, projectId, cronExpr, timezone } = schedule;
     const kind = schedule.kind;
     if (!cron.validate(cronExpr)) {
-      log8.error("cron.invalid", { projectId, kind, cronExpr });
+      log9.error("cron.invalid", { projectId, kind, cronExpr });
       return;
     }
     const task = cron.schedule(cronExpr, () => {
@@ -23816,43 +24572,43 @@ var Scheduler = class {
     this.db.update(schedules).set({
       nextRunAt: task.getNextRun()?.toISOString() ?? null,
       updatedAt: (/* @__PURE__ */ new Date()).toISOString()
-    }).where(eq31(schedules.id, scheduleId)).run();
+    }).where(eq34(schedules.id, scheduleId)).run();
     const label = schedule.preset ?? cronExpr;
-    log8.info("cron.registered", { projectId, kind, schedule: label, timezone });
+    log9.info("cron.registered", { projectId, kind, schedule: label, timezone });
   }
   triggerRun(scheduleId, projectId, kind) {
     try {
       const now = (/* @__PURE__ */ new Date()).toISOString();
-      const currentSchedule = this.db.select().from(schedules).where(eq31(schedules.id, scheduleId)).get();
+      const currentSchedule = this.db.select().from(schedules).where(eq34(schedules.id, scheduleId)).get();
       if (!currentSchedule || currentSchedule.enabled !== 1) {
-        log8.warn("schedule.stale", { scheduleId, projectId, kind, msg: "schedule no longer exists or is disabled" });
+        log9.warn("schedule.stale", { scheduleId, projectId, kind, msg: "schedule no longer exists or is disabled" });
         this.remove(projectId, kind);
         return;
       }
       const task = this.tasks.get(taskKey(projectId, kind));
       const nextRunAt = task?.getNextRun()?.toISOString() ?? null;
-      const project = this.db.select().from(projects).where(eq31(projects.id, projectId)).get();
+      const project = this.db.select().from(projects).where(eq34(projects.id, projectId)).get();
       if (!project) {
-        log8.error("project.not-found", { projectId, kind, msg: "skipping scheduled run" });
+        log9.error("project.not-found", { projectId, kind, msg: "skipping scheduled run" });
         this.remove(projectId, kind);
         return;
       }
       if (kind === SchedulableRunKinds["traffic-sync"]) {
         const sourceId = currentSchedule.sourceId;
         if (!sourceId) {
-          log8.warn("traffic-sync.missing-source", { scheduleId, projectId });
+          log9.warn("traffic-sync.missing-source", { scheduleId, projectId });
           return;
         }
         if (!this.callbacks.onTrafficSyncRequested) {
-          log8.warn("traffic-sync.no-callback", { scheduleId, projectId, msg: "host did not register onTrafficSyncRequested" });
+          log9.warn("traffic-sync.no-callback", { scheduleId, projectId, msg: "host did not register onTrafficSyncRequested" });
           return;
         }
         this.db.update(schedules).set({
           lastRunAt: now,
           nextRunAt,
           updatedAt: now
-        }).where(eq31(schedules.id, currentSchedule.id)).run();
-        log8.info("traffic-sync.triggered", { projectName: project.name, sourceId });
+        }).where(eq34(schedules.id, currentSchedule.id)).run();
+        log9.info("traffic-sync.triggered", { projectName: project.name, sourceId });
         this.callbacks.onTrafficSyncRequested(project.name, sourceId);
         return;
       }
@@ -23861,7 +24617,7 @@ var Scheduler = class {
       if (project.defaultLocation) {
         const loc = projectLocations.find((l) => l.label === project.defaultLocation);
         if (!loc) {
-          log8.warn("default-location.stale", { scheduleId, projectId, label: project.defaultLocation });
+          log9.warn("default-location.stale", { scheduleId, projectId, label: project.defaultLocation });
           return;
         }
         resolvedLocation = loc;
@@ -23875,11 +24631,11 @@ var Scheduler = class {
         location: locationLabel
       });
       if (queueResult.conflict) {
-        log8.info("run.skipped-active", { projectName: project.name, activeRunId: queueResult.activeRunId });
+        log9.info("run.skipped-active", { projectName: project.name, activeRunId: queueResult.activeRunId });
         this.db.update(schedules).set({
           nextRunAt,
           updatedAt: now
-        }).where(eq31(schedules.id, currentSchedule.id)).run();
+        }).where(eq34(schedules.id, currentSchedule.id)).run();
         return;
       }
       const runId = queueResult.runId;
@@ -23887,21 +24643,21 @@ var Scheduler = class {
         lastRunAt: now,
         nextRunAt,
         updatedAt: now
-      }).where(eq31(schedules.id, currentSchedule.id)).run();
+      }).where(eq34(schedules.id, currentSchedule.id)).run();
       const scheduleProviders = parseJsonColumn(currentSchedule.providers, []);
       const providers = scheduleProviders.length > 0 ? scheduleProviders : void 0;
-      log8.info("run.triggered", { runId, projectName: project.name, providers: providers ?? "all" });
+      log9.info("run.triggered", { runId, projectName: project.name, providers: providers ?? "all" });
       this.callbacks.onRunCreated(runId, projectId, providers, resolvedLocation);
     } catch (err) {
-      log8.error("trigger.error", { scheduleId, projectId, kind, error: err instanceof Error ? err.message : String(err) });
+      log9.error("trigger.error", { scheduleId, projectId, kind, error: err instanceof Error ? err.message : String(err) });
     }
   }
 };
 
 // src/notifier.ts
-import { eq as eq32, desc as desc15, and as and22, or as or4 } from "drizzle-orm";
-import crypto28 from "crypto";
-var log9 = createLogger("Notifier");
+import { eq as eq35, desc as desc16, and as and22, or as or4 } from "drizzle-orm";
+import crypto31 from "crypto";
+var log10 = createLogger("Notifier");
 var Notifier = class {
   db;
   serverUrl;
@@ -23911,26 +24667,26 @@ var Notifier = class {
   }
   /** Called after a run completes (success, partial, or failed). */
   async onRunCompleted(runId, projectId) {
-    log9.info("run.completed", { runId, projectId });
-    const notifs = this.db.select().from(notifications).where(eq32(notifications.projectId, projectId)).all().filter((n) => n.enabled === 1);
+    log10.info("run.completed", { runId, projectId });
+    const notifs = this.db.select().from(notifications).where(eq35(notifications.projectId, projectId)).all().filter((n) => n.enabled === 1);
     if (notifs.length === 0) {
-      log9.info("notifications.none-enabled", { projectId });
+      log10.info("notifications.none-enabled", { projectId });
       return;
     }
-    log9.info("notifications.found", { projectId, count: notifs.length });
-    const run = this.db.select().from(runs).where(eq32(runs.id, runId)).get();
+    log10.info("notifications.found", { projectId, count: notifs.length });
+    const run = this.db.select().from(runs).where(eq35(runs.id, runId)).get();
     if (!run) {
-      log9.error("run.not-found", { runId, msg: "skipping notification dispatch" });
+      log10.error("run.not-found", { runId, msg: "skipping notification dispatch" });
       return;
     }
-    const project = this.db.select().from(projects).where(eq32(projects.id, projectId)).get();
+    const project = this.db.select().from(projects).where(eq35(projects.id, projectId)).get();
     if (!project) {
-      log9.error("project.not-found", { projectId, msg: "skipping notification dispatch" });
+      log10.error("project.not-found", { projectId, msg: "skipping notification dispatch" });
       return;
     }
     const transitions = this.computeTransitions(runId, projectId);
     const events = [];
-    log9.info("run.status", { runId: run.id, status: run.status, projectId });
+    log10.info("run.status", { runId: run.id, status: run.status, projectId });
     if (run.status === "completed" || run.status === "partial") {
       events.push("run.completed");
     }
@@ -23946,7 +24702,7 @@ var Notifier = class {
       if (!config.url) continue;
       const subscribedEvents = config.events;
       const matchingEvents = events.filter((e) => subscribedEvents.includes(e));
-      log9.info("notification.match", { notificationId: notif.id, subscribedEvents, matchedEvents: matchingEvents });
+      log10.info("notification.match", { notificationId: notif.id, subscribedEvents, matchedEvents: matchingEvents });
       if (matchingEvents.length === 0) continue;
       for (const event of matchingEvents) {
         const relevantTransitions = event === "citation.lost" ? lostTransitions : event === "citation.gained" ? gainedTransitions : transitions;
@@ -23970,11 +24726,11 @@ var Notifier = class {
     if (criticalInsights.length > 0) insightEvents.push("insight.critical");
     if (highInsights.length > 0) insightEvents.push("insight.high");
     if (insightEvents.length === 0) return;
-    const notifs = this.db.select().from(notifications).where(eq32(notifications.projectId, projectId)).all().filter((n) => n.enabled === 1);
+    const notifs = this.db.select().from(notifications).where(eq35(notifications.projectId, projectId)).all().filter((n) => n.enabled === 1);
     if (notifs.length === 0) return;
-    const run = this.db.select().from(runs).where(eq32(runs.id, runId)).get();
+    const run = this.db.select().from(runs).where(eq35(runs.id, runId)).get();
     if (!run) return;
-    const project = this.db.select().from(projects).where(eq32(projects.id, projectId)).get();
+    const project = this.db.select().from(projects).where(eq35(projects.id, projectId)).get();
     if (!project) return;
     for (const notif of notifs) {
       const config = parseJsonColumn(notif.config, { url: "", events: [] });
@@ -24006,10 +24762,10 @@ var Notifier = class {
   computeTransitions(runId, projectId) {
     const recentRuns = this.db.select().from(runs).where(
       and22(
-        eq32(runs.projectId, projectId),
-        or4(eq32(runs.status, "completed"), eq32(runs.status, "partial"))
+        eq35(runs.projectId, projectId),
+        or4(eq35(runs.status, "completed"), eq35(runs.status, "partial"))
       )
-    ).orderBy(desc15(runs.createdAt)).limit(2).all();
+    ).orderBy(desc16(runs.createdAt)).limit(2).all();
     if (recentRuns.length < 2) return [];
     const currentRunId = recentRuns[0].id;
     const previousRunId = recentRuns[1].id;
@@ -24019,12 +24775,12 @@ var Notifier = class {
       query: queries.query,
       provider: querySnapshots.provider,
       citationState: querySnapshots.citationState
-    }).from(querySnapshots).leftJoin(queries, eq32(querySnapshots.queryId, queries.id)).where(eq32(querySnapshots.runId, currentRunId)).all();
+    }).from(querySnapshots).leftJoin(queries, eq35(querySnapshots.queryId, queries.id)).where(eq35(querySnapshots.runId, currentRunId)).all();
     const previousSnapshots = this.db.select({
       queryId: querySnapshots.queryId,
       provider: querySnapshots.provider,
       citationState: querySnapshots.citationState
-    }).from(querySnapshots).where(eq32(querySnapshots.runId, previousRunId)).all();
+    }).from(querySnapshots).where(eq35(querySnapshots.runId, previousRunId)).all();
     const prevMap = /* @__PURE__ */ new Map();
     for (const s of previousSnapshots) {
       prevMap.set(`${s.queryId}:${s.provider}`, s.citationState);
@@ -24048,23 +24804,23 @@ var Notifier = class {
     const targetLabel = redactNotificationUrl(url).urlDisplay;
     const targetCheck = await resolveWebhookTarget(url);
     if (!targetCheck.ok) {
-      log9.error("webhook.ssrf-blocked", { url: targetLabel, reason: targetCheck.message });
+      log10.error("webhook.ssrf-blocked", { url: targetLabel, reason: targetCheck.message });
       this.logDelivery(projectId, notificationId, payload.event, "failed", `SSRF: ${targetCheck.message}`);
       return;
     }
-    log9.info("webhook.send", { event: payload.event, url: targetLabel });
+    log10.info("webhook.send", { event: payload.event, url: targetLabel });
     const maxRetries = 3;
     const delays = [1e3, 4e3, 16e3];
     for (let attempt = 0; attempt < maxRetries; attempt++) {
       try {
         const response = await deliverWebhook(targetCheck.target, payload, webhookSecret);
         if (response.status >= 200 && response.status < 300) {
-          log9.info("webhook.delivered", { event: payload.event, url: targetLabel, httpStatus: response.status });
+          log10.info("webhook.delivered", { event: payload.event, url: targetLabel, httpStatus: response.status });
           this.logDelivery(projectId, notificationId, payload.event, "sent", null);
           return;
         }
         const errorDetail = response.error ?? `HTTP ${response.status}`;
-        log9.warn("webhook.attempt-failed", { event: payload.event, url: targetLabel, attempt: attempt + 1, maxRetries, httpStatus: response.status, error: errorDetail });
+        log10.warn("webhook.attempt-failed", { event: payload.event, url: targetLabel, attempt: attempt + 1, maxRetries, httpStatus: response.status, error: errorDetail });
         if (attempt === maxRetries - 1) {
           this.logDelivery(projectId, notificationId, payload.event, "failed", errorDetail);
         }
@@ -24072,7 +24828,7 @@ var Notifier = class {
         const errorDetail = err instanceof Error ? err.message : String(err);
         if (attempt === maxRetries - 1) {
           this.logDelivery(projectId, notificationId, payload.event, "failed", errorDetail);
-          log9.error("webhook.exhausted", { event: payload.event, url: targetLabel, maxRetries, error: errorDetail });
+          log10.error("webhook.exhausted", { event: payload.event, url: targetLabel, maxRetries, error: errorDetail });
         }
       }
       if (attempt < maxRetries - 1) {
@@ -24082,7 +24838,7 @@ var Notifier = class {
   }
   logDelivery(projectId, notificationId, event, status, error) {
     this.db.insert(auditLog).values({
-      id: crypto28.randomUUID(),
+      id: crypto31.randomUUID(),
       projectId,
       actor: "scheduler",
       action: `notification.${status}`,
@@ -24095,53 +24851,96 @@ var Notifier = class {
 };
 
 // src/run-coordinator.ts
-var log10 = createLogger("RunCoordinator");
+import { eq as eq36 } from "drizzle-orm";
+var log11 = createLogger("RunCoordinator");
 var RunCoordinator = class {
-  constructor(notifier, intelligenceService, onInsightsGenerated, onAeroEvent) {
+  constructor(db, notifier, intelligenceService, onInsightsGenerated, onAeroEvent) {
+    this.db = db;
     this.notifier = notifier;
     this.intelligenceService = intelligenceService;
     this.onInsightsGenerated = onInsightsGenerated;
     this.onAeroEvent = onAeroEvent;
   }
   async onRunCompleted(runId, projectId) {
+    const runRow = this.db.select().from(runs).where(eq36(runs.id, runId)).get();
+    const kind = runRow?.kind ?? RunKinds["answer-visibility"];
     let insightCount = 0;
     let criticalOrHigh = 0;
-    try {
-      const result = this.intelligenceService.analyzeAndPersist(runId, projectId);
-      if (result) {
-        insightCount = result.insights.length;
-        criticalOrHigh = result.insights.filter(
-          (i) => i.severity === "critical" || i.severity === "high"
-        ).length;
-        if (this.onInsightsGenerated && criticalOrHigh > 0) {
-          try {
-            await this.onInsightsGenerated(runId, projectId, result);
-          } catch (err) {
-            log10.error("insight-webhook.failed", { runId, error: err instanceof Error ? err.message : String(err) });
+    if (kind === RunKinds["answer-visibility"]) {
+      try {
+        const result = this.intelligenceService.analyzeAndPersist(runId, projectId);
+        if (result) {
+          insightCount = result.insights.length;
+          criticalOrHigh = result.insights.filter(
+            (i) => i.severity === "critical" || i.severity === "high"
+          ).length;
+          if (this.onInsightsGenerated && criticalOrHigh > 0) {
+            try {
+              await this.onInsightsGenerated(runId, projectId, result);
+            } catch (err) {
+              log11.error("insight-webhook.failed", { runId, error: err instanceof Error ? err.message : String(err) });
+            }
           }
         }
+      } catch (err) {
+        log11.error("intelligence.failed", { runId, error: err instanceof Error ? err.message : String(err) });
       }
-    } catch (err) {
-      log10.error("intelligence.failed", { runId, error: err instanceof Error ? err.message : String(err) });
     }
     try {
       await this.notifier.onRunCompleted(runId, projectId);
     } catch (err) {
-      log10.error("notifier.failed", { runId, error: err instanceof Error ? err.message : String(err) });
+      log11.error("notifier.failed", { runId, error: err instanceof Error ? err.message : String(err) });
     }
     if (this.onAeroEvent) {
       try {
-        await this.onAeroEvent({ runId, projectId, insightCount, criticalOrHigh });
+        const ctx = kind === RunKinds["aeo-discover-probe"] ? this.buildDiscoveryAeroContext(runId, projectId, runRow?.status === "failed" ? "failed" : "completed", runRow?.error ?? null) : {
+          kind,
+          runId,
+          projectId,
+          insightCount,
+          criticalOrHigh
+        };
+        await this.onAeroEvent(ctx);
       } catch (err) {
-        log10.error("aero.failed", { runId, error: err instanceof Error ? err.message : String(err) });
+        log11.error("aero.failed", { runId, error: err instanceof Error ? err.message : String(err) });
       }
     }
   }
+  /**
+   * Pull the discovery session that owns this run and project a payload Aero
+   * can act on: bucket counts, top competitors, the seed provider, and the
+   * session ID it can pass to `canonry_discover_session_get` for the per-query
+   * breakdown. Looked up by `runId` (the POST handler populates
+   * `discovery_sessions.runId` in the same transaction that creates the run)
+   * so two concurrent discovery sessions on the same project don't get
+   * cross-wired. Falls back to a zero payload when the session row is missing
+   * so the Aero queue is never starved of a follow-up.
+   */
+  buildDiscoveryAeroContext(runId, projectId, status, error) {
+    const session = this.db.select().from(discoverySessions).where(eq36(discoverySessions.runId, runId)).get();
+    const competitorMap = session ? parseJsonColumn(session.competitorMap, []) : [];
+    return {
+      kind: RunKinds["aeo-discover-probe"],
+      runId,
+      projectId,
+      sessionId: session?.id ?? "",
+      seedProvider: session?.seedProvider ?? null,
+      buckets: {
+        cited: session?.citedCount ?? 0,
+        aspirational: session?.aspirationalCount ?? 0,
+        "wasted-surface": session?.wastedCount ?? 0
+      },
+      probeCount: session?.probeCount ?? 0,
+      topCompetitors: competitorMap.slice(0, 5),
+      status,
+      error
+    };
+  }
 };
 
 // src/agent/session-registry.ts
-import crypto30 from "crypto";
-import { eq as eq34 } from "drizzle-orm";
+import crypto33 from "crypto";
+import { eq as eq38 } from "drizzle-orm";
 
 // src/agent/session.ts
 import fs11 from "fs";
@@ -24490,8 +25289,8 @@ function resolveSessionProviderAndModel(config, opts) {
 }
 
 // src/agent/memory-store.ts
-import crypto29 from "crypto";
-import { and as and23, desc as desc16, eq as eq33, like as like2, sql as sql13 } from "drizzle-orm";
+import crypto32 from "crypto";
+import { and as and23, desc as desc17, eq as eq37, like as like2, sql as sql13 } from "drizzle-orm";
 var COMPACTION_KEY_PREFIX = "compaction:";
 var COMPACTION_NOTES_PER_SESSION = 3;
 function rowToDto2(row) {
@@ -24505,7 +25304,7 @@ function rowToDto2(row) {
   };
 }
 function listMemoryEntries(db, projectId, opts = {}) {
-  const query = db.select().from(agentMemory).where(eq33(agentMemory.projectId, projectId)).orderBy(desc16(agentMemory.updatedAt));
+  const query = db.select().from(agentMemory).where(eq37(agentMemory.projectId, projectId)).orderBy(desc17(agentMemory.updatedAt));
   const rows = opts.limit === void 0 ? query.all() : query.limit(opts.limit).all();
   return rows.map(rowToDto2);
 }
@@ -24519,7 +25318,7 @@ function upsertMemoryEntry(db, args) {
     throw new Error(`memory key prefix "${COMPACTION_KEY_PREFIX}" is reserved for compaction notes`);
   }
   const now = (/* @__PURE__ */ new Date()).toISOString();
-  const id = crypto29.randomUUID();
+  const id = crypto32.randomUUID();
   db.insert(agentMemory).values({
     id,
     projectId: args.projectId,
@@ -24536,12 +25335,12 @@ function upsertMemoryEntry(db, args) {
       updatedAt: now
     }
   }).run();
-  const row = db.select().from(agentMemory).where(and23(eq33(agentMemory.projectId, args.projectId), eq33(agentMemory.key, args.key))).get();
+  const row = db.select().from(agentMemory).where(and23(eq37(agentMemory.projectId, args.projectId), eq37(agentMemory.key, args.key))).get();
   if (!row) throw new Error("memory upsert produced no row");
   return rowToDto2(row);
 }
 function deleteMemoryEntry(db, projectId, key) {
-  const result = db.delete(agentMemory).where(and23(eq33(agentMemory.projectId, projectId), eq33(agentMemory.key, key))).run();
+  const result = db.delete(agentMemory).where(and23(eq37(agentMemory.projectId, projectId), eq37(agentMemory.key, key))).run();
   const changes = result.changes ?? 0;
   return changes > 0;
 }
@@ -24556,7 +25355,7 @@ function writeCompactionNote(db, args) {
   }
   const now = (/* @__PURE__ */ new Date()).toISOString();
   const key = `${COMPACTION_KEY_PREFIX}${args.sessionId}:${now}`;
-  const id = crypto29.randomUUID();
+  const id = crypto32.randomUUID();
   let inserted;
   db.transaction((tx) => {
     tx.insert(agentMemory).values({
@@ -24571,15 +25370,15 @@ function writeCompactionNote(db, args) {
     const sessionPrefix = `${COMPACTION_KEY_PREFIX}${args.sessionId}:`;
     const existing = tx.select({ id: agentMemory.id, updatedAt: agentMemory.updatedAt }).from(agentMemory).where(
       and23(
-        eq33(agentMemory.projectId, args.projectId),
+        eq37(agentMemory.projectId, args.projectId),
         like2(agentMemory.key, `${sessionPrefix}%`)
       )
-    ).orderBy(desc16(agentMemory.updatedAt)).all();
+    ).orderBy(desc17(agentMemory.updatedAt)).all();
     const stale = existing.slice(COMPACTION_NOTES_PER_SESSION).map((r) => r.id);
     if (stale.length > 0) {
       tx.delete(agentMemory).where(sql13`${agentMemory.id} IN (${sql13.join(stale.map((s) => sql13`${s}`), sql13`, `)})`).run();
     }
-    const row = tx.select().from(agentMemory).where(and23(eq33(agentMemory.projectId, args.projectId), eq33(agentMemory.key, key))).get();
+    const row = tx.select().from(agentMemory).where(and23(eq37(agentMemory.projectId, args.projectId), eq37(agentMemory.key, key))).get();
     if (row) inserted = rowToDto2(row);
   });
   if (!inserted) throw new Error("compaction note write produced no row");
@@ -24712,7 +25511,7 @@ async function compactMessages(args) {
 }
 
 // src/agent/session-registry.ts
-var log11 = createLogger("SessionRegistry");
+var log12 = createLogger("SessionRegistry");
 var MAX_HYDRATE_NOTES = 20;
 var MAX_HYDRATE_BYTES = 32 * 1024;
 function escapeMemoryFragment(value) {
@@ -24761,7 +25560,7 @@ var SessionRegistry = class {
           modelProvider: effectiveProvider,
           modelId: effectiveModelId,
           updatedAt: (/* @__PURE__ */ new Date()).toISOString()
-        }).where(eq34(agentSessions.projectId, projectId)).run();
+        }).where(eq38(agentSessions.projectId, projectId)).run();
       }
       const agent2 = createAeroSession({
         projectName,
@@ -24939,13 +25738,13 @@ ${lines.join("\n")}
       agent.state.messages = result.messages;
       agent.state.systemPrompt = this.buildHydratedSystemPrompt(projectId, row.systemPrompt);
       this.save(projectName);
-      log11.info("compaction.completed", {
+      log12.info("compaction.completed", {
         projectName,
         removedCount: result.removedCount,
         summaryBytes: Buffer.byteLength(result.summary, "utf8")
       });
     } catch (err) {
-      log11.error("compaction.failed", {
+      log12.error("compaction.failed", {
         projectName,
         error: err instanceof Error ? err.message : String(err)
       });
@@ -24975,7 +25774,7 @@ ${lines.join("\n")}
       modelProvider: nextProvider,
       modelId: nextModelId,
       updatedAt: (/* @__PURE__ */ new Date()).toISOString()
-    }).where(eq34(agentSessions.projectId, projectId)).run();
+    }).where(eq38(agentSessions.projectId, projectId)).run();
   }
   /** Persist a session's transcript back to the DB. Call after any run settles. */
   save(projectName) {
@@ -25042,7 +25841,7 @@ ${lines.join("\n")}
       await agent.prompt(msgs);
       this.save(projectName);
     } catch (err) {
-      log11.error("drain.failed", {
+      log12.error("drain.failed", {
         projectName,
         error: err instanceof Error ? err.message : String(err)
       });
@@ -25137,17 +25936,17 @@ ${lines.join("\n")}
     return id;
   }
   tryResolveProjectId(projectName) {
-    const row = this.opts.db.select({ id: projects.id }).from(projects).where(eq34(projects.name, projectName)).get();
+    const row = this.opts.db.select({ id: projects.id }).from(projects).where(eq38(projects.name, projectName)).get();
     return row?.id;
   }
   loadRow(projectId) {
-    const row = this.opts.db.select().from(agentSessions).where(eq34(agentSessions.projectId, projectId)).get();
+    const row = this.opts.db.select().from(agentSessions).where(eq38(agentSessions.projectId, projectId)).get();
     return row ?? null;
   }
   insertRow(params) {
     const now = (/* @__PURE__ */ new Date()).toISOString();
     this.opts.db.insert(agentSessions).values({
-      id: crypto30.randomUUID(),
+      id: crypto33.randomUUID(),
       projectId: params.projectId,
       systemPrompt: params.systemPrompt,
       modelProvider: params.provider ?? params.modelProvider ?? AgentProviderIds.claude,
@@ -25160,14 +25959,14 @@ ${lines.join("\n")}
   }
   updateRow(projectId, patch) {
     const now = (/* @__PURE__ */ new Date()).toISOString();
-    this.opts.db.update(agentSessions).set({ ...patch, updatedAt: now }).where(eq34(agentSessions.projectId, projectId)).run();
+    this.opts.db.update(agentSessions).set({ ...patch, updatedAt: now }).where(eq38(agentSessions.projectId, projectId)).run();
   }
 };
 
 // src/agent/agent-routes.ts
-import { eq as eq35 } from "drizzle-orm";
+import { eq as eq39 } from "drizzle-orm";
 function resolveProject2(db, name) {
-  const row = db.select({ id: projects.id, name: projects.name }).from(projects).where(eq35(projects.name, name)).get();
+  const row = db.select({ id: projects.id, name: projects.name }).from(projects).where(eq39(projects.name, name)).get();
   if (!row) throw notFound("project", name);
   return row;
 }
@@ -25176,7 +25975,7 @@ function registerAgentRoutes(app, opts) {
     "/projects/:name/agent/transcript",
     async (request) => {
       const project = resolveProject2(opts.db, request.params.name);
-      const row = opts.db.select().from(agentSessions).where(eq35(agentSessions.projectId, project.id)).get();
+      const row = opts.db.select().from(agentSessions).where(eq39(agentSessions.projectId, project.id)).get();
       if (!row) {
         return { messages: [], modelProvider: null, modelId: null, updatedAt: null };
       }
@@ -25200,7 +25999,7 @@ function registerAgentRoutes(app, opts) {
     async (request) => {
       const project = resolveProject2(opts.db, request.params.name);
       opts.sessionRegistry.reset(project.name);
-      opts.db.update(agentSessions).set({ messages: "[]", followUpQueue: "[]", updatedAt: (/* @__PURE__ */ new Date()).toISOString() }).where(eq35(agentSessions.projectId, project.id)).run();
+      opts.db.update(agentSessions).set({ messages: "[]", followUpQueue: "[]", updatedAt: (/* @__PURE__ */ new Date()).toISOString() }).where(eq39(agentSessions.projectId, project.id)).run();
       return { status: "reset" };
     }
   );
@@ -25433,7 +26232,7 @@ function formatAuditFactorScore(factor) {
 }
 
 // src/snapshot-service.ts
-var log12 = createLogger("Snapshot");
+var log13 = createLogger("Snapshot");
 var ANALYSIS_PROVIDER_PRIORITY = ["openai", "claude", "gemini", "perplexity", "local"];
 var SNAPSHOT_QUERY_COUNT = 6;
 var ProviderExecutionGate2 = class {
@@ -25576,7 +26375,7 @@ var SnapshotService = class {
       return mapAuditReport(report);
     } catch (err) {
       const message = err instanceof Error ? err.message : String(err);
-      log12.warn("audit.failed", { homepageUrl, error: message });
+      log13.warn("audit.failed", { homepageUrl, error: message });
       return {
         url: homepageUrl,
         finalUrl: homepageUrl,
@@ -25606,7 +26405,7 @@ var SnapshotService = class {
           queries: parsedQueries
         };
       } catch (err) {
-        log12.warn("profile.generation-failed", {
+        log13.warn("profile.generation-failed", {
           domain: ctx.domain,
           provider: ctx.analysisProvider.adapter.name,
           error: err instanceof Error ? err.message : String(err)
@@ -25748,7 +26547,7 @@ var SnapshotService = class {
         recommendedActions: uniqueStrings(parsed.recommendedActions ?? []).slice(0, 4)
       };
     } catch (err) {
-      log12.warn("response.analysis-failed", {
+      log13.warn("response.analysis-failed", {
         provider: ctx.analysisProvider.adapter.name,
         error: err instanceof Error ? err.message : String(err)
       });
@@ -26033,7 +26832,7 @@ function clipText(value, length) {
 // src/server.ts
 var _require2 = createRequire3(import.meta.url);
 var { version: PKG_VERSION } = _require2("../package.json");
-var log13 = createLogger("Server");
+var log14 = createLogger("Server");
 var DEFAULT_QUOTA = {
   maxConcurrency: 2,
   maxRequestsPerMinute: 10,
@@ -26064,7 +26863,7 @@ function summarizeProviderConfig(provider, config) {
   };
 }
 function hashApiKey(key) {
-  return crypto31.createHash("sha256").update(key).digest("hex");
+  return crypto34.createHash("sha256").update(key).digest("hex");
 }
 function parseCookies2(header) {
   if (!header) return {};
@@ -26120,7 +26919,7 @@ function applyLegacyCredentials(rows, config) {
   }
   if (migratedGoogle > 0) {
     saveConfigPatch({ google: config.google });
-    log13.info("credentials.migrated", { type: "google", count: migratedGoogle });
+    log14.info("credentials.migrated", { type: "google", count: migratedGoogle });
   }
   let migratedGa4 = 0;
   for (const row of rows.ga4) {
@@ -26138,7 +26937,7 @@ function applyLegacyCredentials(rows, config) {
   }
   if (migratedGa4 > 0) {
     saveConfigPatch({ ga4: config.ga4 });
-    log13.info("credentials.migrated", { type: "ga4", count: migratedGa4 });
+    log14.info("credentials.migrated", { type: "ga4", count: migratedGa4 });
   }
 }
 async function createServer(opts) {
@@ -26170,11 +26969,11 @@ async function createServer(opts) {
     applyLegacyCredentials(legacyRows, opts.config);
     dropLegacyCredentialColumns(opts.db);
   } catch (err) {
-    log13.warn("credentials.migration.failed", {
+    log14.warn("credentials.migration.failed", {
       error: err instanceof Error ? err.message : String(err)
     });
   }
-  log13.info("providers.configured", { providers: Object.keys(providers).filter((k) => {
+  log14.info("providers.configured", { providers: Object.keys(providers).filter((k) => {
     const p = providers[k];
     return p?.apiKey || p?.baseUrl || p?.vertexProject;
   }) });
@@ -26218,15 +27017,27 @@ async function createServer(opts) {
     config: opts.config
   });
   const runCoordinator = new RunCoordinator(
+    opts.db,
     notifier,
     intelligenceService,
     (runId, projectId, result) => notifier.dispatchInsightWebhooks(runId, projectId, result),
-    async ({ runId, projectId, insightCount, criticalOrHigh }) => {
-      const project = opts.db.select({ name: projects.name }).from(projects).where(eq36(projects.id, projectId)).get();
+    async (ctx) => {
+      const project = opts.db.select({ name: projects.name }).from(projects).where(eq40(projects.id, ctx.projectId)).get();
       if (!project) return;
+      let content;
+      if (ctx.kind === RunKinds["aeo-discover-probe"]) {
+        if (ctx.status === "failed") {
+          content = `[system] Discovery run ${ctx.runId} failed for project ${project.name}: ${ctx.error ?? "unknown error"}. Surface a one-line diagnosis and a suggested next step.`;
+        } else {
+          const top = ctx.topCompetitors.map((c) => `${c.domain}(${c.hits})`).join(", ") || "none";
+          content = `[system] Discovery run ${ctx.runId} completed for project ${project.name} (session ${ctx.sessionId}). Buckets \u2014 cited:${ctx.buckets.cited}, wasted-surface:${ctx.buckets["wasted-surface"]}, aspirational:${ctx.buckets.aspirational} (${ctx.probeCount} probes; seed provider: ${ctx.seedProvider ?? "unknown"}). Top recurring competitor domains: ${top}. Use canonry_discover_session_get to pull per-query buckets and call out anything worth promoting to the tracked basket. Keep it tight.`;
+        }
+      } else {
+        content = `[system] Run ${ctx.runId} completed for project ${project.name}. ${ctx.insightCount} insights generated (${ctx.criticalOrHigh} critical/high). Use canonry_run_get to inspect the run and canonry_insights_list to review new findings. Surface anything notable briefly \u2014 skip chit-chat.`;
+      }
       sessionRegistry.queueFollowUp(project.name, {
         role: "user",
-        content: `[system] Run ${runId} completed for project ${project.name}. ${insightCount} insights generated (${criticalOrHigh} critical/high). Use canonry_run_get to inspect the run and canonry_insights_list to review new findings. Surface anything notable briefly \u2014 skip chit-chat.`,
+        content,
         timestamp: Date.now()
       });
       void sessionRegistry.drainNow(project.name);
@@ -26351,7 +27162,7 @@ async function createServer(opts) {
       return removed;
     }
   };
-  const googleStateSecret = process.env.GOOGLE_STATE_SECRET ?? crypto31.randomBytes(32).toString("hex");
+  const googleStateSecret = process.env.GOOGLE_STATE_SECRET ?? crypto34.randomBytes(32).toString("hex");
   const googleConnectionStore = {
     listConnections: (domain) => listGoogleConnections(opts.config, domain),
     getConnection: (domain, connectionType) => getGoogleConnection(opts.config, domain, connectionType),
@@ -26397,11 +27208,11 @@ async function createServer(opts) {
   const apiPrefix = basePath ? `${basePath}api/v1` : "/api/v1";
   if (opts.config.apiKey) {
     const keyHash = hashApiKey(opts.config.apiKey);
-    const existing = opts.db.select().from(apiKeys).where(eq36(apiKeys.keyHash, keyHash)).get();
+    const existing = opts.db.select().from(apiKeys).where(eq40(apiKeys.keyHash, keyHash)).get();
     if (!existing) {
       const prefix = opts.config.apiKey.slice(0, 12);
       opts.db.insert(apiKeys).values({
-        id: `key_${crypto31.randomBytes(8).toString("hex")}`,
+        id: `key_${crypto34.randomBytes(8).toString("hex")}`,
         name: "default",
         keyHash,
         keyPrefix: prefix,
@@ -26425,7 +27236,7 @@ async function createServer(opts) {
   };
   const createSession = (apiKeyId) => {
     pruneExpiredSessions();
-    const sessionId = crypto31.randomBytes(32).toString("hex");
+    const sessionId = crypto34.randomBytes(32).toString("hex");
     sessions.set(sessionId, {
       apiKeyId,
       expiresAt: Date.now() + SESSION_TTL_MS
@@ -26449,7 +27260,7 @@ async function createServer(opts) {
   };
   const getDefaultApiKey = () => {
     if (!opts.config.apiKey) return void 0;
-    return opts.db.select().from(apiKeys).where(eq36(apiKeys.keyHash, hashApiKey(opts.config.apiKey))).get();
+    return opts.db.select().from(apiKeys).where(eq40(apiKeys.keyHash, hashApiKey(opts.config.apiKey))).get();
   };
   const createPasswordSession = (reply) => {
     const key = getDefaultApiKey();
@@ -26506,12 +27317,12 @@ async function createServer(opts) {
       return reply.send({ authenticated: true });
     }
     if (apiKey) {
-      const key = opts.db.select().from(apiKeys).where(eq36(apiKeys.keyHash, hashApiKey(apiKey))).get();
+      const key = opts.db.select().from(apiKeys).where(eq40(apiKeys.keyHash, hashApiKey(apiKey))).get();
       if (!key || key.revokedAt) {
         const err2 = authInvalid();
         return reply.status(err2.statusCode).send(err2.toJSON());
       }
-      opts.db.update(apiKeys).set({ lastUsedAt: (/* @__PURE__ */ new Date()).toISOString() }).where(eq36(apiKeys.id, key.id)).run();
+      opts.db.update(apiKeys).set({ lastUsedAt: (/* @__PURE__ */ new Date()).toISOString() }).where(eq40(apiKeys.id, key.id)).run();
       const sessionId = createSession(key.id);
       reply.header("set-cookie", serializeSessionCookie({
         name: SESSION_COOKIE_NAME,
@@ -26621,7 +27432,7 @@ async function createServer(opts) {
         deps: {
           enqueueAutoExtract: ({ projectId, release: r }) => {
             const now = (/* @__PURE__ */ new Date()).toISOString();
-            const runId = crypto31.randomUUID();
+            const runId = crypto34.randomUUID();
             opts.db.insert(runs).values({
               id: runId,
               projectId,
@@ -26644,6 +27455,20 @@ async function createServer(opts) {
         app.log.error({ runId, err }, "Backlink extract failed");
       });
     },
+    onDiscoveryRunRequested: (input) => {
+      executeDiscoveryRun({
+        db: opts.db,
+        registry,
+        runId: input.runId,
+        sessionId: input.sessionId,
+        projectId: input.projectId,
+        icpDescription: input.icpDescription,
+        dedupThreshold: input.dedupThreshold,
+        maxProbes: input.maxProbes
+      }).then(() => runCoordinator.onRunCompleted(input.runId, input.projectId)).catch((err) => {
+        app.log.error({ runId: input.runId, err }, "Discovery run failed");
+      });
+    },
     onBacklinksPruneCache: (release) => {
       try {
         pruneCachedRelease(release);
@@ -26769,7 +27594,7 @@ async function createServer(opts) {
         const targetProjectIds = affectedProjectIds.length > 0 ? affectedProjectIds : [null];
         const createdAt = (/* @__PURE__ */ new Date()).toISOString();
         opts.db.insert(auditLog).values(targetProjectIds.map((projectId) => ({
-          id: crypto31.randomUUID(),
+          id: crypto34.randomUUID(),
           projectId,
           actor: "api",
           action: existing ? "provider.updated" : "provider.created",