@squadbase/vite-server 0.1.12-dev.a9ac647 → 0.1.17-dev.3b633bb

package/dist/connectors/google-analytics.js

@@ -1,51 +1,63 @@
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __esm = (fn, res) => function __init() {
+  return fn && (res = (0, fn[__getOwnPropNames(fn)[0]])(fn = 0)), res;
+};
+
 // ../connectors/src/parameter-definition.ts
-var ParameterDefinition = class {
-  slug;
-  name;
-  description;
-  envVarBaseKey;
-  type;
-  secret;
-  required;
-  constructor(config) {
-    this.slug = config.slug;
-    this.name = config.name;
-    this.description = config.description;
-    this.envVarBaseKey = config.envVarBaseKey;
-    this.type = config.type;
-    this.secret = config.secret;
-    this.required = config.required;
-  }
-  /**
-   * Get the parameter value from a ConnectorConnectionObject.
-   */
-  getValue(connection2) {
-    const param = connection2.parameters.find(
-      (p) => p.parameterSlug === this.slug
-    );
-    if (!param || param.value == null) {
-      throw new Error(
-        `Parameter "${this.slug}" not found or has no value in connection "${connection2.id}"`
-      );
-    }
-    return param.value;
-  }
-  /**
-   * Try to get the parameter value. Returns undefined if not found (for optional params).
-   */
-  tryGetValue(connection2) {
-    const param = connection2.parameters.find(
-      (p) => p.parameterSlug === this.slug
-    );
-    if (!param || param.value == null) return void 0;
-    return param.value;
+var ParameterDefinition;
+var init_parameter_definition = __esm({
+  "../connectors/src/parameter-definition.ts"() {
+    "use strict";
+    ParameterDefinition = class {
+      slug;
+      name;
+      description;
+      envVarBaseKey;
+      type;
+      secret;
+      required;
+      constructor(config) {
+        this.slug = config.slug;
+        this.name = config.name;
+        this.description = config.description;
+        this.envVarBaseKey = config.envVarBaseKey;
+        this.type = config.type;
+        this.secret = config.secret;
+        this.required = config.required;
+      }
+      /**
+       * Get the parameter value from a ConnectorConnectionObject.
+       */
+      getValue(connection2) {
+        const param = connection2.parameters.find(
+          (p) => p.parameterSlug === this.slug
+        );
+        if (!param || param.value == null) {
+          throw new Error(
+            `Parameter "${this.slug}" not found or has no value in connection "${connection2.id}"`
+          );
+        }
+        return param.value;
+      }
+      /**
+       * Try to get the parameter value. Returns undefined if not found (for optional params).
+       */
+      tryGetValue(connection2) {
+        const param = connection2.parameters.find(
+          (p) => p.parameterSlug === this.slug
+        );
+        if (!param || param.value == null) return void 0;
+        return param.value;
+      }
+    };
   }
-};
+});
 
 // ../connectors/src/connectors/google-analytics/sdk/index.ts
 import * as crypto from "crypto";
 
 // ../connectors/src/connectors/google-analytics/parameters.ts
+init_parameter_definition();
 var parameters = {
   serviceAccountKeyJsonBase64: new ParameterDefinition({
     slug: "service-account-key-json-base64",
@@ -55,15 +67,6 @@ var parameters = {
     type: "base64EncodedJson",
     secret: true,
     required: true
-  }),
-  propertyId: new ParameterDefinition({
-    slug: "property-id",
-    name: "Google Analytics Property ID",
-    description: "The Google Analytics 4 property ID (e.g., 123456789).",
-    envVarBaseKey: "GA_PROPERTY_ID",
-    type: "text",
-    secret: false,
-    required: true
   })
 };
 
@@ -95,15 +98,9 @@ function buildJwt(clientEmail, privateKey, nowSec) {
 }
 function createClient(params) {
   const serviceAccountKeyJsonBase64 = params[parameters.serviceAccountKeyJsonBase64.slug];
-  const propertyId = params[parameters.propertyId.slug];
-  if (!serviceAccountKeyJsonBase64 || !propertyId) {
-    const required = [
-      parameters.serviceAccountKeyJsonBase64.slug,
-      parameters.propertyId.slug
-    ];
-    const missing = required.filter((s) => !params[s]);
+  if (!serviceAccountKeyJsonBase64) {
     throw new Error(
-      `google-analytics: missing required parameters: ${missing.join(", ")}`
+      `google-analytics: missing required parameters: ${parameters.serviceAccountKeyJsonBase64.slug}`
     );
   }
   let serviceAccountKey;
@@ -125,7 +122,7 @@ function createClient(params) {
   }
   let cachedToken = null;
   let tokenExpiresAt = 0;
-  async function getAccessToken() {
+  async function getAccessToken2() {
     const nowSec = Math.floor(Date.now() / 1e3);
     if (cachedToken && nowSec < tokenExpiresAt - 60) {
       return cachedToken;
@@ -156,14 +153,13 @@ function createClient(params) {
   }
   return {
     async request(path2, init) {
-      const accessToken = await getAccessToken();
-      const resolvedPath = path2.replace(/\{propertyId\}/g, propertyId);
-      const url = `${BASE_URL.replace(/\/+$/, "")}/${resolvedPath.replace(/^\/+/, "")}`;
+      const accessToken = await getAccessToken2();
+      const url = `${BASE_URL.replace(/\/+$/, "")}/${path2.replace(/^\/+/, "")}`;
       const headers = new Headers(init?.headers);
       headers.set("Authorization", `Bearer ${accessToken}`);
       return fetch(url, { ...init, headers });
     },
-    async runReport(request) {
+    async runReport(propertyId, request) {
       const response = await this.request(
         `properties/${propertyId}:runReport`,
         {
@@ -184,7 +180,7 @@ function createClient(params) {
         rowCount: data.rowCount ?? 0
       };
     },
-    async getMetadata() {
+    async getMetadata(propertyId) {
       const response = await this.request(
         `properties/${propertyId}/metadata`,
         { method: "GET" }
@@ -197,7 +193,7 @@ function createClient(params) {
       }
       return await response.json();
     },
-    async runRealtimeReport(request) {
+    async runRealtimeReport(propertyId, request) {
       const response = await this.request(
         `properties/${propertyId}:runRealtimeReport`,
         {
@@ -280,6 +276,28 @@ var ConnectorPlugin = class _ConnectorPlugin {
   tools;
   query;
   checkConnection;
+  /**
+   * SQPD-1212: Logic-based, rule-driven connection setup. Connectors that
+   * implement this expose a step-by-step exploration flow (database/schema/
+   * table/etc. discovery) that the dashboard backend drives via the
+   * `/connections/:connectionId/setup` endpoint. Implement by delegating to
+   * `runSetupFlow` from `setup-flow.ts`.
+   */
+  setup;
+  /**
+   * Opt-out of the default "verify before save" behavior on connection
+   * creation. The backend invokes `checkConnection` synchronously while
+   * creating the connection and aborts (no row inserted) if it fails — this
+   * flag disables that for connectors where the check cannot succeed pre-save:
+   *
+   *   - `squadbase-db` populates `connection-url` only after Neon provisioning
+   *   - OAuth connectors require an OAuth-aware proxyFetch keyed by the
+   *     connectionId, which doesn't exist until the row is saved
+   *
+   * Exceptions are the explicit position; new credential-input connectors get
+   * the default verify-on-create behavior without opt-in.
+   */
+  skipConnectionCheckOnCreate;
   constructor(config) {
     this.slug = config.slug;
     this.authType = config.authType;
@@ -296,6 +314,8 @@ var ConnectorPlugin = class _ConnectorPlugin {
     this.tools = config.tools;
     this.query = config.query;
     this.checkConnection = config.checkConnection;
+    this.setup = config.setup;
+    this.skipConnectionCheckOnCreate = config.skipConnectionCheckOnCreate;
   }
   get connectorKey() {
     return _ConnectorPlugin.deriveKey(this.slug, this.authType);
@@ -360,6 +380,76 @@ var ConnectorPlugin = class _ConnectorPlugin {
   }
 };
 
+// ../connectors/src/setup-flow.ts
+async function runSetupFlow(flow, params, ctx, config) {
+  const runtime = {
+    params,
+    language: ctx.language,
+    config
+  };
+  let state = flow.initialState();
+  let answerIdx = 0;
+  const pendingParameterUpdates = [];
+  for (const step of flow.steps) {
+    const ans = ctx.answers[answerIdx];
+    if (ans && ans.questionSlug === step.slug) {
+      state = step.applyAnswer(state, ans.answer);
+      if (step.toParameterUpdates) {
+        pendingParameterUpdates.push(...step.toParameterUpdates(state));
+      }
+      answerIdx += 1;
+      continue;
+    }
+    const resolvedAllowFreeText = step.allowFreeText !== void 0 ? step.allowFreeText : true;
+    if (step.type === "text") {
+      if (step.fetchOptions) {
+        const options2 = await step.fetchOptions(state, runtime);
+        if (options2.length === 0) {
+          continue;
+        }
+      }
+      return {
+        type: "nextQuestion",
+        questionSlug: step.slug,
+        question: step.question[ctx.language],
+        questionType: "text",
+        allowFreeText: resolvedAllowFreeText,
+        ...pendingParameterUpdates.length > 0 && {
+          parameterUpdates: pendingParameterUpdates
+        }
+      };
+    }
+    const options = step.fetchOptions ? await step.fetchOptions(state, runtime) : [];
+    if (options.length === 0) {
+      continue;
+    }
+    return {
+      type: "nextQuestion",
+      questionSlug: step.slug,
+      question: step.question[ctx.language],
+      questionType: step.type,
+      options,
+      allowFreeText: resolvedAllowFreeText,
+      ...pendingParameterUpdates.length > 0 && {
+        parameterUpdates: pendingParameterUpdates
+      }
+    };
+  }
+  const dataInvestigationResult = await flow.finalize(state, runtime);
+  return {
+    type: "fulfilled",
+    dataInvestigationResult,
+    ...pendingParameterUpdates.length > 0 && {
+      parameterUpdates: pendingParameterUpdates
+    }
+  };
+}
+async function resolveSetupSelection(params) {
+  const { selected, allSentinel, fetchAll, limit } = params;
+  const resolved = selected.includes(allSentinel) ? await fetchAll() : selected.filter((v) => v !== allSentinel);
+  return resolved.slice(0, limit);
+}
+
 // ../connectors/src/auth-types.ts
 var AUTH_TYPES = {
   OAUTH: "oauth",
@@ -380,6 +470,330 @@ var googleAnalyticsOnboarding = new ConnectorOnboarding({
   }
 });
 
+// ../connectors/src/connectors/google-analytics/utils.ts
+import * as crypto2 from "crypto";
+var TOKEN_URL2 = "https://oauth2.googleapis.com/token";
+var ADMIN_BASE_URL = "https://analyticsadmin.googleapis.com/v1beta";
+var DATA_BASE_URL = "https://analyticsdata.googleapis.com/v1beta";
+var SCOPE2 = "https://www.googleapis.com/auth/analytics.readonly";
+function base64url2(input) {
+  const buf = typeof input === "string" ? Buffer.from(input) : input;
+  return buf.toString("base64url");
+}
+function buildJwt2(clientEmail, privateKey, nowSec) {
+  const header = base64url2(JSON.stringify({ alg: "RS256", typ: "JWT" }));
+  const payload = base64url2(
+    JSON.stringify({
+      iss: clientEmail,
+      scope: SCOPE2,
+      aud: TOKEN_URL2,
+      iat: nowSec,
+      exp: nowSec + 3600
+    })
+  );
+  const signingInput = `${header}.${payload}`;
+  const sign = crypto2.createSign("RSA-SHA256");
+  sign.update(signingInput);
+  sign.end();
+  const signature = base64url2(sign.sign(privateKey));
+  return `${signingInput}.${signature}`;
+}
+function decodeServiceAccount(serviceAccountKeyJsonBase64) {
+  let serviceAccountKey;
+  try {
+    const decoded = Buffer.from(
+      serviceAccountKeyJsonBase64,
+      "base64"
+    ).toString("utf-8");
+    serviceAccountKey = JSON.parse(decoded);
+  } catch {
+    throw new Error(
+      "google-analytics: failed to decode service account key JSON from base64"
+    );
+  }
+  if (!serviceAccountKey.client_email || !serviceAccountKey.private_key) {
+    throw new Error(
+      "google-analytics: service account key JSON must contain client_email and private_key"
+    );
+  }
+  return serviceAccountKey;
+}
+async function getAccessToken(serviceAccountKey) {
+  const nowSec = Math.floor(Date.now() / 1e3);
+  const jwt = buildJwt2(
+    serviceAccountKey.client_email,
+    serviceAccountKey.private_key,
+    nowSec
+  );
+  const response = await fetch(TOKEN_URL2, {
+    method: "POST",
+    headers: { "Content-Type": "application/x-www-form-urlencoded" },
+    body: new URLSearchParams({
+      grant_type: "urn:ietf:params:oauth:grant-type:jwt-bearer",
+      assertion: jwt
+    })
+  });
+  if (!response.ok) {
+    const text = await response.text();
+    throw new Error(
+      `google-analytics: token exchange failed (${response.status}): ${text}`
+    );
+  }
+  const data = await response.json();
+  return data.access_token;
+}
+async function adminFetch(params, path2, init) {
+  const keyJsonBase64 = params[parameters.serviceAccountKeyJsonBase64.slug];
+  if (!keyJsonBase64) {
+    throw new Error(
+      "google-analytics: missing required parameter: service-account-key-json-base64"
+    );
+  }
+  const serviceAccountKey = decodeServiceAccount(keyJsonBase64);
+  const accessToken = await getAccessToken(serviceAccountKey);
+  const url = `${ADMIN_BASE_URL}${path2.startsWith("/") ? "" : "/"}${path2}`;
+  const headers = new Headers(init?.headers);
+  headers.set("Authorization", `Bearer ${accessToken}`);
+  return fetch(url, { ...init, headers });
+}
+async function dataFetch(params, path2, init) {
+  const keyJsonBase64 = params[parameters.serviceAccountKeyJsonBase64.slug];
+  if (!keyJsonBase64) {
+    throw new Error(
+      "google-analytics: missing required parameter: service-account-key-json-base64"
+    );
+  }
+  const serviceAccountKey = decodeServiceAccount(keyJsonBase64);
+  const accessToken = await getAccessToken(serviceAccountKey);
+  const url = `${DATA_BASE_URL}${path2.startsWith("/") ? "" : "/"}${path2}`;
+  const headers = new Headers(init?.headers);
+  headers.set("Authorization", `Bearer ${accessToken}`);
+  return fetch(url, { ...init, headers });
+}
+
+// ../connectors/src/connectors/google-analytics/setup-flow.ts
+var ALL_PROPERTIES = "__ALL_PROPERTIES__";
+var GOOGLE_ANALYTICS_SETUP_MAX_PROPERTIES = 20;
+var METADATA_DISPLAY_LIMIT = 30;
+async function listAccountSummaries(params) {
+  const summaries = [];
+  let pageToken;
+  do {
+    const path2 = pageToken ? `/accountSummaries?pageToken=${encodeURIComponent(pageToken)}` : `/accountSummaries`;
+    const res = await adminFetch(params, path2);
+    if (!res.ok) {
+      const body = await res.text().catch(() => res.statusText);
+      throw new Error(
+        `google-analytics: accountSummaries failed (${res.status}): ${body}`
+      );
+    }
+    const data = await res.json();
+    summaries.push(...data.accountSummaries ?? []);
+    pageToken = data.nextPageToken;
+  } while (pageToken);
+  return summaries;
+}
+function propertyIdFromResource(resource) {
+  return (resource ?? "").replace(/^properties\//, "");
+}
+async function getProperty(params, propertyId) {
+  const res = await adminFetch(params, `/properties/${propertyId}`);
+  if (!res.ok) return null;
+  return await res.json();
+}
+async function getMetadata(params, propertyId) {
+  try {
+    const res = await dataFetch(
+      params,
+      `/properties/${propertyId}/metadata`
+    );
+    if (!res.ok) return { dimensions: [], metrics: [] };
+    const data = await res.json();
+    return {
+      dimensions: data.dimensions ?? [],
+      metrics: data.metrics ?? []
+    };
+  } catch {
+    return { dimensions: [], metrics: [] };
+  }
+}
+function appendMetadataSection(sections, dimensions, metrics) {
+  if (dimensions.length > 0) {
+    sections.push(`#### Dimensions (${dimensions.length})`, "");
+    for (const d of dimensions.slice(0, METADATA_DISPLAY_LIMIT)) {
+      sections.push(`- ${d.apiName ?? d.uiName ?? "(unknown)"}`);
+    }
+    if (dimensions.length > METADATA_DISPLAY_LIMIT) {
+      sections.push(
+        `- \u2026and ${dimensions.length - METADATA_DISPLAY_LIMIT} more`
+      );
+    }
+    sections.push("");
+  }
+  if (metrics.length > 0) {
+    sections.push(`#### Metrics (${metrics.length})`, "");
+    for (const m of metrics.slice(0, METADATA_DISPLAY_LIMIT)) {
+      sections.push(`- ${m.apiName ?? m.uiName ?? "(unknown)"}`);
+    }
+    if (metrics.length > METADATA_DISPLAY_LIMIT) {
+      sections.push(
+        `- \u2026and ${metrics.length - METADATA_DISPLAY_LIMIT} more`
+      );
+    }
+    sections.push("");
+  }
+}
+var googleAnalyticsSetupFlow = {
+  initialState: () => ({}),
+  steps: [
+    {
+      slug: "account",
+      type: "select",
+      question: {
+        ja: "Google Analytics \u30A2\u30AB\u30A6\u30F3\u30C8\u3092\u9078\u3093\u3067\u304F\u3060\u3055\u3044",
+        en: "Select a Google Analytics account"
+      },
+      async fetchOptions(_state, rt) {
+        try {
+          const summaries = await listAccountSummaries(rt.params);
+          return summaries.map((s) => {
+            const accountResource = s.account ?? s.name ?? "";
+            if (!accountResource) return null;
+            return {
+              value: accountResource,
+              label: s.displayName ?? accountResource
+            };
+          }).filter((v) => v != null);
+        } catch {
+          return [];
+        }
+      },
+      applyAnswer: (state, answer) => ({ ...state, account: answer[0] })
+    },
+    {
+      slug: "properties",
+      type: "multiSelect",
+      question: {
+        ja: "\u5BFE\u8C61\u306E GA4 \u30D7\u30ED\u30D1\u30C6\u30A3\u3092\u9078\u3093\u3067\u304F\u3060\u3055\u3044\uFF08\u8907\u6570\u9078\u629E\u53EF\uFF09",
+        en: "Select target GA4 properties (multi-select allowed)"
+      },
+      async fetchOptions(state, rt) {
+        if (!state.account) return [];
+        try {
+          const summaries = await listAccountSummaries(rt.params);
+          const account = summaries.find(
+            (s) => (s.account ?? s.name) === state.account
+          );
+          const props = (account?.propertySummaries ?? []).map((p) => {
+            const id = propertyIdFromResource(p.property);
+            if (!id) return null;
+            return {
+              value: id,
+              label: p.displayName ? `${p.displayName} (${id})` : id
+            };
+          }).filter((v) => v != null);
+          if (props.length === 0) return [];
+          return [
+            {
+              value: ALL_PROPERTIES,
+              label: rt.language === "ja" ? "\u3059\u3079\u3066\u306E\u30D7\u30ED\u30D1\u30C6\u30A3" : "All properties"
+            },
+            ...props
+          ];
+        } catch {
+          return [];
+        }
+      },
+      applyAnswer: (state, answer) => ({ ...state, properties: answer })
+    },
+    {
+      slug: "manualPropertyId",
+      type: "text",
+      question: {
+        ja: "GA4 \u30D7\u30ED\u30D1\u30C6\u30A3 ID \u3092\u5165\u529B\u3057\u3066\u304F\u3060\u3055\u3044\uFF08\u4F8B: 123456789\uFF09\u3002GA4 \u7BA1\u7406\u753B\u9762 > \u30D7\u30ED\u30D1\u30C6\u30A3\u8A2D\u5B9A\u3067\u78BA\u8A8D\u3067\u304D\u307E\u3059\u3002",
+        en: "Enter your GA4 Property ID (e.g., 123456789). Found in GA4 Admin > Property Settings."
+      },
+      async fetchOptions(state) {
+        if (state.properties?.length) return [];
+        return [{ value: "_show", label: "" }];
+      },
+      applyAnswer: (state, answer) => ({
+        ...state,
+        manualPropertyId: answer[0]
+      })
+    }
+  ],
+  async finalize(state, rt) {
+    const sections = ["## Google Analytics", ""];
+    if (state.account && state.properties) {
+      let summaries = [];
+      try {
+        summaries = await listAccountSummaries(rt.params);
+      } catch {
+      }
+      const account = summaries.find(
+        (s) => (s.account ?? s.name) === state.account
+      );
+      const accountLabel = account?.displayName ?? state.account.replace(/^accounts\//, "");
+      const targetPropertyIds = await resolveSetupSelection({
+        selected: state.properties,
+        allSentinel: ALL_PROPERTIES,
+        fetchAll: async () => (account?.propertySummaries ?? []).map((p) => propertyIdFromResource(p.property)).filter((v) => v),
+        limit: GOOGLE_ANALYTICS_SETUP_MAX_PROPERTIES
+      });
+      sections.push(`### Account: ${accountLabel}`, "");
+      if (targetPropertyIds.length === 0) {
+        sections.push("_No properties selected._", "");
+        return sections.join("\n");
+      }
+      sections.push(
+        "| Property ID | Display Name | Time Zone | Currency | Industry |"
+      );
+      sections.push(
+        "|-------------|--------------|-----------|----------|----------|"
+      );
+      for (const pid of targetPropertyIds) {
+        const prop = await getProperty(rt.params, pid).catch(() => null);
+        const displayName = (prop?.displayName ?? "-").replace(/\|/g, "\\|");
+        const timeZone = prop?.timeZone ?? "-";
+        const currency = prop?.currencyCode ?? "-";
+        const industry = (prop?.industryCategory ?? "-").replace(
+          /\|/g,
+          "\\|"
+        );
+        sections.push(
+          `| ${pid} | ${displayName} | ${timeZone} | ${currency} | ${industry} |`
+        );
+      }
+      sections.push("");
+      const firstPropertyId = targetPropertyIds[0];
+      if (firstPropertyId) {
+        const { dimensions, metrics } = await getMetadata(
+          rt.params,
+          firstPropertyId
+        );
+        appendMetadataSection(sections, dimensions, metrics);
+      }
+      return sections.join("\n");
+    }
+    const propertyId = state.manualPropertyId;
+    if (propertyId) {
+      sections.push(`### Property: ${propertyId}`, "");
+      const { dimensions, metrics } = await getMetadata(
+        rt.params,
+        propertyId
+      );
+      appendMetadataSection(sections, dimensions, metrics);
+      return sections.join("\n");
+    }
+    sections.push(
+      "_Could not list GA4 accounts. Please enable the Google Analytics Admin API in your GCP project. Property ID can be specified per request at runtime._",
+      ""
+    );
+    return sections.join("\n");
+  }
+};
+
 // ../connectors/src/connectors/google-analytics/tools/request.ts
 import { z } from "zod";
 var BASE_URL2 = "https://analyticsdata.googleapis.com/v1beta/";
@@ -387,8 +801,9 @@ var REQUEST_TIMEOUT_MS = 6e4;
 var inputSchema = z.object({
   toolUseIntent: z.string().optional().describe("Brief description of what you intend to accomplish with this tool call"),
   connectionId: z.string().describe("ID of the Google Analytics connection to use"),
+  propertyId: z.string().describe("GA4 property ID (e.g., '123456789')"),
   method: z.enum(["GET", "POST"]).describe("HTTP method"),
-  path: z.string().describe("API path (e.g., 'properties/{propertyId}:runReport'). {propertyId} is automatically replaced."),
+  path: z.string().describe("API path (e.g., 'properties/{propertyId}:runReport'). {propertyId} is replaced with the propertyId parameter."),
   body: z.record(z.string(), z.unknown()).optional().describe("POST request body (JSON)")
 });
 var outputSchema = z.discriminatedUnion("success", [
@@ -406,10 +821,10 @@ var requestTool = new ConnectorTool({
   name: "request",
   description: `Send authenticated requests to the Google Analytics Data API.
 Authentication is handled automatically using a service account.
-{propertyId} in the path is automatically replaced with the connection's property-id.`,
+{propertyId} in the path is automatically replaced with the propertyId parameter.`,
   inputSchema,
   outputSchema,
-  async execute({ connectionId, method, path: path2, body }, connections) {
+  async execute({ connectionId, propertyId, method, path: path2, body }, connections) {
     const connection2 = connections.find((c) => c.id === connectionId);
     if (!connection2) {
       return { success: false, error: `Connection ${connectionId} not found` };
@@ -418,7 +833,6 @@ Authentication is handled automatically using a service account.
     try {
       const { GoogleAuth } = await import("google-auth-library");
       const keyJsonBase64 = parameters.serviceAccountKeyJsonBase64.getValue(connection2);
-      const propertyId = parameters.propertyId.getValue(connection2);
       const credentials = JSON.parse(
         Buffer.from(keyJsonBase64, "base64").toString("utf-8")
       );
@@ -478,16 +892,16 @@ var googleAnalyticsConnector = new ConnectorPlugin({
   systemPrompt: {
     en: `### Tools
 
-- \`google-analytics-service-account_request\`: The only way to call the GA4 Data API. Use it to fetch metadata, run reports, or run realtime reports. See the GA4 Data API Reference below for available endpoints and request bodies.
+- \`google-analytics-service-account_request\`: The only way to call the GA4 Data API. Use it to fetch metadata, run reports, or run realtime reports. Requires a \`propertyId\` parameter. See the GA4 Data API Reference below for available endpoints and request bodies.
 
 ### Business Logic
 
 The business logic type for this connector is "typescript". Use the connector SDK in your handler. Do NOT read credentials from environment variables.
 
 SDK methods (client created via \`connection(connectionId)\`):
-- \`client.runReport(request)\` \u2014 run a GA4 report
-- \`client.runRealtimeReport(request)\` \u2014 run a realtime report
-- \`client.getMetadata()\` \u2014 fetch available dimensions/metrics
+- \`client.runReport(propertyId, request)\` \u2014 run a GA4 report
+- \`client.runRealtimeReport(propertyId, request)\` \u2014 run a realtime report
+- \`client.getMetadata(propertyId)\` \u2014 fetch available dimensions/metrics
 - \`client.request(path, init?)\` \u2014 low-level authenticated fetch
 
 \`\`\`ts
@@ -497,12 +911,13 @@ import { connection } from "@squadbase/vite-server/connectors/google-analytics";
 const ga = connection("<connectionId>");
 
 export default async function handler(c: Context) {
-  const { startDate = "7daysAgo", endDate = "today" } = await c.req.json<{
+  const { propertyId, startDate = "7daysAgo", endDate = "today" } = await c.req.json<{
+    propertyId: string;
     startDate?: string;
     endDate?: string;
   }>();
 
-  const { rows } = await ga.runReport({
+  const { rows } = await ga.runReport(propertyId, {
     dateRanges: [{ startDate, endDate }],
     dimensions: [{ name: "date" }],
     metrics: [{ name: "activeUsers" }, { name: "sessions" }],
@@ -546,16 +961,16 @@ activeUsers, sessions, screenPageViews, bounceRate, averageSessionDuration, conv
 - Relative: \`"today"\`, \`"yesterday"\`, \`"7daysAgo"\`, \`"30daysAgo"\``,
     ja: `### \u30C4\u30FC\u30EB
 
-- \`google-analytics-service-account_request\`: GA4 Data API\u3092\u547C\u3073\u51FA\u3059\u552F\u4E00\u306E\u624B\u6BB5\u3067\u3059\u3002\u30E1\u30BF\u30C7\u30FC\u30BF\u306E\u53D6\u5F97\u3001\u30EC\u30DD\u30FC\u30C8\u306E\u5B9F\u884C\u3001\u30EA\u30A2\u30EB\u30BF\u30A4\u30E0\u30EC\u30DD\u30FC\u30C8\u306E\u5B9F\u884C\u306B\u4F7F\u7528\u3057\u307E\u3059\u3002\u5229\u7528\u53EF\u80FD\u306A\u30A8\u30F3\u30C9\u30DD\u30A4\u30F3\u30C8\u3068\u30EA\u30AF\u30A8\u30B9\u30C8\u30DC\u30C7\u30A3\u306F\u4E0B\u90E8\u306E\u300CGA4 Data API \u30EA\u30D5\u30A1\u30EC\u30F3\u30B9\u300D\u3092\u53C2\u7167\u3057\u3066\u304F\u3060\u3055\u3044\u3002
+- \`google-analytics-service-account_request\`: GA4 Data API\u3092\u547C\u3073\u51FA\u3059\u552F\u4E00\u306E\u624B\u6BB5\u3067\u3059\u3002\u30E1\u30BF\u30C7\u30FC\u30BF\u306E\u53D6\u5F97\u3001\u30EC\u30DD\u30FC\u30C8\u306E\u5B9F\u884C\u3001\u30EA\u30A2\u30EB\u30BF\u30A4\u30E0\u30EC\u30DD\u30FC\u30C8\u306E\u5B9F\u884C\u306B\u4F7F\u7528\u3057\u307E\u3059\u3002\`propertyId\` \u30D1\u30E9\u30E1\u30FC\u30BF\u30FC\u304C\u5FC5\u8981\u3067\u3059\u3002\u5229\u7528\u53EF\u80FD\u306A\u30A8\u30F3\u30C9\u30DD\u30A4\u30F3\u30C8\u3068\u30EA\u30AF\u30A8\u30B9\u30C8\u30DC\u30C7\u30A3\u306F\u4E0B\u90E8\u306E\u300CGA4 Data API \u30EA\u30D5\u30A1\u30EC\u30F3\u30B9\u300D\u3092\u53C2\u7167\u3057\u3066\u304F\u3060\u3055\u3044\u3002
 
 ### Business Logic
 
 \u3053\u306E\u30B3\u30CD\u30AF\u30BF\u306E\u30D3\u30B8\u30CD\u30B9\u30ED\u30B8\u30C3\u30AF\u30BF\u30A4\u30D7\u306F "typescript" \u3067\u3059\u3002\u30CF\u30F3\u30C9\u30E9\u5185\u3067\u306F\u30B3\u30CD\u30AF\u30BFSDK\u3092\u4F7F\u7528\u3057\u3066\u304F\u3060\u3055\u3044\u3002\u74B0\u5883\u5909\u6570\u304B\u3089\u8A8D\u8A3C\u60C5\u5831\u3092\u8AAD\u307F\u53D6\u3089\u306A\u3044\u3067\u304F\u3060\u3055\u3044\u3002
 
 SDK\u30E1\u30BD\u30C3\u30C9 (\`connection(connectionId)\` \u3067\u4F5C\u6210\u3057\u305F\u30AF\u30E9\u30A4\u30A2\u30F3\u30C8):
-- \`client.runReport(request)\` \u2014 GA4\u30EC\u30DD\u30FC\u30C8\u3092\u5B9F\u884C
-- \`client.runRealtimeReport(request)\` \u2014 \u30EA\u30A2\u30EB\u30BF\u30A4\u30E0\u30EC\u30DD\u30FC\u30C8\u3092\u5B9F\u884C
-- \`client.getMetadata()\` \u2014 \u5229\u7528\u53EF\u80FD\u306A\u30C7\u30A3\u30E1\u30F3\u30B7\u30E7\u30F3/\u30E1\u30C8\u30EA\u30AF\u30B9\u3092\u53D6\u5F97
+- \`client.runReport(propertyId, request)\` \u2014 GA4\u30EC\u30DD\u30FC\u30C8\u3092\u5B9F\u884C
+- \`client.runRealtimeReport(propertyId, request)\` \u2014 \u30EA\u30A2\u30EB\u30BF\u30A4\u30E0\u30EC\u30DD\u30FC\u30C8\u3092\u5B9F\u884C
+- \`client.getMetadata(propertyId)\` \u2014 \u5229\u7528\u53EF\u80FD\u306A\u30C7\u30A3\u30E1\u30F3\u30B7\u30E7\u30F3/\u30E1\u30C8\u30EA\u30AF\u30B9\u3092\u53D6\u5F97
 - \`client.request(path, init?)\` \u2014 \u4F4E\u30EC\u30D9\u30EB\u306E\u8A8D\u8A3C\u4ED8\u304Dfetch
 
 \`\`\`ts
@@ -565,12 +980,13 @@ import { connection } from "@squadbase/vite-server/connectors/google-analytics";
 const ga = connection("<connectionId>");
 
 export default async function handler(c: Context) {
-  const { startDate = "7daysAgo", endDate = "today" } = await c.req.json<{
+  const { propertyId, startDate = "7daysAgo", endDate = "today" } = await c.req.json<{
+    propertyId: string;
     startDate?: string;
     endDate?: string;
   }>();
 
-  const { rows } = await ga.runReport({
+  const { rows } = await ga.runReport(propertyId, {
     dateRanges: [{ startDate, endDate }],
     dimensions: [{ name: "date" }],
     metrics: [{ name: "activeUsers" }, { name: "sessions" }],
@@ -613,7 +1029,31 @@ activeUsers, sessions, screenPageViews, bounceRate, averageSessionDuration, conv
 - \u7D76\u5BFE\u5024: \`"2024-01-01"\`
 - \u76F8\u5BFE\u5024: \`"today"\`, \`"yesterday"\`, \`"7daysAgo"\`, \`"30daysAgo"\``
   },
-  tools
+  tools,
+  setup: (params, ctx, config) => runSetupFlow(googleAnalyticsSetupFlow, params, ctx, config),
+  async checkConnection(params, _config) {
+    const keyJsonBase64 = params[parameters.serviceAccountKeyJsonBase64.slug];
+    if (!keyJsonBase64) {
+      return {
+        success: false,
+        error: "google-analytics: missing service account key"
+      };
+    }
+    try {
+      const res = await dataFetch(params, `/metadata`);
+      if (!res.ok) {
+        const body = await res.text().catch(() => res.statusText);
+        return {
+          success: false,
+          error: `Google Analytics API failed: HTTP ${res.status} ${body}`
+        };
+      }
+      return { success: true };
+    } catch (err) {
+      const msg = err instanceof Error ? err.message : String(err);
+      return { success: false, error: msg };
+    }
+  }
 });
 
 // src/connectors/create-connector-sdk.ts
@@ -642,6 +1082,7 @@ function resolveEnvVarOptional(entry, key) {
 import { getContext } from "hono/context-storage";
 import { getCookie } from "hono/cookie";
 var APP_SESSION_COOKIE_NAME = "__Host-squadbase-session";
+var TABLEAU_SESSION_SENTINEL_URL = "squadbase://tableau-session/";
 function normalizeHeaders(input) {
   const out = {};
   if (!input) return out;
@@ -650,6 +1091,11 @@ function normalizeHeaders(input) {
   });
   return out;
 }
+function extractInputUrl(input) {
+  if (typeof input === "string") return input;
+  if (input instanceof URL) return input.href;
+  return input.url;
+}
 function createSandboxProxyFetch(connectionId) {
   return async (input, init) => {
     const token = process.env.INTERNAL_SQUADBASE_OAUTH_MACHINE_CREDENTIAL;
@@ -659,10 +1105,17 @@ function createSandboxProxyFetch(connectionId) {
         "Connection proxy is not configured. Please check your deployment settings."
       );
     }
-    const originalUrl = typeof input === "string" ? input : input instanceof URL ? input.href : input.url;
+    const originalUrl = extractInputUrl(input);
+    const baseDomain = process.env["SQUADBASE_PREVIEW_BASE_DOMAIN"] ?? "preview.app.squadbase.dev";
+    if (originalUrl === TABLEAU_SESSION_SENTINEL_URL) {
+      const sessionUrl = `https://${sandboxId}.${baseDomain}/_sqcore/connections/${connectionId}/tableau-session`;
+      return fetch(sessionUrl, {
+        method: "POST",
+        headers: { Authorization: `Bearer ${token}` }
+      });
+    }
     const originalMethod = init?.method ?? "GET";
     const originalBody = init?.body ? JSON.parse(init.body) : void 0;
-    const baseDomain = process.env["SQUADBASE_PREVIEW_BASE_DOMAIN"] ?? "preview.app.squadbase.dev";
     const proxyUrl = `https://${sandboxId}.${baseDomain}/_sqcore/connections/${connectionId}/request`;
     return fetch(proxyUrl, {
       method: "POST",
@@ -688,10 +1141,9 @@ function createDeployedAppProxyFetch(connectionId) {
   }
   const baseDomain = process.env["SQUADBASE_APP_BASE_DOMAIN"] ?? "squadbase.app";
   const proxyUrl = `https://${projectId}.${baseDomain}/_sqcore/connections/${connectionId}/request`;
+  const sessionUrl = `https://${projectId}.${baseDomain}/_sqcore/connections/${connectionId}/tableau-session`;
   return async (input, init) => {
-    const originalUrl = typeof input === "string" ? input : input instanceof URL ? input.href : input.url;
-    const originalMethod = init?.method ?? "GET";
-    const originalBody = init?.body ? JSON.parse(init.body) : void 0;
+    const originalUrl = extractInputUrl(input);
     const c = getContext();
     const appSession = getCookie(c, APP_SESSION_COOKIE_NAME);
     if (!appSession) {
@@ -699,6 +1151,14 @@ function createDeployedAppProxyFetch(connectionId) {
         "No authentication method available for connection proxy."
       );
     }
+    if (originalUrl === TABLEAU_SESSION_SENTINEL_URL) {
+      return fetch(sessionUrl, {
+        method: "POST",
+        headers: { Authorization: `Bearer ${appSession}` }
+      });
+    }
+    const originalMethod = init?.method ?? "GET";
+    const originalBody = init?.body ? JSON.parse(init.body) : void 0;
     return fetch(proxyUrl, {
       method: "POST",
       headers: {