We Found the Leak in Google Ads

Each of the 6 phases is a specific checkpoint with a specific question to answer. You can't shortcut around them. Here is what each phase looks like in plain English, the real-world thing it's modeled on, what it would have caught last night if we'd had it in place on day 1, and when Robert reaches for it.

The 6 phases tell you WHAT to do in what order. The 7 hard rules tell you what you're NEVER allowed to do, no matter how tempting. Each rule was written in blood last night. Every one of them comes from a specific moment in the debug where we almost missed a bug because we didn't have the rule yet. Here is each rule, the pain that taught us, and the analogy that makes it stick.

1. Open Slack desktop or web app, log in as Robert
2. Click on the channel that BSP currently uses for notifications (likely #nexus-alerts, #general, or whichever channel the SLACK_WEBHOOK_URL was originally bound to)
3. Look for two messages timestamped around 22:35 and 22:38 UTC on Apr 11, 2026:
   • First ping: "🔧 Nexus webhook smoke test at 22:35 UTC..."
   • Second: "🔥 BIG SALE $7,500.00 · Sewer Main Replacement · gclid_source=phone_fallback:9135550000:@now"
4. If both messages are visible: alerts are firing correctly. Skip to STEP 1.3 (optional dedicated webhooks) or stop here.
5. If you can't find them anywhere: the existing webhook URL may have been revoked. Follow STEP 1.2 to mint fresh webhooks.

1. In Slack, click the BSP workspace name (top left) → Tools & settings → Manage apps
2. New browser tab opens to https://[workspace].slack.com/apps. In the search bar, type "Incoming Webhooks" and click the first result
3. Click the green "Add to Slack" button
4. Dropdown appears: Post to Channel. Select #big-sale-alert. Click "Add Incoming WebHooks integration"
5. Next page shows a Webhook URL like https://hooks.slack.com/services/T.../B.../.../. Copy it to clipboard
6. Scroll down, optionally change the display name to Nexus Big Sale Bot and the icon to 🔥. Click Save Settings
7. Repeat steps 3-6 for #lost-sales, naming that one Nexus Lost Sale Bot with icon ❄️
8. You now have 2 dedicated URLs. Proceed to STEP 1.3

1. SSH to the VM: ssh -i ~/.ssh/google_compute_engine dovew@34.55.179.122
2. Edit the env file: sudo nano /opt/nexus/nexus/config/.env
3. Find the two lines that currently read:

   SLACK_BIG_SALE_WEBHOOK=https://hooks.slack.com/services/T05NXFBH0PR/...
   SLACK_LOST_SALES_WEBHOOK=https://hooks.slack.com/services/T05NXFBH0PR/...

4. Replace each URL with the dedicated one you copied in STEP 1.2
5. Ctrl+O to save, Enter to confirm, Ctrl+X to exit nano
6. Restart the listener: sudo systemctl restart nexus-st-webhook.service
7. Verify it's active: systemctl is-active nexus-st-webhook.service (should print active)
8. Fire a test: curl -s http://localhost:8511/health (should return JSON with "status":"ok")
9. Check that both channels get the next real invoice alert from Ashton's next invoice post

1. Log into ServiceTitan at app.servicetitan.io as Robert (admin role required)
2. Click the ⚙ gear icon in the top-right corner — that opens Settings
3. In the left sidebar, navigate to Operations → Custom Fields
   Full path: Settings > Operations > Custom Fields
4. You'll see a list of existing custom fields grouped by object type (Customer, Location, Job, Invoice, etc.)
5. Click the "+ Add New" button (usually top right of the Custom Fields list)

1. Scroll down to the "Visibility" or "Permissions" section of the custom field editor
2. Set the following role-based permissions:
   • Office / Admin roles (Ashton, Kalen, Stephanie, Robert, CSR): Read + Write
   • Technician / Field roles (all plumbers, install techs): HIDDEN — not just read-only, fully hidden from ST Mobile
   • API access: Read + Write (this is what lets our webhook listener + bridge populate it)
3. Why hidden-from-techs: techs don't need to see it, and hiding it from ST Mobile keeps the field form clean
4. Click Save at the bottom of the editor

1. Open any recent ST job (Dispatch → Today → click any job row)
2. Scroll to the Custom Fields section of the job detail view
3. Confirm the new GCLID field appears, empty, with an input box
4. Paste a test value like TEST_GCLID_apr11 and click Save
5. Within 30 seconds, the Nexus webhook listener should log a job.updated event with the GCLID. Verify via SSH:

   ssh -i ~/.ssh/google_compute_engine dovew@34.55.179.122 \
     "grep TEST_GCLID_apr11 /opt/nexus/nexus/scripts/output/st_webhook.log | tail -5"

6. If the grep finds the value, the field-to-listener path is working end-to-end. Clear the test value from the job before closing.

1. SSH to the VM: ssh -i ~/.ssh/google_compute_engine dovew@34.55.179.122
2. Edit the nginx config for morpheus: sudo nano /etc/nginx/sites-available/morpheus.callbrightside.com
3. Inside the server { ... } block that handles HTTPS on port 443, add this new location block BEFORE the closing brace:

   # GCLID bridge — Snippet #55 capture receiver (Task #16)
   location /gclid/ {
       proxy_pass http://127.0.0.1:8512/gclid/;
       proxy_http_version 1.1;
       proxy_set_header Host $host;
       proxy_set_header X-Real-IP $remote_addr;
       proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
       proxy_set_header X-Forwarded-Proto $scheme;
       proxy_set_header Origin $http_origin;
       proxy_read_timeout 10s;
       proxy_connect_timeout 5s;
   
       # CORS preflight — the bridge handles CORS in-code but we pass through
       if ($request_method = 'OPTIONS') {
           add_header Access-Control-Allow-Origin "$http_origin";
           add_header Access-Control-Allow-Methods "POST, OPTIONS";
           add_header Access-Control-Allow-Headers "Content-Type";
           add_header Access-Control-Max-Age 86400;
           return 204;
       }
   }
   
   # ST webhook listener — ServiceTitan → Nexus (invoice events)
   location /st/webhook {
       proxy_pass http://127.0.0.1:8511/st/webhook;
       proxy_http_version 1.1;
       proxy_set_header Host $host;
       proxy_set_header X-Real-IP $remote_addr;
       proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
       proxy_set_header X-Titan-Signature $http_x_titan_signature;
       proxy_read_timeout 10s;
   }

4. Ctrl+O, Enter, Ctrl+X to save and exit
5. Test the nginx config for syntax: sudo nginx -t (must print syntax is ok and test is successful)
6. Reload nginx without downtime: sudo systemctl reload nginx
7. Verify the bridge is reachable from outside:

   curl -s https://morpheus.callbrightside.com/gclid/health

   Should return JSON with "status":"ok". If it 404s, nginx didn't pick up the new block — re-check the file location and run the reload again.

1. Log into WordPress admin at callbrightside.com/wp-admin as Robert
2. In the left sidebar, click Snippets (Code Snippets plugin)
3. Find Snippet #55 — "CRO form v4.0" (or whatever name it has). Click Edit
4. At the BOTTOM of the existing JavaScript in the snippet (before any closing script tags), paste this new capture-and-POST block:

   // ============================================
   // Nexus GCLID Bridge capture (Task #16)
   // Fires on form submit — POSTs capture to VM
   // ============================================
   (function() {
     const BRIDGE_URL = 'https://morpheus.callbrightside.com/gclid/capture';
   
     function getParam(name) {
       const m = new RegExp('[?&]' + name + '=([^&]*)').exec(window.location.search);
       return m ? decodeURIComponent(m[1]) : null;
     }
   
     // Capture GCLID from URL on page load and stash in sessionStorage
     const urlGclid = getParam('gclid');
     if (urlGclid) sessionStorage.setItem('bsp_gclid', urlGclid);
     const urlWbraid = getParam('wbraid');
     if (urlWbraid) sessionStorage.setItem('bsp_wbraid', urlWbraid);
     const urlGbraid = getParam('gbraid');
     if (urlGbraid) sessionStorage.setItem('bsp_gbraid', urlGbraid);
   
     // Hook the CRO form submit — send capture to bridge
     document.addEventListener('submit', function(e) {
       const form = e.target;
       if (!form || !form.matches('form')) return;
   
       // Only fire for forms on landing/service pages with phone inputs
       const phoneInput = form.querySelector('input[name*="phone" i], input[type="tel"]');
       if (!phoneInput) return;
   
       const payload = {
         gclid: sessionStorage.getItem('bsp_gclid') || null,
         wbraid: sessionStorage.getItem('bsp_wbraid') || null,
         gbraid: sessionStorage.getItem('bsp_gbraid') || null,
         phone: phoneInput.value,
         email: (form.querySelector('input[type="email"]') || {}).value || null,
         name: (form.querySelector('input[name*="name" i]') || {}).value || null,
         landing_page: window.location.pathname,
         referrer: document.referrer || null,
         utm_source: getParam('utm_source'),
         utm_medium: getParam('utm_medium'),
         utm_campaign: getParam('utm_campaign'),
         session_id: sessionStorage.getItem('bsp_session') || null,
         form_submitted_at: new Date().toISOString()
       };
   
       // Only post if we have at least a gclid or phone
       if (!payload.gclid && !payload.wbraid && !payload.gbraid && !payload.phone) return;
   
       // Fire-and-forget POST (don't block the form submit)
       try {
         navigator.sendBeacon(BRIDGE_URL, new Blob([JSON.stringify(payload)], { type: 'application/json' }));
       } catch (err) {
         // Fallback for browsers without sendBeacon
         fetch(BRIDGE_URL, {
           method: 'POST',
           headers: { 'Content-Type': 'application/json' },
           body: JSON.stringify(payload),
           keepalive: true
         }).catch(function() {});
       }
     }, true);
   })();

5. Click Update at the top of the snippet editor
6. Make sure the snippet's Run everywhere or Run on landing pages toggle is ON
7. Purge WordPress cache (WP Rocket → Clear Cache), Cloudflare cache (dashboard → Caching → Purge Everything), and LiteSpeed cache if present

1. Open an incognito/private browser window
2. Navigate to https://callbrightside.com/sewer-camera-inspection/?gclid=TEST_MANUAL_12345&utm_source=google&utm_medium=cpc&utm_campaign=manual_test
3. Fill in the form: Name: Test Robert, Phone: (913) 000-1111, Email: test@example.com
4. Submit the form (pick any service type)
5. The form will behave normally. In the background, Snippet #55 fires a beacon POST to the bridge
6. SSH to VM and verify the capture arrived:

   ssh ... "tail -5 /opt/nexus/nexus/scripts/output/gclid_bridge.log"
   ssh ... "psql -h localhost -U robert -d bsp_analytics -c \"SELECT * FROM titan.gclid_captures WHERE gclid='TEST_MANUAL_12345'\""

7. You should see a new row with the test phone and the TEST_MANUAL_12345 GCLID. If yes, Snippet #55 is wired end-to-end

1. Click an active BSP Google Ad in an incognito browser → lands on callbrightside.com/sewer-camera-inspection/ with a real GCLID in the URL
2. Fill out the form with your real phone and submit → Snippet #55 beacons the capture to the bridge → row appears in titan.gclid_captures
3. Call the office, Ashton books a mock job in ST for the same phone number → ST fires job.created webhook → listener logs it
4. Mark the mock job Complete, add a test invoice for $1 to a fake customer, post and mark Paid → ST fires invoice.paid webhook with terminal status
5. Listener phone-matches the capture from step 2 → fires uploadClickConversions to Google Ads with the $1 value → logs success in titan.google_ads_conversion_log
6. 24 hours later, check Google Ads → Tools → Conversions → "ST Call Completed (API)" → you'll see 1 conversion credited to the real GCLID