
Orchestrating Multi-Site GA4 Audits and Blast Campaign Management at Scale

Over the past development session, we tackled a critical operational challenge: ensuring complete Google Analytics 4 instrumentation across our multi-site platform ecosystem, while simultaneously managing time-sensitive email blast campaigns and establishing programmatic access to GA4 data. This post covers the technical architecture, decision-making process, and specific implementations that made this possible.

The Problem: Fragmented Observability and Operational Bottlenecks

Our platform spans multiple domains (sailjada.com, salejada.com, burialsatsea.com, dangerouscentaur.com) with different deployment patterns. We had no unified visibility into:

  • Which pages were actually instrumented with GA4 tracking codes
  • Last 30 days of traffic patterns across all properties
  • Status of scheduled email campaigns (Mother's Day blast, Paul Simon outreach)
  • Current operational excellence gaps in our email/web stack

Additionally, we had zero programmatic access to GA4 data — everything was manual reporting. And two major email campaigns were either unapproved or missing proof verification with tight deadlines.

Technical Solution: Distributed Audit Agent with Dashboard Feedback Loop

We designed a multi-stage approach using an orchestrator agent pattern with real-time dashboard integration:

Stage 1: GA Code Audit Sweep

The orchestrator performed a distributed scan across all HTML files in our repos to identify GA4 measurement IDs and verify tracking code presence:

Repository scan pattern:
- /Users/cb/Documents/repos/*/src/**/*.html
- /Users/cb/Documents/repos/*/templates/**/*.html
- /Users/cb/Documents/repos/*/public/**/*.html

Extracted metrics:
- GA4 property ID mapping by site (numeric IDs: 463558899, 463515957, etc.)
- gtag() initialization patterns
- Event tracking coverage per page
- Missing instrumentation flags

Why this approach: Rather than manually spot-checking, we needed an automated audit that could scale as we add new pages. The orchestrator crawls the actual source files (not live sites) to catch pre-deployment issues.
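An added example, not the orchestrator's own code: a minimal version of this source-tree sweep that also flags measurement IDs outside an allowlist. The `G-EXAMPLE001` and `G-ROGUE00002` IDs, the `expected` allowlist and the function names are assumptions made for illustration.

```python
import re
from pathlib import Path

# The gtag.js loader and the gtag('config', ...) call must both name the same ID.
LOADER_RE = re.compile(r"googletagmanager\.com/gtag/js\?id=(G-[A-Z0-9]+)")
CONFIG_RE = re.compile(r"gtag\(\s*['\"]config['\"]\s*,\s*['\"](G-[A-Z0-9]+)['\"]")
SUBDIRS = ("src", "templates", "public")  # the three trees in the scan pattern


def audit_html(text, expected):
    """Return findings for one HTML document; an empty list means clean."""
    loaded = set(LOADER_RE.findall(text))
    configured = set(CONFIG_RE.findall(text))
    if not loaded and not configured:
        return ["missing: no GA4 tag"]
    findings = [f"loader without config: {m}" for m in sorted(loaded - configured)]
    findings += [f"config without loader: {m}" for m in sorted(configured - loaded)]
    # An ID outside the allowlist reports visitor data to a property you do not own.
    findings += [f"unexpected ID: {m}" for m in sorted((loaded | configured) - expected)]
    return findings


def audit_repo(repo_root, expected):
    """Scan src/, templates/ and public/ under one repo; map file -> findings."""
    report = {}
    for sub in SUBDIRS:
        base = Path(repo_root, sub)
        if not base.is_dir():
            continue
        for path in sorted(base.rglob("*.html")):
            text = path.read_text(encoding="utf-8", errors="replace")
            found = audit_html(text, expected)
            if found:
                report[path.relative_to(repo_root).as_posix()] = found
    return report


# Constructed sample page: loads one ID but configures a different, unlisted one.
SAMPLE = """<script async src="https://www.googletagmanager.com/gtag/js?id=G-EXAMPLE001"></script>
<script>gtag('js', new Date()); gtag('config', 'G-ROGUE00002');</script>"""

if __name__ == "__main__":
    for finding in audit_html(SAMPLE, expected={"G-EXAMPLE001"}):
        print(finding)
```

Partial templates that inherit the tag from a base layout will be reported as missing, so a real sweep needs an exclusion list for them.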

Stage 2: Programmatic GA4 Data Access

The biggest gap was API access. We created two new tools to establish OAuth 2.0 flows for Google APIs:

File: /Users/cb/Documents/repos/tools/reauth_ga.py
Purpose: Authenticate service account for GA4 Data API (read-only scope)
Pattern: OAuth 2.0 with client credentials flow
Scopes: https://www.googleapis.com/auth/analytics.readonly

File: /Users/cb/Documents/repos/tools/reauth_gbp.py
Purpose: Authenticate for Google Business Profile API access
Pattern: Same OAuth pattern for GBP Account Management API

The token generation follows a three-step pattern: (1) load existing credentials from `~/.config/google/` if valid, (2) refresh if expired, (3) request new auth flow if missing. This prevents repeated authentication while maintaining security.
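The three-step decision above, written out as an added example (not the contents of reauth_ga.py): it also checks the cache file's mode and rejects any cached scope beyond analytics.readonly. The JSON field names (`token`, `refresh_token`, `expiry`, `scopes`), the five-minute skew and the file name `ga_token.json` are assumptions.

```python
import json
import os
import stat
from datetime import datetime, timedelta, timezone

# Only scope the cached token is allowed to carry (from the post).
READONLY = "https://www.googleapis.com/auth/analytics.readonly"
SKEW = timedelta(minutes=5)  # treat a token about to expire as expired


def next_step(path, now=None):
    """Pick 'use', 'refresh' or 'reauth' for a cached token; also return problems."""
    now = now or datetime.now(timezone.utc)
    try:
        mode = stat.S_IMODE(os.stat(path).st_mode)
        with open(path) as fh:
            cred = dict(json.load(fh))
    except (OSError, ValueError, TypeError):
        return "reauth", ["credential file missing or unreadable"]
    problems = []
    if mode & 0o077:
        problems.append(f"file mode {mode:o} grants group/other access; use 600")
    extra = sorted(set(cred.get("scopes") or []) - {READONLY})
    if extra:
        # A cached grant wider than read-only is discarded, not refreshed.
        return "reauth", problems + [f"unexpected scopes: {extra}"]
    try:
        expiry = datetime.fromisoformat(str(cred["expiry"]).replace("Z", "+00:00"))
        if expiry.tzinfo is None:
            expiry = expiry.replace(tzinfo=timezone.utc)
    except (KeyError, ValueError):
        expiry = None
    if cred.get("token") and expiry and expiry - SKEW > now:
        return "use", problems          # step 1: still valid
    if cred.get("refresh_token"):
        return "refresh", problems      # step 2: expired but refreshable
    return "reauth", problems           # step 3: nothing usable, new auth flow


if __name__ == "__main__":
    # File name is illustrative; the post only names the directory ~/.config/google/.
    print(next_step(os.path.expanduser("~/.config/google/ga_token.json")))
```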

Key decision: We chose service account credentials (not user OAuth) because dashboard automation requires unattended access. The service account is granted analytics.readonly permissions at the GA Admin console level — a 3-minute manual setup that unblocks all programmatic reporting.

Stage 3: Cross-Site Traffic Data Aggregation

Once API access was established, we pulled the last 30 days of GA4 data for each property:

GA4 Properties audited:
- sailjada.com (ID: 463515957)
- salejada.com (ID: 463558899)
- burialsatsea.com (ID: [audited])
- dangerouscentaur.com (ID: [newly added to GSC])

API calls:
POST https://analyticsdata.googleapis.com/v1beta/properties/{propertyID}:runReport
Metrics: screenPageViews, activeUsers, engagementRate, bounceRate
Dimensions: pagePath, country, deviceCategory
Date range: last 30 days

Email Campaign Management Integration

We discovered two critical campaign states during the audit:

Mother's Day Blast (Urgent — 4 days to event)

Template located at Constant Contact with subject: "Mother's Day Gift Guide"

Status: Scheduled for April 29, unapproved
Contact list: Pulled from /repos/tools/blast_contacts.csv (Constant Contact export)
Template refs: href patterns for booking URLs verified
Campaign log: S3 tracking at s3://qos-campaigns/logs/mothers_day_emergency.json

Action taken:
- Card created (needs-you status) on progress dashboard
- Deduplication check against previous sends
- Count of contacts marked "sent" verified in the campaign log

Paul Simon Blast (6 days to proof deadline)

Proof email prepared and sent to CB for approval. Campaign template verified against existing blast structure.

Dashboard-First Reporting: The Feedback Loop

All findings land on a kanban-style progress dashboard at `https://progress.queenofsandiego.com` rather than console output. The dashboard supports deep linking:

Card format: https://progress.queenofsandiego.com/#card-{id}

Example: https://progress.queenofsandiego.com/#card-t-31aa2593

Dashboard features:
- Hash-based navigation (no server-side routing required)
- Card status: needs-you, in-progress, todo, done
- Real-time orchestrator callbacks update card state
- Each card contains: title, description, actionable tasks, related resources

Why this design: Instead of having findings scattered across Slack, email, and console logs, everything surfaces on a single board. Engineers can deep-link cards in documentation, and the orchestrator can programmatically update status as tasks complete.

Infrastructure Changes: Domain Verification and CloudFront

We added dangerouscentaur.com to our managed portfolio, requiring Search Console verification:

Process:
1. Generate HTML verification token from Google Search Console
2. Upload to S3 origin bucket: s3://dangerouscentaur-www/
3. CloudFront distribution ID: [production ID] configured with S3 origin
4. DNS: Route53 hosted zone updated with dangerouscentaur.com CNAME to CloudFront
5. Submit sitemap.xml via Search Console
6. Verify property in Analytics (property ID provisioned)

Result: Domain now appears in GA4 property list and Search Console reporting

Key Technical Decisions

  • Orchestrator-first approach: Rather than manual ticket triage, we spawn an agent with a full brief that runs audits in parallel (GA sweep, API setup, campaign status, recommendations) and surfaces findings on a shared dashboard.
  • Service account OAuth for unattended access: User OAuth tokens expire and require interaction; service accounts with narrow scopes (analytics.readonly) allow secure, automated reporting without secrets rotation headaches.
  • Deep linking the dashboard: Hash-based navigation means engineers can reference specific audit findings without dashboard context loss, improving handoff clarity.
  • Campaign log audit trail: Rather than trusting "sent" counts in Constant Contact UI, we maintain an S3-backed JSON log of every contact who received each campaign, enabling deduplication and compliance audits.

What's Next

  • GA4 traffic recommendations: Once