@elitedcs/ghl-mcp 3.23.0 → 3.25.0

package/CHANGELOG.md

@@ -1,5 +1,48 @@
 # Changelog
 
+## 3.25.0 — One-paste Firebase capture
+
+**New bootstrap-and-normal-mode tool. Tool count goes from 212 to 213 (the new tool counts whether you're set up or not).**
+
+The worst-pain step of GHL Command setup has been the three separate IndexedDB lookups buyers had to do for Firebase credentials. v3.0.x tried bookmarklets; per memory that failed because buyers couldn't drag them onto their bookmarks bar. v3.25.0 ships the working version: a tool that hands the buyer a 25-line Chrome console script. One copy, one paste in DevTools, one Enter — the script extracts all three Firebase fields from IndexedDB and copies the result to the clipboard as a JSON object. The buyer pastes the JSON back into `setup_ghl_mcp` (or `enable_workflow_builder`) via a new `firebase_paste` parameter. Three separate captures → one paste.
+
+**New tool: `auto_capture_firebase_script`**. Available in bootstrap mode AND normal mode (the latter so existing buyers can re-grab a fresh token when their refresh rotates). Takes no arguments; returns the script plus a numbered walkthrough.
+
+**Updated tools:**
+
+- `setup_ghl_mcp` accepts a new optional `firebase_paste` parameter. When provided, it parses the three Firebase fields out of the JSON and treats them as if you'd filled `ghl_user_id`, `ghl_firebase_api_key`, `ghl_firebase_refresh_token` manually. The three separate fields still work (manual fallback for locked-down browsers).
+- `enable_workflow_builder` accepts the same `firebase_paste` parameter, again with the three separate fields as fallback.
+
+**Parser is forgiving.** Strips markdown code fences (chat-copy artifact), normalizes curly quotes (email-client artifact), trims whitespace, and demands the API key actually start with `AIza` (catches misdirected pastes — e.g. pasting the PIT key here by mistake).
+
+**Website + email also updated.** `elitedcs.com/ghl-mcp-firebase` now leads with a copy-button that grabs the script, falls back to manual capture in a collapsed details element. The Stripe-webhook welcome email points buyers at `auto_capture_firebase_script` instead of the old four-step DevTools dive.
+
+Locked in by 19 new tests covering parse paths (clean JSON, fence-wrapped, curly-quoted, whitespace, malformed, missing fields, wrong API-key prefix) plus the script contract (self-contained IIFE, IndexedDB + clipboard usage, expected field names, not-logged-in branch).
+
+## 3.24.0 — Signed-attestation gate closes the credentials.json bypass
+
+**Security fix. Tool count unchanged (212 across 43 modules).**
+
+Through v3.23.0 the license gate trusted any `credentials.json` whose `verified_at` and `license_key` fields were non-empty strings. A technical user could hand-write the file with their own GHL API key and load all 163 core tools without paying. v3.24.0 replaces that trust with an Ed25519-signed attestation issued by `elitedcs.com/api/validate-license`. The MCP bundles only the public key, so it can verify but can't forge — hand-crafted credentials now fail on the next startup and the MCP falls into bootstrap mode.
+
+**How it works.** Every successful online license validation now returns a `signed_attestation` token binding `{email, license_key, device_fingerprint, installs_max, expires_at}` together. The MCP stores this in `credentials.json` and verifies it on startup:
+
+- **Valid + fresh** → boot normally.
+- **Valid + nearing expiry (<7d)** → boot normally, refresh in the background.
+- **Expired but within 14-day grace window** → boot normally for this session, attempt re-renew (covers transient license-server outages).
+- **Past grace OR bad signature OR wrong device OR wrong email/license** → force online re-validate. If the server confirms the buyer, mint a new attestation. If not, drop into bootstrap mode and require `setup_ghl_mcp`.
+
+**Migration is automatic.** Existing v3.20.0–v3.23.0 buyers have a `credentials.json` without `signed_attestation`. On first startup under v3.24.0 the MCP detects the missing field, calls `validate-license`, and writes the new signed token. Buyers see a one-time `[ghl-mcp] License gate: renewed-from-legacy` log line and nothing else changes. The transitional path also tolerates a license server that hasn't been upgraded yet — `setup_ghl_mcp` still works against an older server, the attestation just gets backfilled on the next restart after the server deploys.
+
+**Funnel telemetry shipped on the server side (no MCP impact).** `validate-license`, `capture-lead`, and `stripe-webhook` now emit `[telemetry] {event, success, reason, email_hash, ...}` log lines that Cloudflare captures. Lets us measure the npm-install → setup → purchase funnel without storing PII.
+
+**Pipeline automation shipped on the server side (no MCP impact).** A successful `validate-license` call now advances the buyer's GHL Command opportunity:
+
+- Purchased → Onboarding on first install (installs_used 0 → 1).
+- Onboarding → Active on second+ install or any reinstall.
+
+Existing buyers backfilled manually based on their current `installs_used` count.
+
 ## 3.23.0 — `update_calendar` can assign team members again (Henry fix, part 2)
 
 **Critical fix. Tool count unchanged (212 across 43 modules). The `teamMembers` parameter is back on `update_calendar` — and actually persists this time — with a typed schema that surfaces GHL's strict validation up front.**

package/dist/index.js

@@ -31,7 +31,7 @@ var require_package = __commonJS({
   "package.json"(exports2, module2) {
     module2.exports = {
       name: "@elitedcs/ghl-mcp",
-      version: "3.23.0",
+      version: "3.25.0",
       mcpName: "io.github.drjerryrelth/ghl-command",
       description: "GoHighLevel MCP Server for Claude. 212 tools \u2014 full CRM, automation, marketing control, and the only programmatic GHL workflow builder, now multi-tenant across client accounts.",
       main: "dist/index.js",
@@ -290,7 +290,14 @@ var CredentialsSchema = import_zod.z.object({
   ghl_company_id: import_zod.z.string().optional(),
   ghl_user_id: import_zod.z.string().optional(),
   ghl_firebase_api_key: import_zod.z.string().optional(),
-  ghl_firebase_refresh_token: import_zod.z.string().optional()
+  ghl_firebase_refresh_token: import_zod.z.string().optional(),
+  // Ed25519-signed attestation from elitedcs.com/api/validate-license.
+  // v3.24.0+ writes this on every successful online validation; index.ts
+  // verifies on startup and refuses to load tools without it (closing the
+  // hand-crafted-credentials.json bypass that existed through v3.23.0).
+  // Optional in the schema only so files written by earlier versions still
+  // parse — index.ts's gate forces a re-validate when the field is missing.
+  signed_attestation: import_zod.z.string().optional()
 });
 function appDataDir() {
   const home = os.homedir();
@@ -5821,6 +5828,83 @@ var import_zod38 = require("zod");
 var os2 = __toESM(require("os"));
 var crypto2 = __toESM(require("crypto"));
 var import_zod37 = require("zod");
+
+// src/firebase-capture-script.ts
+var FIREBASE_CAPTURE_SCRIPT = `(async () => {
+  try {
+    const db = await new Promise((res, rej) => {
+      const r = indexedDB.open('firebaseLocalStorageDb');
+      r.onsuccess = () => res(r.result);
+      r.onerror = () => rej(r.error);
+    });
+    const tx = db.transaction('firebaseLocalStorage', 'readonly');
+    const store = tx.objectStore('firebaseLocalStorage');
+    const rows = await new Promise((res, rej) => {
+      const r = store.getAll();
+      r.onsuccess = () => res(r.result);
+      r.onerror = () => rej(r.error);
+    });
+    const row = rows.find(r => typeof r?.fbase_key === 'string' && r.fbase_key.startsWith('firebase:authUser:AIza'));
+    if (!row) {
+      console.log('%cGHL Command: no Firebase login found.', 'color:red;font-weight:bold');
+      console.log('Open a tab logged into your GHL account, then run this again in that tab.');
+      return;
+    }
+    const v = row.value || {};
+    const out = {
+      ghl_firebase_api_key: v.apiKey,
+      ghl_user_id: v.uid,
+      ghl_firebase_refresh_token: v.stsTokenManager?.refreshToken,
+    };
+    if (!out.ghl_firebase_api_key || !out.ghl_user_id || !out.ghl_firebase_refresh_token) {
+      console.log('%cGHL Command: found Firebase login but a field was missing.', 'color:red;font-weight:bold');
+      console.log('Try logging out of GHL and back in, then run this again.');
+      return;
+    }
+    const json = JSON.stringify(out, null, 2);
+    console.log('%cGHL Command: paste this into setup_ghl_mcp (firebase_paste field):', 'color:green;font-weight:bold');
+    console.log(json);
+    try {
+      await navigator.clipboard.writeText(json);
+      console.log('%cAlready copied to your clipboard \u2014 Cmd+V / Ctrl+V to paste.', 'color:green');
+    } catch (e) {
+      console.log('%cCopy it manually from above (clipboard access not granted).', 'color:orange');
+    }
+  } catch (err) {
+    console.log('%cGHL Command: script error.', 'color:red;font-weight:bold');
+    console.log(err);
+  }
+})();`;
+function parseFirebasePaste(input) {
+  if (typeof input !== "string") return null;
+  let cleaned = input.trim();
+  cleaned = cleaned.replace(/^```(?:json)?\s*/i, "").replace(/```$/i, "").trim();
+  cleaned = cleaned.replace(/[“”]/g, '"').replace(/[‘’]/g, "'");
+  let parsed;
+  try {
+    parsed = JSON.parse(cleaned);
+  } catch {
+    return null;
+  }
+  if (!parsed || typeof parsed !== "object") return null;
+  const obj = parsed;
+  const api = obj.ghl_firebase_api_key;
+  const uid = obj.ghl_user_id;
+  const refresh = obj.ghl_firebase_refresh_token;
+  if (typeof api !== "string" || typeof uid !== "string" || typeof refresh !== "string") return null;
+  const trimmedApi = api.trim();
+  const trimmedUid = uid.trim();
+  const trimmedRefresh = refresh.trim();
+  if (!trimmedApi.startsWith("AIza")) return null;
+  if (!trimmedUid || !trimmedRefresh) return null;
+  return {
+    ghl_firebase_api_key: trimmedApi,
+    ghl_user_id: trimmedUid,
+    ghl_firebase_refresh_token: trimmedRefresh
+  };
+}
+
+// src/setup-tool.ts
 var LICENSE_API = "https://elitedcs.com/api/validate-license";
 var CAPTURE_API = "https://elitedcs.com/api/capture-lead";
 var GHL_API = "https://services.leadconnectorhq.com";
@@ -5843,7 +5927,11 @@ async function validateLicense(email, licenseKey) {
     });
     const data = await res.json().catch(() => ({}));
     if (res.ok && data.valid) {
-      return { ok: true, installs: `${data.installs_used}/${data.installs_max}` };
+      return {
+        ok: true,
+        installs: `${data.installs_used}/${data.installs_max}`,
+        signedAttestation: typeof data.signed_attestation === "string" ? data.signed_attestation : void 0
+      };
     }
     return { ok: false, error: data.error || data.message || `License validation failed (HTTP ${res.status})` };
   } catch (err) {
@@ -5897,9 +5985,14 @@ function registerSetupTool(server2) {
       ghl_api_key: import_zod37.z.string().min(10).describe("GHL Private Integration key (starts with 'pit-'). Created INSIDE the sub-account at Settings > Integrations > Private Integrations."),
       ghl_location_id: import_zod37.z.string().min(10).describe("GHL Location ID (sub-account ID). Found in your GHL URL: /location/THIS_PART/dashboard."),
       ghl_company_id: import_zod37.z.string().optional().describe("(Agency only) Company ID for multi-location access."),
-      ghl_user_id: import_zod37.z.string().optional().describe("(Workflow Builder, optional) Firebase User ID. See README for browser capture instructions."),
-      ghl_firebase_api_key: import_zod37.z.string().optional().describe("(Workflow Builder, optional) Firebase API Key starting with 'AIza'."),
-      ghl_firebase_refresh_token: import_zod37.z.string().optional().describe("(Workflow Builder, optional) Firebase refresh token starting with 'AMf-'.")
+      // v3.25.0: one-paste shortcut. Run `auto_capture_firebase_script` first;
+      // it returns a console script that fills the clipboard with this exact
+      // JSON payload. Pasting it here removes the need to fill ghl_user_id,
+      // ghl_firebase_api_key, and ghl_firebase_refresh_token individually.
+      firebase_paste: import_zod37.z.string().optional().describe("(Workflow Builder, one-paste path) Paste the JSON output from auto_capture_firebase_script here. Replaces the three separate Firebase fields below."),
+      ghl_user_id: import_zod37.z.string().optional().describe("(Workflow Builder, manual path) Firebase User ID. Prefer firebase_paste instead."),
+      ghl_firebase_api_key: import_zod37.z.string().optional().describe("(Workflow Builder, manual path) Firebase API Key starting with 'AIza'. Prefer firebase_paste instead."),
+      ghl_firebase_refresh_token: import_zod37.z.string().optional().describe("(Workflow Builder, manual path) Firebase refresh token. Prefer firebase_paste instead.")
     },
     async (args) => {
       const lic = await validateLicense(args.email, args.license_key);
@@ -5912,24 +6005,42 @@ Purchase a license at https://elitedcs.com/ghl-mcp-server or contact support.` }
       if (!ghl.ok) {
         return { content: [{ type: "text", text: `GHL credential check failed: ${ghl.error}` }], isError: true };
       }
-      const wantsWorkflowBuilder = args.ghl_user_id || args.ghl_firebase_api_key || args.ghl_firebase_refresh_token;
+      let resolvedUserId = args.ghl_user_id;
+      let resolvedFbApi = args.ghl_firebase_api_key;
+      let resolvedFbRefresh = args.ghl_firebase_refresh_token;
+      if (args.firebase_paste) {
+        const parsed = parseFirebasePaste(args.firebase_paste);
+        if (!parsed) {
+          return {
+            content: [{
+              type: "text",
+              text: "Couldn't parse firebase_paste. Expected the JSON output from auto_capture_firebase_script. Re-run that tool, follow the steps, and paste the entire JSON object it copies to your clipboard."
+            }],
+            isError: true
+          };
+        }
+        resolvedUserId = parsed.ghl_user_id;
+        resolvedFbApi = parsed.ghl_firebase_api_key;
+        resolvedFbRefresh = parsed.ghl_firebase_refresh_token;
+      }
+      const wantsWorkflowBuilder = resolvedUserId || resolvedFbApi || resolvedFbRefresh;
       let workflowBuilderEnabled = false;
       let workflowBuilderNote = "";
       if (wantsWorkflowBuilder) {
-        if (!args.ghl_user_id || !args.ghl_firebase_api_key || !args.ghl_firebase_refresh_token) {
+        if (!resolvedUserId || !resolvedFbApi || !resolvedFbRefresh) {
           return {
             content: [{
               type: "text",
-              text: "Workflow Builder requires ALL THREE Firebase fields: ghl_user_id, ghl_firebase_api_key, ghl_firebase_refresh_token. Either provide all three or omit all three. See https://elitedcs.com/ghl-mcp-server/firebase for one-click capture."
+              text: "Workflow Builder requires ALL THREE Firebase fields: ghl_user_id, ghl_firebase_api_key, ghl_firebase_refresh_token. The easy way is `auto_capture_firebase_script` -> paste the JSON output into `firebase_paste`. Manual capture steps: https://elitedcs.com/ghl-mcp-firebase"
             }],
             isError: true
           };
         }
-        const fb = await validateFirebase(args.ghl_firebase_api_key, args.ghl_firebase_refresh_token);
+        const fb = await validateFirebase(resolvedFbApi, resolvedFbRefresh);
         if (!fb.ok) {
           workflowBuilderNote = `
 
-Note: Firebase credentials rejected (${fb.error}). Saved without Workflow Builder. Re-run setup_ghl_mcp later with fresh Firebase fields to enable it.`;
+Note: Firebase credentials rejected (${fb.error}). Saved without Workflow Builder. Re-run setup_ghl_mcp later with fresh Firebase fields (use auto_capture_firebase_script for a one-paste flow) to enable it.`;
         } else {
           workflowBuilderEnabled = true;
         }
@@ -5941,9 +6052,12 @@ Note: Firebase credentials rejected (${fb.error}). Saved without Workflow Builde
         ghl_api_key: args.ghl_api_key.trim(),
         ghl_location_id: args.ghl_location_id.trim(),
         ghl_company_id: args.ghl_company_id?.trim() || void 0,
-        ghl_user_id: workflowBuilderEnabled ? args.ghl_user_id?.trim() : void 0,
-        ghl_firebase_api_key: workflowBuilderEnabled ? args.ghl_firebase_api_key?.trim() : void 0,
-        ghl_firebase_refresh_token: workflowBuilderEnabled ? args.ghl_firebase_refresh_token?.trim() : void 0
+        ghl_user_id: workflowBuilderEnabled ? resolvedUserId?.trim() : void 0,
+        ghl_firebase_api_key: workflowBuilderEnabled ? resolvedFbApi?.trim() : void 0,
+        ghl_firebase_refresh_token: workflowBuilderEnabled ? resolvedFbRefresh?.trim() : void 0,
+        // v3.24.0+ attestation. Tied to email + license + device fingerprint;
+        // verified on every MCP startup. Closes the hand-crafted creds bypass.
+        signed_attestation: lic.signedAttestation
       });
       const toolCount = workflowBuilderEnabled ? "212" : "163";
       const wfLine = workflowBuilderEnabled ? "Workflow Builder: enabled." : "Workflow Builder: not configured (optional).";
@@ -5973,11 +6087,16 @@ Note: Firebase credentials rejected (${fb.error}). Saved without Workflow Builde
 function registerEnableWorkflowBuilderTool(server2) {
   server2.tool(
     "enable_workflow_builder",
-    "Add Firebase credentials to an existing GHL Command install to unlock 49 additional tools across the internal-API modules: workflow builder (create/edit/clone/delete/publish/validate workflows, build_if_else_branch, build_goal_event, get_trigger_registry), funnel + page builder, form builder, pipeline builder, workflow cloner, smart lists, reputation, email campaigns, email templates, and memberships, plus the pre-deploy validator. Requires you've already run setup_ghl_mcp. Capture the three Firebase values from your GHL browser session \u2014 see elitedcs.com/ghl-mcp-firebase for step-by-step DevTools instructions. Tool count goes from 163 to 212 after the next Claude restart.",
+    "Add Firebase credentials to an existing GHL Command install to unlock 49 additional tools across the internal-API modules: workflow builder (create/edit/clone/delete/publish/validate workflows, build_if_else_branch, build_goal_event, get_trigger_registry), funnel + page builder, form builder, pipeline builder, workflow cloner, smart lists, reputation, email campaigns, email templates, and memberships, plus the pre-deploy validator. Requires you've already run setup_ghl_mcp. EASIEST PATH: run `auto_capture_firebase_script` first, paste the JSON output into `firebase_paste` here. MANUAL PATH: capture the three Firebase fields via DevTools and pass them individually. Tool count goes from 163 to 212 after the next Claude restart.",
     {
-      ghl_user_id: import_zod37.z.string().min(10).describe("Firebase User ID (uid). DevTools \u2192 Application \u2192 IndexedDB \u2192 firebaseLocalStorageDb \u2192 firebaseLocalStorage \u2192 the value.uid field of the firebase:authUser row."),
-      ghl_firebase_api_key: import_zod37.z.string().min(10).describe("Firebase API Key starting with 'AIza'. The string between 'firebase:authUser:' and ':[DEFAULT]' in the row's Key column."),
-      ghl_firebase_refresh_token: import_zod37.z.string().min(10).describe("Firebase refresh token. value.stsTokenManager.refreshToken in the firebase:authUser row.")
+      // v3.25.0: one-paste path. Tool runs `auto_capture_firebase_script` to
+      // get the console script; the script returns a JSON object that pastes
+      // cleanly into this field. Saves the buyer from picking out three
+      // separate fields in IndexedDB.
+      firebase_paste: import_zod37.z.string().optional().describe("Paste the JSON output from auto_capture_firebase_script here. Replaces the three separate Firebase fields below."),
+      ghl_user_id: import_zod37.z.string().min(10).optional().describe("(Manual path) Firebase User ID (uid). Prefer firebase_paste."),
+      ghl_firebase_api_key: import_zod37.z.string().min(10).optional().describe("(Manual path) Firebase API Key starting with 'AIza'. Prefer firebase_paste."),
+      ghl_firebase_refresh_token: import_zod37.z.string().min(10).optional().describe("(Manual path) Firebase refresh token. Prefer firebase_paste.")
     },
     async (args) => {
       const existing = readCredentials();
@@ -5990,7 +6109,34 @@ function registerEnableWorkflowBuilderTool(server2) {
           isError: true
         };
       }
-      const fb = await validateFirebase(args.ghl_firebase_api_key.trim(), args.ghl_firebase_refresh_token.trim());
+      let userId = args.ghl_user_id;
+      let fbApi = args.ghl_firebase_api_key;
+      let fbRefresh = args.ghl_firebase_refresh_token;
+      if (args.firebase_paste) {
+        const parsed = parseFirebasePaste(args.firebase_paste);
+        if (!parsed) {
+          return {
+            content: [{
+              type: "text",
+              text: "Couldn't parse firebase_paste. Expected the JSON output from auto_capture_firebase_script. Re-run that tool, follow the steps, and paste the entire JSON object it copies to your clipboard."
+            }],
+            isError: true
+          };
+        }
+        userId = parsed.ghl_user_id;
+        fbApi = parsed.ghl_firebase_api_key;
+        fbRefresh = parsed.ghl_firebase_refresh_token;
+      }
+      if (!userId || !fbApi || !fbRefresh) {
+        return {
+          content: [{
+            type: "text",
+            text: "Workflow Builder needs all three Firebase fields. Easiest: run `auto_capture_firebase_script`, follow the prompt, then pass the JSON output as `firebase_paste`. Manual capture: https://elitedcs.com/ghl-mcp-firebase"
+          }],
+          isError: true
+        };
+      }
+      const fb = await validateFirebase(fbApi.trim(), fbRefresh.trim());
       if (!fb.ok) {
         return {
           content: [{
@@ -5998,7 +6144,7 @@ function registerEnableWorkflowBuilderTool(server2) {
             text: `Firebase credentials rejected: ${fb.error}
 
 Common causes:
-  - The refresh token has rotated (they rotate every few weeks). Re-extract from your GHL browser tab.
+  - The refresh token has rotated (they rotate every few weeks). Re-run auto_capture_firebase_script for a fresh one.
   - The Firebase API Key doesn't match the refresh token's project. Both must come from the SAME firebase:authUser row.
 
 DevTools steps: https://elitedcs.com/ghl-mcp-firebase`
@@ -6008,9 +6154,9 @@ DevTools steps: https://elitedcs.com/ghl-mcp-firebase`
       }
       writeCredentials({
         ...existing,
-        ghl_user_id: args.ghl_user_id.trim(),
-        ghl_firebase_api_key: args.ghl_firebase_api_key.trim(),
-        ghl_firebase_refresh_token: args.ghl_firebase_refresh_token.trim()
+        ghl_user_id: userId.trim(),
+        ghl_firebase_api_key: fbApi.trim(),
+        ghl_firebase_refresh_token: fbRefresh.trim()
       });
       return {
         content: [{
@@ -6031,6 +6177,43 @@ DevTools steps: https://elitedcs.com/ghl-mcp-firebase`
     }
   );
 }
+function registerFirebaseCaptureScriptTool(server2) {
+  server2.tool(
+    "auto_capture_firebase_script",
+    "Get the browser-console script that auto-extracts the 3 Firebase fields needed to enable the Workflow Builder. Run this, copy the script, paste it into Chrome DevTools Console on a tab logged into GHL, press Enter, and the result lands in your clipboard. Then paste the JSON into setup_ghl_mcp's firebase_paste field (or enable_workflow_builder's). No manual IndexedDB digging.",
+    {},
+    async () => {
+      const steps = [
+        "## One-paste Firebase capture",
+        "",
+        "**Step 1.** Open your GoHighLevel account in Chrome. Make sure you're logged in.",
+        "",
+        "**Step 2.** Open DevTools \u2014 press `F12` on Windows / Linux, or `Cmd+Option+I` on Mac. Click the **Console** tab.",
+        "",
+        "**Step 3.** Copy the script below, paste it into the Console, and press Enter:",
+        "",
+        "```javascript",
+        FIREBASE_CAPTURE_SCRIPT,
+        "```",
+        "",
+        "**Step 4.** The script prints a JSON object and copies it to your clipboard automatically. Looks like this (your values will be longer):",
+        "",
+        "```json",
+        "{",
+        `  "ghl_firebase_api_key": "AIza...",`,
+        `  "ghl_user_id": "abc...",`,
+        `  "ghl_firebase_refresh_token": "AMf-..."`,
+        "}",
+        "```",
+        "",
+        "**Step 5.** Come back to Claude. Run `setup_ghl_mcp` (first-time install) or `enable_workflow_builder` (already set up) and paste the JSON into the `firebase_paste` field. The MCP parses it automatically \u2014 you don't need to fill the individual `ghl_user_id`, `ghl_firebase_api_key`, `ghl_firebase_refresh_token` fields.",
+        "",
+        "Step-by-step screenshots: https://elitedcs.com/ghl-mcp-firebase"
+      ].join("\n");
+      return { content: [{ type: "text", text: steps }] };
+    }
+  );
+}
 function registerLeadCaptureTool(server2) {
   server2.tool(
     "request_license",
@@ -8282,6 +8465,92 @@ function registerAllTools(server2, client, registry2, mcpVersion) {
   registerLocationSwitcherTools(server2, client, builderClient, registry2, mcpVersion);
 }
 
+// src/attestation.ts
+var import_node_crypto = require("node:crypto");
+var ATTESTATION_PUBLIC_KEY_B64 = "8KJo8V3Z7ngeToIQfOXpKdlr/EA34hXJVEIpW0A7wqs=";
+var ATTESTATION_VERSION = 1;
+var ATTESTATION_GRACE_DAYS = 14;
+function deviceFingerprint2() {
+  const os3 = require("node:os");
+  const crypto4 = require("node:crypto");
+  const raw = `${os3.hostname()}:${os3.userInfo().username}:${os3.platform()}:${os3.arch()}`;
+  return crypto4.createHash("sha256").update(raw).digest("hex").slice(0, 16);
+}
+function base64urlDecode(s) {
+  const b64 = s.replace(/-/g, "+").replace(/_/g, "/");
+  const padded = b64 + "=".repeat((4 - b64.length % 4) % 4);
+  return new Uint8Array(Buffer.from(padded, "base64"));
+}
+var cachedPublicKey = null;
+async function getPublicKey() {
+  if (cachedPublicKey) return cachedPublicKey;
+  const raw = Buffer.from(ATTESTATION_PUBLIC_KEY_B64, "base64");
+  cachedPublicKey = await import_node_crypto.webcrypto.subtle.importKey(
+    "raw",
+    raw,
+    { name: "Ed25519" },
+    false,
+    ["verify"]
+  );
+  return cachedPublicKey;
+}
+async function verifyAttestation(token, bindings, now = /* @__PURE__ */ new Date()) {
+  if (typeof token !== "string" || !token) return { ok: false, reason: "malformed" };
+  const dot = token.indexOf(".");
+  if (dot <= 0 || dot === token.length - 1) return { ok: false, reason: "malformed" };
+  let payloadBytes;
+  let signatureBytes;
+  try {
+    payloadBytes = base64urlDecode(token.slice(0, dot));
+    signatureBytes = base64urlDecode(token.slice(dot + 1));
+  } catch {
+    return { ok: false, reason: "malformed" };
+  }
+  let payload;
+  try {
+    const parsed = JSON.parse(new TextDecoder().decode(payloadBytes));
+    if (typeof parsed.v !== "number") return { ok: false, reason: "malformed" };
+    if (parsed.v !== ATTESTATION_VERSION) return { ok: false, reason: "unsupported-version" };
+    payload = parsed;
+  } catch {
+    return { ok: false, reason: "malformed" };
+  }
+  let signatureValid;
+  try {
+    const key = await getPublicKey();
+    signatureValid = await import_node_crypto.webcrypto.subtle.verify({ name: "Ed25519" }, key, signatureBytes, payloadBytes);
+  } catch {
+    return { ok: false, reason: "bad-signature" };
+  }
+  if (!signatureValid) return { ok: false, reason: "bad-signature" };
+  if (payload.email.toLowerCase() !== bindings.email.toLowerCase()) {
+    return { ok: false, reason: "wrong-email" };
+  }
+  if (payload.license_key !== bindings.license_key) {
+    return { ok: false, reason: "wrong-license" };
+  }
+  const fingerprint = bindings.expectedFingerprint ?? deviceFingerprint2();
+  if (payload.device_fingerprint !== fingerprint) {
+    return { ok: false, reason: "wrong-device" };
+  }
+  const expiry = Date.parse(payload.expires_at);
+  if (!Number.isFinite(expiry)) return { ok: false, reason: "malformed" };
+  const graceDeadline = expiry + ATTESTATION_GRACE_DAYS * 24 * 60 * 60 * 1e3;
+  if (now.getTime() <= expiry) {
+    return { ok: true, payload, reason: "valid" };
+  }
+  if (now.getTime() <= graceDeadline) {
+    return { ok: true, payload, reason: "in-grace" };
+  }
+  return { ok: false, reason: "expired" };
+}
+function shouldRenew(payload, now = /* @__PURE__ */ new Date()) {
+  const expiry = Date.parse(payload.expires_at);
+  if (!Number.isFinite(expiry)) return true;
+  const remainingMs = expiry - now.getTime();
+  return remainingMs < 7 * 24 * 60 * 60 * 1e3;
+}
+
 // src/tools/meta.ts
 function registerMetaTools(server2, installedVersion) {
   server2.tool(
@@ -8364,8 +8633,70 @@ var server = new import_mcp.McpServer({
 });
 registerMetaTools(server, pkg.version);
 var inBootstrapMode = true;
+async function renewAttestation(creds) {
+  if (!creds.email || !creds.license_key) return false;
+  try {
+    const lic = await validateLicense(creds.email, creds.license_key);
+    if (!lic.ok) {
+      process.stderr.write(`[ghl-mcp] Re-validate failed: ${lic.error}
+`);
+      return false;
+    }
+    try {
+      writeCredentials({
+        ...creds,
+        verified_at: (/* @__PURE__ */ new Date()).toISOString(),
+        ...lic.signedAttestation ? { signed_attestation: lic.signedAttestation } : {}
+      });
+    } catch {
+    }
+    if (!lic.signedAttestation) {
+      process.stderr.write("[ghl-mcp] License re-validated, but the license server did not return a signed attestation. Falling back to legacy trust for this session.\n");
+    }
+    return true;
+  } catch {
+    return false;
+  }
+}
+function renewAttestationInBackground(creds) {
+  return renewAttestation(creds).then(() => void 0, () => void 0);
+}
 async function resolveAccessAndRegister() {
-  let licenseVerified = Boolean(fileCreds?.verified_at && fileCreds?.license_key);
+  let licenseVerified = false;
+  let attestationStatus = "no-creds";
+  if (fileCreds?.email && fileCreds?.license_key && fileCreds.signed_attestation) {
+    const verify = await verifyAttestation(fileCreds.signed_attestation, {
+      email: fileCreds.email,
+      license_key: fileCreds.license_key
+    });
+    if (verify.ok) {
+      licenseVerified = true;
+      attestationStatus = verify.reason;
+      if (verify.reason === "in-grace" || shouldRenew(verify.payload)) {
+        void renewAttestationInBackground(fileCreds);
+      }
+    } else {
+      process.stderr.write(`[ghl-mcp] Stored attestation rejected: ${verify.reason}. Re-validating online.
+`);
+      const renewed = await renewAttestation(fileCreds);
+      if (renewed) {
+        licenseVerified = true;
+        attestationStatus = "renewed-after-tamper";
+      } else {
+        attestationStatus = "needs-reset";
+      }
+    }
+  } else if (fileCreds?.email && fileCreds?.license_key) {
+    process.stderr.write("[ghl-mcp] Upgrading legacy credentials.json to signed attestation.\n");
+    const renewed = await renewAttestation(fileCreds);
+    if (renewed) {
+      licenseVerified = true;
+      attestationStatus = "renewed-from-legacy";
+    } else {
+      attestationStatus = "needs-reset";
+      process.stderr.write("[ghl-mcp] Could not re-validate. Run setup_ghl_mcp again.\n");
+    }
+  }
   if (!licenseVerified && apiKey && locationId) {
     const licEmail = (process.env.GHL_LICENSE_EMAIL || fileCreds?.email)?.trim();
     const licKey = (process.env.GHL_LICENSE_KEY || fileCreds?.license_key)?.trim();
@@ -8373,6 +8704,7 @@ async function resolveAccessAndRegister() {
       const lic = await validateLicense(licEmail, licKey);
       if (lic.ok) {
         licenseVerified = true;
+        attestationStatus = "renewed";
         try {
           writeCredentials({
             license_key: licKey,
@@ -8383,7 +8715,8 @@ async function resolveAccessAndRegister() {
             ...process.env.GHL_COMPANY_ID ? { ghl_company_id: process.env.GHL_COMPANY_ID } : {},
             ...process.env.GHL_USER_ID ? { ghl_user_id: process.env.GHL_USER_ID } : {},
             ...process.env.GHL_FIREBASE_API_KEY ? { ghl_firebase_api_key: process.env.GHL_FIREBASE_API_KEY } : {},
-            ...process.env.GHL_FIREBASE_REFRESH_TOKEN ? { ghl_firebase_refresh_token: process.env.GHL_FIREBASE_REFRESH_TOKEN } : {}
+            ...process.env.GHL_FIREBASE_REFRESH_TOKEN ? { ghl_firebase_refresh_token: process.env.GHL_FIREBASE_REFRESH_TOKEN } : {},
+            ...lic.signedAttestation ? { signed_attestation: lic.signedAttestation } : {}
           });
           process.stderr.write("[ghl-mcp] License validated and cached.\n");
         } catch {
@@ -8398,20 +8731,26 @@ async function resolveAccessAndRegister() {
       );
     }
   }
+  if (licenseVerified) {
+    process.stderr.write(`[ghl-mcp] License gate: ${attestationStatus}.
+`);
+  }
   inBootstrapMode = !apiKey || !locationId || !licenseVerified;
   if (inBootstrapMode) {
     process.stderr.write(
       `[ghl-mcp] Bootstrap mode.
 [ghl-mcp] Need a valid license plus GHL_API_KEY + GHL_LOCATION_ID (env vars or credentials file at ${credentialsPath()}).
-[ghl-mcp] Only setup_ghl_mcp, request_license, and get_mcp_version are available. Run setup_ghl_mcp with your license + GHL credentials \u2014 or request_license if you don't have a license yet.
+[ghl-mcp] Available: setup_ghl_mcp, request_license, auto_capture_firebase_script, get_mcp_version. Run setup_ghl_mcp with your license + GHL credentials \u2014 or request_license if you don't have a license yet.
 `
     );
     registerSetupTool(server);
     registerLeadCaptureTool(server);
+    registerFirebaseCaptureScriptTool(server);
   } else {
     const client = new GHLClient({ apiKey, locationId });
     registerAllTools(server, client, registry, pkg.version);
     registerEnableWorkflowBuilderTool(server);
+    registerFirebaseCaptureScriptTool(server);
     if (fileCreds && !process.env.GHL_API_KEY) {
       process.stderr.write(`[ghl-mcp] Loaded credentials from ${credentialsPath()}
 `);

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@elitedcs/ghl-mcp",
-  "version": "3.23.0",
+  "version": "3.25.0",
   "mcpName": "io.github.drjerryrelth/ghl-command",
   "description": "GoHighLevel MCP Server for Claude. 212 tools — full CRM, automation, marketing control, and the only programmatic GHL workflow builder, now multi-tenant across client accounts.",
   "main": "dist/index.js",