@elitedcs/ghl-mcp 3.24.0 → 3.26.0

package/CHANGELOG.md

@@ -1,5 +1,52 @@
 # Changelog
 
+## 3.26.0 — Codex adversarial audit fixes
+
+**Tool count unchanged (213). No new features — closes a set of silent bugs Codex flagged in a third-party adversarial review of the v3.21.0–v3.25.0 release arc.**
+
+Now that paid customers run this code, we ran the same Codex-rescue review pattern we use on the PN tracker app. Codex turned up 10 issues; v3.26.0 ships the ones with concrete fixes. Deferred items (server-outage recovery, rate-limiting at the edge) are documented in the project memory.
+
+**Security tightening:**
+
+- **Cancelled-subscription detection.** Before: a cancelled license kept running for up to 44 days (30-day attestation TTL + 14-day grace) because the MCP never reacted to a server "cancelled" response — it just kept using the cached attestation until expiry. Now: `validateLicense` distinguishes `cancelled` / `unauthorized` / `unreachable`, and on `cancelled`/`unauthorized` the cached attestation is wiped from `credentials.json` so the next restart drops to bootstrap. The buyer's current session keeps running (we don't kill tools mid-call); the gate latches on next launch.
+- **Background renewal on every startup.** Previously only triggered when the attestation was nearing expiry. Now every startup fires a fire-and-forget renewal so cancellations propagate within one restart instead of up-to-44-days.
+- **Fail-closed when the server stops issuing signed attestations.** Before: if `ATTESTATION_PRIVATE_KEY` ever dropped off Cloudflare (env reset, accidental rotation, partial deploy), validate-license would still return `valid:true` without a `signed_attestation` and the MCP would silently fall back to legacy trust — re-opening the credentials.json bypass v3.24.0 closed. Now: after the `TRANSITIONAL_ATTESTATION_DEADLINE` (2026-06-15), an unsigned `valid:true` response is treated as bootstrap; before the deadline we still accept it for migration but log a warning with the cutoff date.
+
+**Correctness:**
+
+- **Atomic `credentials.json` writes.** Replaced the bare `writeFileSync` with write-to-temp-then-rename plus process-unique temp suffixes. Mid-write crashes can no longer corrupt the file, and concurrent writers (e.g. `enable_workflow_builder` racing a Firebase token rotation) can't leave it half-formed. New tests in `credentials-store.test.ts` cover both the happy path and a 20-way concurrent-write fan-out.
+- **`update_calendar` schema is now `.strict()`.** Unknown fields on `teamMembers` or `locationConfigurations` (e.g. `userid` instead of `userId`, or a new GHL field we haven't captured) now error at the MCP boundary with a useful 422 instead of being silently dropped before the GHL PUT. Buyers stop wondering why a field they passed didn't save.
+
+**Observability:**
+
+- **`pipeline_skip` telemetry event.** When `validate-license` can't advance a buyer's pipeline opportunity (no opportunity exists, or all opportunities are closed), we now emit a distinct `[telemetry] pipeline_skip` line with the reason. Lets us surface "buyer's opportunity was accidentally closed" cases for manual reopen instead of silently failing forever.
+- **Telemetry key-name redaction.** The `recordEvent` helper now scrubs any `extra` key whose name matches `/email|license|key|token|secret|refresh|password|pit/i` before logging. Belt-and-suspenders against a future caller accidentally passing a secret as a metric tag.
+
+**UX:**
+
+- **`enable_workflow_builder` restart messaging.** Now explicit that workflow-builder tools called BEFORE the restart will keep using the old Firebase auth and 401 — even though the tool reported success. Removes the "I ran the tool, why doesn't it work" confusion.
+- **Welcome email "fifth field" not "sixth."** Off-by-one in the advanced-shortcut paragraph corrected.
+- **Firebase capture script handles multiple GHL logins.** Previously the script returned the first matching `firebase:authUser:` row, which could be the wrong account if the buyer had multiple GHL logins in the same browser. Now it enumerates ALL candidates, prints each with email + uid + last-login timestamp, picks the first one (still freshest by Firebase's storage order), and tells the buyer how to re-run against a different account.
+
+## 3.25.0 — One-paste Firebase capture
+
+**New bootstrap-and-normal-mode tool. Tool count goes from 212 to 213 (the new tool counts whether you're set up or not).**
+
+The worst-pain step of GHL Command setup has been the three separate IndexedDB lookups buyers had to do for Firebase credentials. v3.0.x tried bookmarklets; per memory that failed because buyers couldn't drag them onto their bookmarks bar. v3.25.0 ships the working version: a tool that hands the buyer a 25-line Chrome console script. One copy, one paste in DevTools, one Enter — the script extracts all three Firebase fields from IndexedDB and copies the result to the clipboard as a JSON object. The buyer pastes the JSON back into `setup_ghl_mcp` (or `enable_workflow_builder`) via a new `firebase_paste` parameter. Three separate captures → one paste.
+
+**New tool: `auto_capture_firebase_script`**. Available in bootstrap mode AND normal mode (the latter so existing buyers can re-grab a fresh token when their refresh rotates). Takes no arguments; returns the script plus a numbered walkthrough.
+
+**Updated tools:**
+
+- `setup_ghl_mcp` accepts a new optional `firebase_paste` parameter. When provided, it parses the three Firebase fields out of the JSON and treats them as if you'd filled `ghl_user_id`, `ghl_firebase_api_key`, `ghl_firebase_refresh_token` manually. The three separate fields still work (manual fallback for locked-down browsers).
+- `enable_workflow_builder` accepts the same `firebase_paste` parameter, again with the three separate fields as fallback.
+
+**Parser is forgiving.** Strips markdown code fences (chat-copy artifact), normalizes curly quotes (email-client artifact), trims whitespace, and demands the API key actually start with `AIza` (catches misdirected pastes — e.g. pasting the PIT key here by mistake).
+
+**Website + email also updated.** `elitedcs.com/ghl-mcp-firebase` now leads with a copy-button that grabs the script, falls back to manual capture in a collapsed details element. The Stripe-webhook welcome email points buyers at `auto_capture_firebase_script` instead of the old four-step DevTools dive.
+
+Locked in by 19 new tests covering parse paths (clean JSON, fence-wrapped, curly-quoted, whitespace, malformed, missing fields, wrong API-key prefix) plus the script contract (self-contained IIFE, IndexedDB + clipboard usage, expected field names, not-logged-in branch).
+
 ## 3.24.0 — Signed-attestation gate closes the credentials.json bypass
 
 **Security fix. Tool count unchanged (212 across 43 modules).**

package/dist/index.js

@@ -31,7 +31,7 @@ var require_package = __commonJS({
   "package.json"(exports2, module2) {
     module2.exports = {
       name: "@elitedcs/ghl-mcp",
-      version: "3.24.0",
+      version: "3.26.0",
       mcpName: "io.github.drjerryrelth/ghl-command",
       description: "GoHighLevel MCP Server for Claude. 212 tools \u2014 full CRM, automation, marketing control, and the only programmatic GHL workflow builder, now multi-tenant across client accounts.",
       main: "dist/index.js",
@@ -359,12 +359,22 @@ function foldCredentialsIntoEnv(creds, env = process.env) {
 function writeCredentials(creds) {
   ensureAppDataDir();
   const file = credentialsPath();
-  fs.writeFileSync(file, JSON.stringify(creds, null, 2) + "\n", "utf-8");
-  if (process.platform !== "win32") {
+  const tmp = `${file}.tmp.${process.pid}.${Date.now()}`;
+  try {
+    fs.writeFileSync(tmp, JSON.stringify(creds, null, 2) + "\n", "utf-8");
+    if (process.platform !== "win32") {
+      try {
+        fs.chmodSync(tmp, 384);
+      } catch {
+      }
+    }
+    fs.renameSync(tmp, file);
+  } catch (err) {
     try {
-      fs.chmodSync(file, 384);
+      fs.unlinkSync(tmp);
     } catch {
     }
+    throw err;
   }
 }
 
@@ -2398,14 +2408,14 @@ var TeamMemberLocationConfigSchema = import_zod9.z.object({
   kind: import_zod9.z.string().describe("Meeting location kind. Common values: 'custom', 'zoom_conference', 'google_meet'."),
   position: import_zod9.z.number().int().nonnegative().describe("Position index for ordering (0-based)."),
   location: import_zod9.z.string().optional().describe("Display string for the meeting location (URL or address). Optional for kind='custom'.")
-});
+}).strict();
 var CalendarTeamMemberSchema = import_zod9.z.object({
   userId: import_zod9.z.string().describe("GHL user ID to assign. Must exist in this sub-account."),
   priority: import_zod9.z.union([import_zod9.z.literal(0), import_zod9.z.literal(0.5), import_zod9.z.literal(1)]).describe("Booking priority. Exactly 0, 0.5, or 1 (anything else 422s from GHL). Higher = preferred for round-robin."),
   isPrimary: import_zod9.z.boolean().describe("Whether this user is the primary assignee."),
   selected: import_zod9.z.boolean().describe("Whether this user is currently active on the calendar (true to enable)."),
   locationConfigurations: import_zod9.z.array(TeamMemberLocationConfigSchema).min(1).describe("At least one meeting-location config. Typical shape: [{kind:'custom', position:0, location:''}].")
-});
+}).strict();
 function registerCalendarTools(server2, client) {
   safeTool(
     server2,
@@ -5828,6 +5838,93 @@ var import_zod38 = require("zod");
 var os2 = __toESM(require("os"));
 var crypto2 = __toESM(require("crypto"));
 var import_zod37 = require("zod");
+
+// src/firebase-capture-script.ts
+var FIREBASE_CAPTURE_SCRIPT = `(async () => {
+  try {
+    const db = await new Promise((res, rej) => {
+      const r = indexedDB.open('firebaseLocalStorageDb');
+      r.onsuccess = () => res(r.result);
+      r.onerror = () => rej(r.error);
+    });
+    const tx = db.transaction('firebaseLocalStorage', 'readonly');
+    const store = tx.objectStore('firebaseLocalStorage');
+    const rows = await new Promise((res, rej) => {
+      const r = store.getAll();
+      r.onsuccess = () => res(r.result);
+      r.onerror = () => rej(r.error);
+    });
+    const candidates = rows.filter(r => typeof r?.fbase_key === 'string' && r.fbase_key.startsWith('firebase:authUser:AIza') && r?.value?.apiKey && r?.value?.uid && r?.value?.stsTokenManager?.refreshToken);
+    if (!candidates.length) {
+      console.log('%cGHL Command: no Firebase login found.', 'color:red;font-weight:bold');
+      console.log('Open a tab logged into your GHL account, then run this again in that tab.');
+      return;
+    }
+    // Multi-account safety (v3.26.0): if the browser has more than one
+    // GHL Firebase login cached, show the buyer which one we're using and
+    // how to pick a different one. The first matching row is the freshest
+    // login per Firebase's storage order, but it isn't always the buyer's
+    // CURRENT account if they recently switched.
+    if (candidates.length > 1) {
+      console.log('%cGHL Command: ' + candidates.length + ' Firebase logins found in this browser:', 'color:orange;font-weight:bold');
+      candidates.forEach((c, i) => {
+        const v = c.value || {};
+        const lastLogin = v.lastLoginAt ? new Date(Number(v.lastLoginAt)).toISOString() : '(no timestamp)';
+        console.log('  [' + i + '] ' + (v.email || '(no email)') + ' \u2014 uid ' + (v.uid || '').slice(0, 8) + '\u2026 \u2014 last login ' + lastLogin);
+      });
+      console.log('Using [0] (most recently active). If that is the wrong account, log out of the others in their GHL tabs and re-run this script.');
+    }
+    const v = candidates[0].value;
+    const out = {
+      ghl_firebase_api_key: v.apiKey,
+      ghl_user_id: v.uid,
+      ghl_firebase_refresh_token: v.stsTokenManager.refreshToken,
+    };
+    const json = JSON.stringify(out, null, 2);
+    console.log('%cGHL Command: paste this into setup_ghl_mcp (firebase_paste field):', 'color:green;font-weight:bold');
+    if (v.email) console.log('Account: ' + v.email);
+    console.log(json);
+    try {
+      await navigator.clipboard.writeText(json);
+      console.log('%cAlready copied to your clipboard \u2014 Cmd+V / Ctrl+V to paste.', 'color:green');
+    } catch (e) {
+      console.log('%cCopy it manually from above (clipboard access not granted).', 'color:orange');
+    }
+  } catch (err) {
+    console.log('%cGHL Command: script error.', 'color:red;font-weight:bold');
+    console.log(err);
+  }
+})();`;
+function parseFirebasePaste(input) {
+  if (typeof input !== "string") return null;
+  let cleaned = input.trim();
+  cleaned = cleaned.replace(/^```(?:json)?\s*/i, "").replace(/```$/i, "").trim();
+  cleaned = cleaned.replace(/[“”]/g, '"').replace(/[‘’]/g, "'");
+  let parsed;
+  try {
+    parsed = JSON.parse(cleaned);
+  } catch {
+    return null;
+  }
+  if (!parsed || typeof parsed !== "object") return null;
+  const obj = parsed;
+  const api = obj.ghl_firebase_api_key;
+  const uid = obj.ghl_user_id;
+  const refresh = obj.ghl_firebase_refresh_token;
+  if (typeof api !== "string" || typeof uid !== "string" || typeof refresh !== "string") return null;
+  const trimmedApi = api.trim();
+  const trimmedUid = uid.trim();
+  const trimmedRefresh = refresh.trim();
+  if (!trimmedApi.startsWith("AIza")) return null;
+  if (!trimmedUid || !trimmedRefresh) return null;
+  return {
+    ghl_firebase_api_key: trimmedApi,
+    ghl_user_id: trimmedUid,
+    ghl_firebase_refresh_token: trimmedRefresh
+  };
+}
+
+// src/setup-tool.ts
 var LICENSE_API = "https://elitedcs.com/api/validate-license";
 var CAPTURE_API = "https://elitedcs.com/api/capture-lead";
 var GHL_API = "https://services.leadconnectorhq.com";
@@ -5837,8 +5934,9 @@ function deviceFingerprint() {
   return crypto2.createHash("sha256").update(raw).digest("hex").slice(0, 16);
 }
 async function validateLicense(email, licenseKey) {
+  let res;
   try {
-    const res = await fetch(LICENSE_API, {
+    res = await fetch(LICENSE_API, {
       method: "POST",
       headers: { "Content-Type": "application/json" },
       body: JSON.stringify({
@@ -5848,19 +5946,28 @@ async function validateLicense(email, licenseKey) {
       }),
       signal: AbortSignal.timeout(1e4)
     });
-    const data = await res.json().catch(() => ({}));
-    if (res.ok && data.valid) {
-      return {
-        ok: true,
-        installs: `${data.installs_used}/${data.installs_max}`,
-        signedAttestation: typeof data.signed_attestation === "string" ? data.signed_attestation : void 0
-      };
-    }
-    return { ok: false, error: data.error || data.message || `License validation failed (HTTP ${res.status})` };
   } catch (err) {
     const msg = err instanceof Error ? err.message : String(err);
-    return { ok: false, error: `Could not reach license server: ${msg}` };
+    return { ok: false, error: `Could not reach license server: ${msg}`, reason: "unreachable" };
+  }
+  if (res.status >= 500) {
+    return { ok: false, error: `License server returned HTTP ${res.status}`, reason: "unreachable" };
   }
+  const data = await res.json().catch(() => ({}));
+  if (res.ok && data.valid) {
+    return {
+      ok: true,
+      installs: `${data.installs_used}/${data.installs_max}`,
+      signedAttestation: typeof data.signed_attestation === "string" ? data.signed_attestation : void 0
+    };
+  }
+  const errorText = String(data.error || data.message || "").toLowerCase();
+  const looksCancelled = res.status === 403 || errorText.includes("cancel") || errorText.includes("install limit");
+  return {
+    ok: false,
+    error: data.error || data.message || `License validation failed (HTTP ${res.status})`,
+    reason: looksCancelled ? "cancelled" : "unauthorized"
+  };
 }
 async function validateGhl(apiKey2, locationId2) {
   try {
@@ -5908,9 +6015,14 @@ function registerSetupTool(server2) {
       ghl_api_key: import_zod37.z.string().min(10).describe("GHL Private Integration key (starts with 'pit-'). Created INSIDE the sub-account at Settings > Integrations > Private Integrations."),
       ghl_location_id: import_zod37.z.string().min(10).describe("GHL Location ID (sub-account ID). Found in your GHL URL: /location/THIS_PART/dashboard."),
       ghl_company_id: import_zod37.z.string().optional().describe("(Agency only) Company ID for multi-location access."),
-      ghl_user_id: import_zod37.z.string().optional().describe("(Workflow Builder, optional) Firebase User ID. See README for browser capture instructions."),
-      ghl_firebase_api_key: import_zod37.z.string().optional().describe("(Workflow Builder, optional) Firebase API Key starting with 'AIza'."),
-      ghl_firebase_refresh_token: import_zod37.z.string().optional().describe("(Workflow Builder, optional) Firebase refresh token starting with 'AMf-'.")
+      // v3.25.0: one-paste shortcut. Run `auto_capture_firebase_script` first;
+      // it returns a console script that fills the clipboard with this exact
+      // JSON payload. Pasting it here removes the need to fill ghl_user_id,
+      // ghl_firebase_api_key, and ghl_firebase_refresh_token individually.
+      firebase_paste: import_zod37.z.string().optional().describe("(Workflow Builder, one-paste path) Paste the JSON output from auto_capture_firebase_script here. Replaces the three separate Firebase fields below."),
+      ghl_user_id: import_zod37.z.string().optional().describe("(Workflow Builder, manual path) Firebase User ID. Prefer firebase_paste instead."),
+      ghl_firebase_api_key: import_zod37.z.string().optional().describe("(Workflow Builder, manual path) Firebase API Key starting with 'AIza'. Prefer firebase_paste instead."),
+      ghl_firebase_refresh_token: import_zod37.z.string().optional().describe("(Workflow Builder, manual path) Firebase refresh token. Prefer firebase_paste instead.")
     },
     async (args) => {
       const lic = await validateLicense(args.email, args.license_key);
@@ -5923,24 +6035,42 @@ Purchase a license at https://elitedcs.com/ghl-mcp-server or contact support.` }
       if (!ghl.ok) {
         return { content: [{ type: "text", text: `GHL credential check failed: ${ghl.error}` }], isError: true };
       }
-      const wantsWorkflowBuilder = args.ghl_user_id || args.ghl_firebase_api_key || args.ghl_firebase_refresh_token;
+      let resolvedUserId = args.ghl_user_id;
+      let resolvedFbApi = args.ghl_firebase_api_key;
+      let resolvedFbRefresh = args.ghl_firebase_refresh_token;
+      if (args.firebase_paste) {
+        const parsed = parseFirebasePaste(args.firebase_paste);
+        if (!parsed) {
+          return {
+            content: [{
+              type: "text",
+              text: "Couldn't parse firebase_paste. Expected the JSON output from auto_capture_firebase_script. Re-run that tool, follow the steps, and paste the entire JSON object it copies to your clipboard."
+            }],
+            isError: true
+          };
+        }
+        resolvedUserId = parsed.ghl_user_id;
+        resolvedFbApi = parsed.ghl_firebase_api_key;
+        resolvedFbRefresh = parsed.ghl_firebase_refresh_token;
+      }
+      const wantsWorkflowBuilder = resolvedUserId || resolvedFbApi || resolvedFbRefresh;
       let workflowBuilderEnabled = false;
       let workflowBuilderNote = "";
       if (wantsWorkflowBuilder) {
-        if (!args.ghl_user_id || !args.ghl_firebase_api_key || !args.ghl_firebase_refresh_token) {
+        if (!resolvedUserId || !resolvedFbApi || !resolvedFbRefresh) {
           return {
             content: [{
               type: "text",
-              text: "Workflow Builder requires ALL THREE Firebase fields: ghl_user_id, ghl_firebase_api_key, ghl_firebase_refresh_token. Either provide all three or omit all three. See https://elitedcs.com/ghl-mcp-server/firebase for one-click capture."
+              text: "Workflow Builder requires ALL THREE Firebase fields: ghl_user_id, ghl_firebase_api_key, ghl_firebase_refresh_token. The easy way is `auto_capture_firebase_script` -> paste the JSON output into `firebase_paste`. Manual capture steps: https://elitedcs.com/ghl-mcp-firebase"
             }],
             isError: true
           };
         }
-        const fb = await validateFirebase(args.ghl_firebase_api_key, args.ghl_firebase_refresh_token);
+        const fb = await validateFirebase(resolvedFbApi, resolvedFbRefresh);
         if (!fb.ok) {
           workflowBuilderNote = `
 
-Note: Firebase credentials rejected (${fb.error}). Saved without Workflow Builder. Re-run setup_ghl_mcp later with fresh Firebase fields to enable it.`;
+Note: Firebase credentials rejected (${fb.error}). Saved without Workflow Builder. Re-run setup_ghl_mcp later with fresh Firebase fields (use auto_capture_firebase_script for a one-paste flow) to enable it.`;
         } else {
           workflowBuilderEnabled = true;
         }
@@ -5952,9 +6082,9 @@ Note: Firebase credentials rejected (${fb.error}). Saved without Workflow Builde
         ghl_api_key: args.ghl_api_key.trim(),
         ghl_location_id: args.ghl_location_id.trim(),
         ghl_company_id: args.ghl_company_id?.trim() || void 0,
-        ghl_user_id: workflowBuilderEnabled ? args.ghl_user_id?.trim() : void 0,
-        ghl_firebase_api_key: workflowBuilderEnabled ? args.ghl_firebase_api_key?.trim() : void 0,
-        ghl_firebase_refresh_token: workflowBuilderEnabled ? args.ghl_firebase_refresh_token?.trim() : void 0,
+        ghl_user_id: workflowBuilderEnabled ? resolvedUserId?.trim() : void 0,
+        ghl_firebase_api_key: workflowBuilderEnabled ? resolvedFbApi?.trim() : void 0,
+        ghl_firebase_refresh_token: workflowBuilderEnabled ? resolvedFbRefresh?.trim() : void 0,
         // v3.24.0+ attestation. Tied to email + license + device fingerprint;
         // verified on every MCP startup. Closes the hand-crafted creds bypass.
         signed_attestation: lic.signedAttestation
@@ -5987,11 +6117,16 @@ Note: Firebase credentials rejected (${fb.error}). Saved without Workflow Builde
 function registerEnableWorkflowBuilderTool(server2) {
   server2.tool(
     "enable_workflow_builder",
-    "Add Firebase credentials to an existing GHL Command install to unlock 49 additional tools across the internal-API modules: workflow builder (create/edit/clone/delete/publish/validate workflows, build_if_else_branch, build_goal_event, get_trigger_registry), funnel + page builder, form builder, pipeline builder, workflow cloner, smart lists, reputation, email campaigns, email templates, and memberships, plus the pre-deploy validator. Requires you've already run setup_ghl_mcp. Capture the three Firebase values from your GHL browser session \u2014 see elitedcs.com/ghl-mcp-firebase for step-by-step DevTools instructions. Tool count goes from 163 to 212 after the next Claude restart.",
+    "Add Firebase credentials to an existing GHL Command install to unlock 49 additional tools across the internal-API modules: workflow builder (create/edit/clone/delete/publish/validate workflows, build_if_else_branch, build_goal_event, get_trigger_registry), funnel + page builder, form builder, pipeline builder, workflow cloner, smart lists, reputation, email campaigns, email templates, and memberships, plus the pre-deploy validator. Requires you've already run setup_ghl_mcp. EASIEST PATH: run `auto_capture_firebase_script` first, paste the JSON output into `firebase_paste` here. MANUAL PATH: capture the three Firebase fields via DevTools and pass them individually. Tool count goes from 163 to 212 after the next Claude restart.",
     {
-      ghl_user_id: import_zod37.z.string().min(10).describe("Firebase User ID (uid). DevTools \u2192 Application \u2192 IndexedDB \u2192 firebaseLocalStorageDb \u2192 firebaseLocalStorage \u2192 the value.uid field of the firebase:authUser row."),
-      ghl_firebase_api_key: import_zod37.z.string().min(10).describe("Firebase API Key starting with 'AIza'. The string between 'firebase:authUser:' and ':[DEFAULT]' in the row's Key column."),
-      ghl_firebase_refresh_token: import_zod37.z.string().min(10).describe("Firebase refresh token. value.stsTokenManager.refreshToken in the firebase:authUser row.")
+      // v3.25.0: one-paste path. Tool runs `auto_capture_firebase_script` to
+      // get the console script; the script returns a JSON object that pastes
+      // cleanly into this field. Saves the buyer from picking out three
+      // separate fields in IndexedDB.
+      firebase_paste: import_zod37.z.string().optional().describe("Paste the JSON output from auto_capture_firebase_script here. Replaces the three separate Firebase fields below."),
+      ghl_user_id: import_zod37.z.string().min(10).optional().describe("(Manual path) Firebase User ID (uid). Prefer firebase_paste."),
+      ghl_firebase_api_key: import_zod37.z.string().min(10).optional().describe("(Manual path) Firebase API Key starting with 'AIza'. Prefer firebase_paste."),
+      ghl_firebase_refresh_token: import_zod37.z.string().min(10).optional().describe("(Manual path) Firebase refresh token. Prefer firebase_paste.")
     },
     async (args) => {
       const existing = readCredentials();
@@ -6004,7 +6139,34 @@ function registerEnableWorkflowBuilderTool(server2) {
           isError: true
         };
       }
-      const fb = await validateFirebase(args.ghl_firebase_api_key.trim(), args.ghl_firebase_refresh_token.trim());
+      let userId = args.ghl_user_id;
+      let fbApi = args.ghl_firebase_api_key;
+      let fbRefresh = args.ghl_firebase_refresh_token;
+      if (args.firebase_paste) {
+        const parsed = parseFirebasePaste(args.firebase_paste);
+        if (!parsed) {
+          return {
+            content: [{
+              type: "text",
+              text: "Couldn't parse firebase_paste. Expected the JSON output from auto_capture_firebase_script. Re-run that tool, follow the steps, and paste the entire JSON object it copies to your clipboard."
+            }],
+            isError: true
+          };
+        }
+        userId = parsed.ghl_user_id;
+        fbApi = parsed.ghl_firebase_api_key;
+        fbRefresh = parsed.ghl_firebase_refresh_token;
+      }
+      if (!userId || !fbApi || !fbRefresh) {
+        return {
+          content: [{
+            type: "text",
+            text: "Workflow Builder needs all three Firebase fields. Easiest: run `auto_capture_firebase_script`, follow the prompt, then pass the JSON output as `firebase_paste`. Manual capture: https://elitedcs.com/ghl-mcp-firebase"
+          }],
+          isError: true
+        };
+      }
+      const fb = await validateFirebase(fbApi.trim(), fbRefresh.trim());
       if (!fb.ok) {
         return {
           content: [{
@@ -6012,7 +6174,7 @@ function registerEnableWorkflowBuilderTool(server2) {
             text: `Firebase credentials rejected: ${fb.error}
 
 Common causes:
-  - The refresh token has rotated (they rotate every few weeks). Re-extract from your GHL browser tab.
+  - The refresh token has rotated (they rotate every few weeks). Re-run auto_capture_firebase_script for a fresh one.
   - The Firebase API Key doesn't match the refresh token's project. Both must come from the SAME firebase:authUser row.
 
 DevTools steps: https://elitedcs.com/ghl-mcp-firebase`
@@ -6022,9 +6184,9 @@ DevTools steps: https://elitedcs.com/ghl-mcp-firebase`
       }
       writeCredentials({
         ...existing,
-        ghl_user_id: args.ghl_user_id.trim(),
-        ghl_firebase_api_key: args.ghl_firebase_api_key.trim(),
-        ghl_firebase_refresh_token: args.ghl_firebase_refresh_token.trim()
+        ghl_user_id: userId.trim(),
+        ghl_firebase_api_key: fbApi.trim(),
+        ghl_firebase_refresh_token: fbRefresh.trim()
       });
       return {
         content: [{
@@ -6032,19 +6194,56 @@ DevTools steps: https://elitedcs.com/ghl-mcp-firebase`
           text: [
             "Workflow Builder enabled!",
             "",
-            "Firebase credentials verified and saved.",
+            "Firebase credentials verified and saved to credentials.json.",
             "",
-            "**Restart Claude (quit fully and reopen) to load the workflow builder + funnel builder + pipeline builder + form builder + workflow cloner tools (212 total).**",
+            "**You MUST restart Claude before using any workflow-builder tool.** Quit Claude completely (Cmd+Q on Mac, full exit on Windows) and reopen. Without a restart, the workflow builder tools will keep using the OLD Firebase auth from before this call and fail with 401 errors \u2014 even though this tool reported success.",
             "",
-            'After restart, try: "List my workflows in full detail" or "Validate workflow <id>".',
+            'After restart, all 212 tools load. Try: "List my workflows in full detail" or "Validate workflow <id>".',
             "",
-            "Note: Firebase refresh tokens rotate every few weeks. If workflow tools stop working, re-run enable_workflow_builder with fresh values from a current GHL browser session."
+            "Note: Firebase refresh tokens rotate every few weeks. If workflow tools stop working in a few weeks (run `health_check` to confirm Firebase auth: FAIL), run `auto_capture_firebase_script` for fresh values and re-run this tool with the new firebase_paste."
           ].join("\n")
         }]
       };
     }
   );
 }
+function registerFirebaseCaptureScriptTool(server2) {
+  server2.tool(
+    "auto_capture_firebase_script",
+    "Get the browser-console script that auto-extracts the 3 Firebase fields needed to enable the Workflow Builder. Run this, copy the script, paste it into Chrome DevTools Console on a tab logged into GHL, press Enter, and the result lands in your clipboard. Then paste the JSON into setup_ghl_mcp's firebase_paste field (or enable_workflow_builder's). No manual IndexedDB digging.",
+    {},
+    async () => {
+      const steps = [
+        "## One-paste Firebase capture",
+        "",
+        "**Step 1.** Open your GoHighLevel account in Chrome. Make sure you're logged in.",
+        "",
+        "**Step 2.** Open DevTools \u2014 press `F12` on Windows / Linux, or `Cmd+Option+I` on Mac. Click the **Console** tab.",
+        "",
+        "**Step 3.** Copy the script below, paste it into the Console, and press Enter:",
+        "",
+        "```javascript",
+        FIREBASE_CAPTURE_SCRIPT,
+        "```",
+        "",
+        "**Step 4.** The script prints a JSON object and copies it to your clipboard automatically. Looks like this (your values will be longer):",
+        "",
+        "```json",
+        "{",
+        `  "ghl_firebase_api_key": "AIza...",`,
+        `  "ghl_user_id": "abc...",`,
+        `  "ghl_firebase_refresh_token": "AMf-..."`,
+        "}",
+        "```",
+        "",
+        "**Step 5.** Come back to Claude. Run `setup_ghl_mcp` (first-time install) or `enable_workflow_builder` (already set up) and paste the JSON into the `firebase_paste` field. The MCP parses it automatically \u2014 you don't need to fill the individual `ghl_user_id`, `ghl_firebase_api_key`, `ghl_firebase_refresh_token` fields.",
+        "",
+        "Step-by-step screenshots: https://elitedcs.com/ghl-mcp-firebase"
+      ].join("\n");
+      return { content: [{ type: "text", text: steps }] };
+    }
+  );
+}
 function registerLeadCaptureTool(server2) {
   server2.tool(
     "request_license",
@@ -8375,12 +8574,6 @@ async function verifyAttestation(token, bindings, now = /* @__PURE__ */ new Date
   }
   return { ok: false, reason: "expired" };
 }
-function shouldRenew(payload, now = /* @__PURE__ */ new Date()) {
-  const expiry = Date.parse(payload.expires_at);
-  if (!Number.isFinite(expiry)) return true;
-  const remainingMs = expiry - now.getTime();
-  return remainingMs < 7 * 24 * 60 * 60 * 1e3;
-}
 
 // src/tools/meta.ts
 function registerMetaTools(server2, installedVersion) {
@@ -8464,15 +8657,16 @@ var server = new import_mcp.McpServer({
 });
 registerMetaTools(server, pkg.version);
 var inBootstrapMode = true;
+var TRANSITIONAL_ATTESTATION_DEADLINE = Date.parse("2026-06-15T00:00:00.000Z");
 async function renewAttestation(creds) {
-  if (!creds.email || !creds.license_key) return false;
+  if (!creds.email || !creds.license_key) return "unauthorized";
+  let lic;
   try {
-    const lic = await validateLicense(creds.email, creds.license_key);
-    if (!lic.ok) {
-      process.stderr.write(`[ghl-mcp] Re-validate failed: ${lic.error}
-`);
-      return false;
-    }
+    lic = await validateLicense(creds.email, creds.license_key);
+  } catch {
+    return "unreachable";
+  }
+  if (lic.ok) {
     try {
       writeCredentials({
         ...creds,
@@ -8482,12 +8676,23 @@ async function renewAttestation(creds) {
     } catch {
     }
     if (!lic.signedAttestation) {
-      process.stderr.write("[ghl-mcp] License re-validated, but the license server did not return a signed attestation. Falling back to legacy trust for this session.\n");
+      process.stderr.write("[ghl-mcp] License re-validated, but the license server did not return a signed attestation. This path closes on " + new Date(TRANSITIONAL_ATTESTATION_DEADLINE).toISOString().slice(0, 10) + ".\n");
+      return "renewed-unsigned";
     }
-    return true;
-  } catch {
-    return false;
+    return "renewed";
   }
+  if (lic.reason === "cancelled" || lic.reason === "unauthorized") {
+    try {
+      writeCredentials({ ...creds, signed_attestation: void 0 });
+      process.stderr.write(`[ghl-mcp] Server rejected license (${lic.reason}). Dropping to bootstrap mode.
+`);
+    } catch {
+    }
+    return lic.reason;
+  }
+  process.stderr.write(`[ghl-mcp] License re-validate unreachable: ${lic.error}
+`);
+  return "unreachable";
 }
 function renewAttestationInBackground(creds) {
   return renewAttestation(creds).then(() => void 0, () => void 0);
@@ -8503,14 +8708,15 @@ async function resolveAccessAndRegister() {
     if (verify.ok) {
       licenseVerified = true;
       attestationStatus = verify.reason;
-      if (verify.reason === "in-grace" || shouldRenew(verify.payload)) {
-        void renewAttestationInBackground(fileCreds);
-      }
+      void renewAttestationInBackground(fileCreds);
     } else {
       process.stderr.write(`[ghl-mcp] Stored attestation rejected: ${verify.reason}. Re-validating online.
 `);
       const renewed = await renewAttestation(fileCreds);
-      if (renewed) {
+      if (renewed === "renewed") {
+        licenseVerified = true;
+        attestationStatus = "renewed-after-tamper";
+      } else if (renewed === "renewed-unsigned" && Date.now() < TRANSITIONAL_ATTESTATION_DEADLINE) {
         licenseVerified = true;
         attestationStatus = "renewed-after-tamper";
       } else {
@@ -8520,12 +8726,22 @@ async function resolveAccessAndRegister() {
   } else if (fileCreds?.email && fileCreds?.license_key) {
     process.stderr.write("[ghl-mcp] Upgrading legacy credentials.json to signed attestation.\n");
     const renewed = await renewAttestation(fileCreds);
-    if (renewed) {
+    if (renewed === "renewed") {
+      licenseVerified = true;
+      attestationStatus = "renewed-from-legacy";
+    } else if (renewed === "renewed-unsigned" && Date.now() < TRANSITIONAL_ATTESTATION_DEADLINE) {
       licenseVerified = true;
       attestationStatus = "renewed-from-legacy";
     } else {
       attestationStatus = "needs-reset";
-      process.stderr.write("[ghl-mcp] Could not re-validate. Run setup_ghl_mcp again.\n");
+      if (renewed === "cancelled" || renewed === "unauthorized") {
+        process.stderr.write(`[ghl-mcp] Server says license is ${renewed}. Bootstrap mode.
+`);
+      } else if (renewed === "renewed-unsigned") {
+        process.stderr.write("[ghl-mcp] Server is in unsigned-attestation mode past the transition deadline. Bootstrap mode.\n");
+      } else {
+        process.stderr.write("[ghl-mcp] Could not re-validate. Run setup_ghl_mcp again.\n");
+      }
     }
   }
   if (!licenseVerified && apiKey && locationId) {
@@ -8533,7 +8749,8 @@ async function resolveAccessAndRegister() {
     const licKey = (process.env.GHL_LICENSE_KEY || fileCreds?.license_key)?.trim();
     if (licEmail && licKey) {
       const lic = await validateLicense(licEmail, licKey);
-      if (lic.ok) {
+      const acceptUnsigned = !lic.ok ? false : lic.signedAttestation || Date.now() < TRANSITIONAL_ATTESTATION_DEADLINE;
+      if (lic.ok && acceptUnsigned) {
         licenseVerified = true;
         attestationStatus = "renewed";
         try {
@@ -8571,15 +8788,17 @@ async function resolveAccessAndRegister() {
     process.stderr.write(
       `[ghl-mcp] Bootstrap mode.
 [ghl-mcp] Need a valid license plus GHL_API_KEY + GHL_LOCATION_ID (env vars or credentials file at ${credentialsPath()}).
-[ghl-mcp] Only setup_ghl_mcp, request_license, and get_mcp_version are available. Run setup_ghl_mcp with your license + GHL credentials \u2014 or request_license if you don't have a license yet.
+[ghl-mcp] Available: setup_ghl_mcp, request_license, auto_capture_firebase_script, get_mcp_version. Run setup_ghl_mcp with your license + GHL credentials \u2014 or request_license if you don't have a license yet.
 `
     );
     registerSetupTool(server);
     registerLeadCaptureTool(server);
+    registerFirebaseCaptureScriptTool(server);
   } else {
     const client = new GHLClient({ apiKey, locationId });
     registerAllTools(server, client, registry, pkg.version);
     registerEnableWorkflowBuilderTool(server);
+    registerFirebaseCaptureScriptTool(server);
     if (fileCreds && !process.env.GHL_API_KEY) {
       process.stderr.write(`[ghl-mcp] Loaded credentials from ${credentialsPath()}
 `);

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@elitedcs/ghl-mcp",
-  "version": "3.24.0",
+  "version": "3.26.0",
   "mcpName": "io.github.drjerryrelth/ghl-command",
   "description": "GoHighLevel MCP Server for Claude. 212 tools — full CRM, automation, marketing control, and the only programmatic GHL workflow builder, now multi-tenant across client accounts.",
   "main": "dist/index.js",