@elitedcs/ghl-mcp 3.25.0 → 3.26.0

package/CHANGELOG.md

@@ -1,5 +1,33 @@
 # Changelog
 
+## 3.26.0 — Codex adversarial audit fixes
+
+**Tool count unchanged (213). No new features — closes a set of silent bugs Codex flagged in a third-party adversarial review of the v3.21.0–v3.25.0 release arc.**
+
+Now that paid customers run this code, we ran the same Codex-rescue review pattern we use on the PN tracker app. Codex turned up 10 issues; v3.26.0 ships the ones with concrete fixes. Deferred items (server-outage recovery, rate-limiting at the edge) are documented in the project memory.
+
+**Security tightening:**
+
+- **Cancelled-subscription detection.** Before: a cancelled license kept running for up to 44 days (30-day attestation TTL + 14-day grace) because the MCP never reacted to a server "cancelled" response — it just kept using the cached attestation until expiry. Now: `validateLicense` distinguishes `cancelled` / `unauthorized` / `unreachable`, and on `cancelled`/`unauthorized` the cached attestation is wiped from `credentials.json` so the next restart drops to bootstrap. The buyer's current session keeps running (we don't kill tools mid-call); the gate latches on next launch.
+- **Background renewal on every startup.** Previously only triggered when the attestation was nearing expiry. Now every startup fires a fire-and-forget renewal so cancellations propagate within one restart instead of up-to-44-days.
+- **Fail-closed when the server stops issuing signed attestations.** Before: if `ATTESTATION_PRIVATE_KEY` ever dropped off Cloudflare (env reset, accidental rotation, partial deploy), validate-license would still return `valid:true` without a `signed_attestation` and the MCP would silently fall back to legacy trust — re-opening the credentials.json bypass v3.24.0 closed. Now: after the `TRANSITIONAL_ATTESTATION_DEADLINE` (2026-06-15), an unsigned `valid:true` response is treated as bootstrap; before the deadline we still accept it for migration but log a warning with the cutoff date.
+
+**Correctness:**
+
+- **Atomic `credentials.json` writes.** Replaced the bare `writeFileSync` with write-to-temp-then-rename plus process-unique temp suffixes. Mid-write crashes can no longer corrupt the file, and concurrent writers (e.g. `enable_workflow_builder` racing a Firebase token rotation) can't leave it half-formed. New tests in `credentials-store.test.ts` cover both the happy path and a 20-way concurrent-write fan-out.
+- **`update_calendar` schema is now `.strict()`.** Unknown fields on `teamMembers` or `locationConfigurations` (e.g. `userid` instead of `userId`, or a new GHL field we haven't captured) now error at the MCP boundary with a useful 422 instead of being silently dropped before the GHL PUT. Buyers stop wondering why a field they passed didn't save.
+
+**Observability:**
+
+- **`pipeline_skip` telemetry event.** When `validate-license` can't advance a buyer's pipeline opportunity (no opportunity exists, or all opportunities are closed), we now emit a distinct `[telemetry] pipeline_skip` line with the reason. Lets us surface "buyer's opportunity was accidentally closed" cases for manual reopen instead of silently failing forever.
+- **Telemetry key-name redaction.** The `recordEvent` helper now scrubs any `extra` key whose name matches `/email|license|key|token|secret|refresh|password|pit/i` before logging. Belt-and-suspenders against a future caller accidentally passing a secret as a metric tag.
+
+**UX:**
+
+- **`enable_workflow_builder` restart messaging.** Now explicit that workflow-builder tools called BEFORE the restart will keep using the old Firebase auth and 401 — even though the tool reported success. Removes the "I ran the tool, why doesn't it work" confusion.
+- **Welcome email "fifth field" not "sixth."** Off-by-one in the advanced-shortcut paragraph corrected.
+- **Firebase capture script handles multiple GHL logins.** Previously the script returned the first matching `firebase:authUser:` row, which could be the wrong account if the buyer had multiple GHL logins in the same browser. Now it enumerates ALL candidates, prints each with email + uid + last-login timestamp, picks the first one (still freshest by Firebase's storage order), and tells the buyer how to re-run against a different account.
+
 ## 3.25.0 — One-paste Firebase capture
 
 **New bootstrap-and-normal-mode tool. Tool count goes from 212 to 213 (the new tool counts whether you're set up or not).**

package/dist/index.js

@@ -31,7 +31,7 @@ var require_package = __commonJS({
   "package.json"(exports2, module2) {
     module2.exports = {
       name: "@elitedcs/ghl-mcp",
-      version: "3.25.0",
+      version: "3.26.0",
       mcpName: "io.github.drjerryrelth/ghl-command",
       description: "GoHighLevel MCP Server for Claude. 212 tools \u2014 full CRM, automation, marketing control, and the only programmatic GHL workflow builder, now multi-tenant across client accounts.",
       main: "dist/index.js",
@@ -359,12 +359,22 @@ function foldCredentialsIntoEnv(creds, env = process.env) {
 function writeCredentials(creds) {
   ensureAppDataDir();
   const file = credentialsPath();
-  fs.writeFileSync(file, JSON.stringify(creds, null, 2) + "\n", "utf-8");
-  if (process.platform !== "win32") {
+  const tmp = `${file}.tmp.${process.pid}.${Date.now()}`;
+  try {
+    fs.writeFileSync(tmp, JSON.stringify(creds, null, 2) + "\n", "utf-8");
+    if (process.platform !== "win32") {
+      try {
+        fs.chmodSync(tmp, 384);
+      } catch {
+      }
+    }
+    fs.renameSync(tmp, file);
+  } catch (err) {
     try {
-      fs.chmodSync(file, 384);
+      fs.unlinkSync(tmp);
     } catch {
     }
+    throw err;
   }
 }
 
@@ -2398,14 +2408,14 @@ var TeamMemberLocationConfigSchema = import_zod9.z.object({
   kind: import_zod9.z.string().describe("Meeting location kind. Common values: 'custom', 'zoom_conference', 'google_meet'."),
   position: import_zod9.z.number().int().nonnegative().describe("Position index for ordering (0-based)."),
   location: import_zod9.z.string().optional().describe("Display string for the meeting location (URL or address). Optional for kind='custom'.")
-});
+}).strict();
 var CalendarTeamMemberSchema = import_zod9.z.object({
   userId: import_zod9.z.string().describe("GHL user ID to assign. Must exist in this sub-account."),
   priority: import_zod9.z.union([import_zod9.z.literal(0), import_zod9.z.literal(0.5), import_zod9.z.literal(1)]).describe("Booking priority. Exactly 0, 0.5, or 1 (anything else 422s from GHL). Higher = preferred for round-robin."),
   isPrimary: import_zod9.z.boolean().describe("Whether this user is the primary assignee."),
   selected: import_zod9.z.boolean().describe("Whether this user is currently active on the calendar (true to enable)."),
   locationConfigurations: import_zod9.z.array(TeamMemberLocationConfigSchema).min(1).describe("At least one meeting-location config. Typical shape: [{kind:'custom', position:0, location:''}].")
-});
+}).strict();
 function registerCalendarTools(server2, client) {
   safeTool(
     server2,
@@ -5844,25 +5854,35 @@ var FIREBASE_CAPTURE_SCRIPT = `(async () => {
       r.onsuccess = () => res(r.result);
       r.onerror = () => rej(r.error);
     });
-    const row = rows.find(r => typeof r?.fbase_key === 'string' && r.fbase_key.startsWith('firebase:authUser:AIza'));
-    if (!row) {
+    const candidates = rows.filter(r => typeof r?.fbase_key === 'string' && r.fbase_key.startsWith('firebase:authUser:AIza') && r?.value?.apiKey && r?.value?.uid && r?.value?.stsTokenManager?.refreshToken);
+    if (!candidates.length) {
       console.log('%cGHL Command: no Firebase login found.', 'color:red;font-weight:bold');
       console.log('Open a tab logged into your GHL account, then run this again in that tab.');
       return;
     }
-    const v = row.value || {};
+    // Multi-account safety (v3.26.0): if the browser has more than one
+    // GHL Firebase login cached, show the buyer which one we're using and
+    // how to pick a different one. The first matching row is the freshest
+    // login per Firebase's storage order, but it isn't always the buyer's
+    // CURRENT account if they recently switched.
+    if (candidates.length > 1) {
+      console.log('%cGHL Command: ' + candidates.length + ' Firebase logins found in this browser:', 'color:orange;font-weight:bold');
+      candidates.forEach((c, i) => {
+        const v = c.value || {};
+        const lastLogin = v.lastLoginAt ? new Date(Number(v.lastLoginAt)).toISOString() : '(no timestamp)';
+        console.log('  [' + i + '] ' + (v.email || '(no email)') + ' \u2014 uid ' + (v.uid || '').slice(0, 8) + '\u2026 \u2014 last login ' + lastLogin);
+      });
+      console.log('Using [0] (most recently active). If that is the wrong account, log out of the others in their GHL tabs and re-run this script.');
+    }
+    const v = candidates[0].value;
     const out = {
       ghl_firebase_api_key: v.apiKey,
       ghl_user_id: v.uid,
-      ghl_firebase_refresh_token: v.stsTokenManager?.refreshToken,
+      ghl_firebase_refresh_token: v.stsTokenManager.refreshToken,
     };
-    if (!out.ghl_firebase_api_key || !out.ghl_user_id || !out.ghl_firebase_refresh_token) {
-      console.log('%cGHL Command: found Firebase login but a field was missing.', 'color:red;font-weight:bold');
-      console.log('Try logging out of GHL and back in, then run this again.');
-      return;
-    }
     const json = JSON.stringify(out, null, 2);
     console.log('%cGHL Command: paste this into setup_ghl_mcp (firebase_paste field):', 'color:green;font-weight:bold');
+    if (v.email) console.log('Account: ' + v.email);
     console.log(json);
     try {
       await navigator.clipboard.writeText(json);
@@ -5914,8 +5934,9 @@ function deviceFingerprint() {
   return crypto2.createHash("sha256").update(raw).digest("hex").slice(0, 16);
 }
 async function validateLicense(email, licenseKey) {
+  let res;
   try {
-    const res = await fetch(LICENSE_API, {
+    res = await fetch(LICENSE_API, {
       method: "POST",
       headers: { "Content-Type": "application/json" },
       body: JSON.stringify({
@@ -5925,19 +5946,28 @@ async function validateLicense(email, licenseKey) {
       }),
       signal: AbortSignal.timeout(1e4)
     });
-    const data = await res.json().catch(() => ({}));
-    if (res.ok && data.valid) {
-      return {
-        ok: true,
-        installs: `${data.installs_used}/${data.installs_max}`,
-        signedAttestation: typeof data.signed_attestation === "string" ? data.signed_attestation : void 0
-      };
-    }
-    return { ok: false, error: data.error || data.message || `License validation failed (HTTP ${res.status})` };
   } catch (err) {
     const msg = err instanceof Error ? err.message : String(err);
-    return { ok: false, error: `Could not reach license server: ${msg}` };
+    return { ok: false, error: `Could not reach license server: ${msg}`, reason: "unreachable" };
+  }
+  if (res.status >= 500) {
+    return { ok: false, error: `License server returned HTTP ${res.status}`, reason: "unreachable" };
   }
+  const data = await res.json().catch(() => ({}));
+  if (res.ok && data.valid) {
+    return {
+      ok: true,
+      installs: `${data.installs_used}/${data.installs_max}`,
+      signedAttestation: typeof data.signed_attestation === "string" ? data.signed_attestation : void 0
+    };
+  }
+  const errorText = String(data.error || data.message || "").toLowerCase();
+  const looksCancelled = res.status === 403 || errorText.includes("cancel") || errorText.includes("install limit");
+  return {
+    ok: false,
+    error: data.error || data.message || `License validation failed (HTTP ${res.status})`,
+    reason: looksCancelled ? "cancelled" : "unauthorized"
+  };
 }
 async function validateGhl(apiKey2, locationId2) {
   try {
@@ -6164,13 +6194,13 @@ DevTools steps: https://elitedcs.com/ghl-mcp-firebase`
           text: [
             "Workflow Builder enabled!",
             "",
-            "Firebase credentials verified and saved.",
+            "Firebase credentials verified and saved to credentials.json.",
             "",
-            "**Restart Claude (quit fully and reopen) to load the workflow builder + funnel builder + pipeline builder + form builder + workflow cloner tools (212 total).**",
+            "**You MUST restart Claude before using any workflow-builder tool.** Quit Claude completely (Cmd+Q on Mac, full exit on Windows) and reopen. Without a restart, the workflow builder tools will keep using the OLD Firebase auth from before this call and fail with 401 errors \u2014 even though this tool reported success.",
             "",
-            'After restart, try: "List my workflows in full detail" or "Validate workflow <id>".',
+            'After restart, all 212 tools load. Try: "List my workflows in full detail" or "Validate workflow <id>".',
             "",
-            "Note: Firebase refresh tokens rotate every few weeks. If workflow tools stop working, re-run enable_workflow_builder with fresh values from a current GHL browser session."
+            "Note: Firebase refresh tokens rotate every few weeks. If workflow tools stop working in a few weeks (run `health_check` to confirm Firebase auth: FAIL), run `auto_capture_firebase_script` for fresh values and re-run this tool with the new firebase_paste."
           ].join("\n")
         }]
       };
@@ -8544,12 +8574,6 @@ async function verifyAttestation(token, bindings, now = /* @__PURE__ */ new Date
   }
   return { ok: false, reason: "expired" };
 }
-function shouldRenew(payload, now = /* @__PURE__ */ new Date()) {
-  const expiry = Date.parse(payload.expires_at);
-  if (!Number.isFinite(expiry)) return true;
-  const remainingMs = expiry - now.getTime();
-  return remainingMs < 7 * 24 * 60 * 60 * 1e3;
-}
 
 // src/tools/meta.ts
 function registerMetaTools(server2, installedVersion) {
@@ -8633,15 +8657,16 @@ var server = new import_mcp.McpServer({
 });
 registerMetaTools(server, pkg.version);
 var inBootstrapMode = true;
+var TRANSITIONAL_ATTESTATION_DEADLINE = Date.parse("2026-06-15T00:00:00.000Z");
 async function renewAttestation(creds) {
-  if (!creds.email || !creds.license_key) return false;
+  if (!creds.email || !creds.license_key) return "unauthorized";
+  let lic;
   try {
-    const lic = await validateLicense(creds.email, creds.license_key);
-    if (!lic.ok) {
-      process.stderr.write(`[ghl-mcp] Re-validate failed: ${lic.error}
-`);
-      return false;
-    }
+    lic = await validateLicense(creds.email, creds.license_key);
+  } catch {
+    return "unreachable";
+  }
+  if (lic.ok) {
     try {
       writeCredentials({
         ...creds,
@@ -8651,12 +8676,23 @@ async function renewAttestation(creds) {
     } catch {
     }
     if (!lic.signedAttestation) {
-      process.stderr.write("[ghl-mcp] License re-validated, but the license server did not return a signed attestation. Falling back to legacy trust for this session.\n");
+      process.stderr.write("[ghl-mcp] License re-validated, but the license server did not return a signed attestation. This path closes on " + new Date(TRANSITIONAL_ATTESTATION_DEADLINE).toISOString().slice(0, 10) + ".\n");
+      return "renewed-unsigned";
     }
-    return true;
-  } catch {
-    return false;
+    return "renewed";
   }
+  if (lic.reason === "cancelled" || lic.reason === "unauthorized") {
+    try {
+      writeCredentials({ ...creds, signed_attestation: void 0 });
+      process.stderr.write(`[ghl-mcp] Server rejected license (${lic.reason}). Dropping to bootstrap mode.
+`);
+    } catch {
+    }
+    return lic.reason;
+  }
+  process.stderr.write(`[ghl-mcp] License re-validate unreachable: ${lic.error}
+`);
+  return "unreachable";
 }
 function renewAttestationInBackground(creds) {
   return renewAttestation(creds).then(() => void 0, () => void 0);
@@ -8672,14 +8708,15 @@ async function resolveAccessAndRegister() {
     if (verify.ok) {
       licenseVerified = true;
       attestationStatus = verify.reason;
-      if (verify.reason === "in-grace" || shouldRenew(verify.payload)) {
-        void renewAttestationInBackground(fileCreds);
-      }
+      void renewAttestationInBackground(fileCreds);
     } else {
       process.stderr.write(`[ghl-mcp] Stored attestation rejected: ${verify.reason}. Re-validating online.
 `);
       const renewed = await renewAttestation(fileCreds);
-      if (renewed) {
+      if (renewed === "renewed") {
+        licenseVerified = true;
+        attestationStatus = "renewed-after-tamper";
+      } else if (renewed === "renewed-unsigned" && Date.now() < TRANSITIONAL_ATTESTATION_DEADLINE) {
         licenseVerified = true;
         attestationStatus = "renewed-after-tamper";
       } else {
@@ -8689,12 +8726,22 @@ async function resolveAccessAndRegister() {
   } else if (fileCreds?.email && fileCreds?.license_key) {
     process.stderr.write("[ghl-mcp] Upgrading legacy credentials.json to signed attestation.\n");
     const renewed = await renewAttestation(fileCreds);
-    if (renewed) {
+    if (renewed === "renewed") {
+      licenseVerified = true;
+      attestationStatus = "renewed-from-legacy";
+    } else if (renewed === "renewed-unsigned" && Date.now() < TRANSITIONAL_ATTESTATION_DEADLINE) {
       licenseVerified = true;
       attestationStatus = "renewed-from-legacy";
     } else {
       attestationStatus = "needs-reset";
-      process.stderr.write("[ghl-mcp] Could not re-validate. Run setup_ghl_mcp again.\n");
+      if (renewed === "cancelled" || renewed === "unauthorized") {
+        process.stderr.write(`[ghl-mcp] Server says license is ${renewed}. Bootstrap mode.
+`);
+      } else if (renewed === "renewed-unsigned") {
+        process.stderr.write("[ghl-mcp] Server is in unsigned-attestation mode past the transition deadline. Bootstrap mode.\n");
+      } else {
+        process.stderr.write("[ghl-mcp] Could not re-validate. Run setup_ghl_mcp again.\n");
+      }
     }
   }
   if (!licenseVerified && apiKey && locationId) {
@@ -8702,7 +8749,8 @@ async function resolveAccessAndRegister() {
     const licKey = (process.env.GHL_LICENSE_KEY || fileCreds?.license_key)?.trim();
     if (licEmail && licKey) {
       const lic = await validateLicense(licEmail, licKey);
-      if (lic.ok) {
+      const acceptUnsigned = !lic.ok ? false : lic.signedAttestation || Date.now() < TRANSITIONAL_ATTESTATION_DEADLINE;
+      if (lic.ok && acceptUnsigned) {
         licenseVerified = true;
         attestationStatus = "renewed";
         try {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@elitedcs/ghl-mcp",
-  "version": "3.25.0",
+  "version": "3.26.0",
   "mcpName": "io.github.drjerryrelth/ghl-command",
   "description": "GoHighLevel MCP Server for Claude. 212 tools — full CRM, automation, marketing control, and the only programmatic GHL workflow builder, now multi-tenant across client accounts.",
   "main": "dist/index.js",