@elitedcs/ghl-mcp 3.25.0 → 3.27.0

package/CHANGELOG.md

@@ -1,5 +1,53 @@
 # Changelog
 
+## 3.27.0 — Multi-tenant Firebase binding fix
+
+**Fixes the bug that blocked workflow-builder tools in client sub-accounts even after a successful `register_company_firebase`.**
+
+**Root cause.** GHL uses two different company identifiers. The ID shown in the agency dashboard URL is NOT the `companyId` that `/locations/{id}` returns or that the Firebase token carries in its `company_id` claim. `register_company_firebase` stored the credentials under the human-typed (agency-URL) ID, but `switch_location` resolves a sub-account's owner from `/locations/{id}.companyId` — the internal ID. The two never matched, so the lookup missed, the workflow builder fell back to home auth, and every Firebase-gated call 401'd. The warning even told the user to run `register_company_firebase` again — which they already had.
+
+**Fixes:**
+
+- **Store under the token's real company.** `register_company_firebase` now decodes the Firebase ID token's `company_id` claim and keys the registry entry on THAT value, not the typed one. Pass any company ID you have; it self-corrects. A note tells you when the stored ID differs from what you entered.
+- **Verification now exercises the real path.** The optional end-to-end test resolves the test location's company the same way `switch_location` does, confirms the registry lookup actually hits, then makes a live workflow-builder call. The old probe used an inline client that bypassed the lookup, so it passed even when the stored key would never be found.
+- **PIT/Firebase mismatch detection.** Every time the client mints an ID token, it compares the token's `company_id` claim against the company we intend to act on. A mismatch (the exact signature of this bug, or any future regression) writes a loud one-time stderr warning instead of failing silently. Direct Firebase-gated tool calls bypass `switch_location`'s routing, so this lives at the token-mint layer.
+- **Honest `health_check`.** Firebase auth now reports the company the token ACTUALLY authenticates as, and returns `fail` (not a bare `pass`) when that disagrees with the active company.
+- **Registry key normalization.** Company IDs are trimmed on store/lookup so a stray pasted space can't fork one company into two entries.
+- **Misleading warning fixed.** When a sub-account's company has no matching key, `switch_location` now distinguishes "nothing registered" from "registered under a different ID" and names the mismatch, instead of blindly telling the user to re-register.
+- **Updated `register_company_firebase` description + DevTools doc** so we stop telling users to copy the company ID from the agency URL.
+
+**Known behavior (by design):** after an MCP restart you must `switch_location` once into a client account before its workflow-builder tools work — the active company resets to home on launch. `health_check` and the mismatch warning now make this obvious.
+
+**Tests:** new `workflow-builder-mismatch.test.ts` covers claim decoding, registry key normalization, mismatch warn/no-warn, and warn-once dedup. Full suite green (163 passing).
+
+## 3.26.0 — Codex adversarial audit fixes
+
+**Tool count unchanged (213). No new features — closes a set of silent bugs Codex flagged in a third-party adversarial review of the v3.21.0–v3.25.0 release arc.**
+
+Now that paid customers run this code, we ran the same Codex-rescue review pattern we use on the PN tracker app. Codex turned up 10 issues; v3.26.0 ships the ones with concrete fixes. Deferred items (server-outage recovery, rate-limiting at the edge) are documented in the project memory.
+
+**Security tightening:**
+
+- **Cancelled-subscription detection.** Before: a cancelled license kept running for up to 44 days (30-day attestation TTL + 14-day grace) because the MCP never reacted to a server "cancelled" response — it just kept using the cached attestation until expiry. Now: `validateLicense` distinguishes `cancelled` / `unauthorized` / `unreachable`, and on `cancelled`/`unauthorized` the cached attestation is wiped from `credentials.json` so the next restart drops to bootstrap. The buyer's current session keeps running (we don't kill tools mid-call); the gate latches on next launch.
+- **Background renewal on every startup.** Previously only triggered when the attestation was nearing expiry. Now every startup fires a fire-and-forget renewal so cancellations propagate within one restart instead of up-to-44-days.
+- **Fail-closed when the server stops issuing signed attestations.** Before: if `ATTESTATION_PRIVATE_KEY` ever dropped off Cloudflare (env reset, accidental rotation, partial deploy), validate-license would still return `valid:true` without a `signed_attestation` and the MCP would silently fall back to legacy trust — re-opening the credentials.json bypass v3.24.0 closed. Now: after the `TRANSITIONAL_ATTESTATION_DEADLINE` (2026-06-15), an unsigned `valid:true` response is treated as bootstrap; before the deadline we still accept it for migration but log a warning with the cutoff date.
+
+**Correctness:**
+
+- **Atomic `credentials.json` writes.** Replaced the bare `writeFileSync` with write-to-temp-then-rename plus process-unique temp suffixes. Mid-write crashes can no longer corrupt the file, and concurrent writers (e.g. `enable_workflow_builder` racing a Firebase token rotation) can't leave it half-formed. New tests in `credentials-store.test.ts` cover both the happy path and a 20-way concurrent-write fan-out.
+- **`update_calendar` schema is now `.strict()`.** Unknown fields on `teamMembers` or `locationConfigurations` (e.g. `userid` instead of `userId`, or a new GHL field we haven't captured) now error at the MCP boundary with a useful 422 instead of being silently dropped before the GHL PUT. Buyers stop wondering why a field they passed didn't save.
+
+**Observability:**
+
+- **`pipeline_skip` telemetry event.** When `validate-license` can't advance a buyer's pipeline opportunity (no opportunity exists, or all opportunities are closed), we now emit a distinct `[telemetry] pipeline_skip` line with the reason. Lets us surface "buyer's opportunity was accidentally closed" cases for manual reopen instead of silently failing forever.
+- **Telemetry key-name redaction.** The `recordEvent` helper now scrubs any `extra` key whose name matches `/email|license|key|token|secret|refresh|password|pit/i` before logging. Belt-and-suspenders against a future caller accidentally passing a secret as a metric tag.
+
+**UX:**
+
+- **`enable_workflow_builder` restart messaging.** Now explicit that workflow-builder tools called BEFORE the restart will keep using the old Firebase auth and 401 — even though the tool reported success. Removes the "I ran the tool, why doesn't it work" confusion.
+- **Welcome email "fifth field" not "sixth."** Off-by-one in the advanced-shortcut paragraph corrected.
+- **Firebase capture script handles multiple GHL logins.** Previously the script returned the first matching `firebase:authUser:` row, which could be the wrong account if the buyer had multiple GHL logins in the same browser. Now it enumerates ALL candidates, prints each with email + uid + last-login timestamp, picks the first one (still freshest by Firebase's storage order), and tells the buyer how to re-run against a different account.
+
 ## 3.25.0 — One-paste Firebase capture
 
 **New bootstrap-and-normal-mode tool. Tool count goes from 212 to 213 (the new tool counts whether you're set up or not).**

package/README.md

@@ -185,12 +185,13 @@ To unlock full builder access across multiple clients from one install:
 3. **Register the client's company Firebase:**
    ```
    register_company_firebase
-     companyId: CLIENT_COMPANY_ID         (shown in register_location's output)
+     companyId: CLIENT_COMPANY_ID         (best-effort — see note)
      name: "Client Name"
      ghl_firebase_refresh_token: FROM_STEP_7
      ghl_user_id: FROM_STEP_6
      test_location_id: CLIENT_LOCATION_ID  (optional — runs a live check that it works)
    ```
+   > **`companyId` is best-effort.** GHL's agency-URL company ID is a *different* identifier than the internal one used for sub-accounts. The tool decodes the company ID the Firebase token itself authenticates as and stores the entry under that, so you don't have to track down the exact internal ID — pass whatever you have (e.g. from `register_location`'s output) and it self-corrects.
 
 4. **Switch and build:** `switch_location CLIENT_LOCATION_ID` swaps both the API key *and* the Firebase auth automatically. The workflow builder now operates in the client's account. Switching back to your own location restores your home Firebase.
 

package/dist/index.js

@@ -31,7 +31,7 @@ var require_package = __commonJS({
   "package.json"(exports2, module2) {
     module2.exports = {
       name: "@elitedcs/ghl-mcp",
-      version: "3.25.0",
+      version: "3.27.0",
       mcpName: "io.github.drjerryrelth/ghl-command",
       description: "GoHighLevel MCP Server for Claude. 212 tools \u2014 full CRM, automation, marketing control, and the only programmatic GHL workflow builder, now multi-tenant across client accounts.",
       main: "dist/index.js",
@@ -359,12 +359,22 @@ function foldCredentialsIntoEnv(creds, env = process.env) {
 function writeCredentials(creds) {
   ensureAppDataDir();
   const file = credentialsPath();
-  fs.writeFileSync(file, JSON.stringify(creds, null, 2) + "\n", "utf-8");
-  if (process.platform !== "win32") {
+  const tmp = `${file}.tmp.${process.pid}.${Date.now()}`;
+  try {
+    fs.writeFileSync(tmp, JSON.stringify(creds, null, 2) + "\n", "utf-8");
+    if (process.platform !== "win32") {
+      try {
+        fs.chmodSync(tmp, 384);
+      } catch {
+      }
+    }
+    fs.renameSync(tmp, file);
+  } catch (err) {
     try {
-      fs.chmodSync(file, 384);
+      fs.unlinkSync(tmp);
     } catch {
     }
+    throw err;
   }
 }
 
@@ -394,7 +404,7 @@ var TokenRegistryDataSchema = import_zod2.z.object({
   // process operate the workflow builder across multiple clients' GHL accounts.
   firebaseByCompany: import_zod2.z.record(CompanyFirebaseSchema).optional()
 });
-var TokenRegistry = class {
+var TokenRegistry = class _TokenRegistry {
   data;
   filePath;
   constructor(filePath) {
@@ -568,26 +578,36 @@ var TokenRegistry = class {
       this.save();
     }
   }
+  /**
+   * Normalize a company id used as a firebaseByCompany key. Trims whitespace so
+   * a stray copy/paste space can't fork one company into two registry entries
+   * (one stored, a different one looked up). Keys are otherwise case-sensitive
+   * because GHL company ids are case-sensitive Mongo-style ids.
+   */
+  static normalizeCompanyId(companyId) {
+    return companyId.trim();
+  }
   /**
    * Get a specific company's Firebase config (multi-tenant routing).
    */
   getCompanyFirebase(companyId) {
-    return this.data.firebaseByCompany?.[companyId];
+    return this.data.firebaseByCompany?.[_TokenRegistry.normalizeCompanyId(companyId)];
   }
   /**
    * Store (or replace) a company's Firebase config.
    */
   setCompanyFirebase(companyId, config3) {
     if (!this.data.firebaseByCompany) this.data.firebaseByCompany = {};
-    this.data.firebaseByCompany[companyId] = config3;
+    this.data.firebaseByCompany[_TokenRegistry.normalizeCompanyId(companyId)] = config3;
     this.save();
   }
   /**
    * Remove a company's Firebase config. Returns true if one existed.
    */
   removeCompanyFirebase(companyId) {
-    if (this.data.firebaseByCompany?.[companyId]) {
-      delete this.data.firebaseByCompany[companyId];
+    const key = _TokenRegistry.normalizeCompanyId(companyId);
+    if (this.data.firebaseByCompany?.[key]) {
+      delete this.data.firebaseByCompany[key];
       this.save();
       return true;
     }
@@ -609,7 +629,7 @@ var TokenRegistry = class {
    * company is the active one). No-op if the company isn't registered.
    */
   updateCompanyFirebaseRefreshToken(companyId, newToken) {
-    const cfg = this.data.firebaseByCompany?.[companyId];
+    const cfg = this.data.firebaseByCompany?.[_TokenRegistry.normalizeCompanyId(companyId)];
     if (cfg) {
       cfg.refreshToken = newToken;
       this.save();
@@ -629,6 +649,24 @@ var path3 = __toESM(require("path"));
 var dotenv = __toESM(require("dotenv"));
 var import_zod4 = require("zod");
 
+// src/firebase-claims.ts
+function decodeFirebaseClaims(idToken) {
+  try {
+    const seg = idToken.split(".")[1];
+    if (!seg) return {};
+    const json = Buffer.from(seg.replace(/-/g, "+").replace(/_/g, "/"), "base64").toString("utf-8");
+    const claims = JSON.parse(json);
+    return {
+      companyId: typeof claims.company_id === "string" ? claims.company_id : void 0,
+      userId: typeof claims.user_id === "string" ? claims.user_id : void 0,
+      type: typeof claims.type === "string" ? claims.type : void 0,
+      role: typeof claims.role === "string" ? claims.role : void 0
+    };
+  } catch {
+    return {};
+  }
+}
+
 // src/trigger-schemas.ts
 var import_zod3 = require("zod");
 var TriggerActionSchema = import_zod3.z.object({
@@ -1163,6 +1201,20 @@ var WorkflowBuilderClient = class _WorkflowBuilderClient {
   cachedIdToken = null;
   tokenExpiry = 0;
   tokenRefreshPromise = null;
+  // The company_id claim from the most recently minted ID token. Lets
+  // health_check report the company we're ACTUALLY authenticated as (vs. the
+  // one we intended), and backs PIT/Firebase mismatch detection.
+  tokenCompanyId;
+  // The company that OWNS the location we're operating on, as resolved by
+  // switch_location from /locations/{id}.companyId. This is the company the
+  // Firebase token MUST authenticate as. It is distinct from currentCompanyId
+  // (the Firebase auth company): when routing falls back to home auth, the two
+  // diverge and that IS the binding bug. undefined for home-only installs or
+  // before any switch_location call.
+  intendedCompanyId;
+  // Mismatch warnings already emitted (keyed `intended->token`). Append-only so
+  // we warn once per distinct mismatch for the life of the process.
+  mismatchWarnedFor = /* @__PURE__ */ new Set();
   constructor(config3) {
     this.firebaseApiKey = config3.firebaseApiKey;
     this.refreshToken = config3.refreshToken;
@@ -1204,6 +1256,27 @@ var WorkflowBuilderClient = class _WorkflowBuilderClient {
   getCurrentCompanyId() {
     return this.currentCompanyId;
   }
+  /**
+   * The company_id claim from the most recently minted ID token — the company we
+   * are ACTUALLY authenticated as. undefined until the first token mint. When this
+   * differs from getIntendedCompanyId() the binding is wrong (see performTokenRefresh).
+   */
+  getTokenCompanyId() {
+    return this.tokenCompanyId;
+  }
+  /**
+   * Record the company that owns the location we're operating on (resolved by
+   * switch_location). The Firebase token MUST authenticate as this company; a
+   * divergence is the binding bug. Set on every switch regardless of whether
+   * Firebase routing found a matching credential, so health_check and the
+   * mismatch detector can flag a silent fall-back to home auth.
+   */
+  setIntendedCompanyId(companyId) {
+    this.intendedCompanyId = companyId;
+  }
+  getIntendedCompanyId() {
+    return this.intendedCompanyId;
+  }
   /**
    * Swap in a specific company's Firebase auth (multi-tenant). Used by
    * switch_location so the workflow builder authenticates against the company
@@ -1337,6 +1410,18 @@ var WorkflowBuilderClient = class _WorkflowBuilderClient {
     const data = FirebaseTokenSchema.parse(await response.json());
     this.cachedIdToken = data.id_token;
     this.tokenExpiry = Date.now() + 55 * 60 * 1e3;
+    this.tokenCompanyId = decodeFirebaseClaims(data.id_token).companyId;
+    const expectedCompanyId = this.intendedCompanyId ?? this.currentCompanyId;
+    if (expectedCompanyId && this.tokenCompanyId && expectedCompanyId !== this.tokenCompanyId) {
+      const warnKey = `${expectedCompanyId}->${this.tokenCompanyId}`;
+      if (!this.mismatchWarnedFor.has(warnKey)) {
+        this.mismatchWarnedFor.add(warnKey);
+        process.stderr.write(
+          `[ghl-mcp] WARNING: Firebase/company mismatch. Operating on company ${expectedCompanyId} but the Firebase token authenticates as ${this.tokenCompanyId}. Workflow-builder writes will 401 or hit the wrong account. The company Firebase is missing or registered under the wrong ID \u2014 run register_company_firebase with a token captured from that sub-account's session.
+`
+        );
+      }
+    }
     if (data.refresh_token && data.refresh_token !== this.refreshToken) {
       this.refreshToken = data.refresh_token;
       this.persistRotatedToken(data.refresh_token);
@@ -2398,14 +2483,14 @@ var TeamMemberLocationConfigSchema = import_zod9.z.object({
   kind: import_zod9.z.string().describe("Meeting location kind. Common values: 'custom', 'zoom_conference', 'google_meet'."),
   position: import_zod9.z.number().int().nonnegative().describe("Position index for ordering (0-based)."),
   location: import_zod9.z.string().optional().describe("Display string for the meeting location (URL or address). Optional for kind='custom'.")
-});
+}).strict();
 var CalendarTeamMemberSchema = import_zod9.z.object({
   userId: import_zod9.z.string().describe("GHL user ID to assign. Must exist in this sub-account."),
   priority: import_zod9.z.union([import_zod9.z.literal(0), import_zod9.z.literal(0.5), import_zod9.z.literal(1)]).describe("Booking priority. Exactly 0, 0.5, or 1 (anything else 422s from GHL). Higher = preferred for round-robin."),
   isPrimary: import_zod9.z.boolean().describe("Whether this user is the primary assignee."),
   selected: import_zod9.z.boolean().describe("Whether this user is currently active on the calendar (true to enable)."),
   locationConfigurations: import_zod9.z.array(TeamMemberLocationConfigSchema).min(1).describe("At least one meeting-location config. Typical shape: [{kind:'custom', position:0, location:''}].")
-});
+}).strict();
 function registerCalendarTools(server2, client) {
   safeTool(
     server2,
@@ -5844,25 +5929,35 @@ var FIREBASE_CAPTURE_SCRIPT = `(async () => {
       r.onsuccess = () => res(r.result);
       r.onerror = () => rej(r.error);
     });
-    const row = rows.find(r => typeof r?.fbase_key === 'string' && r.fbase_key.startsWith('firebase:authUser:AIza'));
-    if (!row) {
+    const candidates = rows.filter(r => typeof r?.fbase_key === 'string' && r.fbase_key.startsWith('firebase:authUser:AIza') && r?.value?.apiKey && r?.value?.uid && r?.value?.stsTokenManager?.refreshToken);
+    if (!candidates.length) {
       console.log('%cGHL Command: no Firebase login found.', 'color:red;font-weight:bold');
       console.log('Open a tab logged into your GHL account, then run this again in that tab.');
       return;
     }
-    const v = row.value || {};
+    // Multi-account safety (v3.26.0): if the browser has more than one
+    // GHL Firebase login cached, show the buyer which one we're using and
+    // how to pick a different one. The first matching row is the freshest
+    // login per Firebase's storage order, but it isn't always the buyer's
+    // CURRENT account if they recently switched.
+    if (candidates.length > 1) {
+      console.log('%cGHL Command: ' + candidates.length + ' Firebase logins found in this browser:', 'color:orange;font-weight:bold');
+      candidates.forEach((c, i) => {
+        const v = c.value || {};
+        const lastLogin = v.lastLoginAt ? new Date(Number(v.lastLoginAt)).toISOString() : '(no timestamp)';
+        console.log('  [' + i + '] ' + (v.email || '(no email)') + ' \u2014 uid ' + (v.uid || '').slice(0, 8) + '\u2026 \u2014 last login ' + lastLogin);
+      });
+      console.log('Using [0] (most recently active). If that is the wrong account, log out of the others in their GHL tabs and re-run this script.');
+    }
+    const v = candidates[0].value;
     const out = {
       ghl_firebase_api_key: v.apiKey,
       ghl_user_id: v.uid,
-      ghl_firebase_refresh_token: v.stsTokenManager?.refreshToken,
+      ghl_firebase_refresh_token: v.stsTokenManager.refreshToken,
     };
-    if (!out.ghl_firebase_api_key || !out.ghl_user_id || !out.ghl_firebase_refresh_token) {
-      console.log('%cGHL Command: found Firebase login but a field was missing.', 'color:red;font-weight:bold');
-      console.log('Try logging out of GHL and back in, then run this again.');
-      return;
-    }
     const json = JSON.stringify(out, null, 2);
     console.log('%cGHL Command: paste this into setup_ghl_mcp (firebase_paste field):', 'color:green;font-weight:bold');
+    if (v.email) console.log('Account: ' + v.email);
     console.log(json);
     try {
       await navigator.clipboard.writeText(json);
@@ -5914,8 +6009,9 @@ function deviceFingerprint() {
   return crypto2.createHash("sha256").update(raw).digest("hex").slice(0, 16);
 }
 async function validateLicense(email, licenseKey) {
+  let res;
   try {
-    const res = await fetch(LICENSE_API, {
+    res = await fetch(LICENSE_API, {
       method: "POST",
       headers: { "Content-Type": "application/json" },
       body: JSON.stringify({
@@ -5925,19 +6021,28 @@ async function validateLicense(email, licenseKey) {
       }),
       signal: AbortSignal.timeout(1e4)
     });
-    const data = await res.json().catch(() => ({}));
-    if (res.ok && data.valid) {
-      return {
-        ok: true,
-        installs: `${data.installs_used}/${data.installs_max}`,
-        signedAttestation: typeof data.signed_attestation === "string" ? data.signed_attestation : void 0
-      };
-    }
-    return { ok: false, error: data.error || data.message || `License validation failed (HTTP ${res.status})` };
   } catch (err) {
     const msg = err instanceof Error ? err.message : String(err);
-    return { ok: false, error: `Could not reach license server: ${msg}` };
+    return { ok: false, error: `Could not reach license server: ${msg}`, reason: "unreachable" };
+  }
+  if (res.status >= 500) {
+    return { ok: false, error: `License server returned HTTP ${res.status}`, reason: "unreachable" };
+  }
+  const data = await res.json().catch(() => ({}));
+  if (res.ok && data.valid) {
+    return {
+      ok: true,
+      installs: `${data.installs_used}/${data.installs_max}`,
+      signedAttestation: typeof data.signed_attestation === "string" ? data.signed_attestation : void 0
+    };
   }
+  const errorText = String(data.error || data.message || "").toLowerCase();
+  const looksCancelled = res.status === 403 || errorText.includes("cancel") || errorText.includes("install limit");
+  return {
+    ok: false,
+    error: data.error || data.message || `License validation failed (HTTP ${res.status})`,
+    reason: looksCancelled ? "cancelled" : "unauthorized"
+  };
 }
 async function validateGhl(apiKey2, locationId2) {
   try {
@@ -5969,7 +6074,9 @@ async function validateFirebase(firebaseKey, refreshToken) {
       signal: AbortSignal.timeout(1e4)
     });
     if (!res.ok) return { ok: false, error: "Firebase credentials rejected. Re-extract them from your GHL browser tab." };
-    return { ok: true };
+    const data = await res.json().catch(() => ({}));
+    const claims = data.id_token ? decodeFirebaseClaims(data.id_token) : {};
+    return { ok: true, companyId: claims.companyId, userId: claims.userId };
   } catch (err) {
     const msg = err instanceof Error ? err.message : String(err);
     return { ok: false, error: `Could not reach Firebase: ${msg}` };
@@ -6164,13 +6271,13 @@ DevTools steps: https://elitedcs.com/ghl-mcp-firebase`
           text: [
             "Workflow Builder enabled!",
             "",
-            "Firebase credentials verified and saved.",
+            "Firebase credentials verified and saved to credentials.json.",
             "",
-            "**Restart Claude (quit fully and reopen) to load the workflow builder + funnel builder + pipeline builder + form builder + workflow cloner tools (212 total).**",
+            "**You MUST restart Claude before using any workflow-builder tool.** Quit Claude completely (Cmd+Q on Mac, full exit on Windows) and reopen. Without a restart, the workflow builder tools will keep using the OLD Firebase auth from before this call and fail with 401 errors \u2014 even though this tool reported success.",
             "",
-            'After restart, try: "List my workflows in full detail" or "Validate workflow <id>".',
+            'After restart, all 212 tools load. Try: "List my workflows in full detail" or "Validate workflow <id>".',
             "",
-            "Note: Firebase refresh tokens rotate every few weeks. If workflow tools stop working, re-run enable_workflow_builder with fresh values from a current GHL browser session."
+            "Note: Firebase refresh tokens rotate every few weeks. If workflow tools stop working in a few weeks (run `health_check` to confirm Firebase auth: FAIL), run `auto_capture_firebase_script` for fresh values and re-run this tool with the new firebase_paste."
           ].join("\n")
         }]
       };
@@ -6276,12 +6383,18 @@ Firebase: using ${cfg.name || `company ${companyId}`} credentials \u2014 workflo
   }
   builderClient.resetToHomeFirebase();
   const homeCompanyId = builderClient.getCurrentCompanyId();
-  if (homeCompanyId === void 0) {
-    return "\nFirebase: using home credentials. Home company id isn't configured (set GHL_COMPANY_ID), so if this is a client account its workflow-builder tools will 401 until you run register_company_firebase.";
-  }
   if (homeCompanyId === companyId) {
     return "\nFirebase: home company \u2014 workflow builder enabled.";
   }
+  const registeredCompanies = registry2?.listCompanyFirebases?.() ?? [];
+  if (registeredCompanies.length > 0) {
+    const keys = registeredCompanies.map((c) => c.companyId).join(", ");
+    return `
+Firebase: this sub-account's company is ${companyId}, but your registered company Firebase key(s) are [${keys}] \u2014 none match, so workflow-builder tools will 401 here. This is usually a company-ID mismatch: GHL's agency-URL ID differs from the internal company_id used for sub-accounts. Re-run register_company_firebase with a token captured from THIS sub-account's session (v3.27.0+ auto-stores it under the correct internal ID), or check list_registered_locations.`;
+  }
+  if (homeCompanyId === void 0) {
+    return "\nFirebase: using home credentials. Home company id isn't configured (set GHL_COMPANY_ID), so if this is a client account its workflow-builder tools will 401 until you run register_company_firebase.";
+  }
   return `
 Firebase: NOT configured for company ${companyId}. Workflow builder, funnels, forms, pipelines, smart lists, reputation, email campaigns and memberships will fail here (401) until you run register_company_firebase for this company. Public-API tools (contacts, opportunities, calendars, etc.) still work.`;
 }
@@ -6363,6 +6476,9 @@ Token registry: ${registeredCount} location(s) registered${versionLine}`
         if (targetCompanyId && registry2?.getToken(locationId2)) {
           registry2.setLocationCompanyId(locationId2, targetCompanyId);
         }
+        if (builderClient) {
+          builderClient.setIntendedCompanyId(targetCompanyId);
+        }
         const firebaseStatus = routeFirebaseForCompany(builderClient, registry2, targetCompanyId);
         const keyStatus = keySwapped ? `API key swapped: ${previousKeyPrefix} \u2192 ${client.getApiKeyPrefix()}` : `API key unchanged (${client.getApiKeyPrefix()})${!registry2?.getToken(locationId2) ? " \u2014 consider using register_location to add this location's key" : ""}`;
         return {
@@ -6486,9 +6602,9 @@ The API key could not access location ${locationId2}. Make sure:
   );
   server2.tool(
     "register_company_firebase",
-    "Register a GHL company's Firebase credentials so the workflow builder and all Firebase-gated tools work when you switch into THAT company's sub-accounts. Firebase refresh tokens are company-scoped, so managing a client's GHL (e.g. an account where you're an admin user) requires that company's own token. Capture the values from a browser session logged into the client's account and register them keyed by the client's companyId. After this, switch_location to any of that company's locations authenticates the workflow builder correctly. DevTools capture steps: elitedcs.com/ghl-mcp-firebase.",
+    "Register a GHL company's Firebase credentials so the workflow builder and all Firebase-gated tools work when you switch into THAT company's sub-accounts. Firebase refresh tokens are company-scoped, so managing a client's GHL (e.g. an account where you're an admin user) requires that company's own token. Capture the values from a browser session logged into the client's account. The tool stores them under the company ID the Firebase token itself authenticates as (decoded from the token), so you do NOT need to hunt down the exact internal company ID \u2014 pass whatever ID you have and it self-corrects. After this, switch_location to any of that company's locations authenticates the workflow builder correctly. DevTools capture steps: elitedcs.com/ghl-mcp-firebase.",
     {
-      companyId: import_zod38.z.string().describe("The GHL company/agency ID that owns the client's sub-accounts. Surfaced in switch_location and register_location output, or the GHL URL when viewing the agency."),
+      companyId: import_zod38.z.string().describe("A GHL company/agency ID for this client (from switch_location/register_location output, or the GHL agency URL). Best-effort only: the tool re-keys the entry to the company ID the Firebase token actually authenticates as, which can differ from the ID shown in the agency URL. Just pass what you have."),
       name: import_zod38.z.string().describe("Friendly name for this client/company (e.g. 'Nathan \u2014 Acme Health')."),
       ghl_firebase_refresh_token: import_zod38.z.string().min(10).describe("Firebase refresh token captured from a browser session logged into THIS company's GHL. value.stsTokenManager.refreshToken in the firebase:authUser IndexedDB row."),
       ghl_user_id: import_zod38.z.string().min(5).describe("Firebase User ID (uid) from the same session. value.uid in the firebase:authUser row."),
@@ -6511,6 +6627,7 @@ The API key could not access location ${locationId2}. Make sure:
       }
       const refreshToken = args.ghl_firebase_refresh_token.trim();
       const userId = args.ghl_user_id.trim();
+      const typedCompanyId = args.companyId.trim();
       const fb = await validateFirebase(apiKey2, refreshToken);
       if (!fb.ok) {
         return {
@@ -6520,7 +6637,14 @@ Capture fresh values from a browser session logged into THIS company's GHL. Step
           isError: true
         };
       }
-      registry2.setCompanyFirebase(args.companyId, { apiKey: apiKey2, refreshToken, userId, name: args.name });
+      const canonicalCompanyId = fb.companyId || typedCompanyId;
+      let keyNote = "";
+      if (fb.companyId && fb.companyId !== typedCompanyId) {
+        keyNote = `
+
+Note: stored under the company ID the Firebase token actually uses (${fb.companyId}), not the value you entered (${typedCompanyId}). The ID in the GHL agency URL differs from the one GHL uses internally for sub-accounts; switch_location matches on the internal one, so this is what makes it work.`;
+      }
+      registry2.setCompanyFirebase(canonicalCompanyId, { apiKey: apiKey2, refreshToken, userId, name: args.name });
       let testLine = "";
       if (args.test_location_id) {
         const token = registry2.getToken(args.test_location_id);
@@ -6529,33 +6653,57 @@ Capture fresh values from a browser session logged into THIS company's GHL. Step
 
 Skipped end-to-end test: location ${args.test_location_id} isn't registered. Run register_location for it, then switch_location to confirm.`;
         } else {
-          const probe = new WorkflowBuilderClient({
-            firebaseApiKey: apiKey2,
-            refreshToken,
-            apiKey: token.apiKey,
-            locationId: args.test_location_id,
-            userId,
-            companyId: args.companyId,
-            registry: null
-          });
-          try {
-            await probe.listWorkflows(1, 0);
+          let resolvedCompanyId = token.companyId;
+          let lookupFailed = false;
+          if (!resolvedCompanyId) {
+            try {
+              const locClient = new GHLClient({ apiKey: token.apiKey, locationId: args.test_location_id });
+              const locResp = await locClient.get(`/locations/${args.test_location_id}`);
+              resolvedCompanyId = locResp?.location?.companyId ?? locResp?.companyId;
+            } catch {
+              lookupFailed = true;
+            }
+          }
+          if (!resolvedCompanyId) {
             testLine = `
 
-Verified: the workflow-builder API responded for "${token.name}" (${args.test_location_id}). These credentials work for this company.`;
-          } catch (error) {
-            const message = error instanceof Error ? error.message : String(error);
-            testLine = `
+Registered under ${canonicalCompanyId}, but couldn't confirm the test location's company${lookupFailed ? " (its PIT may be missing or invalid \u2014 re-run register_location for it)" : ""}. switch_location still resolves the company live at switch time, so this is non-blocking \u2014 switch into the account to confirm.`;
+          } else {
+            const foundViaRealPath = registry2.getCompanyFirebase(resolvedCompanyId);
+            if (!foundViaRealPath) {
+              testLine = `
+
+WARNING: saved under ${canonicalCompanyId}, but switch_location resolves ${args.test_location_id} to company ${resolvedCompanyId ?? "(unknown)"} \u2014 these do not match, so the workflow builder would fall back to home and 401. Re-capture the Firebase token from a session inside THIS sub-account's company, or pass a test_location_id that belongs to the same company as the token.`;
+            } else {
+              const probe = new WorkflowBuilderClient({
+                firebaseApiKey: foundViaRealPath.apiKey,
+                refreshToken: foundViaRealPath.refreshToken,
+                apiKey: token.apiKey,
+                locationId: args.test_location_id,
+                userId: foundViaRealPath.userId,
+                companyId: resolvedCompanyId,
+                registry: null
+              });
+              try {
+                await probe.listWorkflows(1, 0);
+                testLine = `
+
+Verified end-to-end via the real lookup path: switch_location resolves ${args.test_location_id} \u2192 company ${resolvedCompanyId}, the registry has matching Firebase, and the workflow-builder API responded for "${token.name}". This will work.`;
+              } catch (error) {
+                const message = error instanceof Error ? error.message : String(error);
+                testLine = `
 
-WARNING: saved, but the end-to-end test FAILED for ${args.test_location_id}:
+WARNING: key resolution matched but the workflow-builder API call FAILED for ${args.test_location_id}:
 ${message}
 
-Likely causes: the refresh token was captured from a DIFFERENT company's session, or that location's PIT key lacks access. Re-capture from a session inside THIS company's GHL.`;
+Likely cause: that location's PIT key (registered via register_location) belongs to a different company than the Firebase token, or the token rotated. Re-capture from a session inside THIS company's GHL.`;
+              }
+            }
           }
         }
       }
       return {
-        content: [{ type: "text", text: `Registered Firebase for ${args.name} (company ${args.companyId}).${testLine}
+        content: [{ type: "text", text: `Registered Firebase for ${args.name} (company ${canonicalCompanyId}).${keyNote}${testLine}
 
 Now run switch_location to any of this company's sub-accounts \u2014 the workflow builder will authenticate against it automatically.` }]
       };
@@ -8354,10 +8502,19 @@ function registerDiagnosticTools(server2, installedVersion, client, builderClien
           return { name: "Firebase auth (workflow builder)", status: "skip", detail: "Not configured. The 49 Firebase-gated tools need Firebase credentials. The other 163 tools work fine without. To add it: run enable_workflow_builder with the three Firebase values from your GHL browser session (see elitedcs.com/ghl-mcp-firebase for DevTools steps). Do NOT put Firebase values as env vars in your Claude Desktop config \u2014 that path is unreliable and is the usual reason this still shows skip after a restart. enable_workflow_builder saves and verifies them for you." };
         }
         const result = await builderClient.checkAuth();
-        const activeCompany = builderClient.getCurrentCompanyId();
-        const companyNote = activeCompany ? ` Active company: ${activeCompany}.` : "";
+        const tokenCompany = builderClient.getTokenCompanyId();
+        const intendedCompany = builderClient.getIntendedCompanyId() ?? builderClient.getCurrentCompanyId();
+        const companyNote = intendedCompany ? ` Active location's company: ${intendedCompany}.` : "";
+        if (result.ok && intendedCompany && tokenCompany && intendedCompany !== tokenCompany) {
+          return {
+            name: "Firebase auth (workflow builder)",
+            status: "fail",
+            detail: `Company mismatch: the active location belongs to company ${intendedCompany}, but the Firebase token authenticates as ${tokenCompany}. Workflow-builder writes will 401 or hit the wrong account. This company's Firebase is missing or registered under the wrong ID. Run register_company_firebase with a token captured from that sub-account's GHL session (v3.27.0+ stores it under the correct internal ID automatically).`
+          };
+        }
         if (result.ok) {
-          return { name: "Firebase auth (workflow builder)", status: "pass", detail: `ID token refresh succeeded. Workflow builder tools are usable.${companyNote}` };
+          const idNote = tokenCompany ? ` Authenticated as company ${tokenCompany}.` : "";
+          return { name: "Firebase auth (workflow builder)", status: "pass", detail: `ID token refresh succeeded. Workflow builder tools are usable.${companyNote}${idNote}` };
         }
         return { name: "Firebase auth (workflow builder)", status: "fail", detail: `Token refresh failed: ${result.error}.${companyNote} If you're in a client's account, register its Firebase with register_company_firebase. Otherwise re-capture your Firebase values from GHL DevTools and re-run enable_workflow_builder.` };
       })();
@@ -8544,12 +8701,6 @@ async function verifyAttestation(token, bindings, now = /* @__PURE__ */ new Date
   }
   return { ok: false, reason: "expired" };
 }
-function shouldRenew(payload, now = /* @__PURE__ */ new Date()) {
-  const expiry = Date.parse(payload.expires_at);
-  if (!Number.isFinite(expiry)) return true;
-  const remainingMs = expiry - now.getTime();
-  return remainingMs < 7 * 24 * 60 * 60 * 1e3;
-}
 
 // src/tools/meta.ts
 function registerMetaTools(server2, installedVersion) {
@@ -8633,15 +8784,16 @@ var server = new import_mcp.McpServer({
 });
 registerMetaTools(server, pkg.version);
 var inBootstrapMode = true;
+var TRANSITIONAL_ATTESTATION_DEADLINE = Date.parse("2026-06-15T00:00:00.000Z");
 async function renewAttestation(creds) {
-  if (!creds.email || !creds.license_key) return false;
+  if (!creds.email || !creds.license_key) return "unauthorized";
+  let lic;
   try {
-    const lic = await validateLicense(creds.email, creds.license_key);
-    if (!lic.ok) {
-      process.stderr.write(`[ghl-mcp] Re-validate failed: ${lic.error}
-`);
-      return false;
-    }
+    lic = await validateLicense(creds.email, creds.license_key);
+  } catch {
+    return "unreachable";
+  }
+  if (lic.ok) {
     try {
       writeCredentials({
         ...creds,
@@ -8651,12 +8803,23 @@ async function renewAttestation(creds) {
     } catch {
     }
     if (!lic.signedAttestation) {
-      process.stderr.write("[ghl-mcp] License re-validated, but the license server did not return a signed attestation. Falling back to legacy trust for this session.\n");
+      process.stderr.write("[ghl-mcp] License re-validated, but the license server did not return a signed attestation. This path closes on " + new Date(TRANSITIONAL_ATTESTATION_DEADLINE).toISOString().slice(0, 10) + ".\n");
+      return "renewed-unsigned";
     }
-    return true;
-  } catch {
-    return false;
+    return "renewed";
+  }
+  if (lic.reason === "cancelled" || lic.reason === "unauthorized") {
+    try {
+      writeCredentials({ ...creds, signed_attestation: void 0 });
+      process.stderr.write(`[ghl-mcp] Server rejected license (${lic.reason}). Dropping to bootstrap mode.
+`);
+    } catch {
+    }
+    return lic.reason;
   }
+  process.stderr.write(`[ghl-mcp] License re-validate unreachable: ${lic.error}
+`);
+  return "unreachable";
 }
 function renewAttestationInBackground(creds) {
   return renewAttestation(creds).then(() => void 0, () => void 0);
@@ -8672,14 +8835,15 @@ async function resolveAccessAndRegister() {
     if (verify.ok) {
       licenseVerified = true;
       attestationStatus = verify.reason;
-      if (verify.reason === "in-grace" || shouldRenew(verify.payload)) {
-        void renewAttestationInBackground(fileCreds);
-      }
+      void renewAttestationInBackground(fileCreds);
     } else {
       process.stderr.write(`[ghl-mcp] Stored attestation rejected: ${verify.reason}. Re-validating online.
 `);
       const renewed = await renewAttestation(fileCreds);
-      if (renewed) {
+      if (renewed === "renewed") {
+        licenseVerified = true;
+        attestationStatus = "renewed-after-tamper";
+      } else if (renewed === "renewed-unsigned" && Date.now() < TRANSITIONAL_ATTESTATION_DEADLINE) {
         licenseVerified = true;
         attestationStatus = "renewed-after-tamper";
       } else {
@@ -8689,12 +8853,22 @@ async function resolveAccessAndRegister() {
   } else if (fileCreds?.email && fileCreds?.license_key) {
     process.stderr.write("[ghl-mcp] Upgrading legacy credentials.json to signed attestation.\n");
     const renewed = await renewAttestation(fileCreds);
-    if (renewed) {
+    if (renewed === "renewed") {
+      licenseVerified = true;
+      attestationStatus = "renewed-from-legacy";
+    } else if (renewed === "renewed-unsigned" && Date.now() < TRANSITIONAL_ATTESTATION_DEADLINE) {
       licenseVerified = true;
       attestationStatus = "renewed-from-legacy";
     } else {
       attestationStatus = "needs-reset";
-      process.stderr.write("[ghl-mcp] Could not re-validate. Run setup_ghl_mcp again.\n");
+      if (renewed === "cancelled" || renewed === "unauthorized") {
+        process.stderr.write(`[ghl-mcp] Server says license is ${renewed}. Bootstrap mode.
+`);
+      } else if (renewed === "renewed-unsigned") {
+        process.stderr.write("[ghl-mcp] Server is in unsigned-attestation mode past the transition deadline. Bootstrap mode.\n");
+      } else {
+        process.stderr.write("[ghl-mcp] Could not re-validate. Run setup_ghl_mcp again.\n");
+      }
     }
   }
   if (!licenseVerified && apiKey && locationId) {
@@ -8702,7 +8876,8 @@ async function resolveAccessAndRegister() {
     const licKey = (process.env.GHL_LICENSE_KEY || fileCreds?.license_key)?.trim();
     if (licEmail && licKey) {
       const lic = await validateLicense(licEmail, licKey);
-      if (lic.ok) {
+      const acceptUnsigned = !lic.ok ? false : lic.signedAttestation || Date.now() < TRANSITIONAL_ATTESTATION_DEADLINE;
+      if (lic.ok && acceptUnsigned) {
         licenseVerified = true;
         attestationStatus = "renewed";
         try {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@elitedcs/ghl-mcp",
-  "version": "3.25.0",
+  "version": "3.27.0",
   "mcpName": "io.github.drjerryrelth/ghl-command",
   "description": "GoHighLevel MCP Server for Claude. 212 tools — full CRM, automation, marketing control, and the only programmatic GHL workflow builder, now multi-tenant across client accounts.",
   "main": "dist/index.js",