@elitedcs/ghl-mcp 3.26.0 → 3.27.0

package/CHANGELOG.md

@@ -1,5 +1,25 @@
 # Changelog
 
+## 3.27.0 — Multi-tenant Firebase binding fix
+
+**Fixes the bug that blocked workflow-builder tools in client sub-accounts even after a successful `register_company_firebase`.**
+
+**Root cause.** GHL uses two different company identifiers. The ID shown in the agency dashboard URL is NOT the `companyId` that `/locations/{id}` returns or that the Firebase token carries in its `company_id` claim. `register_company_firebase` stored the credentials under the human-typed (agency-URL) ID, but `switch_location` resolves a sub-account's owner from `/locations/{id}.companyId` — the internal ID. The two never matched, so the lookup missed, the workflow builder fell back to home auth, and every Firebase-gated call 401'd. The warning even told the user to run `register_company_firebase` again — which they already had.
+
+**Fixes:**
+
+- **Store under the token's real company.** `register_company_firebase` now decodes the Firebase ID token's `company_id` claim and keys the registry entry on THAT value, not the typed one. Pass any company ID you have; it self-corrects. A note tells you when the stored ID differs from what you entered.
+- **Verification now exercises the real path.** The optional end-to-end test resolves the test location's company the same way `switch_location` does, confirms the registry lookup actually hits, then makes a live workflow-builder call. The old probe used an inline client that bypassed the lookup, so it passed even when the stored key would never be found.
+- **PIT/Firebase mismatch detection.** Every time the client mints an ID token, it compares the token's `company_id` claim against the company we intend to act on. A mismatch (the exact signature of this bug, or any future regression) writes a loud one-time stderr warning instead of failing silently. Direct Firebase-gated tool calls bypass `switch_location`'s routing, so this lives at the token-mint layer.
+- **Honest `health_check`.** Firebase auth now reports the company the token ACTUALLY authenticates as, and returns `fail` (not a bare `pass`) when that disagrees with the active company.
+- **Registry key normalization.** Company IDs are trimmed on store/lookup so a stray pasted space can't fork one company into two entries.
+- **Misleading warning fixed.** When a sub-account's company has no matching key, `switch_location` now distinguishes "nothing registered" from "registered under a different ID" and names the mismatch, instead of blindly telling the user to re-register.
+- **Updated `register_company_firebase` description + DevTools doc** so we stop telling users to copy the company ID from the agency URL.
+
+**Known behavior (by design):** after an MCP restart you must `switch_location` once into a client account before its workflow-builder tools work — the active company resets to home on launch. `health_check` and the mismatch warning now make this obvious.
+
+**Tests:** new `workflow-builder-mismatch.test.ts` covers claim decoding, registry key normalization, mismatch warn/no-warn, and warn-once dedup. Full suite green (163 passing).
+
 ## 3.26.0 — Codex adversarial audit fixes
 
 **Tool count unchanged (213). No new features — closes a set of silent bugs Codex flagged in a third-party adversarial review of the v3.21.0–v3.25.0 release arc.**

package/README.md

@@ -185,12 +185,13 @@ To unlock full builder access across multiple clients from one install:
 3. **Register the client's company Firebase:**
    ```
    register_company_firebase
-     companyId: CLIENT_COMPANY_ID         (shown in register_location's output)
+     companyId: CLIENT_COMPANY_ID         (best-effort — see note)
      name: "Client Name"
      ghl_firebase_refresh_token: FROM_STEP_7
      ghl_user_id: FROM_STEP_6
      test_location_id: CLIENT_LOCATION_ID  (optional — runs a live check that it works)
    ```
+   > **`companyId` is best-effort.** GHL's agency-URL company ID is a *different* identifier than the internal one used for sub-accounts. The tool decodes the company ID the Firebase token itself authenticates as and stores the entry under that, so you don't have to track down the exact internal ID — pass whatever you have (e.g. from `register_location`'s output) and it self-corrects.
 
 4. **Switch and build:** `switch_location CLIENT_LOCATION_ID` swaps both the API key *and* the Firebase auth automatically. The workflow builder now operates in the client's account. Switching back to your own location restores your home Firebase.
 

package/dist/index.js

@@ -31,7 +31,7 @@ var require_package = __commonJS({
   "package.json"(exports2, module2) {
     module2.exports = {
       name: "@elitedcs/ghl-mcp",
-      version: "3.26.0",
+      version: "3.27.0",
       mcpName: "io.github.drjerryrelth/ghl-command",
       description: "GoHighLevel MCP Server for Claude. 212 tools \u2014 full CRM, automation, marketing control, and the only programmatic GHL workflow builder, now multi-tenant across client accounts.",
       main: "dist/index.js",
@@ -404,7 +404,7 @@ var TokenRegistryDataSchema = import_zod2.z.object({
   // process operate the workflow builder across multiple clients' GHL accounts.
   firebaseByCompany: import_zod2.z.record(CompanyFirebaseSchema).optional()
 });
-var TokenRegistry = class {
+var TokenRegistry = class _TokenRegistry {
   data;
   filePath;
   constructor(filePath) {
@@ -578,26 +578,36 @@ var TokenRegistry = class {
       this.save();
     }
   }
+  /**
+   * Normalize a company id used as a firebaseByCompany key. Trims whitespace so
+   * a stray copy/paste space can't fork one company into two registry entries
+   * (one stored, a different one looked up). Keys are otherwise case-sensitive
+   * because GHL company ids are case-sensitive Mongo-style ids.
+   */
+  static normalizeCompanyId(companyId) {
+    return companyId.trim();
+  }
   /**
    * Get a specific company's Firebase config (multi-tenant routing).
    */
   getCompanyFirebase(companyId) {
-    return this.data.firebaseByCompany?.[companyId];
+    return this.data.firebaseByCompany?.[_TokenRegistry.normalizeCompanyId(companyId)];
   }
   /**
    * Store (or replace) a company's Firebase config.
    */
   setCompanyFirebase(companyId, config3) {
     if (!this.data.firebaseByCompany) this.data.firebaseByCompany = {};
-    this.data.firebaseByCompany[companyId] = config3;
+    this.data.firebaseByCompany[_TokenRegistry.normalizeCompanyId(companyId)] = config3;
     this.save();
   }
   /**
    * Remove a company's Firebase config. Returns true if one existed.
    */
   removeCompanyFirebase(companyId) {
-    if (this.data.firebaseByCompany?.[companyId]) {
-      delete this.data.firebaseByCompany[companyId];
+    const key = _TokenRegistry.normalizeCompanyId(companyId);
+    if (this.data.firebaseByCompany?.[key]) {
+      delete this.data.firebaseByCompany[key];
       this.save();
       return true;
     }
@@ -619,7 +629,7 @@ var TokenRegistry = class {
    * company is the active one). No-op if the company isn't registered.
    */
   updateCompanyFirebaseRefreshToken(companyId, newToken) {
-    const cfg = this.data.firebaseByCompany?.[companyId];
+    const cfg = this.data.firebaseByCompany?.[_TokenRegistry.normalizeCompanyId(companyId)];
     if (cfg) {
       cfg.refreshToken = newToken;
       this.save();
@@ -639,6 +649,24 @@ var path3 = __toESM(require("path"));
 var dotenv = __toESM(require("dotenv"));
 var import_zod4 = require("zod");
 
+// src/firebase-claims.ts
+function decodeFirebaseClaims(idToken) {
+  try {
+    const seg = idToken.split(".")[1];
+    if (!seg) return {};
+    const json = Buffer.from(seg.replace(/-/g, "+").replace(/_/g, "/"), "base64").toString("utf-8");
+    const claims = JSON.parse(json);
+    return {
+      companyId: typeof claims.company_id === "string" ? claims.company_id : void 0,
+      userId: typeof claims.user_id === "string" ? claims.user_id : void 0,
+      type: typeof claims.type === "string" ? claims.type : void 0,
+      role: typeof claims.role === "string" ? claims.role : void 0
+    };
+  } catch {
+    return {};
+  }
+}
+
 // src/trigger-schemas.ts
 var import_zod3 = require("zod");
 var TriggerActionSchema = import_zod3.z.object({
@@ -1173,6 +1201,20 @@ var WorkflowBuilderClient = class _WorkflowBuilderClient {
   cachedIdToken = null;
   tokenExpiry = 0;
   tokenRefreshPromise = null;
+  // The company_id claim from the most recently minted ID token. Lets
+  // health_check report the company we're ACTUALLY authenticated as (vs. the
+  // one we intended), and backs PIT/Firebase mismatch detection.
+  tokenCompanyId;
+  // The company that OWNS the location we're operating on, as resolved by
+  // switch_location from /locations/{id}.companyId. This is the company the
+  // Firebase token MUST authenticate as. It is distinct from currentCompanyId
+  // (the Firebase auth company): when routing falls back to home auth, the two
+  // diverge and that IS the binding bug. undefined for home-only installs or
+  // before any switch_location call.
+  intendedCompanyId;
+  // Mismatch warnings already emitted (keyed `intended->token`). Append-only so
+  // we warn once per distinct mismatch for the life of the process.
+  mismatchWarnedFor = /* @__PURE__ */ new Set();
   constructor(config3) {
     this.firebaseApiKey = config3.firebaseApiKey;
     this.refreshToken = config3.refreshToken;
@@ -1214,6 +1256,27 @@ var WorkflowBuilderClient = class _WorkflowBuilderClient {
   getCurrentCompanyId() {
     return this.currentCompanyId;
   }
+  /**
+   * The company_id claim from the most recently minted ID token — the company we
+   * are ACTUALLY authenticated as. undefined until the first token mint. When this
+   * differs from getIntendedCompanyId() the binding is wrong (see performTokenRefresh).
+   */
+  getTokenCompanyId() {
+    return this.tokenCompanyId;
+  }
+  /**
+   * Record the company that owns the location we're operating on (resolved by
+   * switch_location). The Firebase token MUST authenticate as this company; a
+   * divergence is the binding bug. Set on every switch regardless of whether
+   * Firebase routing found a matching credential, so health_check and the
+   * mismatch detector can flag a silent fall-back to home auth.
+   */
+  setIntendedCompanyId(companyId) {
+    this.intendedCompanyId = companyId;
+  }
+  getIntendedCompanyId() {
+    return this.intendedCompanyId;
+  }
   /**
    * Swap in a specific company's Firebase auth (multi-tenant). Used by
    * switch_location so the workflow builder authenticates against the company
@@ -1347,6 +1410,18 @@ var WorkflowBuilderClient = class _WorkflowBuilderClient {
     const data = FirebaseTokenSchema.parse(await response.json());
     this.cachedIdToken = data.id_token;
     this.tokenExpiry = Date.now() + 55 * 60 * 1e3;
+    this.tokenCompanyId = decodeFirebaseClaims(data.id_token).companyId;
+    const expectedCompanyId = this.intendedCompanyId ?? this.currentCompanyId;
+    if (expectedCompanyId && this.tokenCompanyId && expectedCompanyId !== this.tokenCompanyId) {
+      const warnKey = `${expectedCompanyId}->${this.tokenCompanyId}`;
+      if (!this.mismatchWarnedFor.has(warnKey)) {
+        this.mismatchWarnedFor.add(warnKey);
+        process.stderr.write(
+          `[ghl-mcp] WARNING: Firebase/company mismatch. Operating on company ${expectedCompanyId} but the Firebase token authenticates as ${this.tokenCompanyId}. Workflow-builder writes will 401 or hit the wrong account. The company Firebase is missing or registered under the wrong ID \u2014 run register_company_firebase with a token captured from that sub-account's session.
+`
+        );
+      }
+    }
     if (data.refresh_token && data.refresh_token !== this.refreshToken) {
       this.refreshToken = data.refresh_token;
       this.persistRotatedToken(data.refresh_token);
@@ -5999,7 +6074,9 @@ async function validateFirebase(firebaseKey, refreshToken) {
       signal: AbortSignal.timeout(1e4)
     });
     if (!res.ok) return { ok: false, error: "Firebase credentials rejected. Re-extract them from your GHL browser tab." };
-    return { ok: true };
+    const data = await res.json().catch(() => ({}));
+    const claims = data.id_token ? decodeFirebaseClaims(data.id_token) : {};
+    return { ok: true, companyId: claims.companyId, userId: claims.userId };
   } catch (err) {
     const msg = err instanceof Error ? err.message : String(err);
     return { ok: false, error: `Could not reach Firebase: ${msg}` };
@@ -6306,12 +6383,18 @@ Firebase: using ${cfg.name || `company ${companyId}`} credentials \u2014 workflo
   }
   builderClient.resetToHomeFirebase();
   const homeCompanyId = builderClient.getCurrentCompanyId();
-  if (homeCompanyId === void 0) {
-    return "\nFirebase: using home credentials. Home company id isn't configured (set GHL_COMPANY_ID), so if this is a client account its workflow-builder tools will 401 until you run register_company_firebase.";
-  }
   if (homeCompanyId === companyId) {
     return "\nFirebase: home company \u2014 workflow builder enabled.";
   }
+  const registeredCompanies = registry2?.listCompanyFirebases?.() ?? [];
+  if (registeredCompanies.length > 0) {
+    const keys = registeredCompanies.map((c) => c.companyId).join(", ");
+    return `
+Firebase: this sub-account's company is ${companyId}, but your registered company Firebase key(s) are [${keys}] \u2014 none match, so workflow-builder tools will 401 here. This is usually a company-ID mismatch: GHL's agency-URL ID differs from the internal company_id used for sub-accounts. Re-run register_company_firebase with a token captured from THIS sub-account's session (v3.27.0+ auto-stores it under the correct internal ID), or check list_registered_locations.`;
+  }
+  if (homeCompanyId === void 0) {
+    return "\nFirebase: using home credentials. Home company id isn't configured (set GHL_COMPANY_ID), so if this is a client account its workflow-builder tools will 401 until you run register_company_firebase.";
+  }
   return `
 Firebase: NOT configured for company ${companyId}. Workflow builder, funnels, forms, pipelines, smart lists, reputation, email campaigns and memberships will fail here (401) until you run register_company_firebase for this company. Public-API tools (contacts, opportunities, calendars, etc.) still work.`;
 }
@@ -6393,6 +6476,9 @@ Token registry: ${registeredCount} location(s) registered${versionLine}`
         if (targetCompanyId && registry2?.getToken(locationId2)) {
           registry2.setLocationCompanyId(locationId2, targetCompanyId);
         }
+        if (builderClient) {
+          builderClient.setIntendedCompanyId(targetCompanyId);
+        }
         const firebaseStatus = routeFirebaseForCompany(builderClient, registry2, targetCompanyId);
         const keyStatus = keySwapped ? `API key swapped: ${previousKeyPrefix} \u2192 ${client.getApiKeyPrefix()}` : `API key unchanged (${client.getApiKeyPrefix()})${!registry2?.getToken(locationId2) ? " \u2014 consider using register_location to add this location's key" : ""}`;
         return {
@@ -6516,9 +6602,9 @@ The API key could not access location ${locationId2}. Make sure:
   );
   server2.tool(
     "register_company_firebase",
-    "Register a GHL company's Firebase credentials so the workflow builder and all Firebase-gated tools work when you switch into THAT company's sub-accounts. Firebase refresh tokens are company-scoped, so managing a client's GHL (e.g. an account where you're an admin user) requires that company's own token. Capture the values from a browser session logged into the client's account and register them keyed by the client's companyId. After this, switch_location to any of that company's locations authenticates the workflow builder correctly. DevTools capture steps: elitedcs.com/ghl-mcp-firebase.",
+    "Register a GHL company's Firebase credentials so the workflow builder and all Firebase-gated tools work when you switch into THAT company's sub-accounts. Firebase refresh tokens are company-scoped, so managing a client's GHL (e.g. an account where you're an admin user) requires that company's own token. Capture the values from a browser session logged into the client's account. The tool stores them under the company ID the Firebase token itself authenticates as (decoded from the token), so you do NOT need to hunt down the exact internal company ID \u2014 pass whatever ID you have and it self-corrects. After this, switch_location to any of that company's locations authenticates the workflow builder correctly. DevTools capture steps: elitedcs.com/ghl-mcp-firebase.",
     {
-      companyId: import_zod38.z.string().describe("The GHL company/agency ID that owns the client's sub-accounts. Surfaced in switch_location and register_location output, or the GHL URL when viewing the agency."),
+      companyId: import_zod38.z.string().describe("A GHL company/agency ID for this client (from switch_location/register_location output, or the GHL agency URL). Best-effort only: the tool re-keys the entry to the company ID the Firebase token actually authenticates as, which can differ from the ID shown in the agency URL. Just pass what you have."),
       name: import_zod38.z.string().describe("Friendly name for this client/company (e.g. 'Nathan \u2014 Acme Health')."),
       ghl_firebase_refresh_token: import_zod38.z.string().min(10).describe("Firebase refresh token captured from a browser session logged into THIS company's GHL. value.stsTokenManager.refreshToken in the firebase:authUser IndexedDB row."),
       ghl_user_id: import_zod38.z.string().min(5).describe("Firebase User ID (uid) from the same session. value.uid in the firebase:authUser row."),
@@ -6541,6 +6627,7 @@ The API key could not access location ${locationId2}. Make sure:
       }
       const refreshToken = args.ghl_firebase_refresh_token.trim();
       const userId = args.ghl_user_id.trim();
+      const typedCompanyId = args.companyId.trim();
       const fb = await validateFirebase(apiKey2, refreshToken);
       if (!fb.ok) {
         return {
@@ -6550,7 +6637,14 @@ Capture fresh values from a browser session logged into THIS company's GHL. Step
           isError: true
         };
       }
-      registry2.setCompanyFirebase(args.companyId, { apiKey: apiKey2, refreshToken, userId, name: args.name });
+      const canonicalCompanyId = fb.companyId || typedCompanyId;
+      let keyNote = "";
+      if (fb.companyId && fb.companyId !== typedCompanyId) {
+        keyNote = `
+
+Note: stored under the company ID the Firebase token actually uses (${fb.companyId}), not the value you entered (${typedCompanyId}). The ID in the GHL agency URL differs from the one GHL uses internally for sub-accounts; switch_location matches on the internal one, so this is what makes it work.`;
+      }
+      registry2.setCompanyFirebase(canonicalCompanyId, { apiKey: apiKey2, refreshToken, userId, name: args.name });
       let testLine = "";
       if (args.test_location_id) {
         const token = registry2.getToken(args.test_location_id);
@@ -6559,33 +6653,57 @@ Capture fresh values from a browser session logged into THIS company's GHL. Step
 
 Skipped end-to-end test: location ${args.test_location_id} isn't registered. Run register_location for it, then switch_location to confirm.`;
         } else {
-          const probe = new WorkflowBuilderClient({
-            firebaseApiKey: apiKey2,
-            refreshToken,
-            apiKey: token.apiKey,
-            locationId: args.test_location_id,
-            userId,
-            companyId: args.companyId,
-            registry: null
-          });
-          try {
-            await probe.listWorkflows(1, 0);
+          let resolvedCompanyId = token.companyId;
+          let lookupFailed = false;
+          if (!resolvedCompanyId) {
+            try {
+              const locClient = new GHLClient({ apiKey: token.apiKey, locationId: args.test_location_id });
+              const locResp = await locClient.get(`/locations/${args.test_location_id}`);
+              resolvedCompanyId = locResp?.location?.companyId ?? locResp?.companyId;
+            } catch {
+              lookupFailed = true;
+            }
+          }
+          if (!resolvedCompanyId) {
             testLine = `
 
-Verified: the workflow-builder API responded for "${token.name}" (${args.test_location_id}). These credentials work for this company.`;
-          } catch (error) {
-            const message = error instanceof Error ? error.message : String(error);
-            testLine = `
+Registered under ${canonicalCompanyId}, but couldn't confirm the test location's company${lookupFailed ? " (its PIT may be missing or invalid \u2014 re-run register_location for it)" : ""}. switch_location still resolves the company live at switch time, so this is non-blocking \u2014 switch into the account to confirm.`;
+          } else {
+            const foundViaRealPath = registry2.getCompanyFirebase(resolvedCompanyId);
+            if (!foundViaRealPath) {
+              testLine = `
+
+WARNING: saved under ${canonicalCompanyId}, but switch_location resolves ${args.test_location_id} to company ${resolvedCompanyId ?? "(unknown)"} \u2014 these do not match, so the workflow builder would fall back to home and 401. Re-capture the Firebase token from a session inside THIS sub-account's company, or pass a test_location_id that belongs to the same company as the token.`;
+            } else {
+              const probe = new WorkflowBuilderClient({
+                firebaseApiKey: foundViaRealPath.apiKey,
+                refreshToken: foundViaRealPath.refreshToken,
+                apiKey: token.apiKey,
+                locationId: args.test_location_id,
+                userId: foundViaRealPath.userId,
+                companyId: resolvedCompanyId,
+                registry: null
+              });
+              try {
+                await probe.listWorkflows(1, 0);
+                testLine = `
 
-WARNING: saved, but the end-to-end test FAILED for ${args.test_location_id}:
+Verified end-to-end via the real lookup path: switch_location resolves ${args.test_location_id} \u2192 company ${resolvedCompanyId}, the registry has matching Firebase, and the workflow-builder API responded for "${token.name}". This will work.`;
+              } catch (error) {
+                const message = error instanceof Error ? error.message : String(error);
+                testLine = `
+
+WARNING: key resolution matched but the workflow-builder API call FAILED for ${args.test_location_id}:
 ${message}
 
-Likely causes: the refresh token was captured from a DIFFERENT company's session, or that location's PIT key lacks access. Re-capture from a session inside THIS company's GHL.`;
+Likely cause: that location's PIT key (registered via register_location) belongs to a different company than the Firebase token, or the token rotated. Re-capture from a session inside THIS company's GHL.`;
+              }
+            }
           }
         }
       }
       return {
-        content: [{ type: "text", text: `Registered Firebase for ${args.name} (company ${args.companyId}).${testLine}
+        content: [{ type: "text", text: `Registered Firebase for ${args.name} (company ${canonicalCompanyId}).${keyNote}${testLine}
 
 Now run switch_location to any of this company's sub-accounts \u2014 the workflow builder will authenticate against it automatically.` }]
       };
@@ -8384,10 +8502,19 @@ function registerDiagnosticTools(server2, installedVersion, client, builderClien
           return { name: "Firebase auth (workflow builder)", status: "skip", detail: "Not configured. The 49 Firebase-gated tools need Firebase credentials. The other 163 tools work fine without. To add it: run enable_workflow_builder with the three Firebase values from your GHL browser session (see elitedcs.com/ghl-mcp-firebase for DevTools steps). Do NOT put Firebase values as env vars in your Claude Desktop config \u2014 that path is unreliable and is the usual reason this still shows skip after a restart. enable_workflow_builder saves and verifies them for you." };
         }
         const result = await builderClient.checkAuth();
-        const activeCompany = builderClient.getCurrentCompanyId();
-        const companyNote = activeCompany ? ` Active company: ${activeCompany}.` : "";
+        const tokenCompany = builderClient.getTokenCompanyId();
+        const intendedCompany = builderClient.getIntendedCompanyId() ?? builderClient.getCurrentCompanyId();
+        const companyNote = intendedCompany ? ` Active location's company: ${intendedCompany}.` : "";
+        if (result.ok && intendedCompany && tokenCompany && intendedCompany !== tokenCompany) {
+          return {
+            name: "Firebase auth (workflow builder)",
+            status: "fail",
+            detail: `Company mismatch: the active location belongs to company ${intendedCompany}, but the Firebase token authenticates as ${tokenCompany}. Workflow-builder writes will 401 or hit the wrong account. This company's Firebase is missing or registered under the wrong ID. Run register_company_firebase with a token captured from that sub-account's GHL session (v3.27.0+ stores it under the correct internal ID automatically).`
+          };
+        }
         if (result.ok) {
-          return { name: "Firebase auth (workflow builder)", status: "pass", detail: `ID token refresh succeeded. Workflow builder tools are usable.${companyNote}` };
+          const idNote = tokenCompany ? ` Authenticated as company ${tokenCompany}.` : "";
+          return { name: "Firebase auth (workflow builder)", status: "pass", detail: `ID token refresh succeeded. Workflow builder tools are usable.${companyNote}${idNote}` };
         }
         return { name: "Firebase auth (workflow builder)", status: "fail", detail: `Token refresh failed: ${result.error}.${companyNote} If you're in a client's account, register its Firebase with register_company_firebase. Otherwise re-capture your Firebase values from GHL DevTools and re-run enable_workflow_builder.` };
       })();

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@elitedcs/ghl-mcp",
-  "version": "3.26.0",
+  "version": "3.27.0",
   "mcpName": "io.github.drjerryrelth/ghl-command",
   "description": "GoHighLevel MCP Server for Claude. 212 tools — full CRM, automation, marketing control, and the only programmatic GHL workflow builder, now multi-tenant across client accounts.",
   "main": "dist/index.js",