fullstackgtm 0.10.0

package/dist/types.d.ts

@@ -0,0 +1,294 @@
+/**
+ * Canonical GTM data model.
+ *
+ * Amounts are expressed in major currency units (e.g. dollars), matching what
+ * CRM providers return natively. Adapters that store minor units (cents) must
+ * convert at their own boundary.
+ */
+export type CrmProvider = "salesforce" | "hubspot" | "mock" | "unknown" | (string & {});
+export type RiskLevel = "low" | "medium" | "high";
+export type ApprovalStatus = "draft" | "needs_approval" | "approved" | "rejected" | "applied";
+export type GtmObjectType = "account" | "contact" | "deal" | "user" | "activity";
+export type GtmEvidenceSourceSystem = "salesforce" | "hubspot" | "gong" | "chorus" | "fathom" | "manual" | "csv" | "mock" | "unknown";
+export type PatchOperationType = "set_field" | "clear_field" | "link_record" | "archive_record" | "create_task";
+export type AuditFindingSeverity = "info" | "warning" | "critical";
+/**
+ * One claim that a canonical record exists in an external system. A record
+ * merged from several providers carries one identity per provider.
+ */
+export type ProviderIdentity = {
+    provider: CrmProvider;
+    externalId: string;
+};
+export type PipelineFindingType = "call_next_step_not_reflected_in_crm" | "deal_missing_next_step" | "deal_stale_activity" | "deal_past_close_date" | "deal_missing_owner" | "deal_missing_account";
+export type PipelineFindingStatus = "open" | "planned" | "approved" | "applied" | "verified" | "dismissed" | "stale";
+export type SourceFreshness = {
+    state: "fresh" | "stale" | "unknown";
+    checkedAt: string;
+    sourceUpdatedAt?: string;
+    ageDays?: number;
+};
+export type GtmEvidence = {
+    id: string;
+    sourceSystem: GtmEvidenceSourceSystem;
+    sourceObjectType: string;
+    sourceObjectId: string;
+    objectType?: GtmObjectType;
+    objectId?: string;
+    title?: string;
+    text: string;
+    observedAt?: string;
+    capturedAt?: string;
+    freshness?: SourceFreshness;
+    metadata?: Record<string, unknown>;
+};
+export type PipelineFinding = {
+    id: string;
+    type: PipelineFindingType;
+    objectType: GtmObjectType;
+    objectId: string;
+    severity: AuditFindingSeverity;
+    status: PipelineFindingStatus;
+    title: string;
+    summary: string;
+    recommendation: string;
+    evidenceIds: string[];
+    currentCrmValue?: unknown;
+    proposedValue?: unknown;
+    freshness: SourceFreshness;
+    patchEligibility: {
+        eligible: boolean;
+        operation?: PatchOperationType | "none";
+        field?: string;
+        reason: string;
+        approvalRequired: boolean;
+    };
+};
+export type PatchVerification = {
+    status: "not_started" | "pending" | "verified" | "failed" | "skipped";
+    checkedAt?: string;
+    sourceSystem?: GtmEvidenceSourceSystem;
+    expectedValue?: unknown;
+    observedValue?: unknown;
+    providerResult?: unknown;
+    auditText?: string;
+};
+export type CanonicalUser = {
+    id: string;
+    provider?: CrmProvider;
+    crmId?: string;
+    identities?: ProviderIdentity[];
+    name: string;
+    email?: string;
+    title?: string;
+    active?: boolean;
+};
+export type CanonicalAccount = {
+    id: string;
+    provider?: CrmProvider;
+    crmId?: string;
+    identities?: ProviderIdentity[];
+    name: string;
+    domain?: string;
+    industry?: string;
+    ownerId?: string;
+    employeeCount?: number;
+    annualRevenue?: number;
+    lastActivityAt?: string;
+    lastSyncAt?: string;
+    /** Provider-native payload escape hatch. Never read by audit rules. */
+    raw?: unknown;
+};
+export type CanonicalContact = {
+    id: string;
+    provider?: CrmProvider;
+    crmId?: string;
+    identities?: ProviderIdentity[];
+    accountId?: string;
+    firstName?: string;
+    lastName?: string;
+    email?: string;
+    phone?: string;
+    title?: string;
+    ownerId?: string;
+    lastActivityAt?: string;
+    lastSyncAt?: string;
+    /** Provider-native payload escape hatch. Never read by audit rules. */
+    raw?: unknown;
+};
+export type CanonicalDeal = {
+    id: string;
+    provider?: CrmProvider;
+    crmId?: string;
+    identities?: ProviderIdentity[];
+    accountId?: string;
+    ownerId?: string;
+    name: string;
+    amount?: number;
+    currency?: string;
+    stage?: string;
+    closeDate?: string;
+    /** Provider-native deal type string (e.g. HubSpot `dealtype`), unmapped. */
+    dealType?: string;
+    forecastCategory?: string;
+    nextStep?: string;
+    probability?: number;
+    isClosed?: boolean;
+    isWon?: boolean;
+    lastActivityAt?: string;
+    lastSyncAt?: string;
+    /** Provider-native payload escape hatch. Never read by audit rules. */
+    raw?: unknown;
+};
+export type CanonicalActivity = {
+    id: string;
+    provider?: CrmProvider;
+    crmId?: string;
+    identities?: ProviderIdentity[];
+    accountId?: string;
+    contactId?: string;
+    dealId?: string;
+    ownerId?: string;
+    type: "call" | "email" | "meeting" | "note" | "task" | "other";
+    occurredAt: string;
+    subject?: string;
+};
+export type CanonicalGtmSnapshot = {
+    generatedAt: string;
+    provider: CrmProvider;
+    users: CanonicalUser[];
+    accounts: CanonicalAccount[];
+    contacts: CanonicalContact[];
+    deals: CanonicalDeal[];
+    activities: CanonicalActivity[];
+};
+export type GtmPolicy = {
+    staleDealDays: number;
+    requireDealOwner: boolean;
+    requireAccountForDeal: boolean;
+    today: string;
+    /** Flag open deals without an amount (default true). */
+    requireDealAmount?: boolean;
+    /** Window ahead of today that counts as "closing soon" (default 14 days). */
+    closingSoonDays?: number;
+    /** Idle days that make a closing-soon deal a finding (default 7). */
+    closingSoonIdleDays?: number;
+};
+export type AuditFinding = {
+    id: string;
+    objectType: GtmObjectType;
+    objectId: string;
+    ruleId: string;
+    title: string;
+    severity: AuditFindingSeverity;
+    summary: string;
+    recommendation: string;
+    type?: PipelineFindingType;
+    evidenceIds?: string[];
+    currentCrmValue?: unknown;
+    proposedValue?: unknown;
+    freshness?: SourceFreshness;
+    patchEligible?: boolean;
+};
+export type PatchOperation = {
+    id: string;
+    objectType: GtmObjectType;
+    objectId: string;
+    operation: PatchOperationType;
+    field?: string;
+    beforeValue?: unknown;
+    afterValue?: unknown;
+    reason: string;
+    riskLevel: RiskLevel;
+    approvalRequired: boolean;
+    sourceRuleOrPolicy?: string;
+    rollback?: string;
+    evidenceIds?: string[];
+    findingIds?: string[];
+    verification?: PatchVerification;
+};
+/**
+ * A patch plan is always a dry-run proposal. Applying a plan never mutates
+ * the plan itself; the outcome is recorded separately as a `PatchPlanRun`.
+ */
+export type PatchPlan = {
+    id: string;
+    title: string;
+    createdAt: string;
+    status: ApprovalStatus;
+    dryRun: true;
+    summary: string;
+    findings: AuditFinding[];
+    pipelineFindings?: PipelineFinding[];
+    evidence?: GtmEvidence[];
+    operations: PatchOperation[];
+};
+/** Pre-computed lookups shared by all rules so each rule stays O(n). */
+export type GtmSnapshotIndex = {
+    usersById: Map<string, CanonicalUser>;
+    accountsById: Map<string, CanonicalAccount>;
+    contactsByAccountId: Map<string, CanonicalContact[]>;
+    dealsByAccountId: Map<string, CanonicalDeal[]>;
+    activitiesByDealId: Map<string, CanonicalActivity[]>;
+};
+export type GtmRuleContext = {
+    snapshot: CanonicalGtmSnapshot;
+    policy: GtmPolicy;
+    index: GtmSnapshotIndex;
+};
+export type GtmRuleResult = {
+    findings: AuditFinding[];
+    operations: PatchOperation[];
+};
+/**
+ * A deterministic audit rule. Rules read the snapshot through the context and
+ * return findings plus dry-run patch operations; they never perform writes.
+ */
+export type GtmAuditRule = {
+    id: string;
+    title: string;
+    description: string;
+    /** Grouping for docs and discovery, e.g. "hygiene", "forecast", "coverage". */
+    category?: string;
+    evaluate: (context: GtmRuleContext) => GtmRuleResult;
+};
+export type PatchOperationResult = {
+    operationId: string;
+    /** `conflict`: the provider value drifted since the plan was proposed; nothing was written. */
+    status: "applied" | "failed" | "skipped" | "conflict";
+    detail?: string;
+    providerData?: unknown;
+};
+export type PatchPlanRunStatus = "applied" | "partial" | "failed" | "rejected";
+/** The record of one attempt to apply an approved patch plan. */
+export type PatchPlanRun = {
+    planId: string;
+    provider: CrmProvider;
+    startedAt: string;
+    finishedAt: string;
+    status: PatchPlanRunStatus;
+    results: PatchOperationResult[];
+};
+/**
+ * The provider contract. Reads produce a canonical snapshot; writes accept a
+ * single patch operation and report the outcome. Connectors without
+ * `applyOperation` are read-only.
+ */
+export type GtmConnector = {
+    provider: CrmProvider;
+    fetchSnapshot: () => Promise<CanonicalGtmSnapshot>;
+    applyOperation?: (operation: PatchOperation) => Promise<PatchOperationResult>;
+    /**
+     * Read the live value of one canonical field, used for compare-and-set:
+     * apply orchestration refuses to write over values that drifted since the
+     * plan was proposed.
+     */
+    readField?: (objectType: GtmObjectType, objectId: string, field: string) => Promise<unknown>;
+    /**
+     * Records modified since the given ISO timestamp, as a partial snapshot —
+     * the incremental alternative to `fetchSnapshot` for frequent syncs.
+     * Provider change feeds may omit cross-record associations; consumers
+     * merging deltas must preserve associations from the last full snapshot.
+     */
+    fetchChanges?: (sinceIso: string) => Promise<CanonicalGtmSnapshot>;
+};

package/dist/types.js

@@ -0,0 +1,8 @@
+/**
+ * Canonical GTM data model.
+ *
+ * Amounts are expressed in major currency units (e.g. dollars), matching what
+ * CRM providers return natively. Adapters that store minor units (cents) must
+ * convert at their own boundary.
+ */
+export {};

package/docs/api.md

@@ -0,0 +1,72 @@
+# fullstackgtm — API surface (1.0 contract candidate)
+
+Everything listed here is the intended 1.0 contract. While the package is in
+beta (0.x), these surfaces are settling and breaking changes may still land
+in minor releases — each one is called out in the CHANGELOG. At 1.0 they
+freeze: breaking changes will require a major version. Anything *not* listed
+(internal helpers, file layouts, exact message strings) may change in any
+release.
+
+## Canonical data model (`types.ts`)
+
+- `CanonicalGtmSnapshot` — `{ generatedAt, provider, users, accounts, contacts, deals, activities }`
+- `CanonicalUser`, `CanonicalAccount`, `CanonicalContact`, `CanonicalDeal`, `CanonicalActivity`
+  - Amounts are **major currency units**; adapters storing minor units convert at their boundary.
+  - `identities: ProviderIdentity[]` — `(provider, externalId)` claims; one per source system.
+  - `raw` — provider payload escape hatch; never read by audit rules.
+- `GtmPolicy` — thresholds with optional extensions (`requireDealAmount`, `closingSoonDays`, `closingSoonIdleDays`).
+
+## Audit engine
+
+- `GtmAuditRule` — `{ id, title, description, category?, evaluate(context) }`; the public extension point.
+- `GtmRuleContext` — `{ snapshot, policy, index }` with the prebuilt O(n) `GtmSnapshotIndex`.
+- `auditSnapshot(snapshot, policy?, rules?)` → `PatchPlan`.
+- `builtinAuditRules` (11 rules) plus each rule exported individually.
+- **Determinism guarantee**: identical inputs produce identical findings and operations with identical ids (`auditFindingId`, `patchOperationId` are stable hashes of rule + record).
+
+## Patch plans and application
+
+- `PatchPlan` — immutable dry-run proposal (`dryRun: true` always).
+- `PatchOperation` — typed write: objectType, objectId, operation kind, field, before/after, reason, riskLevel, approvalRequired.
+- `applyPatchPlan(connector, plan, options)` → `PatchPlanRun`. The safety contract:
+  1. only operation ids in `approvedOperationIds` are written;
+  2. `requires_human_*` placeholder values are never written without a `valueOverrides` entry;
+  3. compare-and-set: with `readField` support, drifted values produce `conflict` results instead of writes (`checkConflicts: false` opts out);
+  4. every operation yields a `PatchOperationResult` (`applied | failed | skipped | conflict`).
+- `PlanStore` / `createFilePlanStore` — durable lifecycle: save → approve operations (+ value overrides) → record runs.
+
+## Connectors
+
+- `GtmConnector` — `{ provider, fetchSnapshot(), applyOperation?, readField?, fetchChanges? }`.
+  - Connectors never silently drop unresolvable records; audits surface them.
+  - `fetchChanges(sinceIso)` returns a partial snapshot; change feeds may omit associations.
+- `createHubspotConnector(options)` — read/write/readField/fetchChanges. `applyOperation` implements every `PatchOperationType`: `set_field`, `clear_field`, `link_record`, `create_task`, `archive_record`.
+- `createSalesforceConnector(options)` — read/write/readField/fetchChanges; probabilities normalized to 0..1; `applyOperation` implements every operation type.
+- `createStripeConnector(options)` — read-only billing by design (`applyOperation` returns `skipped`); email domains are the cross-system merge keys. Implements `fetchChanges` (incremental via `created[gte]`).
+
+## Multi-system operations
+
+- `mergeSnapshots(snapshots)` → `{ snapshot, report }` — entity resolution on email/domain/name keys; identities accumulate; first source wins on conflicts and every conflict is reported.
+- `diffSnapshots(before, after)` → record/field-level changes; `diffFindings(beforePlan, afterPlan)` → hygiene drift on stable ids.
+
+## Configuration
+
+- `fullstackgtm.config.json`: `{ policy?, rules?: { enabled?, disabled? }, rulePackages? }`.
+- Rule packages export `rules: GtmAuditRule[]`.
+- Precedence: CLI flags > config file > defaults.
+
+## CLI
+
+Commands: `login` / `logout`, `snapshot`, `audit`, `diff`, `merge`, `plans`, `apply`, `rules`.
+Exit codes: `0` success · `1` error · `2` findings/regressions at the requested gate
+(`--fail-on`, `--fail-on-new-findings`). `--json` everywhere; JSON output shapes are stable.
+
+Credential resolution ladder: explicit `--token-env` → ambient env
+(`HUBSPOT_ACCESS_TOKEN`, `SALESFORCE_ACCESS_TOKEN`+`SALESFORCE_INSTANCE_URL`,
+`STRIPE_SECRET_KEY`) → stored login (`~/.fullstackgtm`, `FSGTM_HOME` override)
+→ broker pairing (`login --via`).
+
+## MCP
+
+Tools: `fullstackgtm_audit`, `fullstackgtm_rules`, `fullstackgtm_apply`
+(requires explicit `approvedOperationIds`). Input schemas are stable.

package/docs/roadmap-to-1.0.md

@@ -0,0 +1,121 @@
+# fullstackgtm: 0.1 → 1.0
+
+The planned, versioned path from first publish to a stable 1.0. Each milestone
+is shippable on its own, ordered so that every step consolidates the
+architecture before the next step expands it. The invariants that hold at
+every version:
+
+1. **The package is the product; the app is an adapter.** Anything the app
+   needs from a provider goes through the package connector. New capability
+   lands in the package first.
+2. **Reads are free, writes are patch plans.** No code path may mutate a
+   provider except `applyPatchPlan` / `applyOperation` with explicit approval.
+3. **Deterministic and diffable.** Same inputs produce the same findings with
+   the same ids. Golden tests over the demo dataset enforce this.
+4. **Zero-dependency core.** Connectors use `fetch`; optional integrations
+   (MCP) stay optional peers.
+
+## 0.1.0 — The loop exists (done)
+
+Canonical model, pluggable rule engine, patch plans, safe apply, HubSpot
+connector, CLI/MCP, demo dataset, CLI auth (private app token, loopback
+OAuth), broker pairing against a hosted deployment, CI + tag-publish
+automation.
+
+## 0.2.0 — Provider parity and operational trust (done)
+
+- **Salesforce connector** behind the same `GtmConnector` contract: SOQL with
+  cursor pagination, PATCH write-back, probabilities normalized to canonical
+  0..1, never drops unresolvable records.
+- **Salesforce CLI auth**: native device flow (code on any device, no client
+  secret, silent refresh) plus manual token + instance URL.
+- **Broker mint for Salesforce**: paired CLIs receive `accessToken +
+  instanceUrl + fieldMappings` from the org's stored credentials.
+- **CLI token observability**: paired-CLI list with last-used timestamps and
+  one-click revoke in the dashboard.
+- App consolidation: `convex/salesforceActions.ts` collapses onto the package
+  connector like the HubSpot path did.
+
+## 0.3.0 — One patch-plan vocabulary (done)
+
+The last internal duplication: the app's durable `patchPlans` tables speak
+`verb`/`operation` strings while the package speaks typed `PatchOperation`s.
+
+- Package: add a `PlanStore` interface (persist plan → approve operations →
+  record runs) so durable workflows are a first-class framework concern, not
+  an app concern.
+- App: migrate `patchPlans`/`patchOperations` rows to the package types
+  (schema migration with a compatibility window), route
+  `patchPlanActions.apply` through `applyPatchPlan`.
+- Exit criterion: the dashboard review queue and `fullstackgtm apply` operate
+  on byte-identical plan documents.
+
+## 0.4.0 — Policy as config, rules as packages (done)
+
+Make the rule engine the community surface.
+
+- `fullstackgtm.config.json` (or `.ts`): policy thresholds, enabled rules,
+  per-rule severity overrides, custom rule module paths.
+- Rule metadata: category, default severity, docs URL; `fullstackgtm rules`
+  becomes generated documentation.
+- 10–15 additional built-in rules drawn from real RevOps pain: duplicate
+  accounts by domain, contacts without owners, deals closing this quarter
+  with no activity in 14 days, stage/probability drift, currency mismatches.
+- Exit criterion: a third party can publish an npm package of rules and a
+  user can enable it from config without forking.
+
+## 0.5.0 — Time: snapshot history and drift (done)
+
+- Snapshot archive conventions (local directory or any mounted/S3-backed
+  path) with `fullstackgtm snapshot --archive`.
+- `fullstackgtm diff <a> <b>`: what changed between snapshots — records,
+  fields, and *findings* (hygiene drift), built on the stable-id property.
+- Audit trends in the hosted app (the observability layer earns its keep).
+- Exit criterion: a nightly CI job can fail on hygiene regression, not just
+  hygiene presence.
+
+## 0.6.0 — Many systems, one entity (done — Stripe is the first non-CRM connector)
+
+The original thesis: GTM data disagrees across systems.
+
+- Entity resolution over `identities` claims: merge canonical records from
+  multiple snapshots (CRM + marketing + billing) by domain/email/external-id
+  heuristics, with explicit confidence and human-reviewable merge plans (the
+  patch-plan safety model applied to identity).
+- Cross-system audit rules: "account exists in billing but not CRM",
+  "marketing-qualified contact has no CRM owner".
+- First non-CRM connector (likely billing — Stripe — or marketing) to prove
+  the contract generalizes.
+- Exit criterion: one audit over a merged snapshot from two live systems.
+
+## 0.7.0 — Sync maturity (done)
+
+- Incremental fetch: provider cursors (HubSpot `updatedAfter` search,
+  Salesforce `SystemModstamp` filters) behind an optional
+  `fetchChanges(since)` connector capability.
+- Conflict surfacing: when a provider value changed under an unapplied patch
+  operation, the plan flags it instead of writing blind (compare-and-set).
+- Exit criterion: hourly sync of a 100k-record org without full re-pulls.
+
+## 0.8–0.9 — Hardening and freeze (done)
+
+- API review and freeze of `types.ts`, connector contract, CLI flags, MCP
+  schemas; deprecations resolved.
+- Security review of the auth surfaces (credential store, broker endpoints,
+  token lifecycle); rate limiting on the device-flow endpoints.
+- Docs site with the operating-model registry as browsable reference.
+- Performance pass: streaming snapshots for very large orgs.
+
+## 1.0.0 — The contract (reached)
+
+Semver stability commitment on the canonical model, rule interface, connector
+contract, plan format, CLI, and MCP tools. From here, new providers and new
+rules are minor releases; the model only breaks at 2.0.
+
+## Deliberately out of scope until after 1.0
+
+- Hosted multi-org analytics across customers
+- Non-deterministic (LLM-scored) rules — they can *propose*, but the
+  deterministic engine stays the system of record for findings
+- Workflow orchestration (sequences, cadences) — adjacent product, not
+  framework

package/llms.txt

@@ -0,0 +1,25 @@
+# fullstackgtm
+
+> Plan/apply for your GTM stack: canonical CRM/GTM data model, deterministic
+> hygiene audits, reviewable dry-run patch plans, and approval-gated
+> write-back to HubSpot, Salesforce, and Stripe (read-only). Think
+> `terraform plan` for your CRM. Apache-2.0.
+
+CLI quick check: `fullstackgtm doctor --json`. Zero-credential demo:
+`fullstackgtm audit --demo --json`. Audits are read-only; `apply` writes only
+explicitly approved operation ids. Exit codes: 0 success, 1 error, 2 findings
+at/above `--fail-on`.
+
+## Docs
+
+- [README](https://github.com/fullstackgtm/core/blob/main/README.md): install, five-minute loop, auth ladder, MCP setup, programmatic use
+- [INSTALL_FOR_AGENTS](https://github.com/fullstackgtm/core/blob/main/INSTALL_FOR_AGENTS.md): deterministic install-and-verify steps with expected outputs
+- [API reference](https://github.com/fullstackgtm/core/blob/main/docs/api.md): semver-covered surfaces — canonical model, rule interface, plan/apply contract, connector contract, config, CLI, MCP tools
+- [CHANGELOG](https://github.com/fullstackgtm/core/blob/main/CHANGELOG.md): release history
+
+## Key invariants
+
+- Reads are safe by default; nothing is written without explicit `--approve`
+- `requires_human_*` placeholder values are refused without a `--value` override
+- Finding/operation ids are stable hashes of rule + record (diffable across runs)
+- Secrets are never accepted as argv flags; stdin or env only

package/package.json

@@ -0,0 +1,76 @@
+{
+  "name": "fullstackgtm",
+  "version": "0.10.0",
+  "description": "Open-source agentic GTM ops framework: canonical GTM data model, pluggable deterministic audits, reviewable dry-run patch plans, approval-gated write-back with conflict detection, and cross-system entity resolution. HubSpot, Salesforce, and Stripe connectors included.",
+  "license": "Apache-2.0",
+  "author": "Full Stack GTM",
+  "homepage": "https://github.com/fullstackgtm/core#readme",
+  "bugs": {
+    "url": "https://github.com/fullstackgtm/core/issues"
+  },
+  "type": "module",
+  "sideEffects": false,
+  "exports": {
+    ".": {
+      "types": "./dist/index.d.ts",
+      "import": "./dist/index.js",
+      "default": "./dist/index.js"
+    },
+    "./package.json": "./package.json"
+  },
+  "bin": {
+    "fullstackgtm": "dist/bin.js",
+    "fullstackgtm-mcp": "dist/mcp-bin.js"
+  },
+  "files": [
+    "dist",
+    "src",
+    "docs",
+    "README.md",
+    "CHANGELOG.md",
+    "INSTALL_FOR_AGENTS.md",
+    "llms.txt",
+    "LICENSE"
+  ],
+  "scripts": {
+    "build": "tsc -p tsconfig.build.json",
+    "test": "node --experimental-strip-types --test tests/*.test.ts",
+    "prepublishOnly": "npm run build"
+  },
+  "devDependencies": {
+    "@modelcontextprotocol/sdk": "^1.29.0",
+    "@types/node": "^22.0.0",
+    "typescript": "^5.9.0",
+    "zod": "^4.4.2"
+  },
+  "keywords": [
+    "gtm",
+    "revops",
+    "crm",
+    "salesforce",
+    "hubspot",
+    "audit",
+    "agent",
+    "mcp",
+    "patch-plan"
+  ],
+  "repository": {
+    "type": "git",
+    "url": "git+https://github.com/fullstackgtm/core.git"
+  },
+  "engines": {
+    "node": ">=20"
+  },
+  "peerDependencies": {
+    "@modelcontextprotocol/sdk": "^1.29.0",
+    "zod": "^4.4.2"
+  },
+  "peerDependenciesMeta": {
+    "@modelcontextprotocol/sdk": {
+      "optional": true
+    },
+    "zod": {
+      "optional": true
+    }
+  }
+}