fullstackgtm 0.10.0

package/src/planStore.ts

@@ -0,0 +1,155 @@
+import { chmodSync, mkdirSync, readdirSync, readFileSync } from "node:fs";
+import { join } from "node:path";
+import { credentialsDir, ensureSecureHomeDir, writeSecureFile } from "./credentials.ts";
+import type { ApprovalStatus, PatchPlan, PatchPlanRun } from "./types.ts";
+
+/**
+ * Durable patch-plan workflow. A plan is an immutable proposal; the store
+ * tracks the mutable lifecycle around it — which operations a human approved,
+ * the concrete values they supplied, and every apply run. The hosted app's
+ * Convex tables and this file store are two implementations of the same
+ * contract.
+ */
+
+export type StoredPlan = {
+  plan: PatchPlan;
+  status: ApprovalStatus;
+  approvedOperationIds: string[];
+  valueOverrides: Record<string, unknown>;
+  runs: PatchPlanRun[];
+  createdAt: string;
+  updatedAt: string;
+};
+
+export interface PlanStore {
+  save(plan: PatchPlan): Promise<StoredPlan>;
+  get(planId: string): Promise<StoredPlan | null>;
+  list(status?: ApprovalStatus): Promise<StoredPlan[]>;
+  approveOperations(
+    planId: string,
+    operationIds: string[],
+    valueOverrides?: Record<string, unknown>,
+  ): Promise<StoredPlan>;
+  reject(planId: string): Promise<StoredPlan>;
+  recordRun(planId: string, run: PatchPlanRun): Promise<StoredPlan>;
+}
+
+/**
+ * Plans as JSON files in a directory (default `$FSGTM_HOME/plans`), one file
+ * per plan id. Filesystem-shaped on purpose: greppable, diffable, and any
+ * file-based tooling composes with it.
+ */
+export function createFilePlanStore(directory?: string): PlanStore {
+  const dir = directory ?? join(credentialsDir(), "plans");
+
+  function pathFor(planId: string) {
+    if (!/^[\w.-]+$/.test(planId)) throw new Error(`Invalid plan id: ${planId}`);
+    return join(dir, `${planId}.json`);
+  }
+
+  function read(planId: string): StoredPlan | null {
+    try {
+      return JSON.parse(readFileSync(pathFor(planId), "utf8")) as StoredPlan;
+    } catch {
+      return null;
+    }
+  }
+
+  function write(stored: StoredPlan): StoredPlan {
+    // Plan files contain real CRM before/after values; keep them owner-only.
+    // When the store lives under the default home, lock that down too —
+    // otherwise an `audit --save` before any `login` would create the home
+    // directory world-readable.
+    if (!directory) ensureSecureHomeDir();
+    mkdirSync(dir, { recursive: true, mode: 0o700 });
+    try {
+      chmodSync(dir, 0o700);
+    } catch {
+      // Non-POSIX filesystems ignore chmod.
+    }
+    const next = { ...stored, updatedAt: new Date().toISOString() };
+    writeSecureFile(pathFor(stored.plan.id), `${JSON.stringify(next, null, 2)}\n`);
+    return next;
+  }
+
+  function mustRead(planId: string): StoredPlan {
+    const stored = read(planId);
+    if (!stored) throw new Error(`No stored plan with id ${planId}.`);
+    return stored;
+  }
+
+  return {
+    async save(plan) {
+      const now = new Date().toISOString();
+      return write({
+        plan,
+        status: plan.status,
+        approvedOperationIds: [],
+        valueOverrides: {},
+        runs: [],
+        createdAt: now,
+        updatedAt: now,
+      });
+    },
+
+    async get(planId) {
+      return read(planId);
+    },
+
+    async list(status) {
+      let entries: string[] = [];
+      try {
+        entries = readdirSync(dir);
+      } catch {
+        return [];
+      }
+      const plans = entries
+        .filter((entry) => entry.endsWith(".json"))
+        .map((entry) => read(entry.slice(0, -".json".length)))
+        .filter((stored): stored is StoredPlan => stored !== null)
+        .sort((a, b) => b.createdAt.localeCompare(a.createdAt));
+      return status ? plans.filter((stored) => stored.status === status) : plans;
+    },
+
+    async approveOperations(planId, operationIds, valueOverrides = {}) {
+      const stored = mustRead(planId);
+      if (stored.status === "applied") {
+        throw new Error(`Plan ${planId} has already been applied.`);
+      }
+      if (stored.status === "rejected") {
+        throw new Error(`Plan ${planId} was rejected; re-run the audit for a fresh plan.`);
+      }
+      const known = new Set(stored.plan.operations.map((operation) => operation.id));
+      for (const operationId of operationIds) {
+        if (!known.has(operationId)) {
+          throw new Error(`Plan ${planId} has no operation ${operationId}.`);
+        }
+      }
+      return write({
+        ...stored,
+        status: "approved",
+        approvedOperationIds: Array.from(
+          new Set([...stored.approvedOperationIds, ...operationIds]),
+        ),
+        valueOverrides: { ...stored.valueOverrides, ...valueOverrides },
+      });
+    },
+
+    async reject(planId) {
+      const stored = mustRead(planId);
+      if (stored.status === "applied") {
+        throw new Error(`Plan ${planId} has already been applied.`);
+      }
+      return write({ ...stored, status: "rejected", approvedOperationIds: [] });
+    },
+
+    async recordRun(planId, run) {
+      const stored = mustRead(planId);
+      return write({
+        ...stored,
+        status: run.status === "applied" || run.status === "partial" ? "applied" : stored.status,
+        runs: [...stored.runs, run],
+      });
+    },
+  };
+}

package/src/rules.ts

@@ -0,0 +1,539 @@
+import type {
+  AuditFinding,
+  CanonicalActivity,
+  CanonicalContact,
+  CanonicalDeal,
+  CanonicalGtmSnapshot,
+  GtmAuditRule,
+  GtmSnapshotIndex,
+  RiskLevel,
+} from "./types.ts";
+
+/**
+ * Placeholder used as `afterValue` when the right value is a human decision
+ * (e.g. which owner to assign). Apply orchestration refuses to write these
+ * unless an explicit override value is supplied at approval time.
+ */
+export const REQUIRES_HUMAN_PREFIX = "requires_human_";
+
+export function requiresHumanInput(value: unknown): boolean {
+  return typeof value === "string" && value.startsWith(REQUIRES_HUMAN_PREFIX);
+}
+
+export function auditFindingId(ruleId: string, objectId: string) {
+  return `finding_${stableHash(`${ruleId}:${objectId}`)}`;
+}
+
+export function patchOperationId(ruleId: string, objectId: string) {
+  return `op_${stableHash(`${ruleId}:${objectId}`)}`;
+}
+
+export function stableHash(value: string) {
+  let hash = 0;
+  for (let index = 0; index < value.length; index += 1) {
+    hash = (hash * 31 + value.charCodeAt(index)) >>> 0;
+  }
+  return hash.toString(36);
+}
+
+export function buildSnapshotIndex(snapshot: CanonicalGtmSnapshot): GtmSnapshotIndex {
+  const contactsByAccountId = new Map<string, CanonicalContact[]>();
+  const dealsByAccountId = new Map<string, CanonicalDeal[]>();
+  const activitiesByDealId = new Map<string, CanonicalActivity[]>();
+
+  for (const contact of snapshot.contacts) {
+    if (!contact.accountId) continue;
+    const existing = contactsByAccountId.get(contact.accountId) ?? [];
+    existing.push(contact);
+    contactsByAccountId.set(contact.accountId, existing);
+  }
+  for (const deal of snapshot.deals) {
+    if (!deal.accountId) continue;
+    const existing = dealsByAccountId.get(deal.accountId) ?? [];
+    existing.push(deal);
+    dealsByAccountId.set(deal.accountId, existing);
+  }
+  for (const activity of snapshot.activities) {
+    if (!activity.dealId) continue;
+    const existing = activitiesByDealId.get(activity.dealId) ?? [];
+    existing.push(activity);
+    activitiesByDealId.set(activity.dealId, existing);
+  }
+
+  return {
+    usersById: new Map(snapshot.users.map((user) => [user.id, user])),
+    accountsById: new Map(snapshot.accounts.map((account) => [account.id, account])),
+    contactsByAccountId,
+    dealsByAccountId,
+    activitiesByDealId,
+  };
+}
+
+function isOpen(deal: CanonicalDeal) {
+  return deal.isClosed !== true && deal.isWon !== true;
+}
+
+function dealFinding(deal: CanonicalDeal, ruleId: string, title: string): AuditFinding {
+  return {
+    id: auditFindingId(ruleId, deal.id),
+    objectType: "deal",
+    objectId: deal.id,
+    ruleId,
+    title,
+    severity: "warning",
+    summary: `${deal.name} violates ${ruleId.replace(/-/g, " ")} policy.`,
+    recommendation: "Review the proposed patch operation and approve an explicit CRM update.",
+  };
+}
+
+function staleDays(deal: CanonicalDeal, today: string) {
+  const reference = deal.lastActivityAt ?? deal.lastSyncAt ?? deal.closeDate;
+  if (!reference) return 0;
+  return Math.max(0, daysBetween(reference, today));
+}
+
+function daysBetween(start: string, end: string) {
+  const startMs = Date.parse(start);
+  const endMs = Date.parse(end);
+  if (!Number.isFinite(startMs) || !Number.isFinite(endMs)) return 0;
+  return Math.floor((endMs - startMs) / 86_400_000);
+}
+
+function compareDate(left: string, right: string) {
+  return Date.parse(left) - Date.parse(right);
+}
+
+function riskForStaleness(days: number): RiskLevel {
+  if (days >= 90) return "high";
+  if (days >= 45) return "medium";
+  return "low";
+}
+
+export const orphanAccountRule: GtmAuditRule = {
+  id: "orphan-account",
+  title: "Account has no contacts or deals",
+  description:
+    "Flags accounts not connected to any contact or opportunity so someone owns the next action.",
+  category: "hygiene",
+  evaluate: ({ snapshot, index }) => {
+    const findings: AuditFinding[] = [];
+    const operations = [];
+    for (const account of snapshot.accounts) {
+      const contacts = index.contactsByAccountId.get(account.id) ?? [];
+      const deals = index.dealsByAccountId.get(account.id) ?? [];
+      if (contacts.length > 0 || deals.length > 0) continue;
+      findings.push({
+        id: auditFindingId("orphan-account", account.id),
+        objectType: "account",
+        objectId: account.id,
+        ruleId: "orphan-account",
+        title: "Account has no contacts or deals",
+        severity: "warning",
+        summary: `${account.name} is not connected to any contact or open opportunity.`,
+        recommendation:
+          "Review whether the account should be enriched, assigned for research, or archived.",
+      });
+      operations.push({
+        id: patchOperationId("orphan-account", account.id),
+        objectType: "account" as const,
+        objectId: account.id,
+        operation: "create_task" as const,
+        field: "follow_up_task",
+        beforeValue: null,
+        afterValue: "Research account fit and decide whether to archive or enrich",
+        reason: "Orphan accounts add CRM noise unless someone owns the next action.",
+        riskLevel: "low" as const,
+        approvalRequired: true,
+      });
+    }
+    return { findings, operations };
+  },
+};
+
+export const missingDealOwnerRule: GtmAuditRule = {
+  id: "missing-deal-owner",
+  title: "Deal has no valid owner",
+  description: "Flags deals whose owner is missing or not a known user.",
+  category: "hygiene",
+  evaluate: ({ snapshot, policy, index }) => {
+    if (!policy.requireDealOwner) return { findings: [], operations: [] };
+    const findings: AuditFinding[] = [];
+    const operations = [];
+    for (const deal of snapshot.deals) {
+      if (deal.ownerId && index.usersById.has(deal.ownerId)) continue;
+      findings.push(dealFinding(deal, "missing-deal-owner", "Deal has no valid owner"));
+      operations.push({
+        id: patchOperationId("missing-deal-owner", deal.id),
+        objectType: "deal" as const,
+        objectId: deal.id,
+        operation: "set_field" as const,
+        field: "ownerId",
+        beforeValue: deal.ownerId ?? null,
+        afterValue: "requires_human_owner_selection",
+        reason:
+          "Every open opportunity needs a human owner before the agent can suggest routing.",
+        riskLevel: "medium" as const,
+        approvalRequired: true,
+      });
+    }
+    return { findings, operations };
+  },
+};
+
+export const missingDealAccountRule: GtmAuditRule = {
+  id: "missing-deal-account",
+  title: "Deal is not linked to an account",
+  description: "Flags deals that are not associated with a known account.",
+  category: "hygiene",
+  evaluate: ({ snapshot, policy, index }) => {
+    if (!policy.requireAccountForDeal) return { findings: [], operations: [] };
+    const findings: AuditFinding[] = [];
+    const operations = [];
+    for (const deal of snapshot.deals) {
+      if (deal.accountId && index.accountsById.has(deal.accountId)) continue;
+      findings.push(dealFinding(deal, "missing-deal-account", "Deal is not linked to an account"));
+      operations.push({
+        id: patchOperationId("missing-deal-account", deal.id),
+        objectType: "deal" as const,
+        objectId: deal.id,
+        operation: "link_record" as const,
+        field: "accountId",
+        beforeValue: deal.accountId ?? null,
+        afterValue: "requires_human_account_selection",
+        reason: "Opportunity reporting, ABM, attribution, and forecasting need account context.",
+        riskLevel: "medium" as const,
+        approvalRequired: true,
+      });
+    }
+    return { findings, operations };
+  },
+};
+
+export const pastCloseDateRule: GtmAuditRule = {
+  id: "past-close-date",
+  title: "Open deal has a past close date",
+  description: "Flags open deals whose close date is already behind today.",
+  category: "hygiene",
+  evaluate: ({ snapshot, policy }) => {
+    const findings: AuditFinding[] = [];
+    const operations = [];
+    for (const deal of snapshot.deals) {
+      if (!isOpen(deal) || !deal.closeDate) continue;
+      if (compareDate(deal.closeDate, policy.today) >= 0) continue;
+      findings.push(dealFinding(deal, "past-close-date", "Open deal has a past close date"));
+      operations.push({
+        id: patchOperationId("past-close-date", deal.id),
+        objectType: "deal" as const,
+        objectId: deal.id,
+        operation: "set_field" as const,
+        field: "closeDate",
+        beforeValue: deal.closeDate,
+        afterValue: "requires_human_close_date_selection",
+        reason: "Past close dates make forecast and pipeline aging unreliable.",
+        riskLevel: "medium" as const,
+        approvalRequired: true,
+      });
+    }
+    return { findings, operations };
+  },
+};
+
+export const staleDealRule: GtmAuditRule = {
+  id: "stale-deal",
+  title: "Deal has stale activity",
+  description:
+    "Flags open deals with no recorded activity for longer than the policy's stale window.",
+  category: "hygiene",
+  evaluate: ({ snapshot, policy }) => {
+    const findings: AuditFinding[] = [];
+    const operations = [];
+    for (const deal of snapshot.deals) {
+      if (!isOpen(deal)) continue;
+      const days = staleDays(deal, policy.today);
+      if (days <= policy.staleDealDays) continue;
+      findings.push({
+        id: auditFindingId("stale-deal", deal.id),
+        objectType: "deal",
+        objectId: deal.id,
+        ruleId: "stale-deal",
+        title: "Deal has stale activity",
+        severity: "warning",
+        summary: `${deal.name} has had no recorded activity for ${days} days.`,
+        recommendation:
+          "Ask the owner to confirm next step, close lost, or update the forecast category.",
+      });
+      operations.push({
+        id: patchOperationId("stale-deal", deal.id),
+        objectType: "deal" as const,
+        objectId: deal.id,
+        operation: "create_task" as const,
+        field: "next_step_task",
+        beforeValue: null,
+        afterValue: "Confirm next step or close out stale opportunity",
+        reason: "Stale open pipeline inflates forecast coverage and hides execution risk.",
+        riskLevel: riskForStaleness(days),
+        approvalRequired: true,
+      });
+    }
+    return { findings, operations };
+  },
+};
+
+export const missingDealAmountRule: GtmAuditRule = {
+  id: "missing-deal-amount",
+  title: "Open deal has no amount",
+  description: "Flags open deals without an amount; they make forecast coverage meaningless.",
+  category: "forecast",
+  evaluate: ({ snapshot, policy }) => {
+    if (policy.requireDealAmount === false) return { findings: [], operations: [] };
+    const findings: AuditFinding[] = [];
+    const operations = [];
+    for (const deal of snapshot.deals) {
+      if (!isOpen(deal)) continue;
+      if (deal.amount !== undefined && deal.amount !== 0) continue;
+      findings.push(dealFinding(deal, "missing-deal-amount", "Open deal has no amount"));
+      operations.push({
+        id: patchOperationId("missing-deal-amount", deal.id),
+        objectType: "deal" as const,
+        objectId: deal.id,
+        operation: "set_field" as const,
+        field: "amount",
+        beforeValue: deal.amount ?? null,
+        afterValue: "requires_human_amount_selection",
+        reason: "Amountless open pipeline understates coverage and breaks weighted forecasts.",
+        riskLevel: "medium" as const,
+        approvalRequired: true,
+      });
+    }
+    return { findings, operations };
+  },
+};
+
+function duplicateGroups<T>(items: T[], keyOf: (item: T) => string | undefined): Map<string, T[]> {
+  const groups = new Map<string, T[]>();
+  for (const item of items) {
+    const key = keyOf(item)?.trim().toLowerCase();
+    if (!key) continue;
+    const existing = groups.get(key) ?? [];
+    existing.push(item);
+    groups.set(key, existing);
+  }
+  for (const [key, members] of Array.from(groups.entries())) {
+    if (members.length < 2) groups.delete(key);
+  }
+  return groups;
+}
+
+export const duplicateAccountDomainRule: GtmAuditRule = {
+  id: "duplicate-account-domain",
+  title: "Accounts share the same domain",
+  description:
+    "Flags accounts with identical domains — usually duplicates splitting activity, deals, and attribution.",
+  category: "data-quality",
+  evaluate: ({ snapshot }) => {
+    const findings: AuditFinding[] = [];
+    const operations = [];
+    for (const [domain, accounts] of duplicateGroups(snapshot.accounts, (account) => account.domain)) {
+      const anchor = accounts[0];
+      findings.push({
+        id: auditFindingId("duplicate-account-domain", anchor.id),
+        objectType: "account",
+        objectId: anchor.id,
+        ruleId: "duplicate-account-domain",
+        title: "Accounts share the same domain",
+        severity: "warning",
+        summary: `${accounts.length} accounts share ${domain}: ${accounts.map((account) => account.name).join(", ")}.`,
+        recommendation: "Review the group and merge duplicates so activity and deals roll up once.",
+      });
+      operations.push({
+        id: patchOperationId("duplicate-account-domain", anchor.id),
+        objectType: "account" as const,
+        objectId: anchor.id,
+        operation: "create_task" as const,
+        field: "merge_review_task",
+        beforeValue: null,
+        afterValue: `Review ${accounts.length} accounts sharing ${domain} and merge duplicates`,
+        reason: "Duplicate accounts split pipeline, attribution, and ownership.",
+        riskLevel: "medium" as const,
+        approvalRequired: true,
+      });
+    }
+    return { findings, operations };
+  },
+};
+
+export const duplicateContactEmailRule: GtmAuditRule = {
+  id: "duplicate-contact-email",
+  title: "Contacts share the same email",
+  description:
+    "Flags contacts with identical emails — duplicates that fragment engagement history and routing.",
+  category: "data-quality",
+  evaluate: ({ snapshot }) => {
+    const findings: AuditFinding[] = [];
+    const operations = [];
+    for (const [email, contacts] of duplicateGroups(snapshot.contacts, (contact) => contact.email)) {
+      const anchor = contacts[0];
+      findings.push({
+        id: auditFindingId("duplicate-contact-email", anchor.id),
+        objectType: "contact",
+        objectId: anchor.id,
+        ruleId: "duplicate-contact-email",
+        title: "Contacts share the same email",
+        severity: "warning",
+        summary: `${contacts.length} contacts share ${email}.`,
+        recommendation: "Merge the duplicates so engagement history and routing stay coherent.",
+      });
+      operations.push({
+        id: patchOperationId("duplicate-contact-email", anchor.id),
+        objectType: "contact" as const,
+        objectId: anchor.id,
+        operation: "create_task" as const,
+        field: "merge_review_task",
+        beforeValue: null,
+        afterValue: `Review ${contacts.length} contacts sharing ${email} and merge duplicates`,
+        reason: "Duplicate contacts fragment engagement history and double-route outreach.",
+        riskLevel: "low" as const,
+        approvalRequired: true,
+      });
+    }
+    return { findings, operations };
+  },
+};
+
+export const activeDealAccountWithoutContactsRule: GtmAuditRule = {
+  id: "active-deal-account-without-contacts",
+  title: "Account with open pipeline has no contacts",
+  description:
+    "Flags accounts carrying open deals without a single contact — pipeline with nobody to talk to.",
+  category: "coverage",
+  evaluate: ({ index }) => {
+    const findings: AuditFinding[] = [];
+    const operations = [];
+    for (const [accountId, deals] of index.dealsByAccountId) {
+      if (!deals.some(isOpen)) continue;
+      if ((index.contactsByAccountId.get(accountId) ?? []).length > 0) continue;
+      const account = index.accountsById.get(accountId);
+      if (!account) continue;
+      findings.push({
+        id: auditFindingId("active-deal-account-without-contacts", account.id),
+        objectType: "account",
+        objectId: account.id,
+        ruleId: "active-deal-account-without-contacts",
+        title: "Account with open pipeline has no contacts",
+        severity: "warning",
+        summary: `${account.name} has open deals but no contacts on record.`,
+        recommendation: "Add the champion and buying-committee contacts before the deal advances.",
+      });
+      operations.push({
+        id: patchOperationId("active-deal-account-without-contacts", account.id),
+        objectType: "account" as const,
+        objectId: account.id,
+        operation: "create_task" as const,
+        field: "add_contacts_task",
+        beforeValue: null,
+        afterValue: "Add champion and buying-committee contacts for the open opportunities",
+        reason: "Open pipeline without contacts cannot be advanced, routed, or marketed to.",
+        riskLevel: "low" as const,
+        approvalRequired: true,
+      });
+    }
+    return { findings, operations };
+  },
+};
+
+export const closingSoonInactiveRule: GtmAuditRule = {
+  id: "closing-soon-inactive",
+  title: "Deal closing soon with no recent activity",
+  description:
+    "Flags open deals inside the closing-soon window whose last activity is older than the idle threshold.",
+  category: "forecast",
+  evaluate: ({ snapshot, policy }) => {
+    const windowDays = policy.closingSoonDays ?? 14;
+    const idleDays = policy.closingSoonIdleDays ?? 7;
+    const findings: AuditFinding[] = [];
+    const operations = [];
+    for (const deal of snapshot.deals) {
+      if (!isOpen(deal) || !deal.closeDate) continue;
+      const daysToClose = daysBetween(policy.today, deal.closeDate);
+      if (daysToClose < 0 || daysToClose > windowDays) continue;
+      const idle = staleDays(deal, policy.today);
+      if (idle <= idleDays) continue;
+      findings.push({
+        id: auditFindingId("closing-soon-inactive", deal.id),
+        objectType: "deal",
+        objectId: deal.id,
+        ruleId: "closing-soon-inactive",
+        title: "Deal closing soon with no recent activity",
+        severity: "critical",
+        summary: `${deal.name} closes in ${daysToClose} days but has had no activity for ${idle} days.`,
+        recommendation:
+          "Confirm the close plan with the owner today, or move the close date and forecast category.",
+      });
+      operations.push({
+        id: patchOperationId("closing-soon-inactive", deal.id),
+        objectType: "deal" as const,
+        objectId: deal.id,
+        operation: "create_task" as const,
+        field: "close_plan_task",
+        beforeValue: null,
+        afterValue: "Confirm close plan or update close date and forecast category",
+        reason: "Deals forecast to close imminently without engagement are silent slip risk.",
+        riskLevel: "high" as const,
+        approvalRequired: true,
+      });
+    }
+    return { findings, operations };
+  },
+};
+
+export const accountSingleSourceRule: GtmAuditRule = {
+  id: "account-single-source",
+  title: "Account exists in only one connected system",
+  description:
+    "On merged multi-system snapshots, flags accounts known to just one source — the seams where GTM systems disagree.",
+  category: "cross-system",
+  evaluate: ({ snapshot }) => {
+    const providersSeen = new Set(
+      snapshot.accounts.flatMap((account) =>
+        (account.identities ?? []).map((identity) => String(identity.provider)),
+      ),
+    );
+    // Only meaningful when the snapshot actually spans systems.
+    if (providersSeen.size < 2) return { findings: [], operations: [] };
+
+    const findings: AuditFinding[] = [];
+    for (const account of snapshot.accounts) {
+      const sources = new Set(
+        (account.identities ?? []).map((identity) => String(identity.provider)),
+      );
+      if (sources.size !== 1) continue;
+      const source = Array.from(sources)[0];
+      findings.push({
+        id: auditFindingId("account-single-source", account.id),
+        objectType: "account",
+        objectId: account.id,
+        ruleId: "account-single-source",
+        title: "Account exists in only one connected system",
+        severity: "info",
+        summary: `${account.name} exists only in ${source} (${providersSeen.size} systems connected).`,
+        recommendation:
+          "Check whether the account is missing from the other systems or matched under a different domain/name.",
+      });
+    }
+    return { findings, operations: [] };
+  },
+};
+
+export const builtinAuditRules: GtmAuditRule[] = [
+  orphanAccountRule,
+  missingDealOwnerRule,
+  missingDealAccountRule,
+  pastCloseDateRule,
+  staleDealRule,
+  missingDealAmountRule,
+  duplicateAccountDomainRule,
+  duplicateContactEmailRule,
+  activeDealAccountWithoutContactsRule,
+  closingSoonInactiveRule,
+  accountSingleSourceRule,
+];