fullstackgtm 0.10.1 → 0.11.1

package/dist/connectors/hubspot.js

@@ -22,6 +22,10 @@ export function createHubspotConnector(options) {
     const baseUrl = (options.apiBaseUrl ?? DEFAULT_API_BASE_URL).replace(/\/$/, "");
     const fetchImpl = options.fetchImpl ?? fetch;
     const mappings = options.fieldMappings;
+    // create:<Name> dedup within one connector lifetime (one apply run): the
+    // search API is eventually consistent, so a just-created company is
+    // invisible to search — this map is the authoritative same-run record.
+    const createdCompaniesByName = new Map();
     async function request(path, init = {}) {
         const token = await options.getAccessToken();
         let response;
@@ -282,18 +286,77 @@ export function createHubspotConnector(options) {
                 detail: "link_record is supported for deals and contacts (to a company).",
             };
         }
-        const companyId = String(operation.afterValue ?? "");
+        let companyId = String(operation.afterValue ?? "");
         if (!companyId) {
             return { operationId: operation.id, status: "skipped", detail: "link_record needs a target company id." };
         }
+        // `create:<Name>` is resolve-first: link to an existing company when one
+        // unambiguously matches, refuse on ambiguity, create only on a confirmed
+        // miss — and never create the same name twice within one apply run
+        // (HubSpot's search API is eventually consistent, so a just-created
+        // record is invisible to search for several seconds).
+        let createdCompanyName = null;
+        let resolvedExisting = false;
+        if (companyId.startsWith("create:")) {
+            const name = companyId.slice("create:".length).trim();
+            if (!name) {
+                return { operationId: operation.id, status: "skipped", detail: "create: needs a company name (create:<Name>)." };
+            }
+            const nameKey = name.toLowerCase();
+            const alreadyCreated = createdCompaniesByName.get(nameKey);
+            if (alreadyCreated) {
+                companyId = alreadyCreated;
+                resolvedExisting = true;
+            }
+            else {
+                const matches = await searchCompaniesByName(name);
+                if (matches.length > 1) {
+                    return {
+                        operationId: operation.id,
+                        status: "skipped",
+                        detail: `create:${name} is ambiguous — ${matches.length} companies already named "${name}" (ids ${matches.join(", ")}). Link an explicit company id instead.`,
+                    };
+                }
+                if (matches.length === 1) {
+                    companyId = matches[0];
+                    resolvedExisting = true;
+                    createdCompaniesByName.set(nameKey, companyId);
+                }
+                else {
+                    const created = await request(`/crm/v3/objects/companies`, {
+                        method: "POST",
+                        body: JSON.stringify({ properties: { name } }),
+                    });
+                    companyId = String(created.id);
+                    createdCompanyName = name;
+                    createdCompaniesByName.set(nameKey, companyId);
+                }
+            }
+        }
         await request(`/crm/v4/objects/${fromPath}/${encodeURIComponent(operation.objectId)}/associations/default/companies/${encodeURIComponent(companyId)}`, { method: "PUT" });
         return {
             operationId: operation.id,
             status: "applied",
-            detail: `Linked ${fromPath}/${operation.objectId} to company ${companyId}.`,
-            providerData: { companyId },
+            detail: createdCompanyName
+                ? `Created company "${createdCompanyName}" (${companyId}) and linked ${fromPath}/${operation.objectId} to it.`
+                : resolvedExisting
+                    ? `Linked ${fromPath}/${operation.objectId} to existing company ${companyId} (resolved by name, nothing created).`
+                    : `Linked ${fromPath}/${operation.objectId} to company ${companyId}.`,
+            providerData: { companyId, ...(createdCompanyName ? { createdCompany: true } : {}) },
         };
     }
+    /** Exact-name company lookup for resolve-first creates. Returns matching ids (max 3 fetched). */
+    async function searchCompaniesByName(name) {
+        const data = await request(`/crm/v3/objects/companies/search`, {
+            method: "POST",
+            body: JSON.stringify({
+                filterGroups: [{ filters: [{ propertyName: "name", operator: "EQ", value: name }] }],
+                properties: ["name"],
+                limit: 3,
+            }),
+        });
+        return (data?.results ?? []).map((row) => String(row.id));
+    }
     async function createTask(operation) {
         const associationTypeId = TASK_ASSOCIATION_TYPE_IDS[operation.objectType];
         if (associationTypeId === undefined) {
@@ -304,7 +367,34 @@ export function createHubspotConnector(options) {
             };
         }
         const subject = operation.field ? humanizeField(operation.field) : "Follow up";
-        const body = String(operation.afterValue ?? operation.reason ?? "");
+        // The operation id doubles as an idempotency token: it is stamped into
+        // the task body and pre-checked so a replayed plan does not create the
+        // same task twice. Fail-open — a search hiccup must not block the apply.
+        const token = `fsgtm ${operation.id.replace(/^op_/, "")}`;
+        try {
+            const existing = await request(`/crm/v3/objects/tasks/search`, {
+                method: "POST",
+                body: JSON.stringify({
+                    filterGroups: [
+                        { filters: [{ propertyName: "hs_task_body", operator: "CONTAINS_TOKEN", value: token.split(" ")[1] }] },
+                    ],
+                    limit: 1,
+                }),
+            });
+            const hit = (existing?.results ?? [])[0];
+            if (hit?.id) {
+                return {
+                    operationId: operation.id,
+                    status: "skipped",
+                    detail: `Task for this operation already exists (task ${hit.id}); not creating a duplicate.`,
+                    providerData: { id: hit.id, existing: true },
+                };
+            }
+        }
+        catch {
+            // fall through to create
+        }
+        const body = `${String(operation.afterValue ?? operation.reason ?? "")}\n\n[${token}]`;
         const response = await request(`/crm/v3/objects/tasks`, {
             method: "POST",
             body: JSON.stringify({
@@ -387,6 +477,13 @@ export function createHubspotConnector(options) {
         if (!objectPath || !mappingType) {
             throw new Error(`Field reads are only supported for accounts, contacts, and deals.`);
         }
+        // accountId is an association in HubSpot, not a property — without this
+        // branch the compare-and-set on link_record reads null and passes blind.
+        if (field === "accountId" && (objectType === "deal" || objectType === "contact")) {
+            const data = await request(`/crm/v4/objects/${objectPath}/${encodeURIComponent(objectId)}/associations/companies?limit=1`);
+            const first = (data?.results ?? [])[0];
+            return first?.toObjectId !== undefined ? String(first.toObjectId) : null;
+        }
         const defaults = HUBSPOT_DEFAULT_FIELD_MAPPINGS[mappingType] ?? {};
         const property = mappedField(mappings, mappingType, field, defaults[field] ?? field);
         const data = await request(`/crm/v3/objects/${objectPath}/${encodeURIComponent(objectId)}?properties=${encodeURIComponent(property)}`);

package/dist/connectors/hubspotAuth.js

@@ -49,8 +49,12 @@ export async function validateHubspotToken(token, fetchImpl = fetch) {
     if (response.ok) {
         return { ok: true, detail: "Token accepted by the HubSpot CRM API." };
     }
-    const body = await response.text();
-    return { ok: false, detail: `HubSpot rejected the token (${response.status}): ${body}` };
+    // Never echo the response body: provider error payloads can reflect request
+    // details and end up in logs or shell scrollback.
+    return {
+        ok: false,
+        detail: `HubSpot rejected the token: HTTP ${response.status} ${response.statusText}`.trim(),
+    };
 }
 async function tokenRequest(params, fetchImpl) {
     const response = await fetchImpl(HS_TOKEN_URL, {

package/dist/connectors/salesforce.js

@@ -23,6 +23,8 @@ export function createSalesforceConnector(options) {
     const apiVersion = options.apiVersion ?? DEFAULT_API_VERSION;
     const fetchImpl = options.fetchImpl ?? fetch;
     const mappings = options.fieldMappings;
+    // create:<Name> dedup within one connector lifetime (one apply run).
+    const createdAccountsByName = new Map();
     async function request(path, init = {}) {
         const connection = await options.getConnection();
         const url = path.startsWith("http")
@@ -228,11 +230,28 @@ export function createSalesforceConnector(options) {
                 detail: "Tasks can be attached to accounts, contacts, and deals.",
             };
         }
+        // Idempotency: the operation id is stamped into the Description and
+        // pre-checked, so replaying a plan does not duplicate tasks. Fail-open.
+        const token = `fsgtm:${operation.id}`;
+        try {
+            const existing = await query(`SELECT Id FROM Task WHERE Description LIKE '%${token.replace(/'/g, "\\'")}%' LIMIT 1`);
+            if (existing.length > 0) {
+                return {
+                    operationId: operation.id,
+                    status: "skipped",
+                    detail: `Task for this operation already exists (task ${existing[0].Id}); not creating a duplicate.`,
+                    providerData: { id: String(existing[0].Id), existing: true },
+                };
+            }
+        }
+        catch {
+            // fall through to create
+        }
         const response = await request(`/services/data/${apiVersion}/sobjects/Task`, {
             method: "POST",
             body: JSON.stringify({
                 Subject: operation.field ? humanizeField(operation.field) : "Follow up",
-                Description: String(operation.afterValue ?? operation.reason ?? ""),
+                Description: `${String(operation.afterValue ?? operation.reason ?? "")}\n\n[${token}]`,
                 Status: "Not Started",
                 Priority: "Normal",
                 ...reference,
@@ -268,8 +287,55 @@ export function createSalesforceConnector(options) {
                 case "clear_field":
                     // link_record on a deal is just setting AccountId in Salesforce.
                     return await setField(operation);
-                case "link_record":
+                case "link_record": {
+                    // `create:<Name>` is resolve-first: link to an unambiguous existing
+                    // Account, refuse on ambiguity, create only on a confirmed miss —
+                    // and never create the same name twice within one apply run.
+                    const value = String(operation.afterValue ?? "");
+                    if (value.startsWith("create:")) {
+                        const name = value.slice("create:".length).trim();
+                        if (!name) {
+                            return { operationId: operation.id, status: "skipped", detail: "create: needs an account name (create:<Name>)." };
+                        }
+                        const nameKey = name.toLowerCase();
+                        let accountId = createdAccountsByName.get(nameKey);
+                        let createdNew = false;
+                        if (!accountId) {
+                            const soqlName = name.replace(/\\/g, "\\\\").replace(/'/g, "\\'");
+                            const matches = await query(`SELECT Id FROM Account WHERE Name = '${soqlName}' LIMIT 3`);
+                            if (matches.length > 1) {
+                                return {
+                                    operationId: operation.id,
+                                    status: "skipped",
+                                    detail: `create:${name} is ambiguous — ${matches.length} accounts already named "${name}". Link an explicit account id instead.`,
+                                };
+                            }
+                            if (matches.length === 1) {
+                                accountId = String(matches[0].Id);
+                            }
+                            else {
+                                const created = await request(`/services/data/${apiVersion}/sobjects/Account`, {
+                                    method: "POST",
+                                    body: JSON.stringify({ Name: name }),
+                                });
+                                accountId = String(created.id);
+                                createdNew = true;
+                            }
+                            createdAccountsByName.set(nameKey, accountId);
+                        }
+                        const result = await setField({ ...operation, operation: "set_field", afterValue: accountId });
+                        return result.status === "applied"
+                            ? {
+                                ...result,
+                                detail: createdNew
+                                    ? `Created account "${name}" (${accountId}) and linked ${operation.objectType}/${operation.objectId} to it.`
+                                    : `Linked ${operation.objectType}/${operation.objectId} to existing account ${accountId} (resolved by name, nothing created).`,
+                                providerData: { accountId, ...(createdNew ? { createdAccount: true } : {}) },
+                            }
+                            : result;
+                    }
                     return await setField({ ...operation, operation: "set_field" });
+                }
                 case "create_task":
                     return await createTask(operation);
                 case "archive_record":

package/dist/connectors/salesforceAuth.js

@@ -111,10 +111,24 @@ export async function refreshSalesforceToken(options) {
     };
 }
 export async function validateSalesforceToken(accessToken, instanceUrl, fetchImpl = fetch) {
-    const response = await fetchImpl(`${instanceUrl.replace(/\/$/, "")}/services/oauth2/userinfo`, { headers: { Authorization: `Bearer ${accessToken}` } });
+    let response;
+    try {
+        response = await fetchImpl(`${instanceUrl.replace(/\/$/, "")}/services/oauth2/userinfo`, { headers: { Authorization: `Bearer ${accessToken}` } });
+    }
+    catch (error) {
+        const cause = error instanceof Error && error.cause instanceof Error ? `: ${error.cause.message}` : "";
+        return {
+            ok: false,
+            detail: `Cannot reach Salesforce at ${instanceUrl}${cause}. Check the --instance-url (your My Domain URL, e.g. https://yourco.my.salesforce.com) and network access.`,
+        };
+    }
     if (response.ok) {
         return { ok: true, detail: "Token accepted by the Salesforce API." };
     }
-    const body = await response.text();
-    return { ok: false, detail: `Salesforce rejected the token (${response.status}): ${body}` };
+    // Never echo the response body: provider error payloads can reflect request
+    // details and end up in logs or shell scrollback.
+    return {
+        ok: false,
+        detail: `Salesforce rejected the token: HTTP ${response.status} ${response.statusText}`.trim(),
+    };
 }

package/dist/credentials.d.ts

@@ -2,7 +2,26 @@
  * Local CLI credential store: ~/.fullstackgtm/credentials.json (0600), or
  * $FSGTM_HOME/credentials.json when set. Environment tokens always win over
  * stored credentials so CI and agent sandboxes never touch the filesystem.
+ *
+ * Profiles let one operator hold credentials for several organizations at
+ * once (a consultant working across client CRMs). The default profile keeps
+ * the historical layout; a named profile scopes the entire home — credentials
+ * AND stored plans — under `profiles/<name>/`, so a patch plan proposed
+ * against one client's CRM can never be applied through another client's
+ * credentials.
  */
+export declare const DEFAULT_PROFILE = "default";
+export declare function validateProfileName(name: string): string;
+/** Select the profile for this process; wins over $FULLSTACKGTM_PROFILE. */
+export declare function setActiveProfile(name: string): void;
+export declare function activeProfile(): string;
+/** Base home directory, shared by every profile. */
+export declare function baseHomeDir(): string;
+/**
+ * Profiles that exist on disk (have a directory), always including the
+ * default profile. Existence does not imply stored credentials.
+ */
+export declare function listProfiles(): string[];
 export type StoredCredential = {
     kind: "private_app" | "oauth" | "broker";
     accessToken: string;

package/dist/credentials.js

@@ -1,11 +1,66 @@
-import { chmodSync, existsSync, mkdirSync, readFileSync, unlinkSync, writeFileSync, } from "node:fs";
+import { chmodSync, existsSync, mkdirSync, readdirSync, readFileSync, unlinkSync, writeFileSync, } from "node:fs";
 import { homedir } from "node:os";
 import { join } from "node:path";
 import { refreshHubspotToken } from "./connectors/hubspotAuth.js";
 import { refreshSalesforceToken } from "./connectors/salesforceAuth.js";
-export function credentialsDir() {
+/**
+ * Local CLI credential store: ~/.fullstackgtm/credentials.json (0600), or
+ * $FSGTM_HOME/credentials.json when set. Environment tokens always win over
+ * stored credentials so CI and agent sandboxes never touch the filesystem.
+ *
+ * Profiles let one operator hold credentials for several organizations at
+ * once (a consultant working across client CRMs). The default profile keeps
+ * the historical layout; a named profile scopes the entire home — credentials
+ * AND stored plans — under `profiles/<name>/`, so a patch plan proposed
+ * against one client's CRM can never be applied through another client's
+ * credentials.
+ */
+export const DEFAULT_PROFILE = "default";
+const PROFILE_NAME_PATTERN = /^[A-Za-z0-9][A-Za-z0-9._-]{0,63}$/;
+let explicitProfile = null;
+export function validateProfileName(name) {
+    if (!PROFILE_NAME_PATTERN.test(name) || name === "." || name === "..") {
+        throw new Error(`Invalid profile name: ${JSON.stringify(name)}. Use letters, numbers, dots, dashes, ` +
+            "or underscores (must start with a letter or number, max 64 characters).");
+    }
+    return name;
+}
+/** Select the profile for this process; wins over $FULLSTACKGTM_PROFILE. */
+export function setActiveProfile(name) {
+    explicitProfile = validateProfileName(name);
+}
+export function activeProfile() {
+    if (explicitProfile)
+        return explicitProfile;
+    const fromEnv = process.env.FULLSTACKGTM_PROFILE;
+    return fromEnv ? validateProfileName(fromEnv) : DEFAULT_PROFILE;
+}
+/** Base home directory, shared by every profile. */
+export function baseHomeDir() {
     return process.env.FSGTM_HOME ?? join(homedir(), ".fullstackgtm");
 }
+/**
+ * Profiles that exist on disk (have a directory), always including the
+ * default profile. Existence does not imply stored credentials.
+ */
+export function listProfiles() {
+    const names = new Set([DEFAULT_PROFILE]);
+    try {
+        for (const entry of readdirSync(join(baseHomeDir(), "profiles"), { withFileTypes: true })) {
+            if (entry.isDirectory() && PROFILE_NAME_PATTERN.test(entry.name))
+                names.add(entry.name);
+        }
+    }
+    catch {
+        // No profiles directory yet.
+    }
+    return Array.from(names).sort();
+}
+export function credentialsDir() {
+    const base = baseHomeDir();
+    const profile = activeProfile();
+    return profile === DEFAULT_PROFILE ? base : join(base, "profiles", profile);
+}
 export function credentialsPath() {
     return join(credentialsDir(), "credentials.json");
 }
@@ -18,12 +73,18 @@ export function credentialsPath() {
  */
 export function ensureSecureHomeDir() {
     const dir = credentialsDir();
-    mkdirSync(dir, { recursive: true, mode: 0o700 });
-    try {
-        chmodSync(dir, 0o700);
-    }
-    catch {
-        // Non-POSIX filesystems (e.g. Windows) ignore chmod; nothing to enforce.
+    // A named profile nests under base/profiles/<name>; lock down every level
+    // we create, not just the leaf — recursive mkdir applies `mode` (less
+    // umask) only to directories it creates, and never to pre-existing ones.
+    const levels = dir === baseHomeDir() ? [dir] : [baseHomeDir(), join(baseHomeDir(), "profiles"), dir];
+    for (const level of levels) {
+        mkdirSync(level, { recursive: true, mode: 0o700 });
+        try {
+            chmodSync(level, 0o700);
+        }
+        catch {
+            // Non-POSIX filesystems (e.g. Windows) ignore chmod; nothing to enforce.
+        }
     }
     return dir;
 }

package/dist/index.d.ts

@@ -6,13 +6,15 @@ export { DEFAULT_LOOPBACK_PORT, DEFAULT_OAUTH_SCOPES, exchangeHubspotCode, refre
 export { createSalesforceConnector, type SalesforceConnection, type SalesforceConnectorOptions, } from "./connectors/salesforce.ts";
 export { pollSalesforceDeviceLogin, refreshSalesforceToken, startSalesforceDeviceLogin, validateSalesforceToken, type SalesforceDeviceAuthorization, type SalesforceTokenSet, } from "./connectors/salesforceAuth.ts";
 export { createStripeConnector, type StripeConnectorOptions } from "./connectors/stripe.ts";
-export { credentialsDir, credentialsPath, deleteCredential, getCredential, resolveHubspotAccessToken, resolveHubspotConnection, storeCredential, type HubspotConnection, type StoredCredential, } from "./credentials.ts";
+export { activeProfile, credentialsDir, credentialsPath, DEFAULT_PROFILE, deleteCredential, getCredential, listProfiles, resolveHubspotAccessToken, resolveHubspotConnection, setActiveProfile, storeCredential, type HubspotConnection, type StoredCredential, } from "./credentials.ts";
 export { generateDemoSnapshot, type DemoSnapshotOptions } from "./demo.ts";
 export { diffFindings, diffSnapshots, diffToMarkdown, type CollectionDiff, type FieldChange, type FindingsDrift, type RecordChange, type SnapshotDiff, } from "./diff.ts";
 export { mergeSnapshots, type MergeConflict, type MergeMatch, type MergeReport, type MergeSuggestion, } from "./merge.ts";
 export { createFilePlanStore, type PlanStore, type StoredPlan } from "./planStore.ts";
 export { formatPatchPlanRun, patchPlanToMarkdown } from "./format.ts";
+export { auditReportToHtml, auditReportToMarkdown, type ReportOptions } from "./report.ts";
 export { HUBSPOT_DEFAULT_FIELD_MAPPINGS, SALESFORCE_DEFAULT_FIELD_MAPPINGS, mappedField, mappedFields, normalizeFieldMappings, readMappedValue, type CrmObjectType, type FieldMappings, } from "./mappings.ts";
-export { accountSingleSourceRule, activeDealAccountWithoutContactsRule, auditFindingId, buildSnapshotIndex, builtinAuditRules, closingSoonInactiveRule, duplicateAccountDomainRule, duplicateContactEmailRule, missingDealAccountRule, missingDealAmountRule, missingDealOwnerRule, orphanAccountRule, pastCloseDateRule, patchOperationId, requiresHumanInput, staleDealRule, } from "./rules.ts";
+export { accountSingleSourceRule, activeDealAccountWithoutContactsRule, auditFindingId, buildSnapshotIndex, builtinAuditRules, closingSoonInactiveRule, duplicateAccountDomainRule, duplicateContactEmailRule, duplicateOpenDealRule, missingDealAccountRule, missingDealAmountRule, missingDealOwnerRule, orphanAccountRule, pastCloseDateRule, patchOperationId, requiresHumanInput, staleDealRule, } from "./rules.ts";
 export { sampleSnapshot } from "./sampleData.ts";
+export { suggestValues, type SuggestionConfidence, type ValueSuggestion } from "./suggest.ts";
 export type { ApprovalStatus, AuditFinding, AuditFindingSeverity, CanonicalAccount, CanonicalActivity, CanonicalContact, CanonicalDeal, CanonicalGtmSnapshot, CanonicalUser, CrmProvider, GtmAuditRule, GtmConnector, GtmEvidence, GtmEvidenceSourceSystem, GtmObjectType, GtmPolicy, GtmRuleContext, GtmRuleResult, GtmSnapshotIndex, PatchOperation, PatchOperationResult, PatchOperationType, PatchPlan, PatchPlanRun, PatchPlanRunStatus, PatchVerification, PipelineFinding, PipelineFindingStatus, PipelineFindingType, ProviderIdentity, RiskLevel, SourceFreshness, } from "./types.ts";

package/dist/index.js

@@ -6,12 +6,14 @@ export { DEFAULT_LOOPBACK_PORT, DEFAULT_OAUTH_SCOPES, exchangeHubspotCode, refre
 export { createSalesforceConnector, } from "./connectors/salesforce.js";
 export { pollSalesforceDeviceLogin, refreshSalesforceToken, startSalesforceDeviceLogin, validateSalesforceToken, } from "./connectors/salesforceAuth.js";
 export { createStripeConnector } from "./connectors/stripe.js";
-export { credentialsDir, credentialsPath, deleteCredential, getCredential, resolveHubspotAccessToken, resolveHubspotConnection, storeCredential, } from "./credentials.js";
+export { activeProfile, credentialsDir, credentialsPath, DEFAULT_PROFILE, deleteCredential, getCredential, listProfiles, resolveHubspotAccessToken, resolveHubspotConnection, setActiveProfile, storeCredential, } from "./credentials.js";
 export { generateDemoSnapshot } from "./demo.js";
 export { diffFindings, diffSnapshots, diffToMarkdown, } from "./diff.js";
 export { mergeSnapshots, } from "./merge.js";
 export { createFilePlanStore } from "./planStore.js";
 export { formatPatchPlanRun, patchPlanToMarkdown } from "./format.js";
+export { auditReportToHtml, auditReportToMarkdown } from "./report.js";
 export { HUBSPOT_DEFAULT_FIELD_MAPPINGS, SALESFORCE_DEFAULT_FIELD_MAPPINGS, mappedField, mappedFields, normalizeFieldMappings, readMappedValue, } from "./mappings.js";
-export { accountSingleSourceRule, activeDealAccountWithoutContactsRule, auditFindingId, buildSnapshotIndex, builtinAuditRules, closingSoonInactiveRule, duplicateAccountDomainRule, duplicateContactEmailRule, missingDealAccountRule, missingDealAmountRule, missingDealOwnerRule, orphanAccountRule, pastCloseDateRule, patchOperationId, requiresHumanInput, staleDealRule, } from "./rules.js";
+export { accountSingleSourceRule, activeDealAccountWithoutContactsRule, auditFindingId, buildSnapshotIndex, builtinAuditRules, closingSoonInactiveRule, duplicateAccountDomainRule, duplicateContactEmailRule, duplicateOpenDealRule, missingDealAccountRule, missingDealAmountRule, missingDealOwnerRule, orphanAccountRule, pastCloseDateRule, patchOperationId, requiresHumanInput, staleDealRule, } from "./rules.js";
 export { sampleSnapshot } from "./sampleData.js";
+export { suggestValues } from "./suggest.js";

package/dist/mcp.js

@@ -45,6 +45,7 @@ import { generateDemoSnapshot } from "./demo.js";
 import { formatPatchPlanRun, patchPlanToMarkdown } from "./format.js";
 import { builtinAuditRules } from "./rules.js";
 import { sampleSnapshot } from "./sampleData.js";
+import { suggestValues } from "./suggest.js";
 function content(value) {
     return {
         content: [
@@ -140,6 +141,21 @@ export async function startMcpServer() {
         const plan = auditSnapshot(await readSnapshot(provider, inputPath), policy, selected);
         return content(output === "markdown" ? patchPlanToMarkdown(plan) : plan);
     });
+    server.registerTool("fullstackgtm_suggest", {
+        title: "Suggest Placeholder Values",
+        description: "Derive values for a plan's requires_human_* placeholder operations from snapshot " +
+            "evidence (account-name matching, contact associations), with confidence levels and " +
+            "reasons. Read-only; feed accepted values into fullstackgtm_apply's valueOverrides.",
+        inputSchema: {
+            planPath: z.string(),
+            provider: z.enum(["sample", "demo", "hubspot", "salesforce", "stripe"]).optional(),
+            inputPath: z.string().optional(),
+        },
+    }, async ({ planPath, provider, inputPath }) => {
+        const plan = JSON.parse(readFileSync(resolve(process.cwd(), planPath), "utf8"));
+        const snapshot = await readSnapshot(provider, inputPath);
+        return content({ suggestions: suggestValues(plan, snapshot) });
+    });
     server.registerTool("fullstackgtm_rules", {
         title: "List Audit Rules",
         description: "List the built-in deterministic audit rules with ids and descriptions.",

package/dist/merge.d.ts

@@ -42,6 +42,7 @@ export type MergeReport = {
     conflicts: MergeConflict[];
     suggestions: MergeSuggestion[];
 };
+export declare function normalizeDomain(domain?: string): string | undefined;
 export declare function mergeSnapshots(snapshots: CanonicalGtmSnapshot[]): {
     snapshot: CanonicalGtmSnapshot;
     report: MergeReport;

package/dist/merge.js

@@ -1,7 +1,7 @@
 const CONFLICT_IGNORED_FIELDS = new Set([
     "id", "provider", "crmId", "identities", "raw", "lastSyncAt", "lastActivityAt", "ownerId", "accountId",
 ]);
-function normalizeDomain(domain) {
+export function normalizeDomain(domain) {
     if (!domain)
         return undefined;
     return domain.trim().toLowerCase().replace(/^https?:\/\//, "").replace(/^www\./, "").replace(/\/.*$/, "") || undefined;

package/dist/report.d.ts

@@ -0,0 +1,61 @@
+import type { AuditFinding, AuditFindingSeverity, CanonicalGtmSnapshot, GtmAuditRule, PatchPlan } from "./types.ts";
+/**
+ * Client-ready rendering of an audit patch plan: the same findings the CLI
+ * prints for operators, reshaped for the person who owns the CRM — counts up
+ * front, prose summary, per-rule detail with capped examples, and next steps.
+ * Deterministic: identical plan + options produce identical output, so a
+ * report can be regenerated and diffed across engagements.
+ */
+export type ReportOptions = {
+    /** Report heading (default "GTM Data Health Report"). */
+    title?: string;
+    /** Organization the report is about; shown in the heading and summary. */
+    clientName?: string;
+    /** Attribution line in the footer (e.g. a consultancy or team name). */
+    preparedBy?: string;
+    /** Report date (YYYY-MM-DD); defaults to the plan's creation date (UTC). */
+    date?: string;
+    /** Example records listed per rule before truncating (default 10). */
+    maxExamplesPerRule?: number;
+    /** Rule metadata used for section titles, descriptions, and categories. */
+    rules?: GtmAuditRule[];
+    /** Snapshot the plan was generated from; enables record counts and rates. */
+    snapshot?: CanonicalGtmSnapshot;
+};
+type RuleSection = {
+    ruleId: string;
+    title: string;
+    description?: string;
+    category: string;
+    severity: AuditFindingSeverity;
+    findings: AuditFinding[];
+};
+type ReportModel = {
+    title: string;
+    clientName?: string;
+    preparedBy?: string;
+    date: string;
+    provider?: string;
+    recordCounts?: {
+        label: string;
+        count: number;
+    }[];
+    totalRecords?: number;
+    severityCounts: Record<AuditFindingSeverity, number>;
+    affectedRecords: number;
+    sections: RuleSection[];
+    maxExamplesPerRule: number;
+    operationCount: number;
+    humanInputOperationCount: number;
+    recordLabels: Map<string, string>;
+    summaryText: string;
+};
+export declare function buildReportModel(plan: PatchPlan, options?: ReportOptions): ReportModel;
+export declare function auditReportToMarkdown(plan: PatchPlan, options?: ReportOptions): string;
+/**
+ * Self-contained HTML (inline styles, no external assets) so the file can be
+ * emailed or dropped into a shared drive and render anywhere, including
+ * print-to-PDF.
+ */
+export declare function auditReportToHtml(plan: PatchPlan, options?: ReportOptions): string;
+export {};