fullstackgtm 0.13.1 → 0.14.1

package/CHANGELOG.md

@@ -5,6 +5,61 @@ The format follows [Keep a Changelog](https://keepachangelog.com/en/1.1.0/),
 and the project adheres to [Semantic Versioning](https://semver.org/).
 The path to 1.0 is planned in [docs/roadmap-to-1.0.md](./docs/roadmap-to-1.0.md).
 
+## [0.14.1] — 2026-06-11
+
+Fixes from the 0.14.0 journey verification (4 agents, 21 checks).
+
+### Fixed
+
+- **`call score` no longer suggests a flag it rejects**: the keyless error
+  said "pass --deterministic" but score has no non-LLM mode — its error now
+  says exactly that. Rubric files are also validated *before* the
+  credential check (keyless users see rubric errors), and a non-JSON rubric
+  names the file and the expected shape instead of a raw parse error.
+- **NDJSON rows carry `extractor`** — LLM and deterministic rows were
+  per-row indistinguishable in warehouse loads, contradicting the
+  provenance claim. (Docs wording was right at the parse-result and
+  evidence level; now it is true per-row too.)
+- **`call … --help` prints help** instead of being shadowed by argument
+  and credential checks.
+- `login anthropic|openai` gets the same explicit argv-secret rejection
+  (`--token`/`--key`/`--api-key`) as the CRM providers.
+
+## [0.14.0] — 2026-06-11
+
+LLM-powered call intelligence, bring-your-own-key. The dry-run replications
+of two real client pipelines proved the deterministic baseline is an
+analytics floor, not what call workflows actually run on — so the no-LLM
+guardrail is consciously retired for the `call` commands (and only there).
+
+### Added
+
+- **LLM extraction is the default for `call parse`** — constrained tool
+  calls against Anthropic (default claude-haiku-4-5) or OpenAI (default
+  gpt-4o-mini) via raw fetch, no SDK dependency. Mandatory verbatim-quote
+  evidence; next steps carry owner/deadline/commitment; every insight is
+  provenance-marked (`extractor: "llm:<provider>:<model>"` vs
+  `"deterministic"`). `--deterministic` keeps the free keyword baseline.
+- **First-touch key onboarding**: the first LLM command without a key (TTY)
+  explains, captures the key via muted prompt/stdin, auto-detects the
+  provider from the prefix, validates it against the provider's API, and
+  stores it 0600 in the credential store. Non-interactive contexts get an
+  actionable error, never a prompt. Also: `fullstackgtm login anthropic|openai`
+  and `logout`, and a `doctor` row showing LLM key status.
+- **`fullstackgtm call score`**: rubric-driven coaching scorecards —
+  built-in five-dimension rubric or `--rubric rubric.json`
+  ({ scale, dimensions: [{ name, weight, rubric }] }); per-dimension
+  verbatim evidence + coaching notes; the weighted overall is computed
+  deterministically client-side. Markdown table or `--json`.
+- **MCP `fullstackgtm_call_parse` gains `extractor: auto|llm|deterministic`**
+  (auto uses a key when the server has one, else the baseline) and `--model`.
+
+### Security
+
+- LLM keys follow the same discipline as CRM secrets: stdin/prompt only,
+  never argv; 0600 store; provider error bodies never echoed (status line
+  only); keys go directly to api.anthropic.com / api.openai.com.
+
 ## [0.13.1] — 2026-06-11
 
 ### Fixed

package/INSTALL_FOR_AGENTS.md

@@ -49,6 +49,12 @@ In an agent sandbox, prefer rung 1 or 2. Never echo tokens into argv —
 environments — login flows then print verification URLs instead of opening
 the OS browser.
 
+LLM calls (`call parse`, `call score`): set `ANTHROPIC_API_KEY` or
+`OPENAI_API_KEY` in the environment, or have the human run
+`echo "$KEY" | fullstackgtm login anthropic` once. Without a key, use
+`call parse --deterministic` (free keyword baseline, no prompt). In
+non-interactive contexts the CLI never prompts — it fails with this guidance.
+
 Provider prerequisites (what the human must create, and which scopes) are in
 the README's **"Connect your CRM"** section: HubSpot needs a private app with
 four `crm.objects.*.read` scopes (plus write scopes only for `apply`);

package/README.md

@@ -49,22 +49,30 @@ Nothing is ever written without an explicit `--approve`. Operations whose value
 
 ## Call workflows: calls become governed evidence
 
-Calls are where pipeline truth lives. `call parse` normalizes any transcript dialect — `Speaker: text` lines (Fathom, Gong exports), `[Speaker]:` labels, or raw Granola utterance JSON — into canonical segments, deterministic keyword-derived insights (next steps, objections, pricing, risks, competitor mentions…), and `GtmEvidence` records, all LLM-free and byte-stable per transcript. `call link` answers "which deal was this call about" from attendee domains (account domain or contact emails → open deals, most recent activity first, with confidence + reason). `call plan` turns next-step insights into the same governed plan lifecycle as everything else.
+Calls are where pipeline truth lives. `call parse` normalizes any transcript dialect — `Speaker: text` lines (Fathom, Gong exports), `[Speaker]:` labels, or raw Granola utterance JSON — into canonical segments, insights, and `GtmEvidence` records.
+
+**Extraction is LLM-powered by default, with your own key.** The first time you run `call parse` or `call score`, the CLI asks for an Anthropic or OpenAI API key (auto-detected from the prefix), validates it against the provider, and stores it in the 0600 credential store — same treatment as CRM logins. Or skip the prompt: set `ANTHROPIC_API_KEY`/`OPENAI_API_KEY`, or `echo "$KEY" | fullstackgtm login anthropic` (or `openai`). The key talks directly to your provider — raw fetch, no SDK, no middleman. `--model` overrides the defaults (claude-haiku-4-5 / gpt-4o-mini). LLM insights carry verbatim-quote evidence and, for next steps, owner/deadline/commitment. Pass `--deterministic` for the free, instant, byte-stable keyword baseline (no key needed — right for CI and warehouse bulk loads). Every insight is provenance-marked (`extractor: "llm:anthropic:…"` vs `"deterministic"`).
+
+**`call score`** rates the call against a coaching rubric — five built-in dimensions (discovery, next steps, stakeholders, value, objections) or your own via `--rubric rubric.json` (`{ scale, dimensions: [{ name, weight, rubric }] }`); the weighted overall is computed deterministically client-side, every dimension score is evidence-quoted, and the rubric file is where your client-specific coaching framework lives.
+
+`call link` answers "which deal was this call about" from attendee domains (account domain or contact emails → open deals, most recent activity first, with confidence + reason). `call plan` turns next-step insights into the same governed plan lifecycle as everything else.
 
 ```bash
-# Coaching/score pipeline (Slack + CRM): parse → link → govern the writeback
-fullstackgtm call parse --transcript call.txt --title "Acme disco" --out parsed.json
-fullstackgtm call link --attendees jane@acme.com --provider hubspot          # → deal id + reason
+# Coaching pipeline (Slack + CRM): parse → score → link → govern the writeback
+fullstackgtm call parse --transcript call.txt --title "Acme disco" --out parsed.json   # LLM extraction
+fullstackgtm call score --call parsed.json --rubric team-rubric.json                   # evidence-quoted scorecard
+fullstackgtm call link --attendees jane@acme.com --provider hubspot                    # → deal id + reason
 fullstackgtm call plan --call parsed.json --deal 123 --provider hubspot --save
 # review → plans approve → apply: deal.next_step + follow-up tasks, compare-and-set protected
-# (LLM scoring/extraction stays in your own pipeline; pipe parsed.json into it and into Slack)
+# (pipe the parse/score JSON into Slack/Notion however you like)
 
 # Analytics pipeline (warehouse): one flat NDJSON row per insight
-for t in transcripts/*; do fullstackgtm call parse --transcript "$t" --ndjson; done > insights.ndjson
+for t in transcripts/*; do fullstackgtm call parse --transcript "$t" --ndjson --deterministic; done > insights.ndjson
+# free keyword baseline for bulk loads; drop --deterministic for LLM-quality rows
 # COPY into your warehouse (stable call/evidence ids make reloads idempotent)
 ```
 
-The deliberate boundary: parsing, linking, and governed writeback are deterministic CLI primitives; LLM scoring, rubric extraction, and Slack/Notion/warehouse sinks are *your* pipeline, composed around the JSON.
+The boundary that remains: Slack/Notion/warehouse sinks are *your* pipeline, composed around the JSON — and your rubrics and keys stay yours.
 
 ## From findings to fixes: the suggest chain
 

package/dist/calls.d.ts

@@ -36,6 +36,8 @@ export type ParsedCall = {
     id: string;
     title?: string;
     sourceSystem: GtmEvidenceSourceSystem;
+    /** What produced the insights: "deterministic" or "llm:<provider>:<model>". */
+    extractor: string;
     segments: ParsedTranscriptSegment[];
     insights: ExtractedCallInsight[];
     evidence: GtmEvidence[];
@@ -52,6 +54,9 @@ export declare function parseCall(raw: string, options?: {
     title?: string;
     sourceSystem?: GtmEvidenceSourceSystem;
     capturedAt?: string;
+    /** Pre-extracted insights (e.g. LLM); skips the deterministic extractor. */
+    insights?: ExtractedCallInsight[];
+    extractor?: string;
 }): ParsedCall;
 export type CallDealSuggestion = {
     dealId: string | null;

package/dist/calls.js

@@ -246,7 +246,7 @@ export function normalizeTranscript(raw) {
 export function parseCall(raw, options = {}) {
     const normalized = normalizeTranscript(raw);
     const segments = parseTranscript(normalized);
-    const insights = extractCallInsights(normalized, segments);
+    const insights = options.insights ?? extractCallInsights(normalized, segments);
     const sourceSystem = options.sourceSystem ?? "manual";
     const id = `call_${callHash(normalized)}`;
     const evidence = insights.map((insight, index) => ({
@@ -258,6 +258,7 @@ export function parseCall(raw, options = {}) {
         text: insight.evidence,
         capturedAt: options.capturedAt,
         metadata: {
+            extractor: options.extractor ?? "deterministic",
             insightType: insight.type,
             speaker: insight.speaker,
             confidence: insight.confidence,
@@ -269,6 +270,7 @@ export function parseCall(raw, options = {}) {
         id,
         title: options.title,
         sourceSystem,
+        extractor: options.extractor ?? "deterministic",
         segments,
         insights,
         evidence,

package/dist/cli.d.ts

@@ -1,3 +1,4 @@
+import { type LlmProvider } from "./llm.ts";
 type ProviderDoctorStatus = {
     source: "env" | "stored" | "broker" | "none";
     detail: string;
@@ -29,6 +30,17 @@ export declare function doctorReport(env?: Record<string, string | undefined>):
         paired: boolean;
         baseUrl?: undefined;
     };
+    llm: {
+        configured: boolean;
+        provider: LlmProvider;
+        source: "env" | "stored";
+        detail?: undefined;
+    } | {
+        configured: boolean;
+        detail: string;
+        provider?: undefined;
+        source?: undefined;
+    };
     mcp: {
         peersInstalled: boolean;
         missing: string[];

package/dist/cli.js

@@ -17,7 +17,8 @@ import { createFilePlanStore } from "./planStore.js";
 import { auditReportToHtml, auditReportToMarkdown } from "./report.js";
 import { builtinAuditRules } from "./rules.js";
 import { sampleSnapshot } from "./sampleData.js";
-import { parseCall, suggestCallDeal } from "./calls.js";
+import { normalizeTranscript, parseCall, suggestCallDeal } from "./calls.js";
+import { DEFAULT_RUBRIC, detectProviderFromKey, extractInsightsLlm, parseRubric, resolveLlmCredential, scoreCallLlm, validateLlmKey, } from "./llm.js";
 import { suggestValues } from "./suggest.js";
 function usage() {
     return `FullStackGTM — audit GTM data across providers, propose reviewable patch plans,
@@ -30,7 +31,7 @@ Usage:
   fullstackgtm login salesforce --device --client-id <consumer key> [--login-url <url>]
   fullstackgtm login salesforce --instance-url <url> [--no-validate]
   fullstackgtm login stripe [--no-validate]
-  fullstackgtm logout <hubspot|salesforce|stripe|broker>
+  fullstackgtm login anthropic | openai        store an LLM API key for call parse/score\n  fullstackgtm logout <hubspot|salesforce|stripe|anthropic|openai|broker>
 
   Secrets (tokens, client secrets) are NEVER passed as flags — they leak via
   the process list and shell history. Pipe them on stdin or enter them at the
@@ -41,11 +42,15 @@ Usage:
   fullstackgtm report [source options] [audit options] [report options]
   fullstackgtm diff --before <a.json> --after <b.json> [--json] [--fail-on-new-findings]
   fullstackgtm merge --input <a.json> --input <b.json> [...] --out <merged.json> [--json]
-  fullstackgtm call parse --transcript <file> [--title t] [--source fathom|granola|...] [--json|--ndjson] [--out <path>]
+  fullstackgtm call parse --transcript <file> [--title t] [--source fathom|granola|...] [--model m] [--deterministic] [--json|--ndjson] [--out <path>]
+  fullstackgtm call score --transcript <file>|--call <parsed.json> [--rubric <rubric.json>] [--model m] [--json|--out <path>]
   fullstackgtm call link --attendees <a@x.com,...> | --domain <x.com>  [source options] [--json]
   fullstackgtm call plan --transcript <file>|--call <parsed.json> --deal <id> [source options] [--save|--json]
-                                               calls become evidence: parse dialects (Speaker:/[Me]/Granola JSON),
-                                               link to the right deal, and propose governed next-step writes
+                                               calls become evidence: LLM extraction by default (bring your own
+                                               Anthropic or OpenAI key — captured once on first use, or
+                                               ANTHROPIC_API_KEY/OPENAI_API_KEY, or \`login anthropic|openai\`);
+                                               --deterministic uses the free keyword baseline. Then link the call
+                                               to its deal and propose governed next-step writes.
   fullstackgtm suggest --plan-id <id> | --plan <path>  [source options] [--json] [--out <path>]
                                                derive values for requires_human_* placeholders
                                                from snapshot evidence, with confidence + reasons
@@ -413,7 +418,18 @@ function parseValueOverrides(args) {
 }
 async function callCommand(args) {
     const [subcommand, ...rest] = args;
-    const loadParsedCall = () => {
+    if (args.includes("--help") || args.includes("-h")) {
+        console.log(`call parse --transcript <file> [--title t] [--source s] [--model m] [--deterministic] [--json|--ndjson] [--out <path>]
+call score --transcript <file>|--call <parsed.json> [--rubric <rubric.json>] [--model m] [--json|--out <path>]
+call link --attendees <a@x.com,...> | --domain <x.com>  [source options] [--json]
+call plan --transcript <file>|--call <parsed.json> --deal <id> [source options] [--save|--json]
+
+parse/score default to LLM extraction (Anthropic or OpenAI key via env,
+\`login anthropic|openai\`, or a one-time prompt). parse --deterministic is
+the free keyword baseline; score always needs a key (scoring is LLM work).`);
+        return;
+    }
+    const loadParsedCall = async () => {
         const callPath = option(rest, "--call");
         if (callPath) {
             return JSON.parse(readFileSync(resolve(process.cwd(), callPath), "utf8"));
@@ -423,14 +439,30 @@ async function callCommand(args) {
             throw new Error(`call ${subcommand} requires --transcript <file> or --call <parsed.json>`);
         const raw = readFileSync(resolve(process.cwd(), transcriptPath), "utf8");
         const source = option(rest, "--source");
-        return parseCall(raw, {
+        const base = {
             title: option(rest, "--title") ?? undefined,
             sourceSystem: source,
             capturedAt: new Date().toISOString(),
+        };
+        if (rest.includes("--deterministic")) {
+            return parseCall(raw, base);
+        }
+        // LLM extraction is the default: bring-your-own-key (Anthropic or OpenAI).
+        const credential = await requireLlmCredential();
+        const normalized = normalizeTranscript(raw);
+        const { insights, model } = await extractInsightsLlm(normalized, {
+            ...credential,
+            model: option(rest, "--model") ?? undefined,
+            title: base.title,
+        });
+        return parseCall(raw, {
+            ...base,
+            insights,
+            extractor: `llm:${credential.provider}:${model}`,
         });
     };
     if (subcommand === "parse") {
-        const parsed = loadParsedCall();
+        const parsed = await loadParsedCall();
         const outPath = option(rest, "--out");
         if (outPath)
             writeFileSync(resolve(process.cwd(), outPath), `${JSON.stringify(parsed, null, 2)}\n`);
@@ -441,6 +473,7 @@ async function callCommand(args) {
                     call_id: parsed.id,
                     call_title: parsed.title ?? null,
                     source_system: parsed.sourceSystem,
+                    extractor: parsed.extractor,
                     type: insight.type,
                     title: insight.title,
                     text: insight.text,
@@ -490,7 +523,7 @@ async function callCommand(args) {
         const dealId = option(rest, "--deal");
         if (!dealId)
             throw new Error("call plan requires --deal <dealId> (use `call link` to find it)");
-        const parsed = loadParsedCall();
+        const parsed = await loadParsedCall();
         const snapshot = await readSnapshot(rest);
         const deal = snapshot.deals.find((row) => row.id === dealId);
         if (!deal)
@@ -512,7 +545,105 @@ async function callCommand(args) {
         console.log(rest.includes("--json") ? JSON.stringify(plan, null, 2) : patchPlanToMarkdown(plan));
         return;
     }
-    throw new Error(`call supports: parse, link, plan (got ${subcommand ?? "nothing"})`);
+    if (subcommand === "score") {
+        // Rubric problems surface before any credential or API work.
+        const rubricPath = option(rest, "--rubric");
+        let rubric = DEFAULT_RUBRIC;
+        if (rubricPath) {
+            const rubricRaw = readFileSync(resolve(process.cwd(), rubricPath), "utf8");
+            try {
+                rubric = parseRubric(rubricRaw);
+            }
+            catch (error) {
+                throw new Error(`${rubricPath} is not a valid rubric: ${error instanceof Error ? error.message : String(error)} Expected JSON like { "scale": 5, "dimensions": [{ "name": "...", "weight": 1, "rubric": "..." }] }.`);
+            }
+        }
+        const credential = await requireLlmCredential("score");
+        const transcriptPath = option(rest, "--transcript");
+        let transcriptText;
+        let title = option(rest, "--title") ?? undefined;
+        if (transcriptPath) {
+            transcriptText = normalizeTranscript(readFileSync(resolve(process.cwd(), transcriptPath), "utf8"));
+        }
+        else {
+            const callPath = option(rest, "--call");
+            if (!callPath)
+                throw new Error("call score requires --transcript <file> or --call <parsed.json>");
+            const parsed = JSON.parse(readFileSync(resolve(process.cwd(), callPath), "utf8"));
+            transcriptText = parsed.segments
+                .map((segment) => (segment.speaker ? `${segment.speaker}: ${segment.text}` : segment.text))
+                .join("\n");
+            title = title ?? parsed.title;
+        }
+        const scorecard = await scoreCallLlm(transcriptText, rubric, {
+            ...credential,
+            model: option(rest, "--model") ?? undefined,
+            title,
+        });
+        const outPath = option(rest, "--out");
+        if (outPath)
+            writeFileSync(resolve(process.cwd(), outPath), `${JSON.stringify(scorecard, null, 2)}\n`);
+        if (rest.includes("--json")) {
+            console.log(JSON.stringify(scorecard, null, 2));
+            return;
+        }
+        console.log(renderScorecard(scorecard, title));
+        return;
+    }
+    throw new Error(`call supports: parse, link, plan, score (got ${subcommand ?? "nothing"})`);
+}
+/**
+ * First-touch key onboarding: env vars win, then the credential store; on a
+ * TTY a missing key is captured once (validated, stored 0600 like provider
+ * logins). Non-interactive contexts get an actionable error instead.
+ */
+async function requireLlmCredential(command = "parse") {
+    const resolved = resolveLlmCredential();
+    if (resolved)
+        return resolved;
+    // Scoring is inherently LLM work — there is no keyword fallback to suggest.
+    const fallbackHint = command === "parse" ? ", or pass --deterministic for the free keyword baseline" : " (call score has no non-LLM mode)";
+    if (!process.stdin.isTTY) {
+        throw new Error(`LLM ${command === "score" ? "scoring" : "extraction"} needs an API key. Set ANTHROPIC_API_KEY or OPENAI_API_KEY, or run \`echo "$KEY" | fullstackgtm login anthropic\` (or \`login openai\`) once${fallbackHint}.`);
+    }
+    console.error("LLM parsing needs an API key (Anthropic or OpenAI) — yours, used directly with the provider.");
+    console.error(`Paste it once; it is validated and stored at ${credentialsPath()} (file mode 0600), like CRM logins.`);
+    console.error("(Alternatives: set ANTHROPIC_API_KEY / OPENAI_API_KEY, or pass --deterministic for the free keyword baseline.)\n");
+    const apiKey = await readSecret("API key (sk-ant-... or sk-...): ");
+    const provider = detectProviderFromKey(apiKey);
+    const validation = await validateLlmKey(provider, apiKey);
+    if (!validation.ok)
+        throw new Error(`${provider} rejected the key: ${validation.detail}`);
+    const now = new Date().toISOString();
+    storeCredential(provider, { kind: "api_key", accessToken: apiKey, createdAt: now, updatedAt: now });
+    console.error(`Stored ${provider} key (${validation.detail}). Future runs use it automatically; remove with \`fullstackgtm logout ${provider}\`.\n`);
+    return { provider, apiKey };
+}
+function renderScorecard(scorecard, title) {
+    const lines = [
+        `# Coaching Scorecard${title ? ` — ${title}` : ""}`,
+        "",
+        `**Overall: ${scorecard.overallScore}/${scorecard.scale}** (model: ${scorecard.model})`,
+        "",
+        "| Dimension | Score | | Coaching note |",
+        "| --- | --- | --- | --- |",
+    ];
+    for (const dim of scorecard.dimensions) {
+        const filled = Math.round((dim.score / dim.maxScore) * 5);
+        const bar = "█".repeat(filled) + "░".repeat(5 - filled);
+        lines.push(`| ${dim.name} | ${dim.score}/${dim.maxScore} | ${bar} | ${dim.coachingNote} |`);
+    }
+    if (scorecard.highlights.length) {
+        lines.push("", "**Highlights**");
+        for (const h of scorecard.highlights)
+            lines.push(`- ${h}`);
+    }
+    if (scorecard.missedItems.length) {
+        lines.push("", "**Missed**");
+        for (const m of scorecard.missedItems)
+            lines.push(`- ${m}`);
+    }
+    return lines.join("\n");
 }
 function buildCallPlan(parsed, deal, proposed, current, extraNextSteps) {
     const findings = [];
@@ -1067,8 +1198,24 @@ async function login(args) {
         console.log(`Logged in to Stripe. Credentials stored in ${credentialsPath()}.`);
         return;
     }
+    if (provider === "anthropic" || provider === "openai") {
+        rejectArgvSecret(args, "--token", "--key", "--api-key");
+        const key = await readSecret(`${provider} API key (${provider === "anthropic" ? "sk-ant-..." : "sk-..."})`);
+        if (!key)
+            throw new Error(`No ${provider} key provided.`);
+        if (!args.includes("--no-validate")) {
+            const validation = await validateLlmKey(provider, key);
+            if (!validation.ok)
+                throw new Error(`${provider} rejected the key: ${validation.detail}`);
+            console.log(validation.detail);
+        }
+        const stamp = new Date().toISOString();
+        storeCredential(provider, { kind: "api_key", accessToken: key, createdAt: stamp, updatedAt: stamp });
+        console.log(`Stored ${provider} API key in ${credentialsPath()}. \`fullstackgtm call parse\` and \`call score\` use it automatically.`);
+        return;
+    }
     if (provider !== "hubspot") {
-        throw new Error("login supports: hubspot, salesforce, stripe, or --via <hosted url>. Usage: fullstackgtm login <provider> | fullstackgtm login --via https://gtm.example.com");
+        throw new Error("login supports: hubspot, salesforce, stripe, anthropic, openai, or --via <hosted url>. Usage: fullstackgtm login <provider> | fullstackgtm login --via https://gtm.example.com");
     }
     const now = new Date().toISOString();
     if (args.includes("--oauth")) {
@@ -1150,6 +1297,7 @@ export function doctorReport(env = process.env) {
             ? { source: "env", detail: "STRIPE_SECRET_KEY" }
             : providerStatus("stripe", broker),
     };
+    const llm = resolveLlmCredential(env);
     const missingPeers = ["@modelcontextprotocol/sdk", "zod"].filter((name) => {
         try {
             import.meta.resolve(name);
@@ -1174,6 +1322,9 @@ export function doctorReport(env = process.env) {
         config: { path: configPath, exists: existsSync(configPath) },
         providers,
         broker: broker ? { paired: true, baseUrl: broker.baseUrl ?? "unknown" } : { paired: false },
+        llm: llm
+            ? { configured: true, provider: llm.provider, source: llm.source }
+            : { configured: false, detail: "call parse/score will prompt once, or set ANTHROPIC_API_KEY / OPENAI_API_KEY" },
         mcp: { peersInstalled: missingPeers.length === 0, missing: missingPeers },
         nextSteps,
     };
@@ -1215,6 +1366,7 @@ function doctorCommand(args) {
         "Providers:",
         ...Object.entries(report.providers).map(([provider, status]) => `  ${provider.padEnd(11)} ${status.source === "none" ? `not connected (${status.detail})` : `${status.source}: ${status.detail}`}`),
         `  ${"broker".padEnd(11)} ${report.broker.paired ? `paired with ${report.broker.baseUrl}` : "not paired (fullstackgtm login --via <hosted url>)"}`,
+        `  ${"llm".padEnd(11)} ${report.llm.configured ? `${report.llm.provider} key (${report.llm.source}) — call parse/score ready` : `not configured (${report.llm.detail})`}`,
         "",
         report.mcp.peersInstalled
             ? "MCP:        peers installed — `fullstackgtm-mcp` is ready"

package/dist/credentials.d.ts

@@ -23,7 +23,7 @@ export declare function baseHomeDir(): string;
  */
 export declare function listProfiles(): string[];
 export type StoredCredential = {
-    kind: "private_app" | "oauth" | "broker";
+    kind: "private_app" | "oauth" | "broker" | "api_key";
     accessToken: string;
     refreshToken?: string;
     /** Epoch ms when the access token expires (oauth only). */

package/dist/index.d.ts

@@ -17,5 +17,6 @@ export { HUBSPOT_DEFAULT_FIELD_MAPPINGS, SALESFORCE_DEFAULT_FIELD_MAPPINGS, mapp
 export { accountSingleSourceRule, activeDealAccountWithoutContactsRule, auditFindingId, buildSnapshotIndex, builtinAuditRules, closingSoonInactiveRule, duplicateAccountDomainRule, duplicateContactEmailRule, duplicateOpenDealRule, missingDealAccountRule, missingDealAmountRule, missingDealOwnerRule, orphanAccountRule, pastCloseDateRule, patchOperationId, requiresHumanInput, staleDealRule, } from "./rules.ts";
 export { extractCallInsights, normalizeTranscript, parseCall, parseTranscript, suggestCallDeal, summarizeInsights, type CallDealSuggestion, type CallInsightType, type ExtractedCallInsight, type ParsedCall, type ParsedTranscriptSegment, } from "./calls.ts";
 export { sampleSnapshot } from "./sampleData.ts";
+export { DEFAULT_MODELS, DEFAULT_RUBRIC, detectProviderFromKey, extractInsightsLlm, parseRubric, resolveLlmCredential, scoreCallLlm, validateLlmKey, type CallScorecard, type LlmCredential, type LlmExtractedInsight, type LlmProvider, type Rubric, type ScoredDimension, } from "./llm.ts";
 export { suggestValues, type SuggestionConfidence, type ValueSuggestion } from "./suggest.ts";
 export type { ApprovalStatus, AuditFinding, AuditFindingSeverity, CanonicalAccount, CanonicalActivity, CanonicalContact, CanonicalDeal, CanonicalGtmSnapshot, CanonicalUser, CrmProvider, GtmAuditRule, GtmConnector, GtmEvidence, GtmEvidenceSourceSystem, GtmObjectType, GtmPolicy, GtmRuleContext, GtmRuleResult, GtmSnapshotIndex, PatchOperation, PatchOperationResult, PatchOperationType, PatchPlan, PatchPlanRun, PatchPlanRunStatus, PatchVerification, PipelineFinding, PipelineFindingStatus, PipelineFindingType, ProviderIdentity, RiskLevel, SourceFreshness, } from "./types.ts";

package/dist/index.js

@@ -17,4 +17,5 @@ export { HUBSPOT_DEFAULT_FIELD_MAPPINGS, SALESFORCE_DEFAULT_FIELD_MAPPINGS, mapp
 export { accountSingleSourceRule, activeDealAccountWithoutContactsRule, auditFindingId, buildSnapshotIndex, builtinAuditRules, closingSoonInactiveRule, duplicateAccountDomainRule, duplicateContactEmailRule, duplicateOpenDealRule, missingDealAccountRule, missingDealAmountRule, missingDealOwnerRule, orphanAccountRule, pastCloseDateRule, patchOperationId, requiresHumanInput, staleDealRule, } from "./rules.js";
 export { extractCallInsights, normalizeTranscript, parseCall, parseTranscript, suggestCallDeal, summarizeInsights, } from "./calls.js";
 export { sampleSnapshot } from "./sampleData.js";
+export { DEFAULT_MODELS, DEFAULT_RUBRIC, detectProviderFromKey, extractInsightsLlm, parseRubric, resolveLlmCredential, scoreCallLlm, validateLlmKey, } from "./llm.js";
 export { suggestValues } from "./suggest.js";

package/dist/llm.d.ts

@@ -0,0 +1,71 @@
+import type { ExtractedCallInsight } from "./calls.ts";
+/**
+ * LLM-powered call extraction and scoring. Bring-your-own-key, two providers
+ * (Anthropic, OpenAI), raw fetch — no SDK dependency, mirroring how the CRM
+ * connectors talk to their APIs. Constrained tool calls keep the output in
+ * the same canonical insight shape as the deterministic engine, with
+ * mandatory verbatim-quote evidence; every insight is provenance-marked with
+ * the extractor that produced it.
+ */
+export type LlmProvider = "anthropic" | "openai";
+export type LlmCredential = {
+    provider: LlmProvider;
+    apiKey: string;
+    source: "env" | "stored";
+};
+export declare const DEFAULT_MODELS: Record<LlmProvider, string>;
+export declare function detectProviderFromKey(apiKey: string): LlmProvider;
+/** Env first (ANTHROPIC_API_KEY, then OPENAI_API_KEY), then the credential store. */
+export declare function resolveLlmCredential(env?: Record<string, string | undefined>): LlmCredential | null;
+export type LlmCallOptions = {
+    provider: LlmProvider;
+    apiKey: string;
+    model?: string;
+    fetchImpl?: typeof fetch;
+};
+export type LlmExtractedInsight = ExtractedCallInsight & {
+    owner?: string;
+    deadline?: string;
+    commitment?: "firm" | "tentative" | "exploratory";
+};
+export declare function extractInsightsLlm(transcript: string, options: LlmCallOptions & {
+    title?: string;
+}): Promise<{
+    insights: LlmExtractedInsight[];
+    model: string;
+}>;
+export type Rubric = {
+    scale: number;
+    dimensions: Array<{
+        name: string;
+        weight: number;
+        rubric: string;
+    }>;
+};
+export declare const DEFAULT_RUBRIC: Rubric;
+export type ScoredDimension = {
+    name: string;
+    score: number;
+    maxScore: number;
+    weight: number;
+    evidence: string[];
+    coachingNote: string;
+};
+export type CallScorecard = {
+    dimensions: ScoredDimension[];
+    /** Weighted average, computed deterministically client-side. */
+    overallScore: number;
+    scale: number;
+    highlights: string[];
+    missedItems: string[];
+    model: string;
+};
+export declare function scoreCallLlm(transcript: string, rubric: Rubric, options: LlmCallOptions & {
+    title?: string;
+}): Promise<CallScorecard>;
+export declare function parseRubric(json: string): Rubric;
+/** Cheap key validation against the provider's model-list endpoint. Status line only. */
+export declare function validateLlmKey(provider: LlmProvider, apiKey: string, fetchImpl?: typeof fetch): Promise<{
+    ok: boolean;
+    detail: string;
+}>;