fullstackgtm 0.25.0 → 0.25.2

package/dist/marketReport.js

@@ -28,6 +28,22 @@ function escapeHtml(value) {
         .replace(/>/g, ">")
         .replace(/"/g, """);
 }
+/**
+ * Serialize JSON for embedding inside an inline <script> block. JSON.stringify
+ * does not escape `<`, `>`, `&`, or the U+2028/U+2029 line separators, so a
+ * vendor name containing `</script>` (these are untrusted, competitor-authored
+ * strings) would close the tag and inject markup. Replacing them with their
+ * \uXXXX escapes keeps the parsed value identical while making the breakout
+ * sequence unrepresentable in the HTML source.
+ */
+export function safeJsonForScript(value) {
+    return JSON.stringify(value)
+        .replace(/</g, "\\u003c")
+        .replace(/>/g, "\\u003e")
+        .replace(/&/g, "\\u0026")
+        .replace(/\u2028/g, "\\u2028")
+        .replace(/\u2029/g, "\\u2029");
+}
 function buildModel(config, set) {
     const fronts = computeFrontStates(config, set);
     const stateByClaim = new Map(fronts.map((front) => [front.claimId, front.state]));
@@ -320,7 +336,7 @@ function axisSectionsHtml(config, set) {
       <table class="legend"><thead><tr><th></th><th>vendor</th><th class="num">${legendMeasureHead}</th></tr></thead><tbody>${legendRows}</tbody></table>
     </div>
     <div class="map-tip" id="map-tip" hidden></div>
-    <script type="application/json" id="map-data">${JSON.stringify(tipData)}</script>
+    <script type="application/json" id="map-data">${safeJsonForScript(tipData)}</script>
     <script>
     (function () {
       var data = JSON.parse(document.getElementById("map-data").textContent);
@@ -331,7 +347,16 @@ function axisSectionsHtml(config, set) {
       function show(v, evt) {
         var d = data[v];
         if (!d) return;
-        tip.innerHTML = "<b>" + d.n + " · " + d.name + "</b>" + d.lines.map(function (l) { return "<div>" + l + "</div>"; }).join("");
+        // textContent only — vendor names / axis labels are untrusted (competitor-controlled).
+        tip.textContent = "";
+        var head = document.createElement("b");
+        head.textContent = d.n + " · " + d.name;
+        tip.appendChild(head);
+        d.lines.forEach(function (l) {
+          var div = document.createElement("div");
+          div.textContent = l;
+          tip.appendChild(div);
+        });
         tip.hidden = false;
         var box = fig.getBoundingClientRect();
         tip.style.left = Math.min(evt.clientX - box.left + 14, box.width - tip.offsetWidth - 8) + "px";
@@ -419,7 +444,7 @@ export function marketMapToHtml(config, set) {
         const anchorLoud = anchor
             ? claimIds.filter((claimId) => model.cell(anchor, claimId)?.intensity === "loud").length
             : 0;
-        const anchorNote = anchor ? ` · ${vendorNamesById.get(anchor) ?? anchor} loud on ${anchorLoud}` : "";
+        const anchorNote = anchor ? ` · ${e(vendorNamesById.get(anchor) ?? anchor)} loud on ${anchorLoud}` : "";
         return `<details class="claim-group"><summary><b>${e(group.title)}</b> — ${claimIds.length} claim${claimIds.length === 1 ? "" : "s"} <span class="sum-soft">(${e(group.blurb)}${anchorNote})</span></summary>
       <table><thead><tr><th></th>${vendorHeads}<th></th></tr></thead><tbody>${claimIds.map(matrixRow).join("")}</tbody></table>
     </details>`;
@@ -475,7 +500,7 @@ export function marketMapToHtml(config, set) {
             const obs = model.cell(vendor.id, claimId);
             if (!obs || obs.evidence.length === 0)
                 return [];
-            return obs.evidence.map((evidence) => `<div class="ev"><span class="ev-head">${e(claimId)} · ${obs.intensity.toUpperCase()} (${obs.confidence})</span>` +
+            return obs.evidence.map((evidence) => `<div class="ev"><span class="ev-head">${e(claimId)} · ${e(obs.intensity.toUpperCase())} (${e(String(obs.confidence ?? ""))})</span>` +
                 `<blockquote>“${e(evidence.text)}”</blockquote>` +
                 `<span class="ev-src">${e(String(evidence.metadata?.url ?? ""))} · capture ${e(String(evidence.metadata?.captureHash ?? "").slice(0, 12))}</span></div>`);
         });

package/dist/schedule.d.ts

@@ -53,6 +53,23 @@ export declare function scheduleId(label: string, cron: string, argv: string[],
  * in-process into the CLI router, never through a shell).
  */
 export declare function validateSchedulableArgv(argv: string[]): void;
+/**
+ * A schedule label is free text the operator chooses, but it is later
+ * interpolated into a crontab comment line by `renderManagedBlock`. A newline
+ * (or carriage return) would break out of the comment and inject an arbitrary
+ * crontab entry on `schedule install`. Reject control characters at the entry
+ * point so a label can never carry a second line; `renderManagedBlock` also
+ * strips them defensively in case a hand-edited schedules.json slips one past.
+ */
+export declare function assertSingleLineLabel(label: string): void;
+/**
+ * True if the string contains any line-breaking or control character. Covers
+ * C0 controls + DEL, plus the Unicode separators a non-cron parser might honor
+ * (NEL U+0085, LS U+2028, PS U+2029, VT U+000B, FF U+000C) — defense-in-depth
+ * for the future modal/aws scaffold renderers whose target formats may treat
+ * those as line breaks.
+ */
+export declare function hasControlChar(value: string): boolean;
 /**
  * Split a `schedule add "<command>"` string into argv, honoring single and
  * double quotes (no escapes, no expansion — this is tokenization, not shell).

package/dist/schedule.js

@@ -77,6 +77,68 @@ export function validateSchedulableArgv(argv) {
         }
     }
 }
+/**
+ * A schedule label is free text the operator chooses, but it is later
+ * interpolated into a crontab comment line by `renderManagedBlock`. A newline
+ * (or carriage return) would break out of the comment and inject an arbitrary
+ * crontab entry on `schedule install`. Reject control characters at the entry
+ * point so a label can never carry a second line; `renderManagedBlock` also
+ * strips them defensively in case a hand-edited schedules.json slips one past.
+ */
+export function assertSingleLineLabel(label) {
+    if (hasControlChar(label)) {
+        throw new Error("A schedule --label cannot contain newlines or control characters " +
+            "(they would inject lines into the managed crontab block). Use a plain single-line name.");
+    }
+}
+/**
+ * True if the string contains any line-breaking or control character. Covers
+ * C0 controls + DEL, plus the Unicode separators a non-cron parser might honor
+ * (NEL U+0085, LS U+2028, PS U+2029, VT U+000B, FF U+000C) — defense-in-depth
+ * for the future modal/aws scaffold renderers whose target formats may treat
+ * those as line breaks.
+ */
+export function hasControlChar(value) {
+    for (let i = 0; i < value.length; i++) {
+        const code = value.charCodeAt(i);
+        if (code < 0x20 || code === 0x7f || code === 0x85 || code === 0x2028 || code === 0x2029)
+            return true;
+    }
+    return false;
+}
+/** Collapse any control/separator character to a space — last-resort guard at render time. */
+function sanitizeCrontabComment(value) {
+    let out = "";
+    for (const ch of value) {
+        const code = ch.charCodeAt(0);
+        out += code < 0x20 || code === 0x7f || code === 0x85 || code === 0x2028 || code === 0x2029 ? " " : ch;
+    }
+    return out.replace(/ {2,}/g, " ").trim();
+}
+/**
+ * Validate every field of an entry that `renderManagedBlock` interpolates into
+ * the crontab — not just the label. The EXECUTABLE line embeds `cron` and `id`
+ * raw, and `schedule install` renders entries straight from schedules.json, so
+ * a hand-edited (or otherwise tampered) entry with a newline in cron/id/profile
+ * would inject a live crontab line. Refuse to render a tampered entry rather
+ * than emit it. (Well-formed entries never trip this: cron is parser-validated,
+ * id is an fnv1a hex hash, label is guarded at add-time.)
+ */
+function assertRenderableEntry(profile, entry) {
+    const fields = [
+        ["profile", profile],
+        ["cron", entry.cron],
+        ["id", entry.id],
+        ["label", entry.label],
+        ...entry.argv.map((token, i) => [`argv[${i}]`, token]),
+    ];
+    for (const [name, value] of fields) {
+        if (hasControlChar(value)) {
+            throw new Error(`Refusing to render schedule entry ${entry.id}: its ${name} contains a newline or control character. ` +
+                "The schedules.json store has been tampered with or corrupted — repair it before installing.");
+        }
+    }
+}
 /**
  * Split a `schedule add "<command>"` string into argv, honoring single and
  * double quotes (no escapes, no expansion — this is tokenization, not shell).
@@ -124,7 +186,13 @@ const CRON_FIELD_SPECS = [
     { name: "day-of-week", min: 0, max: 7 },
 ];
 export function parseCron(expression) {
-    const fields = expression.trim().split(/\s+/);
+    // Reject non-ASCII whitespace and control chars: JS \s splits on U+00A0,
+    // U+3000, etc., but Vixie cron's field separator is only space/tab. A source
+    // carrying them would parse here yet be misparsed or rejected by `crontab -`.
+    if (hasControlChar(expression) || /[^\x20-\x7e]/.test(expression)) {
+        throw new Error(`Invalid cron expression "${expression}": only ASCII characters, space, and tab are allowed.`);
+    }
+    const fields = expression.trim().split(/[ \t]+/);
     if (fields.length !== 5) {
         throw new Error(`Invalid cron expression "${expression}": expected 5 fields ` +
             `(minute hour day-of-month month day-of-week), got ${fields.length}.`);
@@ -432,13 +500,26 @@ export function crontabSentinels(profile) {
  * but fullstackgtm dispatch (no arbitrary shell, ever).
  */
 export function renderManagedBlock(profile, entries, cliInvocation) {
+    // cliInvocation is spliced raw into the executable line; it is built from
+    // process.execPath, the script path, and FSGTM_HOME (cli.ts), so a newline in
+    // FSGTM_HOME would inject a crontab line. Validate it like the entry fields —
+    // single-quote shell-escaping does NOT defend cron's line parser.
+    if (hasControlChar(cliInvocation)) {
+        throw new Error("Refusing to render the managed crontab: the resolved CLI invocation (node path, script path, " +
+            "or FSGTM_HOME) contains a newline or control character. Check $FSGTM_HOME.");
+    }
     const { open, close } = crontabSentinels(profile);
     const lines = [
         open,
         "# Managed by `fullstackgtm schedule install` — replaced wholesale on re-install; do not edit.",
     ];
     for (const entry of entries) {
-        lines.push(`# ${entry.label} (${entry.id}): ${entry.argv.join(" ")}`);
+        // Refuse to render any entry whose interpolated fields carry a control char
+        // — the executable line below embeds cron/id raw, so a tampered store could
+        // otherwise inject a live crontab line. The comment line is additionally
+        // sanitized so a benign-but-messy label can't break it.
+        assertRenderableEntry(profile, entry);
+        lines.push(sanitizeCrontabComment(`# ${entry.label} (${entry.id}): ${entry.argv.join(" ")}`));
         lines.push(`${entry.cron} ${cliInvocation} schedule run ${entry.id} --profile ${profile} --trigger cron`);
     }
     lines.push(close);

package/docs/api.md

@@ -21,7 +21,7 @@ release.
 - `GtmAuditRule` — `{ id, title, description, category?, evaluate(context) }`; the public extension point.
 - `GtmRuleContext` — `{ snapshot, policy, index }` with the prebuilt O(n) `GtmSnapshotIndex`.
 - `auditSnapshot(snapshot, policy?, rules?)` → `PatchPlan`.
-- `builtinAuditRules` (11 rules) plus each rule exported individually.
+- `builtinAuditRules` (12 rules) plus each rule exported individually.
 - **Determinism guarantee**: identical inputs produce identical findings and operations with identical ids (`auditFindingId`, `patchOperationId` are stable hashes of rule + record).
 
 ## Patch plans and application
@@ -62,7 +62,9 @@ Commands: `login` / `logout`, `snapshot`, `audit`, `report`, `diff`, `merge`, `p
 `bulk-update`, `dedupe`, `reassign`, `fix`,
 `market` (`init` / `capture` / `classify` / `worksheet` / `observe` / `fronts` /
 `axes` / `overlay` / `scale` / `report` / `refresh`),
-`enrich` (`append` / `refresh` / `ingest` / `status`), `rules`, `profiles`, `doctor`.
+`enrich` (`append` / `refresh` / `ingest` / `status`),
+`schedule` (`add` / `list` / `remove` / `enable` / `disable` / `run` /
+`install` / `uninstall` / `status`), `rules`, `profiles`, `doctor`.
 Exit codes: `0` success · `1` error · `2` findings/regressions at the requested gate
 (`--fail-on`, `--fail-on-new-findings`). `--json` everywhere; JSON output shapes are stable.
 
@@ -115,6 +117,30 @@ dependency-free CSV intake; the Apollo client (`createApolloClient`,
 `pullApolloRecords`, 429-aware with `Retry-After`) is the first `api`-kind
 source.
 
+## Schedule
+
+The horizontal scheduler: a declarative schedule-entry store, a
+dependency-free 5-field cron parser, and the read/plan-side `SCHEDULABLE`
+allowlist. `validateSchedulableArgv` enforces the allowlist at `schedule add`
+time and re-checks it at run time (`tokenizeCommand` splits the quoted command
+string — tokenization, never shell). `apply` is schedulable only as
+`apply --plan-id <id>`, with the plan's `approved` status re-checked at every
+firing — an unapproved plan records a `plan_not_approved` no-op run
+(`ScheduleRunRecord.noopReason`) instead of executing.
+
+- Entries: `ScheduleEntry` (`ScheduleProvider` is `"local"` for now),
+  `scheduleId`, `ScheduleStore` / `createFileScheduleStore`.
+- Run history: `ScheduleRunRecord` (`ScheduleRunTrigger`: `cron` | `manual`),
+  `ScheduleRunStore` / `createFileScheduleRunStore`, with `schedulesPath` /
+  `scheduleRunsDir` for the profile-scoped file layout.
+- Cron: `parseCron` → `CronExpression`, `cronMatches`, `nextCronFiring`,
+  `expectedFirings`, `computeMissedFirings` (status and missed-firing
+  visibility — local cron has no catch-up).
+- Local provider: `schedule install` renders enabled entries into a
+  sentinel-managed crontab block — `crontabSentinels`, `renderManagedBlock`,
+  `replaceManagedBlock`, and `systemCrontabIo` behind the injectable
+  `CrontabIo` seam (tests never touch a real crontab).
+
 ## Market map
 
 Newer surface (0.16–0.23); shapes are settling toward the 1.0 contract. A live

package/docs/crm-health-lifecycle.md

@@ -78,18 +78,21 @@ values win, **merges cannot be undone**, and a record stops merging after
 250 cumulative merges. Salesforce merge is SOAP/Apex only (no REST), only
 Lead/Contact/Account/Case, max 3 records per call.
 
-**The gap:** our three duplicate rules (`duplicate-account-domain`,
-`duplicate-contact-email`, `duplicate-open-deal`) detect groups but emit
-only merge-review *tasks* — detection without remediation.
+**The gap (closed in 0.12):** our three duplicate rules
+(`duplicate-account-domain`, `duplicate-contact-email`,
+`duplicate-open-deal`) used to detect groups but emit only merge-review
+*tasks* — detection without remediation.
 
-**The plan (0.12):** a `merge_records` operation type —
+**Shipped (0.12):** a `merge_records` operation type —
 `requires_human_survivor_selection` placeholder, survivor heuristics in
 `suggest` (ordered, evidence-based: most engagements → oldest → most
 complete, each with a written reason), high risk, approval required, with
 the irreversibility called out in the plan text. The dry-run plan is the
 preview every commercial tool charges for; the pre-apply snapshot is the
 loser-record archive. HubSpot first; Salesforce merge documented as
-unsupported until an Apex path justifies itself.
+unsupported until an Apex path justifies itself. 0.23 added `dedupe` as a
+first-class verb over the same operation type (groups → one governed merge
+per group, deterministic survivor).
 
 ## D — Delete/Archive: the exit ramp
 
@@ -131,5 +134,7 @@ Lessons from auditing our own apply path:
 | 0.11.1 | Fix our own faucet: resolve-first `create:` + plan-scoped dedup, HubSpot association-aware CAS for `link_record`, domain normalization in `duplicate-account-domain`, `create_task` idempotency token |
 | 0.12 (shipped) | `merge_records` (HubSpot contacts/companies/deals) + survivor suggestions capped at low confidence; the three duplicate rules emit governed merges instead of review tasks |
 | 0.15 (shipped) | `resolve` gate (CLI/lib/MCP, gate exit codes), provenance capture (`hs_object_source*` → `RecordProvenance`) + attribution in duplicate findings, self-stamped creates |
-| 0.16 | prevention-posture checks (native duplicate rules active? unique-value properties defined?) · live targeted resolve lookups |
+| 0.16 (shipped the market map instead) | prevention-posture checks (native duplicate rules active? unique-value properties defined?) and live targeted resolve lookups were slated here but did not ship — they remain future work; 0.16 went to the market map layer |
+| 0.23 (shipped) | `dedupe <object> --key <domain\|email\|name>` — the Remediate layer as a first-class verb: duplicate groups by normalized identity key, one governed `merge_records` per group, deterministic survivor (`richest`/`oldest`) |
+| 0.24 (shipped) | schedule layer — recurring Detect: the nightly watch recipe becomes a declared cadence (`schedule add "audit --provider hubspot --save" --cron "0 2 * * *"`); read/plan-side allowlist only, scheduling never auto-approves |
 | docs | The nightly watch recipe (existing flags, documented as CRM CI) |

package/docs/roadmap-to-1.0.md

@@ -106,6 +106,33 @@ The original thesis: GTM data disagrees across systems.
 - Docs site with the operating-model registry as browsable reference.
 - Performance pass: streaming snapshots for very large orgs.
 
+## 0.10 → 0.25 — the layers, as shipped
+
+The plan above ended at the freeze; what shipped next grew the surface
+outward, one layer per release, each consolidating before the next expanded:
+
+- **0.11** — the suggest chain: deterministic placeholder values with
+  confidence + reasons, `plans approve --values-from`.
+- **0.12** — governed merge: `merge_records` (HubSpot contacts / companies /
+  deals), survivor suggestions capped at low confidence.
+- **0.13–0.14** — call intelligence: `call parse|score|link|plan`, LLM
+  extraction behind the bring-your-own-key seam, deterministic baseline,
+  provenance-marked insights.
+- **0.15** — the Prevent layer: the `resolve` create gate plus record-source
+  provenance and attribution.
+- **0.16–0.22** — the market map: content-addressed captures, classification
+  with mechanical span verification, front states and drift, axis discovery,
+  overlay directives, scale estimation, the field report.
+- **0.19 / 0.23** — governed write verbs (`bulk-update`, then `dedupe`,
+  `reassign`, `fix`) and the enrich layer (Apollo / Clay, fill-blanks-only
+  plans).
+- **0.24** — the schedule layer: horizontal cron, read/plan-side allowlist,
+  scheduling never auto-approves.
+- **0.25** — agent skill distribution (`npx skills add fullstackgtm/core`).
+
+The known-gaps list below predates these layers and has been re-verified
+against the 0.25 surface: still accurate, still open.
+
 ## Known real-portal gaps to close before 1.0
 
 Found by exercising the published package as a fresh RevOps user with a real

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "fullstackgtm",
-  "version": "0.25.0",
+  "version": "0.25.2",
   "description": "Open-source agentic GTM ops framework: canonical GTM data model, pluggable deterministic audits, reviewable dry-run patch plans, approval-gated write-back with conflict detection, and cross-system entity resolution. HubSpot, Salesforce, and Stripe connectors included.",
   "license": "Apache-2.0",
   "author": "Full Stack GTM",

package/skills/fullstackgtm/SKILL.md

@@ -48,7 +48,8 @@ Credentials resolve in order: `--token-env <NAME>` → ambient env
 In a sandbox prefer the first two. LLM-powered verbs (`call parse`, `call
 score`, `market classify`) take `ANTHROPIC_API_KEY`/`OPENAI_API_KEY`, or use
 their deterministic/worksheet fallbacks — the CLI never prompts when
-non-interactive.
+non-interactive. `--profile <name>` (or `FULLSTACKGTM_PROFILE`) scopes
+credentials AND stored plans per client org.
 
 ## Verb map
 
@@ -61,9 +62,10 @@ non-interactive.
 | `fix --rule <id>` | audit one rule → suggest → approve at the confidence bar → apply only with `--yes` |
 | `call parse\|score\|link\|plan` | Transcripts → evidence-quoted insights, rubric scorecards, deal linking, governed next-step writes |
 | `enrich append\|refresh\|ingest\|status` | Governed enrichment (Apollo pull / Clay ingest), fill-blanks-only plans |
-| `market capture\|classify\|worksheet\|observe\|fronts\|axes\|overlay\|scale\|report\|refresh` | Competitive category map; evidence quotes verified verbatim against stored captures |
-| `schedule add\|install\|run\|status` | Horizontal cron; read/plan-side allowlist only — scheduling NEVER auto-approves |
-| `plans list\|approve` / `snapshot` / `rules` / `doctor` | Plan lifecycle, raw snapshots, rule registry, machine state |
+| `market init\|capture\|classify\|worksheet\|observe\|fronts\|axes\|overlay\|scale\|report\|refresh` | Competitive category map; evidence quotes verified verbatim against stored captures |
+| `schedule add\|list\|remove\|enable\|disable\|run\|install\|uninstall\|status` | Horizontal cron; read/plan-side allowlist only — scheduling NEVER auto-approves |
+| `report` | Client-ready audit deliverable (markdown or self-contained HTML) |
+| `plans list\|show\|approve\|reject` / `snapshot` / `rules` / `doctor` | Plan lifecycle, raw snapshots, rule registry, machine state |
 
 All write-shaped verbs produce plans; none writes outside approve → apply.
 Add `--json` for machine-readable output on any command.

package/src/cli.ts

@@ -109,6 +109,8 @@ import {
   parseCron,
   renderManagedBlock,
   replaceManagedBlock,
+  assertSingleLineLabel,
+  hasControlChar,
   scheduleId,
   systemCrontabIo,
   tokenizeCommand,
@@ -1831,6 +1833,7 @@ trigger: manual. status shows next firing and surfaces missed firings
     const label =
       option(rest, "--label") ??
       argv.filter((arg) => !arg.startsWith("--")).slice(0, 2).join("-").replace(/[^\w.-]+/g, "-");
+    assertSingleLineLabel(label);
     const entry: ScheduleEntry = {
       id: scheduleId(label, cron.source, argv, createdAt),
       label,
@@ -2052,12 +2055,26 @@ function scheduleCliInvocation(): string {
   if (!script || !existsSync(script)) {
     throw new Error("Cannot resolve the fullstackgtm entry point for crontab lines (process.argv[1] is missing).");
   }
+  // A newline/control char in any of these flows verbatim into the crontab
+  // executable line; single-quote escaping defends the shell, not cron's line
+  // parser. Refuse early with a clear message (renderManagedBlock re-checks).
+  for (const [name, value] of [
+    ["FSGTM_HOME", process.env.FSGTM_HOME],
+    ["the node executable path", process.execPath],
+    ["the CLI script path", script],
+  ] as const) {
+    if (value && hasControlChar(value)) {
+      throw new Error(`Cannot install schedules: ${name} contains a newline or control character.`);
+    }
+  }
   const quote = (value: string) => `'${value.replace(/'/g, `'\\''`)}'`;
   const parts = [quote(process.execPath)];
   if (script.endsWith(".ts")) parts.push("--experimental-strip-types");
   parts.push(quote(script));
   const home = process.env.FSGTM_HOME ? `FSGTM_HOME=${quote(process.env.FSGTM_HOME)} ` : "";
-  return home + parts.join(" ");
+  // cron treats an unescaped `%` in the command field as a newline/stdin split.
+  // Escape it as `\%` so a stray `%` in a path can't truncate the managed line.
+  return (home + parts.join(" ")).replace(/%/g, "\\%");
 }
 
 /**

package/src/connectors/hubspot.ts

@@ -77,8 +77,11 @@ export function createHubspotConnector(options: HubspotConnectorOptions): Requir
       throw new Error(`Cannot reach HubSpot at ${baseUrl}${cause}. Check network access.`);
     }
     if (!response.ok) {
-      const body = await response.text();
-      throw new Error(`HubSpot API error ${response.status}: ${body}`);
+      // Status line only — HubSpot 4xx bodies echo submitted property values
+      // (contact emails, company domains) and the request payload, and these
+      // errors are persisted into scheduled-run records. Never interpolate it.
+      await response.text().catch(() => undefined);
+      throw new Error(`HubSpot API error ${response.status}. Check the token scopes and request.`);
     }
     // DELETE and some association writes return 204 with an empty body.
     const text = await response.text();

package/src/connectors/salesforce.ts

@@ -88,8 +88,10 @@ export function createSalesforceConnector(
       );
     }
     if (!response.ok) {
-      const body = await response.text();
-      throw new Error(`Salesforce API error ${response.status}: ${body}`);
+      // Status line only — the body echoes submitted field values and the
+      // request, and these errors are persisted into scheduled-run records.
+      await response.text().catch(() => undefined);
+      throw new Error(`Salesforce API error ${response.status}. Check the token and request.`);
     }
     // Salesforce PATCH returns 204 No Content on success.
     const text = await response.text();

package/src/connectors/stripe.ts

@@ -46,8 +46,10 @@ export function createStripeConnector(options: StripeConnectorOptions): GtmConne
       headers: { Authorization: `Bearer ${apiKey}` },
     });
     if (!response.ok) {
-      const body = await response.text();
-      throw new Error(`Stripe API error ${response.status}: ${body}`);
+      // Status line only — the body can echo request details bound to a live
+      // billing key, and these errors land in scheduled-run records.
+      await response.text().catch(() => undefined);
+      throw new Error(`Stripe API error ${response.status}. Check the restricted key and request.`);
     }
     return response.json();
   }

package/src/credentials.ts

@@ -4,6 +4,7 @@ import {
   mkdirSync,
   readdirSync,
   readFileSync,
+  statSync,
   unlinkSync,
   writeFileSync,
 } from "node:fs";
@@ -143,8 +144,31 @@ export function writeSecureFile(path: string, contents: string) {
   }
 }
 
+/**
+ * The 0600/0700 guarantee was write-only: a credentials.json inherited at
+ * looser permissions (a restored backup, a file created by another tool, a
+ * cloned home) was read and trusted regardless of its actual mode. Enforce the
+ * mode on read too — re-tighten to 0600 and warn once — so a world-readable
+ * credential store can't sit there silently leaking the token to other users.
+ */
+function enforceCredentialFileMode(path: string): void {
+  try {
+    const mode = statSync(path).mode & 0o777;
+    if ((mode & 0o077) !== 0) {
+      chmodSync(path, 0o600);
+      console.error(
+        `fullstackgtm: tightened ${path} from ${mode.toString(8).padStart(3, "0")} to 600 ` +
+          "(it was readable or writable by other users).",
+      );
+    }
+  } catch {
+    // Missing file or non-POSIX filesystem: nothing to enforce.
+  }
+}
+
 function readFile(): CredentialsFile {
   try {
+    enforceCredentialFileMode(credentialsPath());
     const parsed = JSON.parse(readFileSync(credentialsPath(), "utf8"));
     if (parsed && typeof parsed === "object" && parsed.version === 1 && parsed.providers) {
       return parsed as CredentialsFile;

package/src/enrich.ts

@@ -394,6 +394,29 @@ function valueToString(value: unknown): string {
   return "";
 }
 
+/**
+ * CSV/formula-injection neutralization for string values destined for a CRM
+ * write. Third-party export rows (Clay CSV, webhook JSON) can contain cells
+ * like `=cmd|'/c calc'!A1` or `@SUM(...)`; written verbatim to a CRM field they
+ * lie dormant until someone exports the CRM to CSV and opens it in a spreadsheet,
+ * where the leading `= + - @` (or a leading tab/CR) makes the client execute it.
+ * We prefix a single apostrophe — the spreadsheet-standard escape that renders
+ * the cell as literal text. Numeric values bypass this (they're written as
+ * numbers, not strings), so signed numbers keep full fidelity; a phone number
+ * supplied as a string and starting with `+` gains a leading `'`, which the
+ * human sees in the approved diff. Applied only at the write path, never to
+ * match keys.
+ */
+function neutralizeFormulaInjection(value: string): string {
+  if (value && /^[=+\-@\t\r]/.test(value)) return `'${value}`;
+  return value;
+}
+
+/** valueToString for a value that will be written to a CRM field. */
+function writeSafeString(value: unknown): string {
+  return neutralizeFormulaInjection(valueToString(value));
+}
+
 // ---------------------------------------------------------------------------
 // Matching: ordered keys, unique-hit-wins, zero-hits-next-key,
 // multi-hit → onAmbiguous. Ambiguity is surfaced, never resolved by coin flip.
@@ -708,7 +731,7 @@ export function buildEnrichPlan(options: BuildEnrichPlanOptions): EnrichPlanResu
           operation: "set_field",
           field: canonicalField,
           beforeValue: currentValue ?? null,
-          afterValue: typeof sourceValue === "number" ? sourceValue : valueToString(sourceValue),
+          afterValue: typeof sourceValue === "number" ? sourceValue : writeSafeString(sourceValue),
           reason:
             `${source} ${record.objectType} "${describeSourceRecord(record)}" (matched by ` +
             `${outcome.matchedKey}) reports a changed value for ${canonicalField}.`,
@@ -726,7 +749,7 @@ export function buildEnrichPlan(options: BuildEnrichPlanOptions): EnrichPlanResu
       if (isEmptyValue(sourceValue)) continue;
       if (!isEmptyValue(currentValue)) continue;
       emittedForRecord = true;
-      const afterValue = typeof sourceValue === "number" ? sourceValue : valueToString(sourceValue);
+      const afterValue = typeof sourceValue === "number" ? sourceValue : writeSafeString(sourceValue);
       operations.push({
         id: `op_enr_${fnv1a(`${source}:${record.objectType}:${outcome.recordId}:${canonicalField}`)}`,
         objectType: canonicalObjectType(record.objectType),

package/src/enrichApollo.ts

@@ -78,9 +78,12 @@ export function createApolloClient(options: ApolloClientOptions): ApolloClient {
       }
       if (response.status === 404) return null;
       if (!response.ok) {
-        const body = await response.text();
+        // Status line only — never interpolate the response body. It can echo
+        // the submitted query (contact emails / company domains) or the API key,
+        // and these errors are persisted verbatim into scheduled-run records.
+        await response.text().catch(() => undefined);
         const exhausted = response.status === 429 ? ` (rate limited; ${maxRetries} retries exhausted)` : "";
-        throw new Error(`Apollo API error ${response.status}${exhausted}: ${body}`);
+        throw new Error(`Apollo API error ${response.status}${exhausted}. Check the API key and request.`);
       }
       const text = await response.text();
       return text ? (JSON.parse(text) as Record<string, unknown>) : null;