fullstackgtm 0.25.1 → 0.25.2

package/CHANGELOG.md

@@ -5,6 +5,50 @@ The format follows [Keep a Changelog](https://keepachangelog.com/en/1.1.0/),
 and the project adheres to [Semantic Versioning](https://semver.org/).
 The path to 1.0 is planned in [docs/roadmap-to-1.0.md](./docs/roadmap-to-1.0.md).
 
+## [0.25.2] — 2026-06-15
+
+Security hardening I — confirmed fixes from an adversarial audit (each verified
+by a refute-by-default re-attack; the crontab and report fixes took three
+rounds because the re-attack kept finding deeper paths).
+
+### Security
+
+- **Crontab injection via `schedule install` (was: arbitrary code execution).**
+  `schedule add --label` rejects newlines/control chars; `renderManagedBlock`
+  now refuses to render any entry (or CLI invocation) whose interpolated
+  fields — label, cron, id, profile, argv, **and the resolved node/script
+  path + `FSGTM_HOME`** — carry a control character, so a hand-edited
+  `schedules.json` or a newline in `FSGTM_HOME` can no longer inject a live
+  crontab line. `parseCron` now accepts ASCII space/tab only (rejects Unicode
+  whitespace), and a stray `%` in a path is escaped (`\%`) so it can't truncate
+  the managed line.
+- **SSRF in `market capture`.** Page fetches now allow only http/https, refuse
+  any host that is or resolves to a private/loopback/link-local/CGNAT/metadata
+  address (IPv4, IPv6, and IPv4-mapped IPv6 in dotted or hex form), follow
+  redirects manually with per-hop re-validation, and cap time/body size.
+- **Stored XSS in the market HTML report.** The embedded JSON data island is
+  serialized with `<`/`>`/`&`/U+2028/U+2029 escaped (no `</script>` breakout),
+  the tooltip is built with `textContent` (no `innerHTML`), and the two
+  remaining raw sinks (anchor vendor name, evidence-appendix confidence) are
+  now `escapeHtml`'d; `validateObservationSet` rejects a non-enum `confidence`
+  so an `observe --from` file can't smuggle markup.
+- **Provider response bodies no longer leak into errors.** HubSpot, Salesforce,
+  Apollo, and Stripe connectors throw status-line-only errors (a 4xx body can
+  echo submitted emails/domains or the key, and these errors are persisted into
+  scheduled-run records).
+- **CSV/formula injection neutralized at the enrich write path.** Ingested
+  string values beginning with `= + - @` / tab / CR are prefixed with `'` so
+  they can't execute if the CRM is later exported to a spreadsheet; numeric
+  values keep full fidelity.
+- **Credential-store mode enforced on read, not just write.** A pre-existing
+  `credentials.json` with group/other permissions is re-tightened to 0600 (and
+  warned) on read, closing the inherited-loose-permissions gap.
+
+Known residuals tracked for follow-up: `marketMapToMarkdown` does not
+HTML-escape (safe in terminals/GitHub; only a risk if a downstream renderer
+trusts raw HTML — to be addressed with the report work); the credential read
+check is reactive (a loose file is exposed until the next CLI read).
+
 ## [0.25.1] — 2026-06-12
 
 Docs-sync release — no code changes.

package/dist/cli.js

@@ -27,7 +27,7 @@ import { marketMapToHtml, marketMapToMarkdown } from "./marketReport.js";
 import { DEFAULT_RUBRIC, detectProviderFromKey, extractInsightsLlm, parseRubric, resolveLlmCredential, scoreCallLlm, validateLlmKey, } from "./llm.js";
 import { buildEnrichPlan, createFileEnrichRunStore, DEFAULT_STALE_DAYS, ENRICH_CONFIG_FILE_NAME, enrichRunId, inferIngestObjectType, latestStamps, loadEnrichConfig, parseCsv, resolveCrmField, selectStaleWork, stagedSourceRecords, staleDaysFor, } from "./enrich.js";
 import { apolloPullKeysForAppend, apolloPullKeysForRefresh, createApolloClient, pullApolloRecords, } from "./enrichApollo.js";
-import { computeMissedFirings, createFileScheduleRunStore, createFileScheduleStore, nextCronFiring, parseCron, renderManagedBlock, replaceManagedBlock, scheduleId, systemCrontabIo, tokenizeCommand, validateSchedulableArgv, } from "./schedule.js";
+import { computeMissedFirings, createFileScheduleRunStore, createFileScheduleStore, nextCronFiring, parseCron, renderManagedBlock, replaceManagedBlock, assertSingleLineLabel, hasControlChar, scheduleId, systemCrontabIo, tokenizeCommand, validateSchedulableArgv, } from "./schedule.js";
 import { resolveRecord } from "./resolve.js";
 import { buildBulkUpdatePlan } from "./bulkUpdate.js";
 import { buildDedupePlan } from "./dedupe.js";
@@ -1614,6 +1614,7 @@ trigger: manual. status shows next firing and surfaces missed firings
         const createdAt = new Date().toISOString();
         const label = option(rest, "--label") ??
             argv.filter((arg) => !arg.startsWith("--")).slice(0, 2).join("-").replace(/[^\w.-]+/g, "-");
+        assertSingleLineLabel(label);
         const entry = {
             id: scheduleId(label, cron.source, argv, createdAt),
             label,
@@ -1819,13 +1820,27 @@ function scheduleCliInvocation() {
     if (!script || !existsSync(script)) {
         throw new Error("Cannot resolve the fullstackgtm entry point for crontab lines (process.argv[1] is missing).");
     }
+    // A newline/control char in any of these flows verbatim into the crontab
+    // executable line; single-quote escaping defends the shell, not cron's line
+    // parser. Refuse early with a clear message (renderManagedBlock re-checks).
+    for (const [name, value] of [
+        ["FSGTM_HOME", process.env.FSGTM_HOME],
+        ["the node executable path", process.execPath],
+        ["the CLI script path", script],
+    ]) {
+        if (value && hasControlChar(value)) {
+            throw new Error(`Cannot install schedules: ${name} contains a newline or control character.`);
+        }
+    }
     const quote = (value) => `'${value.replace(/'/g, `'\\''`)}'`;
     const parts = [quote(process.execPath)];
     if (script.endsWith(".ts"))
         parts.push("--experimental-strip-types");
     parts.push(quote(script));
     const home = process.env.FSGTM_HOME ? `FSGTM_HOME=${quote(process.env.FSGTM_HOME)} ` : "";
-    return home + parts.join(" ");
+    // cron treats an unescaped `%` in the command field as a newline/stdin split.
+    // Escape it as `\%` so a stray `%` in a path can't truncate the managed line.
+    return (home + parts.join(" ")).replace(/%/g, "\\%");
 }
 /**
  * The single provider entry point: execute the scheduled command in-process

package/dist/connectors/hubspot.js

@@ -44,8 +44,11 @@ export function createHubspotConnector(options) {
             throw new Error(`Cannot reach HubSpot at ${baseUrl}${cause}. Check network access.`);
         }
         if (!response.ok) {
-            const body = await response.text();
-            throw new Error(`HubSpot API error ${response.status}: ${body}`);
+            // Status line only — HubSpot 4xx bodies echo submitted property values
+            // (contact emails, company domains) and the request payload, and these
+            // errors are persisted into scheduled-run records. Never interpolate it.
+            await response.text().catch(() => undefined);
+            throw new Error(`HubSpot API error ${response.status}. Check the token scopes and request.`);
         }
         // DELETE and some association writes return 204 with an empty body.
         const text = await response.text();

package/dist/connectors/salesforce.js

@@ -46,8 +46,10 @@ export function createSalesforceConnector(options) {
             throw new Error(`Cannot reach Salesforce at ${connection.instanceUrl}${cause}. Check SALESFORCE_INSTANCE_URL (your My Domain URL, e.g. https://yourco.my.salesforce.com) and network access.`);
         }
         if (!response.ok) {
-            const body = await response.text();
-            throw new Error(`Salesforce API error ${response.status}: ${body}`);
+            // Status line only — the body echoes submitted field values and the
+            // request, and these errors are persisted into scheduled-run records.
+            await response.text().catch(() => undefined);
+            throw new Error(`Salesforce API error ${response.status}. Check the token and request.`);
         }
         // Salesforce PATCH returns 204 No Content on success.
         const text = await response.text();

package/dist/connectors/stripe.js

@@ -26,8 +26,10 @@ export function createStripeConnector(options) {
             headers: { Authorization: `Bearer ${apiKey}` },
         });
         if (!response.ok) {
-            const body = await response.text();
-            throw new Error(`Stripe API error ${response.status}: ${body}`);
+            // Status line only — the body can echo request details bound to a live
+            // billing key, and these errors land in scheduled-run records.
+            await response.text().catch(() => undefined);
+            throw new Error(`Stripe API error ${response.status}. Check the restricted key and request.`);
         }
         return response.json();
     }

package/dist/credentials.js

@@ -1,4 +1,4 @@
-import { chmodSync, existsSync, mkdirSync, readdirSync, readFileSync, unlinkSync, writeFileSync, } from "node:fs";
+import { chmodSync, existsSync, mkdirSync, readdirSync, readFileSync, statSync, unlinkSync, writeFileSync, } from "node:fs";
 import { homedir } from "node:os";
 import { join } from "node:path";
 import { refreshHubspotToken } from "./connectors/hubspotAuth.js";
@@ -98,8 +98,29 @@ export function writeSecureFile(path, contents) {
         // Non-POSIX filesystems ignore chmod.
     }
 }
+/**
+ * The 0600/0700 guarantee was write-only: a credentials.json inherited at
+ * looser permissions (a restored backup, a file created by another tool, a
+ * cloned home) was read and trusted regardless of its actual mode. Enforce the
+ * mode on read too — re-tighten to 0600 and warn once — so a world-readable
+ * credential store can't sit there silently leaking the token to other users.
+ */
+function enforceCredentialFileMode(path) {
+    try {
+        const mode = statSync(path).mode & 0o777;
+        if ((mode & 0o077) !== 0) {
+            chmodSync(path, 0o600);
+            console.error(`fullstackgtm: tightened ${path} from ${mode.toString(8).padStart(3, "0")} to 600 ` +
+                "(it was readable or writable by other users).");
+        }
+    }
+    catch {
+        // Missing file or non-POSIX filesystem: nothing to enforce.
+    }
+}
 function readFile() {
     try {
+        enforceCredentialFileMode(credentialsPath());
         const parsed = JSON.parse(readFileSync(credentialsPath(), "utf8"));
         if (parsed && typeof parsed === "object" && parsed.version === 1 && parsed.providers) {
             return parsed;

package/dist/enrich.js

@@ -291,6 +291,28 @@ function valueToString(value) {
         return String(value);
     return "";
 }
+/**
+ * CSV/formula-injection neutralization for string values destined for a CRM
+ * write. Third-party export rows (Clay CSV, webhook JSON) can contain cells
+ * like `=cmd|'/c calc'!A1` or `@SUM(...)`; written verbatim to a CRM field they
+ * lie dormant until someone exports the CRM to CSV and opens it in a spreadsheet,
+ * where the leading `= + - @` (or a leading tab/CR) makes the client execute it.
+ * We prefix a single apostrophe — the spreadsheet-standard escape that renders
+ * the cell as literal text. Numeric values bypass this (they're written as
+ * numbers, not strings), so signed numbers keep full fidelity; a phone number
+ * supplied as a string and starting with `+` gains a leading `'`, which the
+ * human sees in the approved diff. Applied only at the write path, never to
+ * match keys.
+ */
+function neutralizeFormulaInjection(value) {
+    if (value && /^[=+\-@\t\r]/.test(value))
+        return `'${value}`;
+    return value;
+}
+/** valueToString for a value that will be written to a CRM field. */
+function writeSafeString(value) {
+    return neutralizeFormulaInjection(valueToString(value));
+}
 function normalizeKeyValue(key, value) {
     const text = valueToString(value).toLowerCase();
     if (!text)
@@ -498,7 +520,7 @@ export function buildEnrichPlan(options) {
                     operation: "set_field",
                     field: canonicalField,
                     beforeValue: currentValue ?? null,
-                    afterValue: typeof sourceValue === "number" ? sourceValue : valueToString(sourceValue),
+                    afterValue: typeof sourceValue === "number" ? sourceValue : writeSafeString(sourceValue),
                     reason: `${source} ${record.objectType} "${describeSourceRecord(record)}" (matched by ` +
                         `${outcome.matchedKey}) reports a changed value for ${canonicalField}.`,
                     sourceRuleOrPolicy: `enrich:${source}:${canonicalField}`,
@@ -516,7 +538,7 @@ export function buildEnrichPlan(options) {
             if (!isEmptyValue(currentValue))
                 continue;
             emittedForRecord = true;
-            const afterValue = typeof sourceValue === "number" ? sourceValue : valueToString(sourceValue);
+            const afterValue = typeof sourceValue === "number" ? sourceValue : writeSafeString(sourceValue);
             operations.push({
                 id: `op_enr_${fnv1a(`${source}:${record.objectType}:${outcome.recordId}:${canonicalField}`)}`,
                 objectType: canonicalObjectType(record.objectType),

package/dist/enrichApollo.js

@@ -56,9 +56,12 @@ export function createApolloClient(options) {
             if (response.status === 404)
                 return null;
             if (!response.ok) {
-                const body = await response.text();
+                // Status line only — never interpolate the response body. It can echo
+                // the submitted query (contact emails / company domains) or the API key,
+                // and these errors are persisted verbatim into scheduled-run records.
+                await response.text().catch(() => undefined);
                 const exhausted = response.status === 429 ? ` (rate limited; ${maxRetries} retries exhausted)` : "";
-                throw new Error(`Apollo API error ${response.status}${exhausted}: ${body}`);
+                throw new Error(`Apollo API error ${response.status}${exhausted}. Check the API key and request.`);
             }
             const text = await response.text();
             return text ? JSON.parse(text) : null;

package/dist/market.d.ts

@@ -153,6 +153,7 @@ export type FetchPage = (url: string) => Promise<{
     status: number;
     body: string;
 }>;
+export declare function assertPublicUrl(rawUrl: string): Promise<URL>;
 export type CaptureOptions = {
     /** Directory for captures; defaults to <marketHome>/captures. */
     dir?: string;

package/dist/market.js

@@ -1,5 +1,7 @@
 import { createHash } from "node:crypto";
+import { lookup } from "node:dns/promises";
 import { existsSync, mkdirSync, readFileSync, readdirSync, writeFileSync } from "node:fs";
+import { isIP } from "node:net";
 import { join } from "node:path";
 import { credentialsDir } from "./credentials.js";
 const INTENSITY_RANK = {
@@ -141,15 +143,144 @@ export function extractReadableText(html) {
         .filter(Boolean)
         .join("\n");
 }
+/**
+ * SSRF guard. market.config.json URLs are operator-authored, but configs are
+ * shared/templated in consulting/team use and `market capture|refresh` is on
+ * the cron allowlist — an unguarded fetch is an unattended internal-network
+ * and cloud-metadata probe. We therefore (1) allow only http/https, (2) refuse
+ * any host that is or resolves to a private/loopback/link-local/metadata
+ * address, and (3) follow redirects manually, re-validating each hop.
+ *
+ * Residual gap (documented, not defended here): TOCTOU DNS rebinding between
+ * our lookup and fetch's own resolution. Out of scope for fetching public
+ * competitor pages; a hardened deployment should fetch through an egress proxy.
+ */
+const MAX_REDIRECTS = 5;
+const FETCH_TIMEOUT_MS = 15_000;
+const MAX_BODY_BYTES = 5_000_000;
+function ipv4IsPrivate(ip) {
+    const parts = ip.split(".").map((n) => Number(n));
+    if (parts.length !== 4 || parts.some((n) => !Number.isInteger(n) || n < 0 || n > 255))
+        return true;
+    const [a, b] = parts;
+    if (a === 0 || a === 127)
+        return true; // this-host, loopback
+    if (a === 10)
+        return true; // private
+    if (a === 172 && b >= 16 && b <= 31)
+        return true; // private
+    if (a === 192 && b === 168)
+        return true; // private
+    if (a === 169 && b === 254)
+        return true; // link-local incl. 169.254.169.254 metadata
+    if (a === 100 && b >= 64 && b <= 127)
+        return true; // CGNAT
+    if (a >= 224)
+        return true; // multicast / reserved
+    return false;
+}
+function ipIsPrivate(ip) {
+    const family = isIP(ip);
+    if (family === 4)
+        return ipv4IsPrivate(ip);
+    if (family === 6) {
+        const lower = ip.toLowerCase();
+        if (lower === "::1" || lower === "::")
+            return true; // loopback / unspecified
+        // IPv4-mapped (::ffff:…) — Node normalizes ::ffff:127.0.0.1 to ::ffff:7f00:1,
+        // so accept both the dotted and the hex-pair forms, unwrap, check the v4.
+        const mapped = lower.match(/^::ffff:(.+)$/);
+        if (mapped) {
+            const rest = mapped[1];
+            if (rest.includes("."))
+                return ipv4IsPrivate(rest);
+            const groups = rest.split(":");
+            if (groups.length === 2) {
+                const hi = parseInt(groups[0], 16);
+                const lo = parseInt(groups[1], 16);
+                if (Number.isNaN(hi) || Number.isNaN(lo))
+                    return true;
+                return ipv4IsPrivate(`${(hi >> 8) & 0xff}.${hi & 0xff}.${(lo >> 8) & 0xff}.${lo & 0xff}`);
+            }
+            return true; // unrecognized mapped form → refuse
+        }
+        if (lower.startsWith("fe8") || lower.startsWith("fe9") || lower.startsWith("fea") || lower.startsWith("feb"))
+            return true; // link-local fe80::/10
+        if (lower.startsWith("fc") || lower.startsWith("fd"))
+            return true; // unique-local fc00::/7
+        return false;
+    }
+    return true; // not a recognizable IP literal → refuse
+}
+export async function assertPublicUrl(rawUrl) {
+    let url;
+    try {
+        url = new URL(rawUrl);
+    }
+    catch {
+        throw new Error(`market capture: "${rawUrl}" is not a valid URL.`);
+    }
+    if (url.protocol !== "http:" && url.protocol !== "https:") {
+        throw new Error(`market capture refuses ${url.protocol} URLs (only http/https): ${rawUrl}`);
+    }
+    const host = url.hostname.replace(/^\[|\]$/g, ""); // strip IPv6 brackets
+    if (isIP(host)) {
+        if (ipIsPrivate(host))
+            throw new Error(`market capture refuses private/loopback address ${host} (SSRF guard).`);
+        return url;
+    }
+    // Hostname: resolve and refuse if ANY address is private.
+    const addrs = await lookup(host, { all: true });
+    for (const { address } of addrs) {
+        if (ipIsPrivate(address)) {
+            throw new Error(`market capture refuses ${host} — it resolves to private/internal address ${address} (SSRF guard).`);
+        }
+    }
+    return url;
+}
 const defaultFetchPage = async (url) => {
-    const response = await fetch(url, {
-        headers: {
-            "User-Agent": "fullstackgtm-market/0 (+https://github.com/fullstackgtm/core)",
-            "Accept-Language": "en-US",
-        },
-        redirect: "follow",
-    });
-    return { status: response.status, body: await response.text() };
+    let current = url;
+    for (let hop = 0; hop <= MAX_REDIRECTS; hop++) {
+        await assertPublicUrl(current);
+        const controller = new AbortController();
+        const timer = setTimeout(() => controller.abort(), FETCH_TIMEOUT_MS);
+        let response;
+        try {
+            response = await fetch(current, {
+                headers: {
+                    "User-Agent": "fullstackgtm-market/0 (+https://github.com/fullstackgtm/core)",
+                    "Accept-Language": "en-US",
+                },
+                redirect: "manual",
+                signal: controller.signal,
+            });
+        }
+        finally {
+            clearTimeout(timer);
+        }
+        if (response.status >= 300 && response.status < 400 && response.headers.get("location")) {
+            current = new URL(response.headers.get("location"), current).toString();
+            continue; // re-validate the redirect target on the next iteration
+        }
+        const reader = response.body?.getReader();
+        if (!reader)
+            return { status: response.status, body: await response.text() };
+        const chunks = [];
+        let total = 0;
+        for (;;) {
+            const { done, value } = await reader.read();
+            if (done)
+                break;
+            total += value.length;
+            if (total > MAX_BODY_BYTES) {
+                await reader.cancel();
+                break;
+            }
+            chunks.push(value);
+        }
+        return { status: response.status, body: Buffer.concat(chunks).toString("utf8") };
+    }
+    throw new Error(`market capture: too many redirects (>${MAX_REDIRECTS}) for ${url}`);
 };
 export async function captureMarket(config, options = {}) {
     const dir = options.dir ?? join(marketHome(config.category), "captures");
@@ -284,6 +415,11 @@ export function validateObservationSet(config, set) {
         if (!INTENSITY_RANK[obs.intensity] && obs.intensity !== "unobservable") {
             problems.push(`${cell}: invalid intensity "${obs.intensity}"`);
         }
+        // confidence is rendered into the HTML report; only the enum is allowed, so
+        // an `observe --from` file can't smuggle markup through a free-text value.
+        if (obs.confidence !== "high" && obs.confidence !== "medium" && obs.confidence !== "low") {
+            problems.push(`${cell}: invalid confidence "${String(obs.confidence)}" (expected high, medium, or low)`);
+        }
         if ((obs.intensity === "loud" || obs.intensity === "quiet") && obs.evidence.length === 0) {
             problems.push(`${cell}: ${obs.intensity} reading with no quoted evidence`);
         }

package/dist/marketReport.d.ts

@@ -1,3 +1,12 @@
 import type { MarketConfig, ObservationSet } from "./market.ts";
+/**
+ * Serialize JSON for embedding inside an inline <script> block. JSON.stringify
+ * does not escape `<`, `>`, `&`, or the U+2028/U+2029 line separators, so a
+ * vendor name containing `</script>` (these are untrusted, competitor-authored
+ * strings) would close the tag and inject markup. Replacing them with their
+ * \uXXXX escapes keeps the parsed value identical while making the breakout
+ * sequence unrepresentable in the HTML source.
+ */
+export declare function safeJsonForScript(value: unknown): string;
 export declare function marketMapToMarkdown(config: MarketConfig, set: ObservationSet): string;
 export declare function marketMapToHtml(config: MarketConfig, set: ObservationSet): string;

package/dist/marketReport.js

@@ -28,6 +28,22 @@ function escapeHtml(value) {
         .replace(/>/g, ">")
         .replace(/"/g, """);
 }
+/**
+ * Serialize JSON for embedding inside an inline <script> block. JSON.stringify
+ * does not escape `<`, `>`, `&`, or the U+2028/U+2029 line separators, so a
+ * vendor name containing `</script>` (these are untrusted, competitor-authored
+ * strings) would close the tag and inject markup. Replacing them with their
+ * \uXXXX escapes keeps the parsed value identical while making the breakout
+ * sequence unrepresentable in the HTML source.
+ */
+export function safeJsonForScript(value) {
+    return JSON.stringify(value)
+        .replace(/</g, "\\u003c")
+        .replace(/>/g, "\\u003e")
+        .replace(/&/g, "\\u0026")
+        .replace(/\u2028/g, "\\u2028")
+        .replace(/\u2029/g, "\\u2029");
+}
 function buildModel(config, set) {
     const fronts = computeFrontStates(config, set);
     const stateByClaim = new Map(fronts.map((front) => [front.claimId, front.state]));
@@ -320,7 +336,7 @@ function axisSectionsHtml(config, set) {
       <table class="legend"><thead><tr><th></th><th>vendor</th><th class="num">${legendMeasureHead}</th></tr></thead><tbody>${legendRows}</tbody></table>
     </div>
     <div class="map-tip" id="map-tip" hidden></div>
-    <script type="application/json" id="map-data">${JSON.stringify(tipData)}</script>
+    <script type="application/json" id="map-data">${safeJsonForScript(tipData)}</script>
     <script>
     (function () {
       var data = JSON.parse(document.getElementById("map-data").textContent);
@@ -331,7 +347,16 @@ function axisSectionsHtml(config, set) {
       function show(v, evt) {
         var d = data[v];
         if (!d) return;
-        tip.innerHTML = "<b>" + d.n + " · " + d.name + "</b>" + d.lines.map(function (l) { return "<div>" + l + "</div>"; }).join("");
+        // textContent only — vendor names / axis labels are untrusted (competitor-controlled).
+        tip.textContent = "";
+        var head = document.createElement("b");
+        head.textContent = d.n + " · " + d.name;
+        tip.appendChild(head);
+        d.lines.forEach(function (l) {
+          var div = document.createElement("div");
+          div.textContent = l;
+          tip.appendChild(div);
+        });
         tip.hidden = false;
         var box = fig.getBoundingClientRect();
         tip.style.left = Math.min(evt.clientX - box.left + 14, box.width - tip.offsetWidth - 8) + "px";
@@ -419,7 +444,7 @@ export function marketMapToHtml(config, set) {
         const anchorLoud = anchor
             ? claimIds.filter((claimId) => model.cell(anchor, claimId)?.intensity === "loud").length
             : 0;
-        const anchorNote = anchor ? ` · ${vendorNamesById.get(anchor) ?? anchor} loud on ${anchorLoud}` : "";
+        const anchorNote = anchor ? ` · ${e(vendorNamesById.get(anchor) ?? anchor)} loud on ${anchorLoud}` : "";
         return `<details class="claim-group"><summary><b>${e(group.title)}</b> — ${claimIds.length} claim${claimIds.length === 1 ? "" : "s"} <span class="sum-soft">(${e(group.blurb)}${anchorNote})</span></summary>
       <table><thead><tr><th></th>${vendorHeads}<th></th></tr></thead><tbody>${claimIds.map(matrixRow).join("")}</tbody></table>
     </details>`;
@@ -475,7 +500,7 @@ export function marketMapToHtml(config, set) {
             const obs = model.cell(vendor.id, claimId);
             if (!obs || obs.evidence.length === 0)
                 return [];
-            return obs.evidence.map((evidence) => `<div class="ev"><span class="ev-head">${e(claimId)} · ${obs.intensity.toUpperCase()} (${obs.confidence})</span>` +
+            return obs.evidence.map((evidence) => `<div class="ev"><span class="ev-head">${e(claimId)} · ${e(obs.intensity.toUpperCase())} (${e(String(obs.confidence ?? ""))})</span>` +
                 `<blockquote>“${e(evidence.text)}”</blockquote>` +
                 `<span class="ev-src">${e(String(evidence.metadata?.url ?? ""))} · capture ${e(String(evidence.metadata?.captureHash ?? "").slice(0, 12))}</span></div>`);
         });

package/dist/schedule.d.ts

@@ -53,6 +53,23 @@ export declare function scheduleId(label: string, cron: string, argv: string[],
  * in-process into the CLI router, never through a shell).
  */
 export declare function validateSchedulableArgv(argv: string[]): void;
+/**
+ * A schedule label is free text the operator chooses, but it is later
+ * interpolated into a crontab comment line by `renderManagedBlock`. A newline
+ * (or carriage return) would break out of the comment and inject an arbitrary
+ * crontab entry on `schedule install`. Reject control characters at the entry
+ * point so a label can never carry a second line; `renderManagedBlock` also
+ * strips them defensively in case a hand-edited schedules.json slips one past.
+ */
+export declare function assertSingleLineLabel(label: string): void;
+/**
+ * True if the string contains any line-breaking or control character. Covers
+ * C0 controls + DEL, plus the Unicode separators a non-cron parser might honor
+ * (NEL U+0085, LS U+2028, PS U+2029, VT U+000B, FF U+000C) — defense-in-depth
+ * for the future modal/aws scaffold renderers whose target formats may treat
+ * those as line breaks.
+ */
+export declare function hasControlChar(value: string): boolean;
 /**
  * Split a `schedule add "<command>"` string into argv, honoring single and
  * double quotes (no escapes, no expansion — this is tokenization, not shell).

package/dist/schedule.js

@@ -77,6 +77,68 @@ export function validateSchedulableArgv(argv) {
         }
     }
 }
+/**
+ * A schedule label is free text the operator chooses, but it is later
+ * interpolated into a crontab comment line by `renderManagedBlock`. A newline
+ * (or carriage return) would break out of the comment and inject an arbitrary
+ * crontab entry on `schedule install`. Reject control characters at the entry
+ * point so a label can never carry a second line; `renderManagedBlock` also
+ * strips them defensively in case a hand-edited schedules.json slips one past.
+ */
+export function assertSingleLineLabel(label) {
+    if (hasControlChar(label)) {
+        throw new Error("A schedule --label cannot contain newlines or control characters " +
+            "(they would inject lines into the managed crontab block). Use a plain single-line name.");
+    }
+}
+/**
+ * True if the string contains any line-breaking or control character. Covers
+ * C0 controls + DEL, plus the Unicode separators a non-cron parser might honor
+ * (NEL U+0085, LS U+2028, PS U+2029, VT U+000B, FF U+000C) — defense-in-depth
+ * for the future modal/aws scaffold renderers whose target formats may treat
+ * those as line breaks.
+ */
+export function hasControlChar(value) {
+    for (let i = 0; i < value.length; i++) {
+        const code = value.charCodeAt(i);
+        if (code < 0x20 || code === 0x7f || code === 0x85 || code === 0x2028 || code === 0x2029)
+            return true;
+    }
+    return false;
+}
+/** Collapse any control/separator character to a space — last-resort guard at render time. */
+function sanitizeCrontabComment(value) {
+    let out = "";
+    for (const ch of value) {
+        const code = ch.charCodeAt(0);
+        out += code < 0x20 || code === 0x7f || code === 0x85 || code === 0x2028 || code === 0x2029 ? " " : ch;
+    }
+    return out.replace(/ {2,}/g, " ").trim();
+}
+/**
+ * Validate every field of an entry that `renderManagedBlock` interpolates into
+ * the crontab — not just the label. The EXECUTABLE line embeds `cron` and `id`
+ * raw, and `schedule install` renders entries straight from schedules.json, so
+ * a hand-edited (or otherwise tampered) entry with a newline in cron/id/profile
+ * would inject a live crontab line. Refuse to render a tampered entry rather
+ * than emit it. (Well-formed entries never trip this: cron is parser-validated,
+ * id is an fnv1a hex hash, label is guarded at add-time.)
+ */
+function assertRenderableEntry(profile, entry) {
+    const fields = [
+        ["profile", profile],
+        ["cron", entry.cron],
+        ["id", entry.id],
+        ["label", entry.label],
+        ...entry.argv.map((token, i) => [`argv[${i}]`, token]),
+    ];
+    for (const [name, value] of fields) {
+        if (hasControlChar(value)) {
+            throw new Error(`Refusing to render schedule entry ${entry.id}: its ${name} contains a newline or control character. ` +
+                "The schedules.json store has been tampered with or corrupted — repair it before installing.");
+        }
+    }
+}
 /**
  * Split a `schedule add "<command>"` string into argv, honoring single and
  * double quotes (no escapes, no expansion — this is tokenization, not shell).
@@ -124,7 +186,13 @@ const CRON_FIELD_SPECS = [
     { name: "day-of-week", min: 0, max: 7 },
 ];
 export function parseCron(expression) {
-    const fields = expression.trim().split(/\s+/);
+    // Reject non-ASCII whitespace and control chars: JS \s splits on U+00A0,
+    // U+3000, etc., but Vixie cron's field separator is only space/tab. A source
+    // carrying them would parse here yet be misparsed or rejected by `crontab -`.
+    if (hasControlChar(expression) || /[^\x20-\x7e]/.test(expression)) {
+        throw new Error(`Invalid cron expression "${expression}": only ASCII characters, space, and tab are allowed.`);
+    }
+    const fields = expression.trim().split(/[ \t]+/);
     if (fields.length !== 5) {
         throw new Error(`Invalid cron expression "${expression}": expected 5 fields ` +
             `(minute hour day-of-month month day-of-week), got ${fields.length}.`);
@@ -432,13 +500,26 @@ export function crontabSentinels(profile) {
  * but fullstackgtm dispatch (no arbitrary shell, ever).
  */
 export function renderManagedBlock(profile, entries, cliInvocation) {
+    // cliInvocation is spliced raw into the executable line; it is built from
+    // process.execPath, the script path, and FSGTM_HOME (cli.ts), so a newline in
+    // FSGTM_HOME would inject a crontab line. Validate it like the entry fields —
+    // single-quote shell-escaping does NOT defend cron's line parser.
+    if (hasControlChar(cliInvocation)) {
+        throw new Error("Refusing to render the managed crontab: the resolved CLI invocation (node path, script path, " +
+            "or FSGTM_HOME) contains a newline or control character. Check $FSGTM_HOME.");
+    }
     const { open, close } = crontabSentinels(profile);
     const lines = [
         open,
         "# Managed by `fullstackgtm schedule install` — replaced wholesale on re-install; do not edit.",
     ];
     for (const entry of entries) {
-        lines.push(`# ${entry.label} (${entry.id}): ${entry.argv.join(" ")}`);
+        // Refuse to render any entry whose interpolated fields carry a control char
+        // — the executable line below embeds cron/id raw, so a tampered store could
+        // otherwise inject a live crontab line. The comment line is additionally
+        // sanitized so a benign-but-messy label can't break it.
+        assertRenderableEntry(profile, entry);
+        lines.push(sanitizeCrontabComment(`# ${entry.label} (${entry.id}): ${entry.argv.join(" ")}`));
         lines.push(`${entry.cron} ${cliInvocation} schedule run ${entry.id} --profile ${profile} --trigger cron`);
     }
     lines.push(close);

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "fullstackgtm",
-  "version": "0.25.1",
+  "version": "0.25.2",
   "description": "Open-source agentic GTM ops framework: canonical GTM data model, pluggable deterministic audits, reviewable dry-run patch plans, approval-gated write-back with conflict detection, and cross-system entity resolution. HubSpot, Salesforce, and Stripe connectors included.",
   "license": "Apache-2.0",
   "author": "Full Stack GTM",

package/src/cli.ts

@@ -109,6 +109,8 @@ import {
   parseCron,
   renderManagedBlock,
   replaceManagedBlock,
+  assertSingleLineLabel,
+  hasControlChar,
   scheduleId,
   systemCrontabIo,
   tokenizeCommand,
@@ -1831,6 +1833,7 @@ trigger: manual. status shows next firing and surfaces missed firings
     const label =
       option(rest, "--label") ??
       argv.filter((arg) => !arg.startsWith("--")).slice(0, 2).join("-").replace(/[^\w.-]+/g, "-");
+    assertSingleLineLabel(label);
     const entry: ScheduleEntry = {
       id: scheduleId(label, cron.source, argv, createdAt),
       label,
@@ -2052,12 +2055,26 @@ function scheduleCliInvocation(): string {
   if (!script || !existsSync(script)) {
     throw new Error("Cannot resolve the fullstackgtm entry point for crontab lines (process.argv[1] is missing).");
   }
+  // A newline/control char in any of these flows verbatim into the crontab
+  // executable line; single-quote escaping defends the shell, not cron's line
+  // parser. Refuse early with a clear message (renderManagedBlock re-checks).
+  for (const [name, value] of [
+    ["FSGTM_HOME", process.env.FSGTM_HOME],
+    ["the node executable path", process.execPath],
+    ["the CLI script path", script],
+  ] as const) {
+    if (value && hasControlChar(value)) {
+      throw new Error(`Cannot install schedules: ${name} contains a newline or control character.`);
+    }
+  }
   const quote = (value: string) => `'${value.replace(/'/g, `'\\''`)}'`;
   const parts = [quote(process.execPath)];
   if (script.endsWith(".ts")) parts.push("--experimental-strip-types");
   parts.push(quote(script));
   const home = process.env.FSGTM_HOME ? `FSGTM_HOME=${quote(process.env.FSGTM_HOME)} ` : "";
-  return home + parts.join(" ");
+  // cron treats an unescaped `%` in the command field as a newline/stdin split.
+  // Escape it as `\%` so a stray `%` in a path can't truncate the managed line.
+  return (home + parts.join(" ")).replace(/%/g, "\\%");
 }
 
 /**

package/src/connectors/hubspot.ts

@@ -77,8 +77,11 @@ export function createHubspotConnector(options: HubspotConnectorOptions): Requir
       throw new Error(`Cannot reach HubSpot at ${baseUrl}${cause}. Check network access.`);
     }
     if (!response.ok) {
-      const body = await response.text();
-      throw new Error(`HubSpot API error ${response.status}: ${body}`);
+      // Status line only — HubSpot 4xx bodies echo submitted property values
+      // (contact emails, company domains) and the request payload, and these
+      // errors are persisted into scheduled-run records. Never interpolate it.
+      await response.text().catch(() => undefined);
+      throw new Error(`HubSpot API error ${response.status}. Check the token scopes and request.`);
     }
     // DELETE and some association writes return 204 with an empty body.
     const text = await response.text();

package/src/connectors/salesforce.ts

@@ -88,8 +88,10 @@ export function createSalesforceConnector(
       );
     }
     if (!response.ok) {
-      const body = await response.text();
-      throw new Error(`Salesforce API error ${response.status}: ${body}`);
+      // Status line only — the body echoes submitted field values and the
+      // request, and these errors are persisted into scheduled-run records.
+      await response.text().catch(() => undefined);
+      throw new Error(`Salesforce API error ${response.status}. Check the token and request.`);
     }
     // Salesforce PATCH returns 204 No Content on success.
     const text = await response.text();

package/src/connectors/stripe.ts

@@ -46,8 +46,10 @@ export function createStripeConnector(options: StripeConnectorOptions): GtmConne
       headers: { Authorization: `Bearer ${apiKey}` },
     });
     if (!response.ok) {
-      const body = await response.text();
-      throw new Error(`Stripe API error ${response.status}: ${body}`);
+      // Status line only — the body can echo request details bound to a live
+      // billing key, and these errors land in scheduled-run records.
+      await response.text().catch(() => undefined);
+      throw new Error(`Stripe API error ${response.status}. Check the restricted key and request.`);
     }
     return response.json();
   }

package/src/credentials.ts

@@ -4,6 +4,7 @@ import {
   mkdirSync,
   readdirSync,
   readFileSync,
+  statSync,
   unlinkSync,
   writeFileSync,
 } from "node:fs";
@@ -143,8 +144,31 @@ export function writeSecureFile(path: string, contents: string) {
   }
 }
 
+/**
+ * The 0600/0700 guarantee was write-only: a credentials.json inherited at
+ * looser permissions (a restored backup, a file created by another tool, a
+ * cloned home) was read and trusted regardless of its actual mode. Enforce the
+ * mode on read too — re-tighten to 0600 and warn once — so a world-readable
+ * credential store can't sit there silently leaking the token to other users.
+ */
+function enforceCredentialFileMode(path: string): void {
+  try {
+    const mode = statSync(path).mode & 0o777;
+    if ((mode & 0o077) !== 0) {
+      chmodSync(path, 0o600);
+      console.error(
+        `fullstackgtm: tightened ${path} from ${mode.toString(8).padStart(3, "0")} to 600 ` +
+          "(it was readable or writable by other users).",
+      );
+    }
+  } catch {
+    // Missing file or non-POSIX filesystem: nothing to enforce.
+  }
+}
+
 function readFile(): CredentialsFile {
   try {
+    enforceCredentialFileMode(credentialsPath());
     const parsed = JSON.parse(readFileSync(credentialsPath(), "utf8"));
     if (parsed && typeof parsed === "object" && parsed.version === 1 && parsed.providers) {
       return parsed as CredentialsFile;

package/src/enrich.ts

@@ -394,6 +394,29 @@ function valueToString(value: unknown): string {
   return "";
 }
 
+/**
+ * CSV/formula-injection neutralization for string values destined for a CRM
+ * write. Third-party export rows (Clay CSV, webhook JSON) can contain cells
+ * like `=cmd|'/c calc'!A1` or `@SUM(...)`; written verbatim to a CRM field they
+ * lie dormant until someone exports the CRM to CSV and opens it in a spreadsheet,
+ * where the leading `= + - @` (or a leading tab/CR) makes the client execute it.
+ * We prefix a single apostrophe — the spreadsheet-standard escape that renders
+ * the cell as literal text. Numeric values bypass this (they're written as
+ * numbers, not strings), so signed numbers keep full fidelity; a phone number
+ * supplied as a string and starting with `+` gains a leading `'`, which the
+ * human sees in the approved diff. Applied only at the write path, never to
+ * match keys.
+ */
+function neutralizeFormulaInjection(value: string): string {
+  if (value && /^[=+\-@\t\r]/.test(value)) return `'${value}`;
+  return value;
+}
+
+/** valueToString for a value that will be written to a CRM field. */
+function writeSafeString(value: unknown): string {
+  return neutralizeFormulaInjection(valueToString(value));
+}
+
 // ---------------------------------------------------------------------------
 // Matching: ordered keys, unique-hit-wins, zero-hits-next-key,
 // multi-hit → onAmbiguous. Ambiguity is surfaced, never resolved by coin flip.
@@ -708,7 +731,7 @@ export function buildEnrichPlan(options: BuildEnrichPlanOptions): EnrichPlanResu
           operation: "set_field",
           field: canonicalField,
           beforeValue: currentValue ?? null,
-          afterValue: typeof sourceValue === "number" ? sourceValue : valueToString(sourceValue),
+          afterValue: typeof sourceValue === "number" ? sourceValue : writeSafeString(sourceValue),
           reason:
             `${source} ${record.objectType} "${describeSourceRecord(record)}" (matched by ` +
             `${outcome.matchedKey}) reports a changed value for ${canonicalField}.`,
@@ -726,7 +749,7 @@ export function buildEnrichPlan(options: BuildEnrichPlanOptions): EnrichPlanResu
       if (isEmptyValue(sourceValue)) continue;
       if (!isEmptyValue(currentValue)) continue;
       emittedForRecord = true;
-      const afterValue = typeof sourceValue === "number" ? sourceValue : valueToString(sourceValue);
+      const afterValue = typeof sourceValue === "number" ? sourceValue : writeSafeString(sourceValue);
       operations.push({
         id: `op_enr_${fnv1a(`${source}:${record.objectType}:${outcome.recordId}:${canonicalField}`)}`,
         objectType: canonicalObjectType(record.objectType),

package/src/enrichApollo.ts

@@ -78,9 +78,12 @@ export function createApolloClient(options: ApolloClientOptions): ApolloClient {
       }
       if (response.status === 404) return null;
       if (!response.ok) {
-        const body = await response.text();
+        // Status line only — never interpolate the response body. It can echo
+        // the submitted query (contact emails / company domains) or the API key,
+        // and these errors are persisted verbatim into scheduled-run records.
+        await response.text().catch(() => undefined);
         const exhausted = response.status === 429 ? ` (rate limited; ${maxRetries} retries exhausted)` : "";
-        throw new Error(`Apollo API error ${response.status}${exhausted}: ${body}`);
+        throw new Error(`Apollo API error ${response.status}${exhausted}. Check the API key and request.`);
       }
       const text = await response.text();
       return text ? (JSON.parse(text) as Record<string, unknown>) : null;

package/src/market.ts

@@ -1,5 +1,7 @@
 import { createHash } from "node:crypto";
+import { lookup } from "node:dns/promises";
 import { existsSync, mkdirSync, readFileSync, readdirSync, writeFileSync } from "node:fs";
+import { isIP } from "node:net";
 import { join } from "node:path";
 import { credentialsDir } from "./credentials.ts";
 import type { GtmEvidence } from "./types.ts";
@@ -309,15 +311,129 @@ export function extractReadableText(html: string): string {
 
 export type FetchPage = (url: string) => Promise<{ status: number; body: string }>;
 
+/**
+ * SSRF guard. market.config.json URLs are operator-authored, but configs are
+ * shared/templated in consulting/team use and `market capture|refresh` is on
+ * the cron allowlist — an unguarded fetch is an unattended internal-network
+ * and cloud-metadata probe. We therefore (1) allow only http/https, (2) refuse
+ * any host that is or resolves to a private/loopback/link-local/metadata
+ * address, and (3) follow redirects manually, re-validating each hop.
+ *
+ * Residual gap (documented, not defended here): TOCTOU DNS rebinding between
+ * our lookup and fetch's own resolution. Out of scope for fetching public
+ * competitor pages; a hardened deployment should fetch through an egress proxy.
+ */
+const MAX_REDIRECTS = 5;
+const FETCH_TIMEOUT_MS = 15_000;
+const MAX_BODY_BYTES = 5_000_000;
+
+function ipv4IsPrivate(ip: string): boolean {
+  const parts = ip.split(".").map((n) => Number(n));
+  if (parts.length !== 4 || parts.some((n) => !Number.isInteger(n) || n < 0 || n > 255)) return true;
+  const [a, b] = parts;
+  if (a === 0 || a === 127) return true; // this-host, loopback
+  if (a === 10) return true; // private
+  if (a === 172 && b >= 16 && b <= 31) return true; // private
+  if (a === 192 && b === 168) return true; // private
+  if (a === 169 && b === 254) return true; // link-local incl. 169.254.169.254 metadata
+  if (a === 100 && b >= 64 && b <= 127) return true; // CGNAT
+  if (a >= 224) return true; // multicast / reserved
+  return false;
+}
+
+function ipIsPrivate(ip: string): boolean {
+  const family = isIP(ip);
+  if (family === 4) return ipv4IsPrivate(ip);
+  if (family === 6) {
+    const lower = ip.toLowerCase();
+    if (lower === "::1" || lower === "::") return true; // loopback / unspecified
+    // IPv4-mapped (::ffff:…) — Node normalizes ::ffff:127.0.0.1 to ::ffff:7f00:1,
+    // so accept both the dotted and the hex-pair forms, unwrap, check the v4.
+    const mapped = lower.match(/^::ffff:(.+)$/);
+    if (mapped) {
+      const rest = mapped[1];
+      if (rest.includes(".")) return ipv4IsPrivate(rest);
+      const groups = rest.split(":");
+      if (groups.length === 2) {
+        const hi = parseInt(groups[0], 16);
+        const lo = parseInt(groups[1], 16);
+        if (Number.isNaN(hi) || Number.isNaN(lo)) return true;
+        return ipv4IsPrivate(`${(hi >> 8) & 0xff}.${hi & 0xff}.${(lo >> 8) & 0xff}.${lo & 0xff}`);
+      }
+      return true; // unrecognized mapped form → refuse
+    }
+    if (lower.startsWith("fe8") || lower.startsWith("fe9") || lower.startsWith("fea") || lower.startsWith("feb")) return true; // link-local fe80::/10
+    if (lower.startsWith("fc") || lower.startsWith("fd")) return true; // unique-local fc00::/7
+    return false;
+  }
+  return true; // not a recognizable IP literal → refuse
+}
+
+export async function assertPublicUrl(rawUrl: string): Promise<URL> {
+  let url: URL;
+  try {
+    url = new URL(rawUrl);
+  } catch {
+    throw new Error(`market capture: "${rawUrl}" is not a valid URL.`);
+  }
+  if (url.protocol !== "http:" && url.protocol !== "https:") {
+    throw new Error(`market capture refuses ${url.protocol} URLs (only http/https): ${rawUrl}`);
+  }
+  const host = url.hostname.replace(/^\[|\]$/g, ""); // strip IPv6 brackets
+  if (isIP(host)) {
+    if (ipIsPrivate(host)) throw new Error(`market capture refuses private/loopback address ${host} (SSRF guard).`);
+    return url;
+  }
+  // Hostname: resolve and refuse if ANY address is private.
+  const addrs = await lookup(host, { all: true });
+  for (const { address } of addrs) {
+    if (ipIsPrivate(address)) {
+      throw new Error(`market capture refuses ${host} — it resolves to private/internal address ${address} (SSRF guard).`);
+    }
+  }
+  return url;
+}
+
 const defaultFetchPage: FetchPage = async (url) => {
-  const response = await fetch(url, {
-    headers: {
-      "User-Agent": "fullstackgtm-market/0 (+https://github.com/fullstackgtm/core)",
-      "Accept-Language": "en-US",
-    },
-    redirect: "follow",
-  });
-  return { status: response.status, body: await response.text() };
+  let current = url;
+  for (let hop = 0; hop <= MAX_REDIRECTS; hop++) {
+    await assertPublicUrl(current);
+    const controller = new AbortController();
+    const timer = setTimeout(() => controller.abort(), FETCH_TIMEOUT_MS);
+    let response: Response;
+    try {
+      response = await fetch(current, {
+        headers: {
+          "User-Agent": "fullstackgtm-market/0 (+https://github.com/fullstackgtm/core)",
+          "Accept-Language": "en-US",
+        },
+        redirect: "manual",
+        signal: controller.signal,
+      });
+    } finally {
+      clearTimeout(timer);
+    }
+    if (response.status >= 300 && response.status < 400 && response.headers.get("location")) {
+      current = new URL(response.headers.get("location") as string, current).toString();
+      continue; // re-validate the redirect target on the next iteration
+    }
+    const reader = response.body?.getReader();
+    if (!reader) return { status: response.status, body: await response.text() };
+    const chunks: Uint8Array[] = [];
+    let total = 0;
+    for (;;) {
+      const { done, value } = await reader.read();
+      if (done) break;
+      total += value.length;
+      if (total > MAX_BODY_BYTES) {
+        await reader.cancel();
+        break;
+      }
+      chunks.push(value);
+    }
+    return { status: response.status, body: Buffer.concat(chunks).toString("utf8") };
+  }
+  throw new Error(`market capture: too many redirects (>${MAX_REDIRECTS}) for ${url}`);
 };
 
 export type CaptureOptions = {
@@ -478,6 +594,11 @@ export function validateObservationSet(config: MarketConfig, set: ObservationSet
     if (!INTENSITY_RANK[obs.intensity] && obs.intensity !== "unobservable") {
       problems.push(`${cell}: invalid intensity "${obs.intensity}"`);
     }
+    // confidence is rendered into the HTML report; only the enum is allowed, so
+    // an `observe --from` file can't smuggle markup through a free-text value.
+    if (obs.confidence !== "high" && obs.confidence !== "medium" && obs.confidence !== "low") {
+      problems.push(`${cell}: invalid confidence "${String(obs.confidence)}" (expected high, medium, or low)`);
+    }
     if ((obs.intensity === "loud" || obs.intensity === "quiet") && obs.evidence.length === 0) {
       problems.push(`${cell}: ${obs.intensity} reading with no quoted evidence`);
     }

package/src/marketReport.ts

@@ -40,6 +40,23 @@ function escapeHtml(value: string): string {
     .replace(/"/g, """);
 }
 
+/**
+ * Serialize JSON for embedding inside an inline <script> block. JSON.stringify
+ * does not escape `<`, `>`, `&`, or the U+2028/U+2029 line separators, so a
+ * vendor name containing `</script>` (these are untrusted, competitor-authored
+ * strings) would close the tag and inject markup. Replacing them with their
+ * \uXXXX escapes keeps the parsed value identical while making the breakout
+ * sequence unrepresentable in the HTML source.
+ */
+export function safeJsonForScript(value: unknown): string {
+  return JSON.stringify(value)
+    .replace(/</g, "\\u003c")
+    .replace(/>/g, "\\u003e")
+    .replace(/&/g, "\\u0026")
+    .replace(/\u2028/g, "\\u2028")
+    .replace(/\u2029/g, "\\u2029");
+}
+
 type MapModel = {
   config: MarketConfig;
   set: ObservationSet;
@@ -374,7 +391,7 @@ function axisSectionsHtml(
       <table class="legend"><thead><tr><th></th><th>vendor</th><th class="num">${legendMeasureHead}</th></tr></thead><tbody>${legendRows}</tbody></table>
     </div>
     <div class="map-tip" id="map-tip" hidden></div>
-    <script type="application/json" id="map-data">${JSON.stringify(tipData)}</script>
+    <script type="application/json" id="map-data">${safeJsonForScript(tipData)}</script>
     <script>
     (function () {
       var data = JSON.parse(document.getElementById("map-data").textContent);
@@ -385,7 +402,16 @@ function axisSectionsHtml(
       function show(v, evt) {
         var d = data[v];
         if (!d) return;
-        tip.innerHTML = "<b>" + d.n + " · " + d.name + "</b>" + d.lines.map(function (l) { return "<div>" + l + "</div>"; }).join("");
+        // textContent only — vendor names / axis labels are untrusted (competitor-controlled).
+        tip.textContent = "";
+        var head = document.createElement("b");
+        head.textContent = d.n + " · " + d.name;
+        tip.appendChild(head);
+        d.lines.forEach(function (l) {
+          var div = document.createElement("div");
+          div.textContent = l;
+          tip.appendChild(div);
+        });
         tip.hidden = false;
         var box = fig.getBoundingClientRect();
         tip.style.left = Math.min(evt.clientX - box.left + 14, box.width - tip.offsetWidth - 8) + "px";
@@ -481,7 +507,7 @@ export function marketMapToHtml(config: MarketConfig, set: ObservationSet): stri
     const anchorLoud = anchor
       ? claimIds.filter((claimId) => model.cell(anchor, claimId)?.intensity === "loud").length
       : 0;
-    const anchorNote = anchor ? ` · ${vendorNamesById.get(anchor) ?? anchor} loud on ${anchorLoud}` : "";
+    const anchorNote = anchor ? ` · ${e(vendorNamesById.get(anchor) ?? anchor)} loud on ${anchorLoud}` : "";
     return `<details class="claim-group"><summary><b>${e(group.title)}</b> — ${claimIds.length} claim${claimIds.length === 1 ? "" : "s"} <span class="sum-soft">(${e(group.blurb)}${anchorNote})</span></summary>
       <table><thead><tr><th></th>${vendorHeads}<th></th></tr></thead><tbody>${claimIds.map(matrixRow).join("")}</tbody></table>
     </details>`;
@@ -543,7 +569,7 @@ export function marketMapToHtml(config: MarketConfig, set: ObservationSet): stri
         if (!obs || obs.evidence.length === 0) return [];
         return obs.evidence.map(
           (evidence) =>
-            `<div class="ev"><span class="ev-head">${e(claimId)} · ${obs.intensity.toUpperCase()} (${obs.confidence})</span>` +
+            `<div class="ev"><span class="ev-head">${e(claimId)} · ${e(obs.intensity.toUpperCase())} (${e(String(obs.confidence ?? ""))})</span>` +
             `<blockquote>“${e(evidence.text)}”</blockquote>` +
             `<span class="ev-src">${e(String(evidence.metadata?.url ?? ""))} · capture ${e(String(evidence.metadata?.captureHash ?? "").slice(0, 12))}</span></div>`,
         );

package/src/schedule.ts

@@ -145,6 +145,75 @@ export function validateSchedulableArgv(argv: string[]): void {
   }
 }
 
+/**
+ * A schedule label is free text the operator chooses, but it is later
+ * interpolated into a crontab comment line by `renderManagedBlock`. A newline
+ * (or carriage return) would break out of the comment and inject an arbitrary
+ * crontab entry on `schedule install`. Reject control characters at the entry
+ * point so a label can never carry a second line; `renderManagedBlock` also
+ * strips them defensively in case a hand-edited schedules.json slips one past.
+ */
+export function assertSingleLineLabel(label: string): void {
+  if (hasControlChar(label)) {
+    throw new Error(
+      "A schedule --label cannot contain newlines or control characters " +
+        "(they would inject lines into the managed crontab block). Use a plain single-line name.",
+    );
+  }
+}
+
+/**
+ * True if the string contains any line-breaking or control character. Covers
+ * C0 controls + DEL, plus the Unicode separators a non-cron parser might honor
+ * (NEL U+0085, LS U+2028, PS U+2029, VT U+000B, FF U+000C) — defense-in-depth
+ * for the future modal/aws scaffold renderers whose target formats may treat
+ * those as line breaks.
+ */
+export function hasControlChar(value: string): boolean {
+  for (let i = 0; i < value.length; i++) {
+    const code = value.charCodeAt(i);
+    if (code < 0x20 || code === 0x7f || code === 0x85 || code === 0x2028 || code === 0x2029) return true;
+  }
+  return false;
+}
+
+/** Collapse any control/separator character to a space — last-resort guard at render time. */
+function sanitizeCrontabComment(value: string): string {
+  let out = "";
+  for (const ch of value) {
+    const code = ch.charCodeAt(0);
+    out += code < 0x20 || code === 0x7f || code === 0x85 || code === 0x2028 || code === 0x2029 ? " " : ch;
+  }
+  return out.replace(/ {2,}/g, " ").trim();
+}
+
+/**
+ * Validate every field of an entry that `renderManagedBlock` interpolates into
+ * the crontab — not just the label. The EXECUTABLE line embeds `cron` and `id`
+ * raw, and `schedule install` renders entries straight from schedules.json, so
+ * a hand-edited (or otherwise tampered) entry with a newline in cron/id/profile
+ * would inject a live crontab line. Refuse to render a tampered entry rather
+ * than emit it. (Well-formed entries never trip this: cron is parser-validated,
+ * id is an fnv1a hex hash, label is guarded at add-time.)
+ */
+function assertRenderableEntry(profile: string, entry: ScheduleEntry): void {
+  const fields: Array<[string, string]> = [
+    ["profile", profile],
+    ["cron", entry.cron],
+    ["id", entry.id],
+    ["label", entry.label],
+    ...entry.argv.map((token, i) => [`argv[${i}]`, token] as [string, string]),
+  ];
+  for (const [name, value] of fields) {
+    if (hasControlChar(value)) {
+      throw new Error(
+        `Refusing to render schedule entry ${entry.id}: its ${name} contains a newline or control character. ` +
+          "The schedules.json store has been tampered with or corrupted — repair it before installing.",
+      );
+    }
+  }
+}
+
 /**
  * Split a `schedule add "<command>"` string into argv, honoring single and
  * double quotes (no escapes, no expansion — this is tokenization, not shell).
@@ -206,7 +275,13 @@ const CRON_FIELD_SPECS = [
 ] as const;
 
 export function parseCron(expression: string): CronExpression {
-  const fields = expression.trim().split(/\s+/);
+  // Reject non-ASCII whitespace and control chars: JS \s splits on U+00A0,
+  // U+3000, etc., but Vixie cron's field separator is only space/tab. A source
+  // carrying them would parse here yet be misparsed or rejected by `crontab -`.
+  if (hasControlChar(expression) || /[^\x20-\x7e]/.test(expression)) {
+    throw new Error(`Invalid cron expression "${expression}": only ASCII characters, space, and tab are allowed.`);
+  }
+  const fields = expression.trim().split(/[ \t]+/);
   if (fields.length !== 5) {
     throw new Error(
       `Invalid cron expression "${expression}": expected 5 fields ` +
@@ -559,13 +634,28 @@ export function renderManagedBlock(
   entries: ScheduleEntry[],
   cliInvocation: string,
 ): string {
+  // cliInvocation is spliced raw into the executable line; it is built from
+  // process.execPath, the script path, and FSGTM_HOME (cli.ts), so a newline in
+  // FSGTM_HOME would inject a crontab line. Validate it like the entry fields —
+  // single-quote shell-escaping does NOT defend cron's line parser.
+  if (hasControlChar(cliInvocation)) {
+    throw new Error(
+      "Refusing to render the managed crontab: the resolved CLI invocation (node path, script path, " +
+        "or FSGTM_HOME) contains a newline or control character. Check $FSGTM_HOME.",
+    );
+  }
   const { open, close } = crontabSentinels(profile);
   const lines = [
     open,
     "# Managed by `fullstackgtm schedule install` — replaced wholesale on re-install; do not edit.",
   ];
   for (const entry of entries) {
-    lines.push(`# ${entry.label} (${entry.id}): ${entry.argv.join(" ")}`);
+    // Refuse to render any entry whose interpolated fields carry a control char
+    // — the executable line below embeds cron/id raw, so a tampered store could
+    // otherwise inject a live crontab line. The comment line is additionally
+    // sanitized so a benign-but-messy label can't break it.
+    assertRenderableEntry(profile, entry);
+    lines.push(sanitizeCrontabComment(`# ${entry.label} (${entry.id}): ${entry.argv.join(" ")}`));
     lines.push(`${entry.cron} ${cliInvocation} schedule run ${entry.id} --profile ${profile} --trigger cron`);
   }
   lines.push(close);