fullstackgtm 0.25.1 → 0.26.0

package/CHANGELOG.md

@@ -5,6 +5,103 @@ The format follows [Keep a Changelog](https://keepachangelog.com/en/1.1.0/),
 and the project adheres to [Semantic Versioning](https://semver.org/).
 The path to 1.0 is planned in [docs/roadmap-to-1.0.md](./docs/roadmap-to-1.0.md).
 
+## [0.26.0] — 2026-06-15
+
+Write-path integrity — the "no write without approval" guarantee now binds to
+operation *content*, and the two irreversible operations finally get a guard.
+Each fix verified by a refute-by-default re-attack; the integrity binding took
+three rounds (the re-attack kept finding unsigned fields that reach a write).
+
+### Added
+
+- **Plan-approval integrity signatures.** `plans approve` now HMAC-signs each
+  approved operation's full apply-relevant content (operation, object, field,
+  before/after value, group, preconditions, force flags, the approved value
+  override, and reason) with a per-install key (`$FSGTM_HOME/.plan-signing-key`,
+  0600). `apply --plan-id` re-verifies and refuses the whole apply if any
+  approved operation changed since approval, if the plan was approved without
+  signatures (downgrade guard), or if the signing key is absent (a plan
+  approved on another machine fails closed). The invariant: **what gets written
+  equals what the human signed** — a plan file edited between approval and apply
+  (by a synced/backed-up copy, a co-tenant, or a compromised dependency) is
+  caught instead of executed. apply-time `--value` is folded into the check, and
+  a scheduled `apply` may not take `--value` (it must write exactly the signed
+  values).
+- **Recovery snapshots on irreversible operations.** `dedupe` merge ops and
+  `bulk-update --archive` ops now carry `recoverySnapshot` — the field values of
+  every record that will be destroyed — so the rollback instruction ("recreate
+  it by hand") is backed by actual data in the plan, which is the backup.
+
+### Security
+
+- **Apply-time guard against destroying duplicates (the benchmark self-own).**
+  `apply` now refuses any `archive_record` whose target still shares an identity
+  key (account domain / contact email) with another live record — unless the
+  human explicitly forced it (`--force-archive-duplicates`, which is recorded on
+  the operation and signed). This catches every path (agent-driven, hand-edited,
+  audit), not just `bulk-update`, so an agent on a dedupe task can no longer
+  silently archive a record where it should merge — the rail is safe regardless
+  of model strength.
+- **Drift guard for irreversible operations.** `merge_records` and
+  `archive_record` got no compare-and-set (there is no single field to compare).
+  Apply now checks a fresh snapshot: a merge whose survivor is gone, or whose
+  duplicates are already merged, and an archive of a record that no longer
+  exists, all conflict out instead of firing an irreversible, replay-unsafe write.
+
+### Notes
+
+- The CAS empty/null equivalence in field compare-and-set is intentional (CRMs
+  normalize `""`↔`null` server-side; distinguishing them would cause false
+  conflicts). Known residuals for a follow-up: the archive-duplicate guard keys
+  on domain/email only, so `dedupe --key name` (and deal dedupe, which has no
+  identity key) are not guarded against destructive archive — use `dedupe`
+  (merge) for those; and `marketMapToMarkdown` is not HTML-escaped (the HTML
+  report is).
+
+## [0.25.2] — 2026-06-15
+
+Security hardening I — confirmed fixes from an adversarial audit (each verified
+by a refute-by-default re-attack; the crontab and report fixes took three
+rounds because the re-attack kept finding deeper paths).
+
+### Security
+
+- **Crontab injection via `schedule install` (was: arbitrary code execution).**
+  `schedule add --label` rejects newlines/control chars; `renderManagedBlock`
+  now refuses to render any entry (or CLI invocation) whose interpolated
+  fields — label, cron, id, profile, argv, **and the resolved node/script
+  path + `FSGTM_HOME`** — carry a control character, so a hand-edited
+  `schedules.json` or a newline in `FSGTM_HOME` can no longer inject a live
+  crontab line. `parseCron` now accepts ASCII space/tab only (rejects Unicode
+  whitespace), and a stray `%` in a path is escaped (`\%`) so it can't truncate
+  the managed line.
+- **SSRF in `market capture`.** Page fetches now allow only http/https, refuse
+  any host that is or resolves to a private/loopback/link-local/CGNAT/metadata
+  address (IPv4, IPv6, and IPv4-mapped IPv6 in dotted or hex form), follow
+  redirects manually with per-hop re-validation, and cap time/body size.
+- **Stored XSS in the market HTML report.** The embedded JSON data island is
+  serialized with `<`/`>`/`&`/U+2028/U+2029 escaped (no `</script>` breakout),
+  the tooltip is built with `textContent` (no `innerHTML`), and the two
+  remaining raw sinks (anchor vendor name, evidence-appendix confidence) are
+  now `escapeHtml`'d; `validateObservationSet` rejects a non-enum `confidence`
+  so an `observe --from` file can't smuggle markup.
+- **Provider response bodies no longer leak into errors.** HubSpot, Salesforce,
+  Apollo, and Stripe connectors throw status-line-only errors (a 4xx body can
+  echo submitted emails/domains or the key, and these errors are persisted into
+  scheduled-run records).
+- **CSV/formula injection neutralized at the enrich write path.** Ingested
+  string values beginning with `= + - @` / tab / CR are prefixed with `'` so
+  they can't execute if the CRM is later exported to a spreadsheet; numeric
+  values keep full fidelity.
+- **Credential-store mode enforced on read, not just write.** A pre-existing
+  `credentials.json` with group/other permissions is re-tightened to 0600 (and
+  warned) on read, closing the inherited-loose-permissions gap.
+
+Known residuals tracked for follow-up: `marketMapToMarkdown` does not
+HTML-escape (safe in terminals/GitHub; only a risk if a downstream renderer
+trusts raw HTML — to be addressed with the report work); the credential read
+check is reactive (a loose file is exposed until the next CLI read).
+
 ## [0.25.1] — 2026-06-12
 
 Docs-sync release — no code changes.

package/dist/bulkUpdate.js

@@ -27,6 +27,7 @@
  * `account.ownerId`, `account.contactCount`; accounts get `contactCount`
  * and `openDealCount`.
  */
+import { recoverableFields } from "./dedupe.js";
 import { normalizeDomain } from "./merge.js";
 import { stableHash } from "./rules.js";
 const FIELD_PATTERN = "[a-zA-Z][a-zA-Z0-9_]*(?:\\.[a-zA-Z][a-zA-Z0-9_]*)?";
@@ -319,7 +320,11 @@ export function buildBulkUpdatePlan(snapshot, options) {
                 beforeValue: null,
                 afterValue: null,
                 riskLevel: "high",
-                rollback: "Archived records can be restored from the provider's recycle bin within its retention window.",
+                // Carry the human's explicit force decision to the apply-time guard, and
+                // snapshot the record so it can be recreated if the archive was wrong.
+                ...(options.forceArchiveDuplicates ? { forceArchiveDuplicate: true } : {}),
+                recoverySnapshot: [recoverableFields(record)],
+                rollback: "Archived records can be restored from the provider's recycle bin within its retention window; recoverySnapshot also retains the field values.",
             });
             continue;
         }

package/dist/cli.js

@@ -13,6 +13,7 @@ import { activeProfile, credentialsPath, DEFAULT_PROFILE, deleteCredential, getC
 import { generateDemoSnapshot } from "./demo.js";
 import { formatPatchPlanRun, patchPlanToMarkdown } from "./format.js";
 import { mergeSnapshots } from "./merge.js";
+import { verifyApprovalDigests } from "./integrity.js";
 import { createFilePlanStore } from "./planStore.js";
 import { auditReportToHtml, auditReportToMarkdown } from "./report.js";
 import { builtinAuditRules } from "./rules.js";
@@ -22,12 +23,13 @@ import { captureMarket, computeFrontStates, createFileObservationStore, diffFron
 import { assessAxes, axesReportToText } from "./marketAxes.js";
 import { computeDirectives, computeOverlayStats, directivesToPlan, overlayToMarkdown, } from "./marketOverlay.js";
 import { computeScaleIndex, scaleReportToText } from "./marketScale.js";
+import { suggestMarketConfig } from "./marketTaxonomy.js";
 import { buildWorksheet, classifyMarket } from "./marketClassify.js";
 import { marketMapToHtml, marketMapToMarkdown } from "./marketReport.js";
 import { DEFAULT_RUBRIC, detectProviderFromKey, extractInsightsLlm, parseRubric, resolveLlmCredential, scoreCallLlm, validateLlmKey, } from "./llm.js";
 import { buildEnrichPlan, createFileEnrichRunStore, DEFAULT_STALE_DAYS, ENRICH_CONFIG_FILE_NAME, enrichRunId, inferIngestObjectType, latestStamps, loadEnrichConfig, parseCsv, resolveCrmField, selectStaleWork, stagedSourceRecords, staleDaysFor, } from "./enrich.js";
 import { apolloPullKeysForAppend, apolloPullKeysForRefresh, createApolloClient, pullApolloRecords, } from "./enrichApollo.js";
-import { computeMissedFirings, createFileScheduleRunStore, createFileScheduleStore, nextCronFiring, parseCron, renderManagedBlock, replaceManagedBlock, scheduleId, systemCrontabIo, tokenizeCommand, validateSchedulableArgv, } from "./schedule.js";
+import { computeMissedFirings, createFileScheduleRunStore, createFileScheduleStore, nextCronFiring, parseCron, renderManagedBlock, replaceManagedBlock, assertSingleLineLabel, hasControlChar, scheduleId, systemCrontabIo, tokenizeCommand, validateSchedulableArgv, } from "./schedule.js";
 import { resolveRecord } from "./resolve.js";
 import { buildBulkUpdatePlan } from "./bulkUpdate.js";
 import { buildDedupePlan } from "./dedupe.js";
@@ -827,6 +829,8 @@ async function marketCommand(args) {
     if (!subcommand || subcommand === "--help" || subcommand === "-h" || rest.includes("--help") || rest.includes("-h")) {
         console.log(`Usage:
 market init --category <name> [--out <path>]   write a starter market.config.json
+market init --category <name> --auto --vendor <url> [--vendor <url>...] [--anchor <url>] [--max-claims n]
+                                               LLM-propose vendors + claim taxonomy from seed pages (needs an API key)
 market capture [--config <path>] [--run <label>]
 market classify [--run <label>] [--capture-run <label>] [--vendor <id>] [--model m] [--out <path>]
 market worksheet --vendor <id> [--capture-run <label>] [--out <path>]
@@ -877,6 +881,27 @@ recomputed deterministically on every invocation — never stored.`);
         const outPath = resolve(process.cwd(), option(rest, "--out") ?? "market.config.json");
         if (existsSync(outPath))
             throw new Error(`${outPath} already exists — refusing to overwrite`);
+        if (rest.includes("--auto")) {
+            const vendorUrls = repeatedOption(rest, "--vendor");
+            if (vendorUrls.length === 0) {
+                throw new Error("market init --auto requires at least one --vendor <url> (the competitor homepages to seed from)");
+            }
+            const anchorUrl = option(rest, "--anchor");
+            const credential = await requireLlmCredential("market classify");
+            console.error(`Capturing ${vendorUrls.length} seed page(s) and proposing a claim taxonomy with ${credential.provider}…`);
+            const { config, unreadableVendorIds, model } = await suggestMarketConfig({
+                category,
+                vendors: vendorUrls.map((url) => ({ url, anchor: anchorUrl ? url === anchorUrl : false })),
+                llm: { ...credential, model: option(rest, "--model") ?? undefined },
+                maxClaims: numericOption(rest, "--max-claims"),
+            });
+            writeFileSync(outPath, `${JSON.stringify(config, null, 2)}\n`);
+            if (unreadableVendorIds.length > 0) {
+                console.error(`Note: no readable text for ${unreadableVendorIds.join(", ")} — excluded from taxonomy grounding.`);
+            }
+            console.log(`Wrote ${outPath}: ${config.vendors.length} vendors, ${config.claims.length} proposed claims (${model}). Review it, then: fullstackgtm market refresh`);
+            return;
+        }
         writeFileSync(outPath, `${JSON.stringify(starterMarketConfig(category), null, 2)}\n`);
         console.log(`Wrote ${outPath}. Fill in vendors and claims, then: fullstackgtm market capture`);
         return;
@@ -1614,6 +1639,7 @@ trigger: manual. status shows next firing and surfaces missed firings
         const createdAt = new Date().toISOString();
         const label = option(rest, "--label") ??
             argv.filter((arg) => !arg.startsWith("--")).slice(0, 2).join("-").replace(/[^\w.-]+/g, "-");
+        assertSingleLineLabel(label);
         const entry = {
             id: scheduleId(label, cron.source, argv, createdAt),
             label,
@@ -1819,13 +1845,27 @@ function scheduleCliInvocation() {
     if (!script || !existsSync(script)) {
         throw new Error("Cannot resolve the fullstackgtm entry point for crontab lines (process.argv[1] is missing).");
     }
+    // A newline/control char in any of these flows verbatim into the crontab
+    // executable line; single-quote escaping defends the shell, not cron's line
+    // parser. Refuse early with a clear message (renderManagedBlock re-checks).
+    for (const [name, value] of [
+        ["FSGTM_HOME", process.env.FSGTM_HOME],
+        ["the node executable path", process.execPath],
+        ["the CLI script path", script],
+    ]) {
+        if (value && hasControlChar(value)) {
+            throw new Error(`Cannot install schedules: ${name} contains a newline or control character.`);
+        }
+    }
     const quote = (value) => `'${value.replace(/'/g, `'\\''`)}'`;
     const parts = [quote(process.execPath)];
     if (script.endsWith(".ts"))
         parts.push("--experimental-strip-types");
     parts.push(quote(script));
     const home = process.env.FSGTM_HOME ? `FSGTM_HOME=${quote(process.env.FSGTM_HOME)} ` : "";
-    return home + parts.join(" ");
+    // cron treats an unescaped `%` in the command field as a newline/stdin split.
+    // Escape it as `\%` so a stray `%` in a path can't truncate the managed line.
+    return (home + parts.join(" ")).replace(/%/g, "\\%");
 }
 /**
  * The single provider entry point: execute the scheduled command in-process
@@ -2262,7 +2302,32 @@ async function apply(args) {
         }
         plan = stored.plan;
         approvedOperationIds = stored.approvedOperationIds;
+        // Downgrade guard: an approved plan with no signatures is either pre-0.26
+        // (re-approve to gain them) or had its approvalDigests stripped to skip the
+        // integrity check. Either way, refuse rather than fall back to trusting the
+        // file. (A plan with zero approved operations has nothing to apply anyway.)
+        if (stored.approvedOperationIds.length > 0 && !stored.approvalDigests) {
+            throw new Error(`Refusing to apply plan ${planId}: it was approved without integrity signatures ` +
+                "(approved before 0.26.0, or its signatures were removed). Re-approve it with " +
+                `\`fullstackgtm plans approve ${planId} --operations <ids|all>\`.`);
+        }
+        // Integrity gate: the plan file is re-read from disk, so verify each approved
+        // operation still matches what was signed at approval. Verify against the
+        // EFFECTIVE overrides (stored ∪ apply-time --value): the invariant is "what
+        // gets written must equal what was signed", so an apply-time --value that
+        // changes a value the human did not approve is treated as tamper, not a live
+        // override. A mismatch means the plan/overrides were edited after approval —
+        // refuse the whole apply rather than write an unapproved value.
         valueOverrides = { ...stored.valueOverrides, ...parseValueOverrides(args) };
+        const verification = verifyApprovalDigests(stored.plan.operations, stored.approvedOperationIds, valueOverrides, stored.approvalDigests);
+        if (!verification.ok) {
+            const detail = verification.reason === "no_key"
+                ? "the plan-signing key is missing (was this plan approved on another machine?). Re-approve it here with `fullstackgtm plans approve`."
+                : `these operations differ from what was approved: ${verification.tampered.join(", ")}. ` +
+                    "If you changed a value at apply time, set it at approval instead (`plans approve --value <op>=<v>`) and re-approve; " +
+                    "otherwise the plan was edited after approval — review and re-approve.";
+            throw new Error(`Refusing to apply plan ${planId}: ${detail}`);
+        }
     }
     else {
         const approve = option(args, "--approve");

package/dist/connector.js

@@ -1,4 +1,69 @@
+import { dedupeKey } from "./dedupe.js";
 import { requiresHumanInput } from "./rules.js";
+const IRREVERSIBLE_OPERATIONS = new Set(["merge_records", "archive_record"]);
+const IDENTITY_KEY_BY_TYPE = {
+    account: "domain",
+    contact: "email",
+};
+/** snapshot collection for an object type */
+function collectionFor(objectType) {
+    if (objectType === "account")
+        return "accounts";
+    if (objectType === "contact")
+        return "contacts";
+    if (objectType === "deal")
+        return "deals";
+    return null;
+}
+/**
+ * Drift/safety check for the two IRREVERSIBLE operations against a fresh
+ * snapshot. Returns a conflict detail string, or null if the op is safe to
+ * apply. These operations get NO field compare-and-set (there is no single
+ * field to compare), so this snapshot check is their only guard.
+ */
+function checkIrreversibleOp(operation, snapshot) {
+    const collection = collectionFor(operation.objectType);
+    if (!collection)
+        return null;
+    const records = snapshot[collection];
+    const byId = (id) => records.find((record) => String(record.id) === id);
+    if (operation.operation === "archive_record") {
+        if (!byId(operation.objectId)) {
+            return `Record ${operation.objectType}/${operation.objectId} no longer exists (already archived or merged). Re-plan against current data.`;
+        }
+        // Archiving a duplicate discards data a merge would keep — refuse unless the
+        // human explicitly forced it. This catches every archive_record path (agent,
+        // hand-edited plan, audit), not just `bulk-update --archive`.
+        if (!operation.forceArchiveDuplicate) {
+            const keyName = IDENTITY_KEY_BY_TYPE[operation.objectType];
+            if (keyName) {
+                const target = byId(operation.objectId);
+                const key = dedupeKey(target, keyName);
+                if (key) {
+                    const sharers = records.filter((record) => String(record.id) !== operation.objectId && dedupeKey(record, keyName) === key);
+                    if (sharers.length > 0) {
+                        return (`Refusing to archive ${operation.objectType}/${operation.objectId}: it shares ${keyName} "${key}" with ` +
+                            `${sharers.length} other record(s) — that's a duplicate, and archiving discards its data where merging keeps it. ` +
+                            `Merge with \`fullstackgtm dedupe ${operation.objectType} --key ${keyName}\` instead, or rebuild the op with --force-archive-duplicates.`);
+                    }
+                }
+            }
+        }
+        return null;
+    }
+    if (operation.operation === "merge_records") {
+        if (!byId(operation.objectId)) {
+            return `Merge survivor ${operation.objectType}/${operation.objectId} no longer exists (archived or merged away since the plan was built). Re-plan — merges are irreversible.`;
+        }
+        const groupIds = Array.isArray(operation.beforeValue) ? operation.beforeValue.map(String) : [];
+        const losersStillPresent = groupIds.filter((id) => id !== operation.objectId && byId(id));
+        if (groupIds.length > 0 && losersStillPresent.length === 0) {
+            return `Every record to merge into ${operation.objectType}/${operation.objectId} is already gone (merge already applied?). Nothing to do — re-plan if duplicates remain.`;
+        }
+        return null;
+    }
+    return null;
+}
 const FIELD_WRITE_OPERATIONS = new Set(["set_field", "clear_field", "link_record"]);
 function normalizeForComparison(value) {
     if (value === undefined || value === null || value === "")
@@ -35,9 +100,16 @@ export async function applyPatchPlan(connector, plan, options) {
     // closed — but it can be shrunk: re-run the snapshot checks after the
     // first write and every `recheckEvery` writes, conflicting out any
     // operation whose record went stale mid-run.
-    const needsSnapshot = ((plan.guards && plan.guards.length > 0) || plan.filter) && connector.fetchSnapshot;
+    // Irreversible ops (merge/archive) need a fresh snapshot too — it is their
+    // only drift/safety guard (no field to compare-and-set). Respect a caller's
+    // explicit checkConflicts:false opt-out (a stub/known-stale snapshot).
+    const hasIrreversibleApproved = checkConflicts &&
+        plan.operations.some((operation) => approved.has(operation.id) && IRREVERSIBLE_OPERATIONS.has(operation.operation));
+    const needsSnapshot = ((plan.guards && plan.guards.length > 0) || plan.filter || hasIrreversibleApproved) &&
+        connector.fetchSnapshot;
     const recheckEvery = Math.max(1, options.recheckEvery ?? 25);
     const staleIds = new Set();
+    const irreversibleStale = new Map();
     let guardFailure = null;
     const refreshSnapshotChecks = async () => {
         if (!needsSnapshot)
@@ -52,6 +124,16 @@ export async function applyPatchPlan(connector, plan, options) {
                     staleIds.add(operation.objectId);
             }
         }
+        irreversibleStale.clear();
+        if (checkConflicts) {
+            for (const operation of plan.operations) {
+                if (!approved.has(operation.id) || !IRREVERSIBLE_OPERATIONS.has(operation.operation))
+                    continue;
+                const detail = checkIrreversibleOp(operation, liveSnapshot);
+                if (detail)
+                    irreversibleStale.set(operation.id, detail);
+            }
+        }
         for (const guard of plan.guards ?? []) {
             const failure = evaluateGuard(liveSnapshot, guard);
             if (failure) {
@@ -182,6 +264,13 @@ export async function applyPatchPlan(connector, plan, options) {
                 poisonedGroups.add(operation.groupId);
             continue;
         }
+        const irreversibleConflict = irreversibleStale.get(operation.id);
+        if (irreversibleConflict) {
+            results.push({ operationId: operation.id, status: "conflict", detail: irreversibleConflict });
+            if (operation.groupId)
+                poisonedGroups.add(operation.groupId);
+            continue;
+        }
         if (operation.groupId && poisonedGroups.has(operation.groupId)) {
             results.push({
                 operationId: operation.id,

package/dist/connectors/hubspot.js

@@ -44,8 +44,11 @@ export function createHubspotConnector(options) {
             throw new Error(`Cannot reach HubSpot at ${baseUrl}${cause}. Check network access.`);
         }
         if (!response.ok) {
-            const body = await response.text();
-            throw new Error(`HubSpot API error ${response.status}: ${body}`);
+            // Status line only — HubSpot 4xx bodies echo submitted property values
+            // (contact emails, company domains) and the request payload, and these
+            // errors are persisted into scheduled-run records. Never interpolate it.
+            await response.text().catch(() => undefined);
+            throw new Error(`HubSpot API error ${response.status}. Check the token scopes and request.`);
         }
         // DELETE and some association writes return 204 with an empty body.
         const text = await response.text();

package/dist/connectors/salesforce.js

@@ -46,8 +46,10 @@ export function createSalesforceConnector(options) {
             throw new Error(`Cannot reach Salesforce at ${connection.instanceUrl}${cause}. Check SALESFORCE_INSTANCE_URL (your My Domain URL, e.g. https://yourco.my.salesforce.com) and network access.`);
         }
         if (!response.ok) {
-            const body = await response.text();
-            throw new Error(`Salesforce API error ${response.status}: ${body}`);
+            // Status line only — the body echoes submitted field values and the
+            // request, and these errors are persisted into scheduled-run records.
+            await response.text().catch(() => undefined);
+            throw new Error(`Salesforce API error ${response.status}. Check the token and request.`);
         }
         // Salesforce PATCH returns 204 No Content on success.
         const text = await response.text();

package/dist/connectors/stripe.js

@@ -26,8 +26,10 @@ export function createStripeConnector(options) {
             headers: { Authorization: `Bearer ${apiKey}` },
         });
         if (!response.ok) {
-            const body = await response.text();
-            throw new Error(`Stripe API error ${response.status}: ${body}`);
+            // Status line only — the body can echo request details bound to a live
+            // billing key, and these errors land in scheduled-run records.
+            await response.text().catch(() => undefined);
+            throw new Error(`Stripe API error ${response.status}. Check the restricted key and request.`);
         }
         return response.json();
     }

package/dist/credentials.js

@@ -1,4 +1,4 @@
-import { chmodSync, existsSync, mkdirSync, readdirSync, readFileSync, unlinkSync, writeFileSync, } from "node:fs";
+import { chmodSync, existsSync, mkdirSync, readdirSync, readFileSync, statSync, unlinkSync, writeFileSync, } from "node:fs";
 import { homedir } from "node:os";
 import { join } from "node:path";
 import { refreshHubspotToken } from "./connectors/hubspotAuth.js";
@@ -98,8 +98,29 @@ export function writeSecureFile(path, contents) {
         // Non-POSIX filesystems ignore chmod.
     }
 }
+/**
+ * The 0600/0700 guarantee was write-only: a credentials.json inherited at
+ * looser permissions (a restored backup, a file created by another tool, a
+ * cloned home) was read and trusted regardless of its actual mode. Enforce the
+ * mode on read too — re-tighten to 0600 and warn once — so a world-readable
+ * credential store can't sit there silently leaking the token to other users.
+ */
+function enforceCredentialFileMode(path) {
+    try {
+        const mode = statSync(path).mode & 0o777;
+        if ((mode & 0o077) !== 0) {
+            chmodSync(path, 0o600);
+            console.error(`fullstackgtm: tightened ${path} from ${mode.toString(8).padStart(3, "0")} to 600 ` +
+                "(it was readable or writable by other users).");
+        }
+    }
+    catch {
+        // Missing file or non-POSIX filesystem: nothing to enforce.
+    }
+}
 function readFile() {
     try {
+        enforceCredentialFileMode(credentialsPath());
         const parsed = JSON.parse(readFileSync(credentialsPath(), "utf8"));
         if (parsed && typeof parsed === "object" && parsed.version === 1 && parsed.providers) {
             return parsed;

package/dist/dedupe.d.ts

@@ -9,6 +9,12 @@ export type DedupeOptions = {
     /** refuse to build plans larger than this (default 500 operations) */
     maxOperations?: number;
 };
+/**
+ * The subset of a record worth keeping as a merge-recovery artifact: its id (to
+ * reference) plus every populated data field, dropping bulky/plumbing fields
+ * (raw, identities, provenance) that aren't needed to recreate it by hand.
+ */
+export declare function recoverableFields(record: Record<string, unknown>): Record<string, unknown>;
 /** Normalize a record's identity key; undefined when the field is empty. */
 export declare function dedupeKey(record: Record<string, unknown>, key: DedupeOptions["key"]): string | undefined;
 export declare function buildDedupePlan(snapshot: CanonicalGtmSnapshot, options: DedupeOptions): PatchPlan;

package/dist/dedupe.js

@@ -40,6 +40,22 @@ const NON_DATA_FIELDS = new Set(["id", "provider", "crmId", "identities", "raw",
 function populatedDataFields(record) {
     return Object.entries(record).filter(([field, value]) => !NON_DATA_FIELDS.has(field) && value !== undefined && value !== null && value !== "").length;
 }
+/**
+ * The subset of a record worth keeping as a merge-recovery artifact: its id (to
+ * reference) plus every populated data field, dropping bulky/plumbing fields
+ * (raw, identities, provenance) that aren't needed to recreate it by hand.
+ */
+export function recoverableFields(record) {
+    const out = { id: String(record.id) };
+    for (const [field, value] of Object.entries(record)) {
+        if (NON_DATA_FIELDS.has(field))
+            continue;
+        if (value === undefined || value === null || value === "")
+            continue;
+        out[field] = value;
+    }
+    return out;
+}
 /** True when id `a` sorts before id `b` — numeric when both ids are numeric. */
 function idBefore(a, b) {
     const numericA = Number(a);
@@ -102,6 +118,12 @@ export function buildDedupePlan(snapshot, options) {
         const groupIds = members
             .map((member) => String(member.id))
             .sort((a, b) => (idBefore(a, b) ? -1 : 1));
+        // Recovery artifact: the records that will be merged away (everyone but the
+        // survivor), captured with their field values so a human can recreate one by
+        // hand if the merge was wrong. Merges are irreversible — the plan is the backup.
+        const recoverySnapshot = members
+            .filter((member) => String(member.id) !== String(survivor.id))
+            .map((member) => recoverableFields(member));
         const survivorName = typeof survivor.name === "string" && survivor.name
             ? survivor.name
             : typeof survivor.email === "string" && survivor.email
@@ -124,7 +146,8 @@ export function buildDedupePlan(snapshot, options) {
             approvalRequired: true,
             sourceRuleOrPolicy: "dedupe",
             groupId: `grp_${options.objectType}_${String(survivor.id)}`,
-            rollback: "IRREVERSIBLE: provider merges cannot be unmerged. The pre-apply snapshot retains every record's field values; recreate a record manually from it if a merge was wrong.",
+            recoverySnapshot,
+            rollback: "IRREVERSIBLE: provider merges cannot be unmerged. recoverySnapshot on this operation retains every merged-away record's field values; recreate a record manually from it if a merge was wrong.",
         });
     }
     return {

package/dist/enrich.js

@@ -291,6 +291,28 @@ function valueToString(value) {
         return String(value);
     return "";
 }
+/**
+ * CSV/formula-injection neutralization for string values destined for a CRM
+ * write. Third-party export rows (Clay CSV, webhook JSON) can contain cells
+ * like `=cmd|'/c calc'!A1` or `@SUM(...)`; written verbatim to a CRM field they
+ * lie dormant until someone exports the CRM to CSV and opens it in a spreadsheet,
+ * where the leading `= + - @` (or a leading tab/CR) makes the client execute it.
+ * We prefix a single apostrophe — the spreadsheet-standard escape that renders
+ * the cell as literal text. Numeric values bypass this (they're written as
+ * numbers, not strings), so signed numbers keep full fidelity; a phone number
+ * supplied as a string and starting with `+` gains a leading `'`, which the
+ * human sees in the approved diff. Applied only at the write path, never to
+ * match keys.
+ */
+function neutralizeFormulaInjection(value) {
+    if (value && /^[=+\-@\t\r]/.test(value))
+        return `'${value}`;
+    return value;
+}
+/** valueToString for a value that will be written to a CRM field. */
+function writeSafeString(value) {
+    return neutralizeFormulaInjection(valueToString(value));
+}
 function normalizeKeyValue(key, value) {
     const text = valueToString(value).toLowerCase();
     if (!text)
@@ -498,7 +520,7 @@ export function buildEnrichPlan(options) {
                     operation: "set_field",
                     field: canonicalField,
                     beforeValue: currentValue ?? null,
-                    afterValue: typeof sourceValue === "number" ? sourceValue : valueToString(sourceValue),
+                    afterValue: typeof sourceValue === "number" ? sourceValue : writeSafeString(sourceValue),
                     reason: `${source} ${record.objectType} "${describeSourceRecord(record)}" (matched by ` +
                         `${outcome.matchedKey}) reports a changed value for ${canonicalField}.`,
                     sourceRuleOrPolicy: `enrich:${source}:${canonicalField}`,
@@ -516,7 +538,7 @@ export function buildEnrichPlan(options) {
             if (!isEmptyValue(currentValue))
                 continue;
             emittedForRecord = true;
-            const afterValue = typeof sourceValue === "number" ? sourceValue : valueToString(sourceValue);
+            const afterValue = typeof sourceValue === "number" ? sourceValue : writeSafeString(sourceValue);
             operations.push({
                 id: `op_enr_${fnv1a(`${source}:${record.objectType}:${outcome.recordId}:${canonicalField}`)}`,
                 objectType: canonicalObjectType(record.objectType),

package/dist/enrichApollo.js

@@ -56,9 +56,12 @@ export function createApolloClient(options) {
             if (response.status === 404)
                 return null;
             if (!response.ok) {
-                const body = await response.text();
+                // Status line only — never interpolate the response body. It can echo
+                // the submitted query (contact emails / company domains) or the API key,
+                // and these errors are persisted verbatim into scheduled-run records.
+                await response.text().catch(() => undefined);
                 const exhausted = response.status === 429 ? ` (rate limited; ${maxRetries} retries exhausted)` : "";
-                throw new Error(`Apollo API error ${response.status}${exhausted}: ${body}`);
+                throw new Error(`Apollo API error ${response.status}${exhausted}. Check the API key and request.`);
             }
             const text = await response.text();
             return text ? JSON.parse(text) : null;

package/dist/index.d.ts

@@ -16,6 +16,7 @@ export { apolloPullKeysForAppend, apolloPullKeysForRefresh, createApolloClient,
 export { diffFindings, diffSnapshots, diffToMarkdown, type CollectionDiff, type FieldChange, type FindingsDrift, type RecordChange, type SnapshotDiff, } from "./diff.ts";
 export { mergeSnapshots, type MergeConflict, type MergeMatch, type MergeReport, type MergeSuggestion, } from "./merge.ts";
 export { createFilePlanStore, type PlanStore, type StoredPlan } from "./planStore.ts";
+export { computeApprovalDigests, loadOrCreateSigningKey, loadSigningKey, signApproval, verifyApprovalDigests, type ApprovalVerification, } from "./integrity.ts";
 export { formatPatchPlanRun, patchPlanToMarkdown } from "./format.ts";
 export { auditReportToHtml, auditReportToMarkdown, type ReportOptions } from "./report.ts";
 export { HUBSPOT_DEFAULT_FIELD_MAPPINGS, SALESFORCE_DEFAULT_FIELD_MAPPINGS, mappedField, mappedFields, normalizeFieldMappings, readMappedValue, type CrmObjectType, type FieldMappings, } from "./mappings.ts";

package/dist/index.js

@@ -16,6 +16,7 @@ export { apolloPullKeysForAppend, apolloPullKeysForRefresh, createApolloClient,
 export { diffFindings, diffSnapshots, diffToMarkdown, } from "./diff.js";
 export { mergeSnapshots, } from "./merge.js";
 export { createFilePlanStore } from "./planStore.js";
+export { computeApprovalDigests, loadOrCreateSigningKey, loadSigningKey, signApproval, verifyApprovalDigests, } from "./integrity.js";
 export { formatPatchPlanRun, patchPlanToMarkdown } from "./format.js";
 export { auditReportToHtml, auditReportToMarkdown } from "./report.js";
 export { HUBSPOT_DEFAULT_FIELD_MAPPINGS, SALESFORCE_DEFAULT_FIELD_MAPPINGS, mappedField, mappedFields, normalizeFieldMappings, readMappedValue, } from "./mappings.js";

package/dist/integrity.d.ts

@@ -0,0 +1,30 @@
+import type { PatchOperation } from "./types.ts";
+/** Read the signing key, or null if it has not been created yet. */
+export declare function loadSigningKey(): Buffer | null;
+/** Read the signing key, creating a fresh 32-byte one (0600) on first use. */
+export declare function loadOrCreateSigningKey(): Buffer;
+/** HMAC-SHA256 signature of one operation's approved content. */
+export declare function signApproval(operation: PatchOperation, override: unknown, key: Buffer): string;
+/**
+ * Compute the approval signature map for a set of approved operation ids,
+ * resolving each op from the plan and its (approved) value override.
+ */
+export declare function computeApprovalDigests(operations: PatchOperation[], approvedOperationIds: string[], valueOverrides: Record<string, unknown>, key: Buffer): Record<string, string>;
+export type ApprovalVerification = {
+    ok: true;
+} | {
+    ok: false;
+    reason: "no_key";
+    tampered: string[];
+} | {
+    ok: false;
+    reason: "mismatch";
+    tampered: string[];
+};
+/**
+ * Verify that every approved operation still matches what was signed. Returns
+ * ok:true when there are no stored digests (a pre-integrity plan — nothing to
+ * verify), when all match, or fails with the list of operation ids whose
+ * content changed since approval.
+ */
+export declare function verifyApprovalDigests(operations: PatchOperation[], approvedOperationIds: string[], valueOverrides: Record<string, unknown>, storedDigests: Record<string, string> | undefined): ApprovalVerification;