fullstackgtm 0.25.1 → 0.26.0

package/dist/integrity.js

@@ -0,0 +1,128 @@
+import { createHmac, randomBytes } from "node:crypto";
+import { existsSync, readFileSync } from "node:fs";
+import { join } from "node:path";
+import { credentialsDir, ensureSecureHomeDir, writeSecureFile } from "./credentials.js";
+/**
+ * Approval integrity.
+ *
+ * The plan store records WHICH operation ids a human approved, but the apply
+ * path re-reads the operation BODIES fresh from the (user-editable) plan file.
+ * Nothing bound the approval to the content: an approved op's afterValue or
+ * objectId could be changed on disk between `plans approve` and `apply` — by a
+ * compromised dependency, a co-tenant, or a plan file synced/edited on another
+ * machine — and the changed value would be written under the prior approval.
+ *
+ * Fix: at approval time, HMAC-sign each approved operation's security-relevant
+ * content (including the approved value override) with a per-install secret key
+ * stored 0600 alongside the credentials. At apply time, recompute and verify.
+ * Any post-approval edit to the operations or the approved overrides changes the
+ * signature; a tamper must now also forge an HMAC it cannot compute without the
+ * key. The key never leaves the machine, so a plan approved here and applied
+ * elsewhere fails closed ("re-approve on this machine") rather than open.
+ *
+ * This raises the bar from "trust the plan JSON" to "trust the plan JSON only
+ * insofar as it still matches what was signed with the local key." It is not a
+ * defense against an attacker who already holds the signing key (same-dir, same
+ * permissions as the credential store) — that is the documented boundary.
+ */
+const SIGNING_KEY_FILE = ".plan-signing-key";
+function signingKeyPath() {
+    return join(credentialsDir(), SIGNING_KEY_FILE);
+}
+/** Read the signing key, or null if it has not been created yet. */
+export function loadSigningKey() {
+    const path = signingKeyPath();
+    if (!existsSync(path))
+        return null;
+    try {
+        return Buffer.from(readFileSync(path, "utf8").trim(), "hex");
+    }
+    catch {
+        return null;
+    }
+}
+/** Read the signing key, creating a fresh 32-byte one (0600) on first use. */
+export function loadOrCreateSigningKey() {
+    const existing = loadSigningKey();
+    if (existing && existing.length >= 32)
+        return existing;
+    ensureSecureHomeDir();
+    const key = randomBytes(32);
+    writeSecureFile(signingKeyPath(), `${key.toString("hex")}\n`);
+    return key;
+}
+/**
+ * Canonical, stable string of the operation content an approval binds to. Only
+ * the fields that determine WHAT gets written: changing any of them must
+ * invalidate the approval. `override` is the approved value override for this op
+ * (the value actually written when set), so tampering with stored overrides is
+ * caught too.
+ */
+function canonicalApprovalContent(operation, override) {
+    return JSON.stringify([
+        operation.id,
+        operation.operation,
+        operation.objectType,
+        operation.objectId,
+        operation.field ?? null,
+        operation.beforeValue ?? null,
+        operation.afterValue ?? null,
+        operation.groupId ?? null,
+        // Safety-relevant fields too: editing a precondition could relax a drift
+        // guard, and forging forceArchiveDuplicate could suppress the archive-of-
+        // duplicate refusal — the signed approval must pin apply BEHAVIOR, not just
+        // the written value. `reason` is human-reviewed AND written verbatim into
+        // create_task bodies (afterValue ?? reason fallback in the connectors), so a
+        // create_task with a null afterValue would otherwise let a disk edit to
+        // reason write unapproved text under a still-valid digest.
+        operation.preconditions ?? null,
+        operation.forceArchiveDuplicate ?? false,
+        operation.reason ?? null,
+        override === undefined ? null : ["__override__", override],
+    ]);
+}
+/** HMAC-SHA256 signature of one operation's approved content. */
+export function signApproval(operation, override, key) {
+    return createHmac("sha256", key).update(canonicalApprovalContent(operation, override)).digest("hex");
+}
+/**
+ * Compute the approval signature map for a set of approved operation ids,
+ * resolving each op from the plan and its (approved) value override.
+ */
+export function computeApprovalDigests(operations, approvedOperationIds, valueOverrides, key) {
+    const byId = new Map(operations.map((operation) => [operation.id, operation]));
+    const digests = {};
+    for (const id of approvedOperationIds) {
+        const operation = byId.get(id);
+        if (!operation)
+            continue;
+        digests[id] = signApproval(operation, valueOverrides[id], key);
+    }
+    return digests;
+}
+/**
+ * Verify that every approved operation still matches what was signed. Returns
+ * ok:true when there are no stored digests (a pre-integrity plan — nothing to
+ * verify), when all match, or fails with the list of operation ids whose
+ * content changed since approval.
+ */
+export function verifyApprovalDigests(operations, approvedOperationIds, valueOverrides, storedDigests) {
+    if (!storedDigests || Object.keys(storedDigests).length === 0)
+        return { ok: true };
+    const key = loadSigningKey();
+    if (!key)
+        return { ok: false, reason: "no_key", tampered: approvedOperationIds };
+    const byId = new Map(operations.map((operation) => [operation.id, operation]));
+    const tampered = [];
+    for (const id of approvedOperationIds) {
+        const operation = byId.get(id);
+        const expected = storedDigests[id];
+        if (!operation || !expected) {
+            tampered.push(id);
+            continue;
+        }
+        if (signApproval(operation, valueOverrides[id], key) !== expected)
+            tampered.push(id);
+    }
+    return tampered.length === 0 ? { ok: true } : { ok: false, reason: "mismatch", tampered };
+}

package/dist/market.d.ts

@@ -153,6 +153,7 @@ export type FetchPage = (url: string) => Promise<{
     status: number;
     body: string;
 }>;
+export declare function assertPublicUrl(rawUrl: string): Promise<URL>;
 export type CaptureOptions = {
     /** Directory for captures; defaults to <marketHome>/captures. */
     dir?: string;

package/dist/market.js

@@ -1,5 +1,7 @@
 import { createHash } from "node:crypto";
+import { lookup } from "node:dns/promises";
 import { existsSync, mkdirSync, readFileSync, readdirSync, writeFileSync } from "node:fs";
+import { isIP } from "node:net";
 import { join } from "node:path";
 import { credentialsDir } from "./credentials.js";
 const INTENSITY_RANK = {
@@ -141,15 +143,144 @@ export function extractReadableText(html) {
         .filter(Boolean)
         .join("\n");
 }
+/**
+ * SSRF guard. market.config.json URLs are operator-authored, but configs are
+ * shared/templated in consulting/team use and `market capture|refresh` is on
+ * the cron allowlist — an unguarded fetch is an unattended internal-network
+ * and cloud-metadata probe. We therefore (1) allow only http/https, (2) refuse
+ * any host that is or resolves to a private/loopback/link-local/metadata
+ * address, and (3) follow redirects manually, re-validating each hop.
+ *
+ * Residual gap (documented, not defended here): TOCTOU DNS rebinding between
+ * our lookup and fetch's own resolution. Out of scope for fetching public
+ * competitor pages; a hardened deployment should fetch through an egress proxy.
+ */
+const MAX_REDIRECTS = 5;
+const FETCH_TIMEOUT_MS = 15_000;
+const MAX_BODY_BYTES = 5_000_000;
+function ipv4IsPrivate(ip) {
+    const parts = ip.split(".").map((n) => Number(n));
+    if (parts.length !== 4 || parts.some((n) => !Number.isInteger(n) || n < 0 || n > 255))
+        return true;
+    const [a, b] = parts;
+    if (a === 0 || a === 127)
+        return true; // this-host, loopback
+    if (a === 10)
+        return true; // private
+    if (a === 172 && b >= 16 && b <= 31)
+        return true; // private
+    if (a === 192 && b === 168)
+        return true; // private
+    if (a === 169 && b === 254)
+        return true; // link-local incl. 169.254.169.254 metadata
+    if (a === 100 && b >= 64 && b <= 127)
+        return true; // CGNAT
+    if (a >= 224)
+        return true; // multicast / reserved
+    return false;
+}
+function ipIsPrivate(ip) {
+    const family = isIP(ip);
+    if (family === 4)
+        return ipv4IsPrivate(ip);
+    if (family === 6) {
+        const lower = ip.toLowerCase();
+        if (lower === "::1" || lower === "::")
+            return true; // loopback / unspecified
+        // IPv4-mapped (::ffff:…) — Node normalizes ::ffff:127.0.0.1 to ::ffff:7f00:1,
+        // so accept both the dotted and the hex-pair forms, unwrap, check the v4.
+        const mapped = lower.match(/^::ffff:(.+)$/);
+        if (mapped) {
+            const rest = mapped[1];
+            if (rest.includes("."))
+                return ipv4IsPrivate(rest);
+            const groups = rest.split(":");
+            if (groups.length === 2) {
+                const hi = parseInt(groups[0], 16);
+                const lo = parseInt(groups[1], 16);
+                if (Number.isNaN(hi) || Number.isNaN(lo))
+                    return true;
+                return ipv4IsPrivate(`${(hi >> 8) & 0xff}.${hi & 0xff}.${(lo >> 8) & 0xff}.${lo & 0xff}`);
+            }
+            return true; // unrecognized mapped form → refuse
+        }
+        if (lower.startsWith("fe8") || lower.startsWith("fe9") || lower.startsWith("fea") || lower.startsWith("feb"))
+            return true; // link-local fe80::/10
+        if (lower.startsWith("fc") || lower.startsWith("fd"))
+            return true; // unique-local fc00::/7
+        return false;
+    }
+    return true; // not a recognizable IP literal → refuse
+}
+export async function assertPublicUrl(rawUrl) {
+    let url;
+    try {
+        url = new URL(rawUrl);
+    }
+    catch {
+        throw new Error(`market capture: "${rawUrl}" is not a valid URL.`);
+    }
+    if (url.protocol !== "http:" && url.protocol !== "https:") {
+        throw new Error(`market capture refuses ${url.protocol} URLs (only http/https): ${rawUrl}`);
+    }
+    const host = url.hostname.replace(/^\[|\]$/g, ""); // strip IPv6 brackets
+    if (isIP(host)) {
+        if (ipIsPrivate(host))
+            throw new Error(`market capture refuses private/loopback address ${host} (SSRF guard).`);
+        return url;
+    }
+    // Hostname: resolve and refuse if ANY address is private.
+    const addrs = await lookup(host, { all: true });
+    for (const { address } of addrs) {
+        if (ipIsPrivate(address)) {
+            throw new Error(`market capture refuses ${host} — it resolves to private/internal address ${address} (SSRF guard).`);
+        }
+    }
+    return url;
+}
 const defaultFetchPage = async (url) => {
-    const response = await fetch(url, {
-        headers: {
-            "User-Agent": "fullstackgtm-market/0 (+https://github.com/fullstackgtm/core)",
-            "Accept-Language": "en-US",
-        },
-        redirect: "follow",
-    });
-    return { status: response.status, body: await response.text() };
+    let current = url;
+    for (let hop = 0; hop <= MAX_REDIRECTS; hop++) {
+        await assertPublicUrl(current);
+        const controller = new AbortController();
+        const timer = setTimeout(() => controller.abort(), FETCH_TIMEOUT_MS);
+        let response;
+        try {
+            response = await fetch(current, {
+                headers: {
+                    "User-Agent": "fullstackgtm-market/0 (+https://github.com/fullstackgtm/core)",
+                    "Accept-Language": "en-US",
+                },
+                redirect: "manual",
+                signal: controller.signal,
+            });
+        }
+        finally {
+            clearTimeout(timer);
+        }
+        if (response.status >= 300 && response.status < 400 && response.headers.get("location")) {
+            current = new URL(response.headers.get("location"), current).toString();
+            continue; // re-validate the redirect target on the next iteration
+        }
+        const reader = response.body?.getReader();
+        if (!reader)
+            return { status: response.status, body: await response.text() };
+        const chunks = [];
+        let total = 0;
+        for (;;) {
+            const { done, value } = await reader.read();
+            if (done)
+                break;
+            total += value.length;
+            if (total > MAX_BODY_BYTES) {
+                await reader.cancel();
+                break;
+            }
+            chunks.push(value);
+        }
+        return { status: response.status, body: Buffer.concat(chunks).toString("utf8") };
+    }
+    throw new Error(`market capture: too many redirects (>${MAX_REDIRECTS}) for ${url}`);
 };
 export async function captureMarket(config, options = {}) {
     const dir = options.dir ?? join(marketHome(config.category), "captures");
@@ -284,6 +415,11 @@ export function validateObservationSet(config, set) {
         if (!INTENSITY_RANK[obs.intensity] && obs.intensity !== "unobservable") {
             problems.push(`${cell}: invalid intensity "${obs.intensity}"`);
         }
+        // confidence is rendered into the HTML report; only the enum is allowed, so
+        // an `observe --from` file can't smuggle markup through a free-text value.
+        if (obs.confidence !== "high" && obs.confidence !== "medium" && obs.confidence !== "low") {
+            problems.push(`${cell}: invalid confidence "${String(obs.confidence)}" (expected high, medium, or low)`);
+        }
         if ((obs.intensity === "loud" || obs.intensity === "quiet") && obs.evidence.length === 0) {
             problems.push(`${cell}: ${obs.intensity} reading with no quoted evidence`);
         }

package/dist/marketReport.d.ts

@@ -1,3 +1,12 @@
 import type { MarketConfig, ObservationSet } from "./market.ts";
+/**
+ * Serialize JSON for embedding inside an inline <script> block. JSON.stringify
+ * does not escape `<`, `>`, `&`, or the U+2028/U+2029 line separators, so a
+ * vendor name containing `</script>` (these are untrusted, competitor-authored
+ * strings) would close the tag and inject markup. Replacing them with their
+ * \uXXXX escapes keeps the parsed value identical while making the breakout
+ * sequence unrepresentable in the HTML source.
+ */
+export declare function safeJsonForScript(value: unknown): string;
 export declare function marketMapToMarkdown(config: MarketConfig, set: ObservationSet): string;
 export declare function marketMapToHtml(config: MarketConfig, set: ObservationSet): string;

package/dist/marketReport.js

@@ -28,6 +28,22 @@ function escapeHtml(value) {
         .replace(/>/g, ">")
         .replace(/"/g, """);
 }
+/**
+ * Serialize JSON for embedding inside an inline <script> block. JSON.stringify
+ * does not escape `<`, `>`, `&`, or the U+2028/U+2029 line separators, so a
+ * vendor name containing `</script>` (these are untrusted, competitor-authored
+ * strings) would close the tag and inject markup. Replacing them with their
+ * \uXXXX escapes keeps the parsed value identical while making the breakout
+ * sequence unrepresentable in the HTML source.
+ */
+export function safeJsonForScript(value) {
+    return JSON.stringify(value)
+        .replace(/</g, "\\u003c")
+        .replace(/>/g, "\\u003e")
+        .replace(/&/g, "\\u0026")
+        .replace(/\u2028/g, "\\u2028")
+        .replace(/\u2029/g, "\\u2029");
+}
 function buildModel(config, set) {
     const fronts = computeFrontStates(config, set);
     const stateByClaim = new Map(fronts.map((front) => [front.claimId, front.state]));
@@ -320,7 +336,7 @@ function axisSectionsHtml(config, set) {
       <table class="legend"><thead><tr><th></th><th>vendor</th><th class="num">${legendMeasureHead}</th></tr></thead><tbody>${legendRows}</tbody></table>
     </div>
     <div class="map-tip" id="map-tip" hidden></div>
-    <script type="application/json" id="map-data">${JSON.stringify(tipData)}</script>
+    <script type="application/json" id="map-data">${safeJsonForScript(tipData)}</script>
     <script>
     (function () {
       var data = JSON.parse(document.getElementById("map-data").textContent);
@@ -331,7 +347,16 @@ function axisSectionsHtml(config, set) {
       function show(v, evt) {
         var d = data[v];
         if (!d) return;
-        tip.innerHTML = "<b>" + d.n + " · " + d.name + "</b>" + d.lines.map(function (l) { return "<div>" + l + "</div>"; }).join("");
+        // textContent only — vendor names / axis labels are untrusted (competitor-controlled).
+        tip.textContent = "";
+        var head = document.createElement("b");
+        head.textContent = d.n + " · " + d.name;
+        tip.appendChild(head);
+        d.lines.forEach(function (l) {
+          var div = document.createElement("div");
+          div.textContent = l;
+          tip.appendChild(div);
+        });
         tip.hidden = false;
         var box = fig.getBoundingClientRect();
         tip.style.left = Math.min(evt.clientX - box.left + 14, box.width - tip.offsetWidth - 8) + "px";
@@ -419,7 +444,7 @@ export function marketMapToHtml(config, set) {
         const anchorLoud = anchor
             ? claimIds.filter((claimId) => model.cell(anchor, claimId)?.intensity === "loud").length
             : 0;
-        const anchorNote = anchor ? ` · ${vendorNamesById.get(anchor) ?? anchor} loud on ${anchorLoud}` : "";
+        const anchorNote = anchor ? ` · ${e(vendorNamesById.get(anchor) ?? anchor)} loud on ${anchorLoud}` : "";
         return `<details class="claim-group"><summary><b>${e(group.title)}</b> — ${claimIds.length} claim${claimIds.length === 1 ? "" : "s"} <span class="sum-soft">(${e(group.blurb)}${anchorNote})</span></summary>
       <table><thead><tr><th></th>${vendorHeads}<th></th></tr></thead><tbody>${claimIds.map(matrixRow).join("")}</tbody></table>
     </details>`;
@@ -475,7 +500,7 @@ export function marketMapToHtml(config, set) {
             const obs = model.cell(vendor.id, claimId);
             if (!obs || obs.evidence.length === 0)
                 return [];
-            return obs.evidence.map((evidence) => `<div class="ev"><span class="ev-head">${e(claimId)} · ${obs.intensity.toUpperCase()} (${obs.confidence})</span>` +
+            return obs.evidence.map((evidence) => `<div class="ev"><span class="ev-head">${e(claimId)} · ${e(obs.intensity.toUpperCase())} (${e(String(obs.confidence ?? ""))})</span>` +
                 `<blockquote>“${e(evidence.text)}”</blockquote>` +
                 `<span class="ev-src">${e(String(evidence.metadata?.url ?? ""))} · capture ${e(String(evidence.metadata?.captureHash ?? "").slice(0, 12))}</span></div>`);
         });

package/dist/marketTaxonomy.d.ts

@@ -0,0 +1,41 @@
+import { type LlmCallOptions } from "./llm.ts";
+import { type FetchPage, type MarketConfig } from "./market.ts";
+/**
+ * Cold-start taxonomy bootstrap. `market init` writes a stub for a human
+ * analyst to fill in; the self-serve hosted map has no analyst in the loop, so
+ * this proposes the claim taxonomy automatically from the seed vendors' own
+ * pages.
+ *
+ * Posture matches the rest of the market layer: the LLM is a *proposal* layer
+ * grounded in captured evidence (it only sees text we actually fetched), and
+ * everything downstream — capture, classify with verbatim-span verification,
+ * front states, the report — stays deterministic over the stored observations.
+ * The taxonomy it emits is a normal `market.config.json` a human can still edit.
+ */
+export type SeedVendor = {
+    url: string;
+    /** Display name; derived from the host when omitted. */
+    name?: string;
+    /** Marks the user's own company as the anchor vendor. */
+    anchor?: boolean;
+};
+export type SuggestTaxonomyOptions = {
+    category: string;
+    vendors: SeedVendor[];
+    llm: LlmCallOptions;
+    /** Upper bound on proposed claims, to keep classification bounded. */
+    maxClaims?: number;
+    /** Per-vendor captured-text budget fed to the proposer (chars). */
+    perVendorChars?: number;
+    /** Test injectables. */
+    fetchPage?: FetchPage;
+    capturesDir?: string;
+    now?: () => Date;
+};
+export type SuggestTaxonomyResult = {
+    config: MarketConfig;
+    /** Vendors whose homepage capture was empty/failed (excluded from grounding). */
+    unreadableVendorIds: string[];
+    model: string;
+};
+export declare function suggestMarketConfig(options: SuggestTaxonomyOptions): Promise<SuggestTaxonomyResult>;

package/dist/marketTaxonomy.js

@@ -0,0 +1,193 @@
+import { DEFAULT_MODELS, forcedToolCall, } from "./llm.js";
+import { captureMarket, loadCaptureTexts, } from "./market.js";
+const DEFAULT_MAX_CLAIMS = 16;
+const DEFAULT_PER_VENDOR_CHARS = 6_000;
+/** Stable, human-readable id from a string (claim capability or host). */
+function slugify(value, maxWords = 6) {
+    const slug = value
+        .toLowerCase()
+        .replace(/[^a-z0-9]+/g, "-")
+        .replace(/^-+|-+$/g, "")
+        .split("-")
+        .filter(Boolean)
+        .slice(0, maxWords)
+        .join("-");
+    return slug || "item";
+}
+/** Second-level domain as a vendor id seed: https://www.stripe.com/ -> stripe. */
+function vendorIdFromUrl(url) {
+    let host;
+    try {
+        host = new URL(url).hostname;
+    }
+    catch {
+        return slugify(url);
+    }
+    const labels = host.replace(/^www\./, "").split(".");
+    const sld = labels.length >= 2 ? labels[labels.length - 2] : labels[0];
+    return slugify(sld || host);
+}
+/** Disambiguate repeated ids by suffixing -2, -3, … */
+function uniqueId(base, taken) {
+    if (!taken.has(base)) {
+        taken.add(base);
+        return base;
+    }
+    for (let n = 2;; n += 1) {
+        const candidate = `${base}-${n}`;
+        if (!taken.has(candidate)) {
+            taken.add(candidate);
+            return candidate;
+        }
+    }
+}
+function provisionalVendors(seeds) {
+    const taken = new Set();
+    return seeds.map((seed) => {
+        const id = uniqueId(vendorIdFromUrl(seed.url), taken);
+        const host = (() => {
+            try {
+                return new URL(seed.url).hostname.replace(/^www\./, "");
+            }
+            catch {
+                return seed.url;
+            }
+        })();
+        return {
+            id,
+            name: seed.name?.trim() || host,
+            urls: { home: seed.url, pricing: null, product: [] },
+        };
+    });
+}
+const TAXONOMY_SCHEMA = {
+    type: "object",
+    required: ["claims"],
+    properties: {
+        surfaceRule: {
+            type: "string",
+            description: "One sentence stating how a reader judges LOUD vs QUIET vs ABSENT for this category (e.g. hero/top-nav = LOUD, deeper pages = QUIET, nowhere = ABSENT).",
+        },
+        claims: {
+            type: "array",
+            description: "The distinct capability positions vendors in this category compete on. 8-16 of them. Only include claims you can actually see evidence for on the supplied pages.",
+            items: {
+                type: "object",
+                required: ["capability", "icp", "pricingStructure", "definition"],
+                properties: {
+                    capability: {
+                        type: "string",
+                        description: "What is being claimed, precise enough to judge loud/quiet/absent. Max ~10 words.",
+                    },
+                    icp: { type: "string", description: "Which buyer/ICP this claim cell addresses (category vocabulary)." },
+                    pricingStructure: {
+                        type: "string",
+                        description: "Which pricing structure the claim implies (e.g. per-seat, usage-based, flat, free-tier).",
+                    },
+                    definition: {
+                        type: "string",
+                        description: "Operational definition a human (or classifier) uses to score any vendor's page LOUD/QUIET/ABSENT on this claim.",
+                    },
+                    terms: {
+                        type: "array",
+                        items: { type: "string" },
+                        description: "Exact buyer phrasings for this claim, for deterministic mention matching. 2-5 terms.",
+                    },
+                },
+            },
+        },
+        vendors: {
+            type: "array",
+            description: "Optional refinements: a clean display name per seed URL, and a pricing-page URL if one is clearly linked.",
+            items: {
+                type: "object",
+                required: ["seedUrl"],
+                properties: {
+                    seedUrl: { type: "string" },
+                    name: { type: "string" },
+                    pricingUrl: { type: ["string", "null"] },
+                },
+            },
+        },
+    },
+};
+function buildDossier(vendors, capture, perVendorChars) {
+    const { entries, textByHash } = capture;
+    const unreadable = [];
+    const blocks = [];
+    for (const vendor of vendors) {
+        const hash = entries.find((e) => e.vendorId === vendor.id && e.captureHash)?.captureHash ?? null;
+        const text = hash ? textByHash.get(hash) ?? "" : "";
+        if (!text.trim()) {
+            unreadable.push(vendor.id);
+            continue;
+        }
+        blocks.push(`### ${vendor.name} (${vendor.urls.home})\n${text.slice(0, perVendorChars)}`);
+    }
+    return { dossier: blocks.join("\n\n"), unreadable };
+}
+const INSTRUCTIONS = `You are seeding a competitive "market map" for a category. A market map breaks the category into CLAIMS — the distinct capability positions vendors compete on — so each (vendor x claim) cell can later be scored LOUD / QUIET / ABSENT from that vendor's pages.
+
+Propose the claim taxonomy for this category from the competitor homepages below. Rules:
+- Ground every claim in what is actually visible on the supplied pages. Do not invent positions no vendor mentions.
+- Each claim is a cell: a precise capability, the ICP it targets, and the pricing structure it implies.
+- Write each definition so a reader could judge ANY vendor's page LOUD/QUIET/ABSENT against it.
+- Aim for the 8-16 claims that genuinely differentiate vendors. Prefer specific, contested positions over generic table stakes.
+- Provide 2-5 verbatim buyer terms per claim for later mention matching.
+- Optionally return a cleaned display name and a pricing-page URL per seed vendor when evident.`;
+export async function suggestMarketConfig(options) {
+    const { category } = options;
+    if (options.vendors.length === 0)
+        throw new Error("suggestMarketConfig requires at least one seed vendor");
+    const maxClaims = options.maxClaims ?? DEFAULT_MAX_CLAIMS;
+    const perVendorChars = options.perVendorChars ?? DEFAULT_PER_VENDOR_CHARS;
+    const model = options.llm.model ?? DEFAULT_MODELS[options.llm.provider];
+    const vendors = provisionalVendors(options.vendors);
+    const anchorSeed = options.vendors.find((seed) => seed.anchor);
+    const anchorId = anchorSeed ? vendors[options.vendors.indexOf(anchorSeed)]?.id : undefined;
+    // Capture the seed homepages so the proposer only sees text we actually
+    // fetched (the SSRF guard in captureMarket applies to these user-supplied URLs).
+    await captureMarket({ category, vendors, claims: [] }, { dir: options.capturesDir, runLabel: "bootstrap", fetchPage: options.fetchPage, now: options.now });
+    const capture = loadCaptureTexts(category, options.capturesDir);
+    const { dossier, unreadable } = buildDossier(vendors, capture, perVendorChars);
+    if (!dossier.trim()) {
+        throw new Error(`market init --auto: none of the ${vendors.length} seed pages returned readable text — check the URLs are public homepages.`);
+    }
+    const prompt = `${INSTRUCTIONS}\n\nCategory: ${category}\n\nCompetitor homepages:\n${dossier}`;
+    const result = (await forcedToolCall(prompt, "propose_market_taxonomy", TAXONOMY_SCHEMA, model, options.llm));
+    const takenClaimIds = new Set();
+    const claims = (result.claims ?? [])
+        .filter((claim) => claim?.capability && claim?.definition)
+        .slice(0, maxClaims)
+        .map((claim) => ({
+        id: uniqueId(slugify(claim.capability), takenClaimIds),
+        capability: claim.capability.trim(),
+        icp: (claim.icp ?? "").trim() || "general",
+        pricingStructure: (claim.pricingStructure ?? "").trim() || "unspecified",
+        definition: claim.definition.trim(),
+        ...(claim.terms?.length ? { terms: claim.terms.map((t) => t.trim()).filter(Boolean) } : {}),
+    }));
+    if (claims.length === 0) {
+        throw new Error("market init --auto: the model proposed no usable claims — try again or seed the taxonomy by hand.");
+    }
+    // Apply optional vendor refinements (display name + pricing URL), matched by seed URL.
+    const refinementByUrl = new Map((result.vendors ?? []).map((v) => [v.seedUrl, v]));
+    const refinedVendors = vendors.map((vendor) => {
+        const refinement = refinementByUrl.get(vendor.urls.home);
+        const pricing = refinement?.pricingUrl && /^https?:\/\//i.test(refinement.pricingUrl) ? refinement.pricingUrl : vendor.urls.pricing;
+        return {
+            ...vendor,
+            name: refinement?.name?.trim() || vendor.name,
+            urls: { ...vendor.urls, pricing },
+        };
+    });
+    const config = {
+        category,
+        ...(anchorId ? { anchorVendor: anchorId } : {}),
+        vendors: refinedVendors,
+        claims,
+        surfaceRule: result.surfaceRule?.trim() ||
+            "LOUD = hero copy OR top-level-nav named product with a dedicated page; QUIET = present on any indexed page below that; ABSENT = nowhere observed; UNOBSERVABLE = capture empty/failed — never score ABSENT from a failed capture.",
+    };
+    return { config, unreadableVendorIds: unreadable, model };
+}

package/dist/planStore.d.ts

@@ -11,6 +11,12 @@ export type StoredPlan = {
     status: ApprovalStatus;
     approvedOperationIds: string[];
     valueOverrides: Record<string, unknown>;
+    /**
+     * HMAC of each approved operation's content at approval time (see
+     * integrity.ts). Apply re-verifies these so a post-approval edit to the plan
+     * file is caught instead of written. Absent on plans approved before 0.26.0.
+     */
+    approvalDigests?: Record<string, string>;
     runs: PatchPlanRun[];
     createdAt: string;
     updatedAt: string;

package/dist/planStore.js

@@ -1,6 +1,7 @@
 import { chmodSync, mkdirSync, readdirSync, readFileSync } from "node:fs";
 import { join } from "node:path";
 import { credentialsDir, ensureSecureHomeDir, writeSecureFile } from "./credentials.js";
+import { computeApprovalDigests, loadOrCreateSigningKey } from "./integrity.js";
 /**
  * Plans as JSON files in a directory (default `$FSGTM_HOME/plans`), one file
  * per plan id. Filesystem-shaped on purpose: greppable, diffable, and any
@@ -90,11 +91,18 @@ export function createFilePlanStore(directory) {
                     throw new Error(`Plan ${planId} has no operation ${operationId}.`);
                 }
             }
+            const approvedOperationIds = Array.from(new Set([...stored.approvedOperationIds, ...operationIds]));
+            const mergedOverrides = { ...stored.valueOverrides, ...valueOverrides };
+            // Bind the approval to the operation content so apply can detect a
+            // post-approval edit. Recompute over ALL approved ops (a later approve
+            // call may add overrides that change an earlier op's resolved value).
+            const approvalDigests = computeApprovalDigests(stored.plan.operations, approvedOperationIds, mergedOverrides, loadOrCreateSigningKey());
             return write({
                 ...stored,
                 status: "approved",
-                approvedOperationIds: Array.from(new Set([...stored.approvedOperationIds, ...operationIds])),
-                valueOverrides: { ...stored.valueOverrides, ...valueOverrides },
+                approvedOperationIds,
+                valueOverrides: mergedOverrides,
+                approvalDigests,
             });
         },
         async reject(planId) {