fullstackgtm 0.25.1 → 0.26.0

package/dist/schedule.d.ts

@@ -53,6 +53,23 @@ export declare function scheduleId(label: string, cron: string, argv: string[],
  * in-process into the CLI router, never through a shell).
  */
 export declare function validateSchedulableArgv(argv: string[]): void;
+/**
+ * A schedule label is free text the operator chooses, but it is later
+ * interpolated into a crontab comment line by `renderManagedBlock`. A newline
+ * (or carriage return) would break out of the comment and inject an arbitrary
+ * crontab entry on `schedule install`. Reject control characters at the entry
+ * point so a label can never carry a second line; `renderManagedBlock` also
+ * strips them defensively in case a hand-edited schedules.json slips one past.
+ */
+export declare function assertSingleLineLabel(label: string): void;
+/**
+ * True if the string contains any line-breaking or control character. Covers
+ * C0 controls + DEL, plus the Unicode separators a non-cron parser might honor
+ * (NEL U+0085, LS U+2028, PS U+2029, VT U+000B, FF U+000C) — defense-in-depth
+ * for the future modal/aws scaffold renderers whose target formats may treat
+ * those as line breaks.
+ */
+export declare function hasControlChar(value: string): boolean;
 /**
  * Split a `schedule add "<command>"` string into argv, honoring single and
  * double quotes (no escapes, no expansion — this is tokenization, not shell).

package/dist/schedule.js

@@ -61,6 +61,10 @@ export function validateSchedulableArgv(argv) {
             throw new Error("A scheduled apply cannot take --plan/--approve — file-based approval would bypass the " +
                 "plan store's approval state. Use `apply --plan-id <id>` and approve via `plans approve`.");
         }
+        if (argv.includes("--value")) {
+            throw new Error("A scheduled apply cannot take --value — an unattended run must write exactly the values " +
+                "signed at approval. Set the value with `plans approve --value <op>=<v>` and re-approve.");
+        }
         return;
     }
     if (!Object.hasOwn(SCHEDULABLE, head)) {
@@ -77,6 +81,68 @@ export function validateSchedulableArgv(argv) {
         }
     }
 }
+/**
+ * A schedule label is free text the operator chooses, but it is later
+ * interpolated into a crontab comment line by `renderManagedBlock`. A newline
+ * (or carriage return) would break out of the comment and inject an arbitrary
+ * crontab entry on `schedule install`. Reject control characters at the entry
+ * point so a label can never carry a second line; `renderManagedBlock` also
+ * strips them defensively in case a hand-edited schedules.json slips one past.
+ */
+export function assertSingleLineLabel(label) {
+    if (hasControlChar(label)) {
+        throw new Error("A schedule --label cannot contain newlines or control characters " +
+            "(they would inject lines into the managed crontab block). Use a plain single-line name.");
+    }
+}
+/**
+ * True if the string contains any line-breaking or control character. Covers
+ * C0 controls + DEL, plus the Unicode separators a non-cron parser might honor
+ * (NEL U+0085, LS U+2028, PS U+2029, VT U+000B, FF U+000C) — defense-in-depth
+ * for the future modal/aws scaffold renderers whose target formats may treat
+ * those as line breaks.
+ */
+export function hasControlChar(value) {
+    for (let i = 0; i < value.length; i++) {
+        const code = value.charCodeAt(i);
+        if (code < 0x20 || code === 0x7f || code === 0x85 || code === 0x2028 || code === 0x2029)
+            return true;
+    }
+    return false;
+}
+/** Collapse any control/separator character to a space — last-resort guard at render time. */
+function sanitizeCrontabComment(value) {
+    let out = "";
+    for (const ch of value) {
+        const code = ch.charCodeAt(0);
+        out += code < 0x20 || code === 0x7f || code === 0x85 || code === 0x2028 || code === 0x2029 ? " " : ch;
+    }
+    return out.replace(/ {2,}/g, " ").trim();
+}
+/**
+ * Validate every field of an entry that `renderManagedBlock` interpolates into
+ * the crontab — not just the label. The EXECUTABLE line embeds `cron` and `id`
+ * raw, and `schedule install` renders entries straight from schedules.json, so
+ * a hand-edited (or otherwise tampered) entry with a newline in cron/id/profile
+ * would inject a live crontab line. Refuse to render a tampered entry rather
+ * than emit it. (Well-formed entries never trip this: cron is parser-validated,
+ * id is an fnv1a hex hash, label is guarded at add-time.)
+ */
+function assertRenderableEntry(profile, entry) {
+    const fields = [
+        ["profile", profile],
+        ["cron", entry.cron],
+        ["id", entry.id],
+        ["label", entry.label],
+        ...entry.argv.map((token, i) => [`argv[${i}]`, token]),
+    ];
+    for (const [name, value] of fields) {
+        if (hasControlChar(value)) {
+            throw new Error(`Refusing to render schedule entry ${entry.id}: its ${name} contains a newline or control character. ` +
+                "The schedules.json store has been tampered with or corrupted — repair it before installing.");
+        }
+    }
+}
 /**
  * Split a `schedule add "<command>"` string into argv, honoring single and
  * double quotes (no escapes, no expansion — this is tokenization, not shell).
@@ -124,7 +190,13 @@ const CRON_FIELD_SPECS = [
     { name: "day-of-week", min: 0, max: 7 },
 ];
 export function parseCron(expression) {
-    const fields = expression.trim().split(/\s+/);
+    // Reject non-ASCII whitespace and control chars: JS \s splits on U+00A0,
+    // U+3000, etc., but Vixie cron's field separator is only space/tab. A source
+    // carrying them would parse here yet be misparsed or rejected by `crontab -`.
+    if (hasControlChar(expression) || /[^\x20-\x7e]/.test(expression)) {
+        throw new Error(`Invalid cron expression "${expression}": only ASCII characters, space, and tab are allowed.`);
+    }
+    const fields = expression.trim().split(/[ \t]+/);
     if (fields.length !== 5) {
         throw new Error(`Invalid cron expression "${expression}": expected 5 fields ` +
             `(minute hour day-of-month month day-of-week), got ${fields.length}.`);
@@ -432,13 +504,26 @@ export function crontabSentinels(profile) {
  * but fullstackgtm dispatch (no arbitrary shell, ever).
  */
 export function renderManagedBlock(profile, entries, cliInvocation) {
+    // cliInvocation is spliced raw into the executable line; it is built from
+    // process.execPath, the script path, and FSGTM_HOME (cli.ts), so a newline in
+    // FSGTM_HOME would inject a crontab line. Validate it like the entry fields —
+    // single-quote shell-escaping does NOT defend cron's line parser.
+    if (hasControlChar(cliInvocation)) {
+        throw new Error("Refusing to render the managed crontab: the resolved CLI invocation (node path, script path, " +
+            "or FSGTM_HOME) contains a newline or control character. Check $FSGTM_HOME.");
+    }
     const { open, close } = crontabSentinels(profile);
     const lines = [
         open,
         "# Managed by `fullstackgtm schedule install` — replaced wholesale on re-install; do not edit.",
     ];
     for (const entry of entries) {
-        lines.push(`# ${entry.label} (${entry.id}): ${entry.argv.join(" ")}`);
+        // Refuse to render any entry whose interpolated fields carry a control char
+        // — the executable line below embeds cron/id raw, so a tampered store could
+        // otherwise inject a live crontab line. The comment line is additionally
+        // sanitized so a benign-but-messy label can't break it.
+        assertRenderableEntry(profile, entry);
+        lines.push(sanitizeCrontabComment(`# ${entry.label} (${entry.id}): ${entry.argv.join(" ")}`));
         lines.push(`${entry.cron} ${cliInvocation} schedule run ${entry.id} --profile ${profile} --trigger cron`);
     }
     lines.push(close);

package/dist/types.d.ts

@@ -239,6 +239,22 @@ export type PatchOperation = {
      * member of the group.
      */
     groupId?: string;
+    /**
+     * Set only when a human explicitly chose to archive a record that shares an
+     * identity key with another (`bulk-update --archive --force-archive-duplicates`).
+     * Without it, apply refuses to archive_record a record the live snapshot still
+     * sees as a duplicate — archiving a duplicate discards data that merging keeps,
+     * and an agent on a dedupe task must not silently substitute archive for merge.
+     */
+    forceArchiveDuplicate?: boolean;
+    /**
+     * For irreversible operations (merge_records, archive_record): the field
+     * values of the records that will be destroyed, captured at plan-build time.
+     * Merges and archives cannot be undone on any provider, so this is the
+     * recovery artifact a human uses to recreate a record by hand if a merge or
+     * archive was wrong — the plan file IS the backup.
+     */
+    recoverySnapshot?: Record<string, unknown>[];
 };
 /**
  * A patch plan is always a dry-run proposal. Applying a plan never mutates

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "fullstackgtm",
-  "version": "0.25.1",
+  "version": "0.26.0",
   "description": "Open-source agentic GTM ops framework: canonical GTM data model, pluggable deterministic audits, reviewable dry-run patch plans, approval-gated write-back with conflict detection, and cross-system entity resolution. HubSpot, Salesforce, and Stripe connectors included.",
   "license": "Apache-2.0",
   "author": "Full Stack GTM",

package/src/bulkUpdate.ts

@@ -27,6 +27,7 @@
  * `account.ownerId`, `account.contactCount`; accounts get `contactCount`
  * and `openDealCount`.
  */
+import { recoverableFields } from "./dedupe.ts";
 import { normalizeDomain } from "./merge.ts";
 import { stableHash } from "./rules.ts";
 import type {
@@ -399,7 +400,11 @@ export function buildBulkUpdatePlan(
         beforeValue: null,
         afterValue: null,
         riskLevel: "high",
-        rollback: "Archived records can be restored from the provider's recycle bin within its retention window.",
+        // Carry the human's explicit force decision to the apply-time guard, and
+        // snapshot the record so it can be recreated if the archive was wrong.
+        ...(options.forceArchiveDuplicates ? { forceArchiveDuplicate: true } : {}),
+        recoverySnapshot: [recoverableFields(record)],
+        rollback: "Archived records can be restored from the provider's recycle bin within its retention window; recoverySnapshot also retains the field values.",
       });
       continue;
     }

package/src/cli.ts

@@ -34,6 +34,7 @@ import {
 import { generateDemoSnapshot } from "./demo.ts";
 import { formatPatchPlanRun, patchPlanToMarkdown } from "./format.ts";
 import { mergeSnapshots } from "./merge.ts";
+import { verifyApprovalDigests } from "./integrity.ts";
 import { createFilePlanStore } from "./planStore.ts";
 import { auditReportToHtml, auditReportToMarkdown, type ReportOptions } from "./report.ts";
 import { builtinAuditRules } from "./rules.ts";
@@ -60,6 +61,7 @@ import {
   type CallDocument,
 } from "./marketOverlay.ts";
 import { computeScaleIndex, scaleReportToText } from "./marketScale.ts";
+import { suggestMarketConfig } from "./marketTaxonomy.ts";
 import { buildWorksheet, classifyMarket } from "./marketClassify.ts";
 import { marketMapToHtml, marketMapToMarkdown } from "./marketReport.ts";
 import {
@@ -109,6 +111,8 @@ import {
   parseCron,
   renderManagedBlock,
   replaceManagedBlock,
+  assertSingleLineLabel,
+  hasControlChar,
   scheduleId,
   systemCrontabIo,
   tokenizeCommand,
@@ -974,6 +978,8 @@ async function marketCommand(args: string[]) {
   if (!subcommand || subcommand === "--help" || subcommand === "-h" || rest.includes("--help") || rest.includes("-h")) {
     console.log(`Usage:
 market init --category <name> [--out <path>]   write a starter market.config.json
+market init --category <name> --auto --vendor <url> [--vendor <url>...] [--anchor <url>] [--max-claims n]
+                                               LLM-propose vendors + claim taxonomy from seed pages (needs an API key)
 market capture [--config <path>] [--run <label>]
 market classify [--run <label>] [--capture-run <label>] [--vendor <id>] [--model m] [--out <path>]
 market worksheet --vendor <id> [--capture-run <label>] [--out <path>]
@@ -1023,6 +1029,31 @@ recomputed deterministically on every invocation — never stored.`);
     if (!category) throw new Error("market init requires --category <name>");
     const outPath = resolve(process.cwd(), option(rest, "--out") ?? "market.config.json");
     if (existsSync(outPath)) throw new Error(`${outPath} already exists — refusing to overwrite`);
+
+    if (rest.includes("--auto")) {
+      const vendorUrls = repeatedOption(rest, "--vendor");
+      if (vendorUrls.length === 0) {
+        throw new Error("market init --auto requires at least one --vendor <url> (the competitor homepages to seed from)");
+      }
+      const anchorUrl = option(rest, "--anchor");
+      const credential = await requireLlmCredential("market classify");
+      console.error(`Capturing ${vendorUrls.length} seed page(s) and proposing a claim taxonomy with ${credential.provider}…`);
+      const { config, unreadableVendorIds, model } = await suggestMarketConfig({
+        category,
+        vendors: vendorUrls.map((url) => ({ url, anchor: anchorUrl ? url === anchorUrl : false })),
+        llm: { ...credential, model: option(rest, "--model") ?? undefined },
+        maxClaims: numericOption(rest, "--max-claims"),
+      });
+      writeFileSync(outPath, `${JSON.stringify(config, null, 2)}\n`);
+      if (unreadableVendorIds.length > 0) {
+        console.error(`Note: no readable text for ${unreadableVendorIds.join(", ")} — excluded from taxonomy grounding.`);
+      }
+      console.log(
+        `Wrote ${outPath}: ${config.vendors.length} vendors, ${config.claims.length} proposed claims (${model}). Review it, then: fullstackgtm market refresh`,
+      );
+      return;
+    }
+
     writeFileSync(outPath, `${JSON.stringify(starterMarketConfig(category), null, 2)}\n`);
     console.log(`Wrote ${outPath}. Fill in vendors and claims, then: fullstackgtm market capture`);
     return;
@@ -1831,6 +1862,7 @@ trigger: manual. status shows next firing and surfaces missed firings
     const label =
       option(rest, "--label") ??
       argv.filter((arg) => !arg.startsWith("--")).slice(0, 2).join("-").replace(/[^\w.-]+/g, "-");
+    assertSingleLineLabel(label);
     const entry: ScheduleEntry = {
       id: scheduleId(label, cron.source, argv, createdAt),
       label,
@@ -2052,12 +2084,26 @@ function scheduleCliInvocation(): string {
   if (!script || !existsSync(script)) {
     throw new Error("Cannot resolve the fullstackgtm entry point for crontab lines (process.argv[1] is missing).");
   }
+  // A newline/control char in any of these flows verbatim into the crontab
+  // executable line; single-quote escaping defends the shell, not cron's line
+  // parser. Refuse early with a clear message (renderManagedBlock re-checks).
+  for (const [name, value] of [
+    ["FSGTM_HOME", process.env.FSGTM_HOME],
+    ["the node executable path", process.execPath],
+    ["the CLI script path", script],
+  ] as const) {
+    if (value && hasControlChar(value)) {
+      throw new Error(`Cannot install schedules: ${name} contains a newline or control character.`);
+    }
+  }
   const quote = (value: string) => `'${value.replace(/'/g, `'\\''`)}'`;
   const parts = [quote(process.execPath)];
   if (script.endsWith(".ts")) parts.push("--experimental-strip-types");
   parts.push(quote(script));
   const home = process.env.FSGTM_HOME ? `FSGTM_HOME=${quote(process.env.FSGTM_HOME)} ` : "";
-  return home + parts.join(" ");
+  // cron treats an unescaped `%` in the command field as a newline/stdin split.
+  // Escape it as `\%` so a stray `%` in a path can't truncate the managed line.
+  return (home + parts.join(" ")).replace(/%/g, "\\%");
 }
 
 /**
@@ -2535,7 +2581,40 @@ async function apply(args: string[]) {
     }
     plan = stored.plan;
     approvedOperationIds = stored.approvedOperationIds;
+    // Downgrade guard: an approved plan with no signatures is either pre-0.26
+    // (re-approve to gain them) or had its approvalDigests stripped to skip the
+    // integrity check. Either way, refuse rather than fall back to trusting the
+    // file. (A plan with zero approved operations has nothing to apply anyway.)
+    if (stored.approvedOperationIds.length > 0 && !stored.approvalDigests) {
+      throw new Error(
+        `Refusing to apply plan ${planId}: it was approved without integrity signatures ` +
+          "(approved before 0.26.0, or its signatures were removed). Re-approve it with " +
+          `\`fullstackgtm plans approve ${planId} --operations <ids|all>\`.`,
+      );
+    }
+    // Integrity gate: the plan file is re-read from disk, so verify each approved
+    // operation still matches what was signed at approval. Verify against the
+    // EFFECTIVE overrides (stored ∪ apply-time --value): the invariant is "what
+    // gets written must equal what was signed", so an apply-time --value that
+    // changes a value the human did not approve is treated as tamper, not a live
+    // override. A mismatch means the plan/overrides were edited after approval —
+    // refuse the whole apply rather than write an unapproved value.
     valueOverrides = { ...stored.valueOverrides, ...parseValueOverrides(args) };
+    const verification = verifyApprovalDigests(
+      stored.plan.operations,
+      stored.approvedOperationIds,
+      valueOverrides,
+      stored.approvalDigests,
+    );
+    if (!verification.ok) {
+      const detail =
+        verification.reason === "no_key"
+          ? "the plan-signing key is missing (was this plan approved on another machine?). Re-approve it here with `fullstackgtm plans approve`."
+          : `these operations differ from what was approved: ${verification.tampered.join(", ")}. ` +
+            "If you changed a value at apply time, set it at approval instead (`plans approve --value <op>=<v>`) and re-approve; " +
+            "otherwise the plan was edited after approval — review and re-approve.";
+      throw new Error(`Refusing to apply plan ${planId}: ${detail}`);
+    }
   } else {
     const approve = option(args, "--approve");
     if (!approve) {

package/src/connector.ts

@@ -1,5 +1,7 @@
+import { dedupeKey } from "./dedupe.ts";
 import { requiresHumanInput } from "./rules.ts";
 import type {
+  CanonicalGtmSnapshot,
   GtmConnector,
   PatchOperation,
   PatchOperationResult,
@@ -8,6 +10,75 @@ import type {
   PatchPlanRunStatus,
 } from "./types.ts";
 
+const IRREVERSIBLE_OPERATIONS = new Set(["merge_records", "archive_record"]);
+const IDENTITY_KEY_BY_TYPE: Partial<Record<string, "domain" | "email">> = {
+  account: "domain",
+  contact: "email",
+};
+
+/** snapshot collection for an object type */
+function collectionFor(objectType: string): "accounts" | "contacts" | "deals" | null {
+  if (objectType === "account") return "accounts";
+  if (objectType === "contact") return "contacts";
+  if (objectType === "deal") return "deals";
+  return null;
+}
+
+/**
+ * Drift/safety check for the two IRREVERSIBLE operations against a fresh
+ * snapshot. Returns a conflict detail string, or null if the op is safe to
+ * apply. These operations get NO field compare-and-set (there is no single
+ * field to compare), so this snapshot check is their only guard.
+ */
+function checkIrreversibleOp(operation: PatchOperation, snapshot: CanonicalGtmSnapshot): string | null {
+  const collection = collectionFor(operation.objectType);
+  if (!collection) return null;
+  const records = snapshot[collection] as Array<Record<string, unknown>>;
+  const byId = (id: string) => records.find((record) => String(record.id) === id);
+
+  if (operation.operation === "archive_record") {
+    if (!byId(operation.objectId)) {
+      return `Record ${operation.objectType}/${operation.objectId} no longer exists (already archived or merged). Re-plan against current data.`;
+    }
+    // Archiving a duplicate discards data a merge would keep — refuse unless the
+    // human explicitly forced it. This catches every archive_record path (agent,
+    // hand-edited plan, audit), not just `bulk-update --archive`.
+    if (!operation.forceArchiveDuplicate) {
+      const keyName = IDENTITY_KEY_BY_TYPE[operation.objectType];
+      if (keyName) {
+        const target = byId(operation.objectId)!;
+        const key = dedupeKey(target, keyName);
+        if (key) {
+          const sharers = records.filter(
+            (record) => String(record.id) !== operation.objectId && dedupeKey(record, keyName) === key,
+          );
+          if (sharers.length > 0) {
+            return (
+              `Refusing to archive ${operation.objectType}/${operation.objectId}: it shares ${keyName} "${key}" with ` +
+              `${sharers.length} other record(s) — that's a duplicate, and archiving discards its data where merging keeps it. ` +
+              `Merge with \`fullstackgtm dedupe ${operation.objectType} --key ${keyName}\` instead, or rebuild the op with --force-archive-duplicates.`
+            );
+          }
+        }
+      }
+    }
+    return null;
+  }
+
+  if (operation.operation === "merge_records") {
+    if (!byId(operation.objectId)) {
+      return `Merge survivor ${operation.objectType}/${operation.objectId} no longer exists (archived or merged away since the plan was built). Re-plan — merges are irreversible.`;
+    }
+    const groupIds = Array.isArray(operation.beforeValue) ? (operation.beforeValue as unknown[]).map(String) : [];
+    const losersStillPresent = groupIds.filter((id) => id !== operation.objectId && byId(id));
+    if (groupIds.length > 0 && losersStillPresent.length === 0) {
+      return `Every record to merge into ${operation.objectType}/${operation.objectId} is already gone (merge already applied?). Nothing to do — re-plan if duplicates remain.`;
+    }
+    return null;
+  }
+  return null;
+}
+
 export type ApplyPatchPlanOptions = {
   /**
    * Explicit allow-list of operation ids the human approved. Operations not
@@ -79,10 +150,20 @@ export async function applyPatchPlan(
   // closed — but it can be shrunk: re-run the snapshot checks after the
   // first write and every `recheckEvery` writes, conflicting out any
   // operation whose record went stale mid-run.
+  // Irreversible ops (merge/archive) need a fresh snapshot too — it is their
+  // only drift/safety guard (no field to compare-and-set). Respect a caller's
+  // explicit checkConflicts:false opt-out (a stub/known-stale snapshot).
+  const hasIrreversibleApproved =
+    checkConflicts &&
+    plan.operations.some(
+      (operation) => approved.has(operation.id) && IRREVERSIBLE_OPERATIONS.has(operation.operation),
+    );
   const needsSnapshot =
-    ((plan.guards && plan.guards.length > 0) || plan.filter) && connector.fetchSnapshot;
+    ((plan.guards && plan.guards.length > 0) || plan.filter || hasIrreversibleApproved) &&
+    connector.fetchSnapshot;
   const recheckEvery = Math.max(1, options.recheckEvery ?? 25);
   const staleIds = new Set<string>();
+  const irreversibleStale = new Map<string, string>();
   let guardFailure: string | null = null;
   const refreshSnapshotChecks = async (): Promise<void> => {
     if (!needsSnapshot) return;
@@ -95,6 +176,14 @@ export async function applyPatchPlan(
         if (!stillEligible.has(operation.objectId)) staleIds.add(operation.objectId);
       }
     }
+    irreversibleStale.clear();
+    if (checkConflicts) {
+      for (const operation of plan.operations) {
+        if (!approved.has(operation.id) || !IRREVERSIBLE_OPERATIONS.has(operation.operation)) continue;
+        const detail = checkIrreversibleOp(operation, liveSnapshot);
+        if (detail) irreversibleStale.set(operation.id, detail);
+      }
+    }
     for (const guard of plan.guards ?? []) {
       const failure = evaluateGuard(liveSnapshot, guard);
       if (failure) {
@@ -232,6 +321,12 @@ export async function applyPatchPlan(
       if (operation.groupId) poisonedGroups.add(operation.groupId);
       continue;
     }
+    const irreversibleConflict = irreversibleStale.get(operation.id);
+    if (irreversibleConflict) {
+      results.push({ operationId: operation.id, status: "conflict", detail: irreversibleConflict });
+      if (operation.groupId) poisonedGroups.add(operation.groupId);
+      continue;
+    }
     if (operation.groupId && poisonedGroups.has(operation.groupId)) {
       results.push({
         operationId: operation.id,

package/src/connectors/hubspot.ts

@@ -77,8 +77,11 @@ export function createHubspotConnector(options: HubspotConnectorOptions): Requir
       throw new Error(`Cannot reach HubSpot at ${baseUrl}${cause}. Check network access.`);
     }
     if (!response.ok) {
-      const body = await response.text();
-      throw new Error(`HubSpot API error ${response.status}: ${body}`);
+      // Status line only — HubSpot 4xx bodies echo submitted property values
+      // (contact emails, company domains) and the request payload, and these
+      // errors are persisted into scheduled-run records. Never interpolate it.
+      await response.text().catch(() => undefined);
+      throw new Error(`HubSpot API error ${response.status}. Check the token scopes and request.`);
     }
     // DELETE and some association writes return 204 with an empty body.
     const text = await response.text();

package/src/connectors/salesforce.ts

@@ -88,8 +88,10 @@ export function createSalesforceConnector(
       );
     }
     if (!response.ok) {
-      const body = await response.text();
-      throw new Error(`Salesforce API error ${response.status}: ${body}`);
+      // Status line only — the body echoes submitted field values and the
+      // request, and these errors are persisted into scheduled-run records.
+      await response.text().catch(() => undefined);
+      throw new Error(`Salesforce API error ${response.status}. Check the token and request.`);
     }
     // Salesforce PATCH returns 204 No Content on success.
     const text = await response.text();

package/src/connectors/stripe.ts

@@ -46,8 +46,10 @@ export function createStripeConnector(options: StripeConnectorOptions): GtmConne
       headers: { Authorization: `Bearer ${apiKey}` },
     });
     if (!response.ok) {
-      const body = await response.text();
-      throw new Error(`Stripe API error ${response.status}: ${body}`);
+      // Status line only — the body can echo request details bound to a live
+      // billing key, and these errors land in scheduled-run records.
+      await response.text().catch(() => undefined);
+      throw new Error(`Stripe API error ${response.status}. Check the restricted key and request.`);
     }
     return response.json();
   }

package/src/credentials.ts

@@ -4,6 +4,7 @@ import {
   mkdirSync,
   readdirSync,
   readFileSync,
+  statSync,
   unlinkSync,
   writeFileSync,
 } from "node:fs";
@@ -143,8 +144,31 @@ export function writeSecureFile(path: string, contents: string) {
   }
 }
 
+/**
+ * The 0600/0700 guarantee was write-only: a credentials.json inherited at
+ * looser permissions (a restored backup, a file created by another tool, a
+ * cloned home) was read and trusted regardless of its actual mode. Enforce the
+ * mode on read too — re-tighten to 0600 and warn once — so a world-readable
+ * credential store can't sit there silently leaking the token to other users.
+ */
+function enforceCredentialFileMode(path: string): void {
+  try {
+    const mode = statSync(path).mode & 0o777;
+    if ((mode & 0o077) !== 0) {
+      chmodSync(path, 0o600);
+      console.error(
+        `fullstackgtm: tightened ${path} from ${mode.toString(8).padStart(3, "0")} to 600 ` +
+          "(it was readable or writable by other users).",
+      );
+    }
+  } catch {
+    // Missing file or non-POSIX filesystem: nothing to enforce.
+  }
+}
+
 function readFile(): CredentialsFile {
   try {
+    enforceCredentialFileMode(credentialsPath());
     const parsed = JSON.parse(readFileSync(credentialsPath(), "utf8"));
     if (parsed && typeof parsed === "object" && parsed.version === 1 && parsed.providers) {
       return parsed as CredentialsFile;

package/src/dedupe.ts

@@ -65,6 +65,21 @@ function populatedDataFields(record: Record<string, unknown>): number {
   ).length;
 }
 
+/**
+ * The subset of a record worth keeping as a merge-recovery artifact: its id (to
+ * reference) plus every populated data field, dropping bulky/plumbing fields
+ * (raw, identities, provenance) that aren't needed to recreate it by hand.
+ */
+export function recoverableFields(record: Record<string, unknown>): Record<string, unknown> {
+  const out: Record<string, unknown> = { id: String(record.id) };
+  for (const [field, value] of Object.entries(record)) {
+    if (NON_DATA_FIELDS.has(field)) continue;
+    if (value === undefined || value === null || value === "") continue;
+    out[field] = value;
+  }
+  return out;
+}
+
 /** True when id `a` sorts before id `b` — numeric when both ids are numeric. */
 function idBefore(a: string, b: string): boolean {
   const numericA = Number(a);
@@ -137,6 +152,12 @@ export function buildDedupePlan(
     const groupIds = members
       .map((member) => String(member.id))
       .sort((a, b) => (idBefore(a, b) ? -1 : 1));
+    // Recovery artifact: the records that will be merged away (everyone but the
+    // survivor), captured with their field values so a human can recreate one by
+    // hand if the merge was wrong. Merges are irreversible — the plan is the backup.
+    const recoverySnapshot = members
+      .filter((member) => String(member.id) !== String(survivor.id))
+      .map((member) => recoverableFields(member));
     const survivorName =
       typeof survivor.name === "string" && survivor.name
         ? survivor.name
@@ -162,8 +183,9 @@ export function buildDedupePlan(
       approvalRequired: true,
       sourceRuleOrPolicy: "dedupe",
       groupId: `grp_${options.objectType}_${String(survivor.id)}`,
+      recoverySnapshot,
       rollback:
-        "IRREVERSIBLE: provider merges cannot be unmerged. The pre-apply snapshot retains every record's field values; recreate a record manually from it if a merge was wrong.",
+        "IRREVERSIBLE: provider merges cannot be unmerged. recoverySnapshot on this operation retains every merged-away record's field values; recreate a record manually from it if a merge was wrong.",
     });
   }
 

package/src/enrich.ts

@@ -394,6 +394,29 @@ function valueToString(value: unknown): string {
   return "";
 }
 
+/**
+ * CSV/formula-injection neutralization for string values destined for a CRM
+ * write. Third-party export rows (Clay CSV, webhook JSON) can contain cells
+ * like `=cmd|'/c calc'!A1` or `@SUM(...)`; written verbatim to a CRM field they
+ * lie dormant until someone exports the CRM to CSV and opens it in a spreadsheet,
+ * where the leading `= + - @` (or a leading tab/CR) makes the client execute it.
+ * We prefix a single apostrophe — the spreadsheet-standard escape that renders
+ * the cell as literal text. Numeric values bypass this (they're written as
+ * numbers, not strings), so signed numbers keep full fidelity; a phone number
+ * supplied as a string and starting with `+` gains a leading `'`, which the
+ * human sees in the approved diff. Applied only at the write path, never to
+ * match keys.
+ */
+function neutralizeFormulaInjection(value: string): string {
+  if (value && /^[=+\-@\t\r]/.test(value)) return `'${value}`;
+  return value;
+}
+
+/** valueToString for a value that will be written to a CRM field. */
+function writeSafeString(value: unknown): string {
+  return neutralizeFormulaInjection(valueToString(value));
+}
+
 // ---------------------------------------------------------------------------
 // Matching: ordered keys, unique-hit-wins, zero-hits-next-key,
 // multi-hit → onAmbiguous. Ambiguity is surfaced, never resolved by coin flip.
@@ -708,7 +731,7 @@ export function buildEnrichPlan(options: BuildEnrichPlanOptions): EnrichPlanResu
           operation: "set_field",
           field: canonicalField,
           beforeValue: currentValue ?? null,
-          afterValue: typeof sourceValue === "number" ? sourceValue : valueToString(sourceValue),
+          afterValue: typeof sourceValue === "number" ? sourceValue : writeSafeString(sourceValue),
           reason:
             `${source} ${record.objectType} "${describeSourceRecord(record)}" (matched by ` +
             `${outcome.matchedKey}) reports a changed value for ${canonicalField}.`,
@@ -726,7 +749,7 @@ export function buildEnrichPlan(options: BuildEnrichPlanOptions): EnrichPlanResu
       if (isEmptyValue(sourceValue)) continue;
       if (!isEmptyValue(currentValue)) continue;
       emittedForRecord = true;
-      const afterValue = typeof sourceValue === "number" ? sourceValue : valueToString(sourceValue);
+      const afterValue = typeof sourceValue === "number" ? sourceValue : writeSafeString(sourceValue);
       operations.push({
         id: `op_enr_${fnv1a(`${source}:${record.objectType}:${outcome.recordId}:${canonicalField}`)}`,
         objectType: canonicalObjectType(record.objectType),