fullstackgtm 0.25.2 → 0.27.0

package/CHANGELOG.md

@@ -5,6 +5,104 @@ The format follows [Keep a Changelog](https://keepachangelog.com/en/1.1.0/),
 and the project adheres to [Semantic Versioning](https://semver.org/).
 The path to 1.0 is planned in [docs/roadmap-to-1.0.md](./docs/roadmap-to-1.0.md).
 
+## [0.27.0] — 2026-06-16
+
+Trust, compliance & transparency — the artifacts a skeptical buyer's security
+and procurement review asks for, plus an exportable audit trail and two
+content-grounding fixes. Security-relevant additions were re-attacked before
+release (the audit-log signing and the transcript gate each took two rounds).
+
+### Added
+
+- **`audit-log export` / `audit-log verify`** — a tamper-evident record of every
+  apply run, flattened across all plans into a hash chain, with the head
+  HMAC-signed by the per-install key. Exports are always signed; `verify`
+  recomputes the chain and refuses an edited, reordered, truncated, or
+  signature-stripped log (and reports it as unverifiable on a machine without
+  the key). The change-management/SIEM artifact the prior audit flagged as
+  missing.
+- **`SECURITY.md`** — disclosure address (security@fullstackgtm.com) and the
+  full trust model (credential custody, approval gating, approval-integrity
+  signing, scheduling, untrusted-input handling, auditability).
+- **`DATA-FLOWS.md`** — exactly what data leaves the machine, to which endpoint,
+  for which command, and under whose account; the "CLI is BYO-key, no
+  vendor data path, no sub-processors" statement procurement needs; and how to
+  run the whole loop with zero third-party calls.
+- **Company-of-record** — `package.json` author and a `NOTICE` file now name
+  Full Stack GTM with a contact; LICENSE unchanged (Apache-2.0).
+
+### Security
+
+- **Call-transcript insight grounding.** LLM-extracted call insights are now
+  mechanically verified: the evidence quote must be a non-trivial verbatim span
+  of the transcript, and for `next_step` (the only insight whose text is written
+  to the CRM) the written action itself must be grounded in that quote — every
+  number/amount must appear in the quote, and the action's distinctive terms
+  must overlap it. This closes the prompt-injection path where a transcript
+  fabricates a malicious next step accompanied by an innocuous real quote. (This
+  is defense-in-depth on a human-approved path; a determined paraphrase-style
+  injection still surfaces to the approver as the proposed value.)
+
+### Changed
+
+- README now states the design as **deterministic apply, governed suggest** and
+  cites the current 1,020-run / five-model benchmark (was a stale 612-run line);
+  a CI guard fails if the documented synthetic-scenario count drifts from the
+  code.
+
+## [0.26.0] — 2026-06-15
+
+Write-path integrity — the "no write without approval" guarantee now binds to
+operation *content*, and the two irreversible operations finally get a guard.
+Each fix verified by a refute-by-default re-attack; the integrity binding took
+three rounds (the re-attack kept finding unsigned fields that reach a write).
+
+### Added
+
+- **Plan-approval integrity signatures.** `plans approve` now HMAC-signs each
+  approved operation's full apply-relevant content (operation, object, field,
+  before/after value, group, preconditions, force flags, the approved value
+  override, and reason) with a per-install key (`$FSGTM_HOME/.plan-signing-key`,
+  0600). `apply --plan-id` re-verifies and refuses the whole apply if any
+  approved operation changed since approval, if the plan was approved without
+  signatures (downgrade guard), or if the signing key is absent (a plan
+  approved on another machine fails closed). The invariant: **what gets written
+  equals what the human signed** — a plan file edited between approval and apply
+  (by a synced/backed-up copy, a co-tenant, or a compromised dependency) is
+  caught instead of executed. apply-time `--value` is folded into the check, and
+  a scheduled `apply` may not take `--value` (it must write exactly the signed
+  values).
+- **Recovery snapshots on irreversible operations.** `dedupe` merge ops and
+  `bulk-update --archive` ops now carry `recoverySnapshot` — the field values of
+  every record that will be destroyed — so the rollback instruction ("recreate
+  it by hand") is backed by actual data in the plan, which is the backup.
+
+### Security
+
+- **Apply-time guard against destroying duplicates (the benchmark self-own).**
+  `apply` now refuses any `archive_record` whose target still shares an identity
+  key (account domain / contact email) with another live record — unless the
+  human explicitly forced it (`--force-archive-duplicates`, which is recorded on
+  the operation and signed). This catches every path (agent-driven, hand-edited,
+  audit), not just `bulk-update`, so an agent on a dedupe task can no longer
+  silently archive a record where it should merge — the rail is safe regardless
+  of model strength.
+- **Drift guard for irreversible operations.** `merge_records` and
+  `archive_record` got no compare-and-set (there is no single field to compare).
+  Apply now checks a fresh snapshot: a merge whose survivor is gone, or whose
+  duplicates are already merged, and an archive of a record that no longer
+  exists, all conflict out instead of firing an irreversible, replay-unsafe write.
+
+### Notes
+
+- The CAS empty/null equivalence in field compare-and-set is intentional (CRMs
+  normalize `""`↔`null` server-side; distinguishing them would cause false
+  conflicts). Known residuals for a follow-up: the archive-duplicate guard keys
+  on domain/email only, so `dedupe --key name` (and deal dedupe, which has no
+  identity key) are not guarded against destructive archive — use `dedupe`
+  (merge) for those; and `marketMapToMarkdown` is not HTML-escaped (the HTML
+  report is).
+
 ## [0.25.2] — 2026-06-15
 
 Security hardening I — confirmed fixes from an adversarial audit (each verified

package/DATA-FLOWS.md

@@ -0,0 +1,52 @@
+# Data flows & trust boundary
+
+A procurement / security review needs to know exactly what data leaves the
+machine, to which endpoint, and under whose account. This is that enumeration
+for the open-source `fullstackgtm` CLI. The short version: **the CLI is
+bring-your-own-key and talks directly to services you already control — there
+is no fullstackgtm-operated server in the data path for the open package.**
+
+## What stays local
+
+- CRM snapshots, patch plans, approvals, apply-run records, market captures and
+  observations, enrich run state, and the signing/credential stores all live
+  under `$FSGTM_HOME` (default `~/.fullstackgtm`), `0600`/`0700`. Nothing is
+  uploaded to Full Stack GTM.
+- No telemetry, analytics, or phone-home. The core package has zero runtime
+  dependencies; the only network calls are the ones listed below, all to
+  endpoints you configure.
+
+## What leaves the machine, by command
+
+| Command(s) | Destination | Data sent | Auth |
+|---|---|---|---|
+| `snapshot`, `audit`, `apply`, `resolve`, `bulk-update`, `dedupe`, `reassign`, `fix`, `enrich` (writeback) | **Your CRM** (HubSpot / Salesforce / Stripe API) | Reads: your CRM records. Writes: only approved patch operations. | Your CRM token (env / stored / broker) |
+| `call parse`, `call score`, `market classify`, `market refresh` | **Your LLM provider** (api.anthropic.com or api.openai.com) | The call transcript / captured competitor page text you point at, plus the extraction prompt | Your `ANTHROPIC_API_KEY` / `OPENAI_API_KEY` (BYO) |
+| `enrich append --source apollo`, `enrich refresh` | **Apollo** (api.apollo.io) | The company domain / contact email being enriched | Your `APOLLO_API_KEY` (BYO) |
+| `market capture`, `market refresh` | **Public vendor websites** you list in `market.config.json` | An HTTP GET (no data sent beyond the request); SSRF-guarded to public hosts only | none |
+| `login --via <url>` (optional) | **Your hosted deployment's broker** | A pairing handshake; the broker mints short-lived CRM tokens | broker pairing token |
+
+Commands not listed (`plans`, `rules`, `doctor`, `schedule`, `audit-log`,
+`diff`, `merge`, report rendering) make **no network calls**.
+
+## Avoiding third-party data egress
+
+- **LLM verbs are optional.** `call parse --deterministic` uses a free,
+  offline keyword baseline (no LLM call). `market worksheet` lets an agent or
+  human classify without the CLI making an LLM call. A regulated deployment can
+  run the full audit → plan → apply loop with **zero third-party calls** —
+  CRM-only.
+- **No data is sent for training.** Anthropic, OpenAI, and Apollo are reached
+  with your own API keys under your own agreements; their data-handling terms
+  (and any DPA you have with them) govern that traffic. Full Stack GTM is not
+  in that path and is not a sub-processor for the open-source CLI.
+
+## Sub-processors
+
+For the **open-source CLI**: none (BYO-key, direct-to-service). The data
+controllers are you and the providers whose keys you supply.
+
+For the **hosted application** (a separate, proprietary product — not this
+package): a sub-processor list and DPA are provided through that product's
+agreement. If you are evaluating the hosted product, request them from
+security@fullstackgtm.com.

package/NOTICE

@@ -0,0 +1,5 @@
+fullstackgtm
+Copyright 2026 Full Stack GTM
+
+This product is developed and maintained by Full Stack GTM (https://fullstackgtm.com).
+Licensed under the Apache License, Version 2.0 (see LICENSE).

package/README.md

@@ -219,7 +219,9 @@ fullstackgtm diff --before old.json --after new.json --fail-on-new-findings
 - `--demo` (with `--seed`) generates a realistic mid-market CRM with injected real-world failure modes — departed owners, unlinked deals, orphan accounts, stale pipeline — so agents and CI can exercise the full snapshot → audit → apply pipeline with zero credentials.
 - Exit codes: `0` success, `1` error, `2` findings at/above `--fail-on`.
 
-"Built for agents" is measured, not asserted: a 612-run benchmark (17 scenarios × 3 tool-surface arms × 4 trials, deterministic graders over final CRM state, τ-bench-style pass^k) shows the gated CLI surface beating raw CRM-API access on completion-under-policy for every model tested. Full matrix and methodology: [the leaderboard](./evals/crm/leaderboard/RESULTS.md).
+"Built for agents" is measured, not asserted: a 1,020-run benchmark (17 scenarios = 14 synthetic + 3 seeded from an anonymized real portal, × 3 tool-surface arms × 4 trials, across five models from three vendors, deterministic graders over final CRM state, τ-bench-style pass^k) shows the gated CLI surface beating raw CRM-API access on completion-under-policy for every model tested — and the tool-surface effect is monotonic and vendor-independent. Full matrix and methodology: [the leaderboard](./evals/crm/leaderboard/RESULTS.md).
+
+The design is **deterministic apply, governed suggest**: the parts that touch your CRM — the audit rules, the plan/apply contract, compare-and-set, the survivor/merge logic — are deterministic and replayable; the parts that read free text (`call parse`/`score`, `market classify`) are LLM-powered but bounded, with every quoted span mechanically verified against the source before it can drive a writeback. Nondeterministic suggestion, deterministic governance.
 
 ## Authentication: CLI-first, browser only at the consent moment
 

package/SECURITY.md

@@ -0,0 +1,69 @@
+# Security Policy
+
+fullstackgtm reads and writes live CRM data under the operator's own
+credentials. We take its security posture seriously and design the write path
+to fail closed. This document is the disclosure process and the trust model a
+security reviewer needs.
+
+## Reporting a vulnerability
+
+Email **security@fullstackgtm.com** with a description and, ideally, a
+reproduction. Please do not open a public issue for a security report. We aim
+to acknowledge within 3 business days and to ship a fix or mitigation before
+any public disclosure. There is no bounty program yet; credit is given in the
+changelog unless you prefer otherwise.
+
+Supported version: the latest published `0.x` release on npm. Fixes land on the
+newest version, not backported (the project is pre-1.0).
+
+## Trust model
+
+**Credentials.** API tokens are never accepted as command-line arguments
+(they would leak into the process table and shell history); they come from an
+environment variable or stdin only, and are stored `0600` under a `0700` home
+(`$FSGTM_HOME`, default `~/.fullstackgtm`), re-tightened on read. This is the
+same custody model as the `gcloud`/`aws` CLIs. The hosted broker
+(`login --via`) exists so a team can connect a CRM once, server-side, and hand
+laptops only a revocable pairing token instead of a long-lived super-admin key.
+
+**Writes are approval-gated.** Reads are safe by default. Every change is a
+typed patch operation in a dry-run plan that a human must approve before
+`apply`. `apply` writes only operations whose ids were explicitly approved,
+refuses operations carrying unresolved placeholder values, and uses
+compare-and-set against the live CRM so a value that drifted since the plan was
+built becomes a conflict, not a clobber. Irreversible operations (merge,
+archive) get a fresh-snapshot drift guard, and archiving a record that still
+shares an identity key with another is refused (it's a duplicate — merge it).
+
+**Approval integrity.** At approval time each operation's apply-relevant content
+is HMAC-signed with a per-install key (`$FSGTM_HOME/.plan-signing-key`, `0600`).
+`apply --plan-id` re-verifies; a plan edited after approval — by a synced copy,
+another process, or a compromised dependency — is refused rather than executed.
+The invariant: **what gets written equals what the human signed.** A plan
+approved on one machine cannot be applied on another (the key does not travel).
+Documented boundary: this defends the plan file, not an attacker who already
+holds the signing key (same directory and permissions as the credential store).
+
+**Scheduling never auto-approves.** Scheduled (cron) runs are restricted to a
+read/plan-side allowlist plus `apply --plan-id` whose approved status and
+signatures are re-checked at every firing. Arbitrary shell is not schedulable.
+
+**Untrusted input.** Competitor pages fetched by `market capture` are guarded
+against SSRF (scheme allowlist; private/loopback/link-local/metadata addresses
+refused; redirects re-validated). LLM-extracted call insights and market
+classifications are mechanically verified verbatim against the source text
+before they can drive a writeback, so a prompt-injected transcript or page
+cannot fabricate a grounded-looking change. CSV/formula-injection in ingested
+data is neutralized before it reaches a write.
+
+**Auditability.** `audit-log export` produces a hash-chained, install-signed
+record of every apply run for change-management/SIEM ingestion; `audit-log
+verify` detects any edit or reorder.
+
+## Data flows
+
+What leaves the machine, to whom, and for which command is enumerated in
+[DATA-FLOWS.md](./DATA-FLOWS.md). In brief: the core CLI is BYO-key and talks
+directly to your CRM and (only for LLM/enrichment verbs you invoke) to your
+chosen Anthropic/OpenAI/Apollo accounts — there is no fullstackgtm-operated
+data path for the open-source package.

package/dist/auditLog.d.ts

@@ -0,0 +1,58 @@
+import type { PatchPlanRun } from "./types.ts";
+import type { StoredPlan } from "./planStore.ts";
+/**
+ * Exportable, tamper-evident audit log.
+ *
+ * Every apply run is already recorded per-plan in the store, but a compliance /
+ * change-management process needs ONE portable artifact it can archive and
+ * later prove was not edited. `audit-log export` flattens every run across all
+ * plans into a hash-chained sequence: each entry carries the hash of the
+ * previous entry, so removing, reordering, or editing any entry breaks the
+ * chain at that point and `audit-log verify` reports exactly where. When a
+ * per-install signing key exists, the chain head is also HMAC-signed, so the
+ * export can be attributed to this installation, not just shown internally
+ * consistent.
+ *
+ * This is a point-in-time attestation of the stored run history; it is not a
+ * real-time append-only journal (that is future work). It answers "give me an
+ * auditable record of every change this tool applied, that my auditor can
+ * verify hasn't been doctored."
+ */
+export type AuditLogEntry = {
+    seq: number;
+    planId: string;
+    planTitle: string;
+    provider: string;
+    startedAt: string;
+    finishedAt: string;
+    status: PatchPlanRun["status"];
+    trigger: string;
+    /** operationId → status, the per-operation outcome of this run */
+    operations: Array<{
+        operationId: string;
+        status: string;
+        detail?: string;
+    }>;
+    prevHash: string;
+    hash: string;
+};
+export type AuditLogExport = {
+    version: 1;
+    generatedAt: string;
+    entryCount: number;
+    chainHead: string;
+    /** HMAC of chainHead with the per-install key, or null when no key exists. */
+    signature: string | null;
+    entries: AuditLogEntry[];
+};
+/** Flatten all runs from the stored plans, oldest first, into chained entries. */
+export declare function buildAuditLog(plans: StoredPlan[], generatedAt: string): AuditLogExport;
+export type AuditLogVerification = {
+    ok: boolean;
+    /** seq of the first entry whose hash does not verify, or null if the chain holds */
+    brokenAt: number | null;
+    signatureOk: boolean | null;
+    detail: string;
+};
+/** Recompute the chain (and the signature if a key is available). */
+export declare function verifyAuditLog(log: AuditLogExport): AuditLogVerification;

package/dist/auditLog.js

@@ -0,0 +1,112 @@
+import { createHash, createHmac } from "node:crypto";
+import { loadOrCreateSigningKey, loadSigningKey } from "./integrity.js";
+const GENESIS = "0".repeat(64);
+/** The content that the chain hash covers — everything but prevHash/hash. */
+function entryContent(entry) {
+    return JSON.stringify([
+        entry.seq,
+        entry.planId,
+        entry.planTitle,
+        entry.provider,
+        entry.startedAt,
+        entry.finishedAt,
+        entry.status,
+        entry.trigger,
+        entry.operations,
+    ]);
+}
+function chainHash(prevHash, content) {
+    return createHash("sha256").update(prevHash).update("\n").update(content).digest("hex");
+}
+/** Flatten all runs from the stored plans, oldest first, into chained entries. */
+export function buildAuditLog(plans, generatedAt) {
+    const runs = [];
+    for (const stored of plans) {
+        for (const run of stored.runs ?? [])
+            runs.push({ stored, run });
+    }
+    runs.sort((a, b) => a.run.finishedAt.localeCompare(b.run.finishedAt));
+    const entries = [];
+    let prevHash = GENESIS;
+    runs.forEach(({ stored, run }, index) => {
+        const base = {
+            seq: index,
+            planId: run.planId,
+            planTitle: stored.plan.title,
+            provider: run.provider,
+            startedAt: run.startedAt,
+            finishedAt: run.finishedAt,
+            status: run.status,
+            trigger: run.trigger ?? "manual",
+            operations: run.results.map((result) => ({
+                operationId: result.operationId,
+                status: result.status,
+                ...(result.detail ? { detail: result.detail } : {}),
+            })),
+        };
+        const hash = chainHash(prevHash, entryContent(base));
+        entries.push({ ...base, prevHash, hash });
+        prevHash = hash;
+    });
+    // Always sign — an unsigned export's keyless sha256 chain is self-recomputable
+    // (an attacker can edit entries and rebuild the chain from the public genesis),
+    // so the per-install HMAC is the only real tamper barrier. Bind the header
+    // fields into the signed material so metadata can't be altered either.
+    const key = loadOrCreateSigningKey();
+    const entryCount = entries.length;
+    return {
+        version: 1,
+        generatedAt,
+        entryCount,
+        chainHead: prevHash,
+        signature: signHead(key, 1, generatedAt, entryCount, prevHash),
+        entries,
+    };
+}
+function signHead(key, version, generatedAt, entryCount, chainHead) {
+    return createHmac("sha256", key).update(JSON.stringify([version, generatedAt, entryCount, chainHead])).digest("hex");
+}
+/** Recompute the chain (and the signature if a key is available). */
+export function verifyAuditLog(log) {
+    let prevHash = GENESIS;
+    for (const entry of log.entries) {
+        if (entry.prevHash !== prevHash) {
+            return { ok: false, brokenAt: entry.seq, signatureOk: null, detail: `Chain breaks at entry ${entry.seq}: prevHash does not match the previous entry's hash (an entry was removed, reordered, or edited).` };
+        }
+        const expected = chainHash(prevHash, entryContent(entry));
+        if (expected !== entry.hash) {
+            return { ok: false, brokenAt: entry.seq, signatureOk: null, detail: `Chain breaks at entry ${entry.seq}: its content was edited after export (hash mismatch).` };
+        }
+        prevHash = entry.hash;
+    }
+    if (prevHash !== log.chainHead) {
+        return { ok: false, brokenAt: log.entries.length, signatureOk: null, detail: "The recorded chainHead does not match the recomputed chain." };
+    }
+    // The keyless chain alone is self-recomputable, so a missing/stripped signature
+    // means the export is forgeable — refuse it. (Current exports are always
+    // signed; a null signature is an old/unsigned or a downgraded export.)
+    if (!log.signature) {
+        return {
+            ok: false,
+            brokenAt: null,
+            signatureOk: false,
+            detail: "Unsigned export: the hash chain alone is self-recomputable, so this log cannot be trusted (the signature is absent or was stripped). Re-export on the issuing install.",
+        };
+    }
+    const key = loadSigningKey();
+    if (!key) {
+        // A third party without the issuing install's key cannot verify attribution.
+        // The chain is internally consistent, but that is not proof of authenticity.
+        return {
+            ok: false,
+            brokenAt: null,
+            signatureOk: null,
+            detail: "Chain is internally consistent, but this machine has no signing key to verify the signature — authenticity is unattributed. Verify on the issuing install.",
+        };
+    }
+    const signatureOk = signHead(key, log.version, log.generatedAt, log.entryCount, prevHash) === log.signature;
+    if (!signatureOk) {
+        return { ok: false, brokenAt: null, signatureOk: false, detail: "Signature does not match this installation's key — the log was exported elsewhere, or its entries/metadata were altered after signing." };
+    }
+    return { ok: true, brokenAt: null, signatureOk: true, detail: `Verified ${log.entries.length} entries; chain intact and signature valid.` };
+}

package/dist/bulkUpdate.js

@@ -27,6 +27,7 @@
  * `account.ownerId`, `account.contactCount`; accounts get `contactCount`
  * and `openDealCount`.
  */
+import { recoverableFields } from "./dedupe.js";
 import { normalizeDomain } from "./merge.js";
 import { stableHash } from "./rules.js";
 const FIELD_PATTERN = "[a-zA-Z][a-zA-Z0-9_]*(?:\\.[a-zA-Z][a-zA-Z0-9_]*)?";
@@ -319,7 +320,11 @@ export function buildBulkUpdatePlan(snapshot, options) {
                 beforeValue: null,
                 afterValue: null,
                 riskLevel: "high",
-                rollback: "Archived records can be restored from the provider's recycle bin within its retention window.",
+                // Carry the human's explicit force decision to the apply-time guard, and
+                // snapshot the record so it can be recreated if the archive was wrong.
+                ...(options.forceArchiveDuplicates ? { forceArchiveDuplicate: true } : {}),
+                recoverySnapshot: [recoverableFields(record)],
+                rollback: "Archived records can be restored from the provider's recycle bin within its retention window; recoverySnapshot also retains the field values.",
             });
             continue;
         }

package/dist/cli.d.ts

@@ -33,7 +33,7 @@ export declare function doctorReport(env?: Record<string, string | undefined>):
     llm: {
         configured: boolean;
         provider: LlmProvider;
-        source: "env" | "stored";
+        source: "stored" | "env";
         detail?: undefined;
     } | {
         configured: boolean;

package/dist/cli.js

@@ -13,6 +13,8 @@ import { activeProfile, credentialsPath, DEFAULT_PROFILE, deleteCredential, getC
 import { generateDemoSnapshot } from "./demo.js";
 import { formatPatchPlanRun, patchPlanToMarkdown } from "./format.js";
 import { mergeSnapshots } from "./merge.js";
+import { verifyApprovalDigests } from "./integrity.js";
+import { buildAuditLog, verifyAuditLog } from "./auditLog.js";
 import { createFilePlanStore } from "./planStore.js";
 import { auditReportToHtml, auditReportToMarkdown } from "./report.js";
 import { builtinAuditRules } from "./rules.js";
@@ -22,6 +24,7 @@ import { captureMarket, computeFrontStates, createFileObservationStore, diffFron
 import { assessAxes, axesReportToText } from "./marketAxes.js";
 import { computeDirectives, computeOverlayStats, directivesToPlan, overlayToMarkdown, } from "./marketOverlay.js";
 import { computeScaleIndex, scaleReportToText } from "./marketScale.js";
+import { suggestMarketConfig } from "./marketTaxonomy.js";
 import { buildWorksheet, classifyMarket } from "./marketClassify.js";
 import { marketMapToHtml, marketMapToMarkdown } from "./marketReport.js";
 import { DEFAULT_RUBRIC, detectProviderFromKey, extractInsightsLlm, parseRubric, resolveLlmCredential, scoreCallLlm, validateLlmKey, } from "./llm.js";
@@ -153,6 +156,7 @@ Usage:
   fullstackgtm plans approve <id> --values-from <suggestions.json> [--min-confidence high|low] [--include-creates]
   fullstackgtm apply --plan-id <id> --provider <name>
   fullstackgtm apply --plan <path> --provider <name> --approve <ids|all> [options]
+  fullstackgtm audit-log export [--out <path>] | verify --in <path>   tamper-evident apply-run record
   fullstackgtm rules [--json]
   fullstackgtm profiles [--json]               list credential profiles
   fullstackgtm doctor [--json]                 check install, credentials, and next step
@@ -827,6 +831,8 @@ async function marketCommand(args) {
     if (!subcommand || subcommand === "--help" || subcommand === "-h" || rest.includes("--help") || rest.includes("-h")) {
         console.log(`Usage:
 market init --category <name> [--out <path>]   write a starter market.config.json
+market init --category <name> --auto --vendor <url> [--vendor <url>...] [--anchor <url>] [--max-claims n]
+                                               LLM-propose vendors + claim taxonomy from seed pages (needs an API key)
 market capture [--config <path>] [--run <label>]
 market classify [--run <label>] [--capture-run <label>] [--vendor <id>] [--model m] [--out <path>]
 market worksheet --vendor <id> [--capture-run <label>] [--out <path>]
@@ -877,6 +883,27 @@ recomputed deterministically on every invocation — never stored.`);
         const outPath = resolve(process.cwd(), option(rest, "--out") ?? "market.config.json");
         if (existsSync(outPath))
             throw new Error(`${outPath} already exists — refusing to overwrite`);
+        if (rest.includes("--auto")) {
+            const vendorUrls = repeatedOption(rest, "--vendor");
+            if (vendorUrls.length === 0) {
+                throw new Error("market init --auto requires at least one --vendor <url> (the competitor homepages to seed from)");
+            }
+            const anchorUrl = option(rest, "--anchor");
+            const credential = await requireLlmCredential("market classify");
+            console.error(`Capturing ${vendorUrls.length} seed page(s) and proposing a claim taxonomy with ${credential.provider}…`);
+            const { config, unreadableVendorIds, model } = await suggestMarketConfig({
+                category,
+                vendors: vendorUrls.map((url) => ({ url, anchor: anchorUrl ? url === anchorUrl : false })),
+                llm: { ...credential, model: option(rest, "--model") ?? undefined },
+                maxClaims: numericOption(rest, "--max-claims"),
+            });
+            writeFileSync(outPath, `${JSON.stringify(config, null, 2)}\n`);
+            if (unreadableVendorIds.length > 0) {
+                console.error(`Note: no readable text for ${unreadableVendorIds.join(", ")} — excluded from taxonomy grounding.`);
+            }
+            console.log(`Wrote ${outPath}: ${config.vendors.length} vendors, ${config.claims.length} proposed claims (${model}). Review it, then: fullstackgtm market refresh`);
+            return;
+        }
         writeFileSync(outPath, `${JSON.stringify(starterMarketConfig(category), null, 2)}\n`);
         console.log(`Wrote ${outPath}. Fill in vendors and claims, then: fullstackgtm market capture`);
         return;
@@ -2256,6 +2283,52 @@ function readSuggestionValues(path, minConfidence, includeCreates) {
     }
     return { overrides, skipped };
 }
+async function auditLogCommand(args) {
+    const [sub, ...rest] = args;
+    if (!sub || sub === "--help" || sub === "-h" || (sub !== "export" && sub !== "verify")) {
+        console.log(`Usage:
+audit-log export [--out <path>] [--json]   hash-chained, signed record of every apply run
+audit-log verify [--in <path>]             re-check an exported log's chain and signature
+
+export flattens every apply run across all stored plans (this profile) into a
+tamper-evident chain — each entry carries the prior entry's hash, and the chain
+head is HMAC-signed with this install's key — so a change-management process can
+archive one file and later prove it was not edited. verify recomputes the chain
+and (if the signing key is present) the signature.`);
+        return;
+    }
+    if (sub === "export") {
+        const plans = await createFilePlanStore().list();
+        const log = buildAuditLog(plans, new Date().toISOString());
+        const payload = `${JSON.stringify(log, null, 2)}\n`;
+        const outPath = option(rest, "--out");
+        if (outPath) {
+            writeFileSync(resolve(process.cwd(), outPath), payload);
+            console.log(`Wrote ${outPath}: ${log.entryCount} run(s), chain head ${log.chainHead.slice(0, 12)}${log.signature ? " (signed)" : " (unsigned — no signing key on this install)"}.`);
+        }
+        else if (rest.includes("--json")) {
+            console.log(payload);
+        }
+        else {
+            console.log(`${log.entryCount} apply run(s); chain head ${log.chainHead.slice(0, 12)}${log.signature ? ", signed" : ", unsigned"}. Pass --out <path> to archive, or --json to print.`);
+        }
+        return;
+    }
+    // verify
+    const inPath = option(rest, "--in");
+    if (!inPath)
+        throw new Error("audit-log verify requires --in <exported-log.json>");
+    const log = JSON.parse(readFileSync(resolve(process.cwd(), inPath), "utf8"));
+    const result = verifyAuditLog(log);
+    if (rest.includes("--json")) {
+        console.log(JSON.stringify(result, null, 2));
+    }
+    else {
+        console.log(result.ok ? `OK — ${result.detail}` : `TAMPERED — ${result.detail}`);
+    }
+    if (!result.ok)
+        process.exitCode = 2;
+}
 async function apply(args) {
     const provider = option(args, "--provider");
     if (!provider)
@@ -2277,7 +2350,32 @@ async function apply(args) {
         }
         plan = stored.plan;
         approvedOperationIds = stored.approvedOperationIds;
+        // Downgrade guard: an approved plan with no signatures is either pre-0.26
+        // (re-approve to gain them) or had its approvalDigests stripped to skip the
+        // integrity check. Either way, refuse rather than fall back to trusting the
+        // file. (A plan with zero approved operations has nothing to apply anyway.)
+        if (stored.approvedOperationIds.length > 0 && !stored.approvalDigests) {
+            throw new Error(`Refusing to apply plan ${planId}: it was approved without integrity signatures ` +
+                "(approved before 0.26.0, or its signatures were removed). Re-approve it with " +
+                `\`fullstackgtm plans approve ${planId} --operations <ids|all>\`.`);
+        }
+        // Integrity gate: the plan file is re-read from disk, so verify each approved
+        // operation still matches what was signed at approval. Verify against the
+        // EFFECTIVE overrides (stored ∪ apply-time --value): the invariant is "what
+        // gets written must equal what was signed", so an apply-time --value that
+        // changes a value the human did not approve is treated as tamper, not a live
+        // override. A mismatch means the plan/overrides were edited after approval —
+        // refuse the whole apply rather than write an unapproved value.
         valueOverrides = { ...stored.valueOverrides, ...parseValueOverrides(args) };
+        const verification = verifyApprovalDigests(stored.plan.operations, stored.approvedOperationIds, valueOverrides, stored.approvalDigests);
+        if (!verification.ok) {
+            const detail = verification.reason === "no_key"
+                ? "the plan-signing key is missing (was this plan approved on another machine?). Re-approve it here with `fullstackgtm plans approve`."
+                : `these operations differ from what was approved: ${verification.tampered.join(", ")}. ` +
+                    "If you changed a value at apply time, set it at approval instead (`plans approve --value <op>=<v>`) and re-approve; " +
+                    "otherwise the plan was edited after approval — review and re-approve.";
+            throw new Error(`Refusing to apply plan ${planId}: ${detail}`);
+        }
     }
     else {
         const approve = option(args, "--approve");
@@ -3003,6 +3101,10 @@ export async function runCli(argv) {
         await plansCommand(args);
         return;
     }
+    if (command === "audit-log") {
+        await auditLogCommand(args);
+        return;
+    }
     if (command === "apply") {
         await apply(args);
         return;