fullstackgtm 0.26.0 → 0.27.0

package/CHANGELOG.md

@@ -5,6 +5,51 @@ The format follows [Keep a Changelog](https://keepachangelog.com/en/1.1.0/),
 and the project adheres to [Semantic Versioning](https://semver.org/).
 The path to 1.0 is planned in [docs/roadmap-to-1.0.md](./docs/roadmap-to-1.0.md).
 
+## [0.27.0] — 2026-06-16
+
+Trust, compliance & transparency — the artifacts a skeptical buyer's security
+and procurement review asks for, plus an exportable audit trail and two
+content-grounding fixes. Security-relevant additions were re-attacked before
+release (the audit-log signing and the transcript gate each took two rounds).
+
+### Added
+
+- **`audit-log export` / `audit-log verify`** — a tamper-evident record of every
+  apply run, flattened across all plans into a hash chain, with the head
+  HMAC-signed by the per-install key. Exports are always signed; `verify`
+  recomputes the chain and refuses an edited, reordered, truncated, or
+  signature-stripped log (and reports it as unverifiable on a machine without
+  the key). The change-management/SIEM artifact the prior audit flagged as
+  missing.
+- **`SECURITY.md`** — disclosure address (security@fullstackgtm.com) and the
+  full trust model (credential custody, approval gating, approval-integrity
+  signing, scheduling, untrusted-input handling, auditability).
+- **`DATA-FLOWS.md`** — exactly what data leaves the machine, to which endpoint,
+  for which command, and under whose account; the "CLI is BYO-key, no
+  vendor data path, no sub-processors" statement procurement needs; and how to
+  run the whole loop with zero third-party calls.
+- **Company-of-record** — `package.json` author and a `NOTICE` file now name
+  Full Stack GTM with a contact; LICENSE unchanged (Apache-2.0).
+
+### Security
+
+- **Call-transcript insight grounding.** LLM-extracted call insights are now
+  mechanically verified: the evidence quote must be a non-trivial verbatim span
+  of the transcript, and for `next_step` (the only insight whose text is written
+  to the CRM) the written action itself must be grounded in that quote — every
+  number/amount must appear in the quote, and the action's distinctive terms
+  must overlap it. This closes the prompt-injection path where a transcript
+  fabricates a malicious next step accompanied by an innocuous real quote. (This
+  is defense-in-depth on a human-approved path; a determined paraphrase-style
+  injection still surfaces to the approver as the proposed value.)
+
+### Changed
+
+- README now states the design as **deterministic apply, governed suggest** and
+  cites the current 1,020-run / five-model benchmark (was a stale 612-run line);
+  a CI guard fails if the documented synthetic-scenario count drifts from the
+  code.
+
 ## [0.26.0] — 2026-06-15
 
 Write-path integrity — the "no write without approval" guarantee now binds to

package/DATA-FLOWS.md

@@ -0,0 +1,52 @@
+# Data flows & trust boundary
+
+A procurement / security review needs to know exactly what data leaves the
+machine, to which endpoint, and under whose account. This is that enumeration
+for the open-source `fullstackgtm` CLI. The short version: **the CLI is
+bring-your-own-key and talks directly to services you already control — there
+is no fullstackgtm-operated server in the data path for the open package.**
+
+## What stays local
+
+- CRM snapshots, patch plans, approvals, apply-run records, market captures and
+  observations, enrich run state, and the signing/credential stores all live
+  under `$FSGTM_HOME` (default `~/.fullstackgtm`), `0600`/`0700`. Nothing is
+  uploaded to Full Stack GTM.
+- No telemetry, analytics, or phone-home. The core package has zero runtime
+  dependencies; the only network calls are the ones listed below, all to
+  endpoints you configure.
+
+## What leaves the machine, by command
+
+| Command(s) | Destination | Data sent | Auth |
+|---|---|---|---|
+| `snapshot`, `audit`, `apply`, `resolve`, `bulk-update`, `dedupe`, `reassign`, `fix`, `enrich` (writeback) | **Your CRM** (HubSpot / Salesforce / Stripe API) | Reads: your CRM records. Writes: only approved patch operations. | Your CRM token (env / stored / broker) |
+| `call parse`, `call score`, `market classify`, `market refresh` | **Your LLM provider** (api.anthropic.com or api.openai.com) | The call transcript / captured competitor page text you point at, plus the extraction prompt | Your `ANTHROPIC_API_KEY` / `OPENAI_API_KEY` (BYO) |
+| `enrich append --source apollo`, `enrich refresh` | **Apollo** (api.apollo.io) | The company domain / contact email being enriched | Your `APOLLO_API_KEY` (BYO) |
+| `market capture`, `market refresh` | **Public vendor websites** you list in `market.config.json` | An HTTP GET (no data sent beyond the request); SSRF-guarded to public hosts only | none |
+| `login --via <url>` (optional) | **Your hosted deployment's broker** | A pairing handshake; the broker mints short-lived CRM tokens | broker pairing token |
+
+Commands not listed (`plans`, `rules`, `doctor`, `schedule`, `audit-log`,
+`diff`, `merge`, report rendering) make **no network calls**.
+
+## Avoiding third-party data egress
+
+- **LLM verbs are optional.** `call parse --deterministic` uses a free,
+  offline keyword baseline (no LLM call). `market worksheet` lets an agent or
+  human classify without the CLI making an LLM call. A regulated deployment can
+  run the full audit → plan → apply loop with **zero third-party calls** —
+  CRM-only.
+- **No data is sent for training.** Anthropic, OpenAI, and Apollo are reached
+  with your own API keys under your own agreements; their data-handling terms
+  (and any DPA you have with them) govern that traffic. Full Stack GTM is not
+  in that path and is not a sub-processor for the open-source CLI.
+
+## Sub-processors
+
+For the **open-source CLI**: none (BYO-key, direct-to-service). The data
+controllers are you and the providers whose keys you supply.
+
+For the **hosted application** (a separate, proprietary product — not this
+package): a sub-processor list and DPA are provided through that product's
+agreement. If you are evaluating the hosted product, request them from
+security@fullstackgtm.com.

package/NOTICE

@@ -0,0 +1,5 @@
+fullstackgtm
+Copyright 2026 Full Stack GTM
+
+This product is developed and maintained by Full Stack GTM (https://fullstackgtm.com).
+Licensed under the Apache License, Version 2.0 (see LICENSE).

package/README.md

@@ -219,7 +219,9 @@ fullstackgtm diff --before old.json --after new.json --fail-on-new-findings
 - `--demo` (with `--seed`) generates a realistic mid-market CRM with injected real-world failure modes — departed owners, unlinked deals, orphan accounts, stale pipeline — so agents and CI can exercise the full snapshot → audit → apply pipeline with zero credentials.
 - Exit codes: `0` success, `1` error, `2` findings at/above `--fail-on`.
 
-"Built for agents" is measured, not asserted: a 612-run benchmark (17 scenarios × 3 tool-surface arms × 4 trials, deterministic graders over final CRM state, τ-bench-style pass^k) shows the gated CLI surface beating raw CRM-API access on completion-under-policy for every model tested. Full matrix and methodology: [the leaderboard](./evals/crm/leaderboard/RESULTS.md).
+"Built for agents" is measured, not asserted: a 1,020-run benchmark (17 scenarios = 14 synthetic + 3 seeded from an anonymized real portal, × 3 tool-surface arms × 4 trials, across five models from three vendors, deterministic graders over final CRM state, τ-bench-style pass^k) shows the gated CLI surface beating raw CRM-API access on completion-under-policy for every model tested — and the tool-surface effect is monotonic and vendor-independent. Full matrix and methodology: [the leaderboard](./evals/crm/leaderboard/RESULTS.md).
+
+The design is **deterministic apply, governed suggest**: the parts that touch your CRM — the audit rules, the plan/apply contract, compare-and-set, the survivor/merge logic — are deterministic and replayable; the parts that read free text (`call parse`/`score`, `market classify`) are LLM-powered but bounded, with every quoted span mechanically verified against the source before it can drive a writeback. Nondeterministic suggestion, deterministic governance.
 
 ## Authentication: CLI-first, browser only at the consent moment
 

package/SECURITY.md

@@ -0,0 +1,69 @@
+# Security Policy
+
+fullstackgtm reads and writes live CRM data under the operator's own
+credentials. We take its security posture seriously and design the write path
+to fail closed. This document is the disclosure process and the trust model a
+security reviewer needs.
+
+## Reporting a vulnerability
+
+Email **security@fullstackgtm.com** with a description and, ideally, a
+reproduction. Please do not open a public issue for a security report. We aim
+to acknowledge within 3 business days and to ship a fix or mitigation before
+any public disclosure. There is no bounty program yet; credit is given in the
+changelog unless you prefer otherwise.
+
+Supported version: the latest published `0.x` release on npm. Fixes land on the
+newest version, not backported (the project is pre-1.0).
+
+## Trust model
+
+**Credentials.** API tokens are never accepted as command-line arguments
+(they would leak into the process table and shell history); they come from an
+environment variable or stdin only, and are stored `0600` under a `0700` home
+(`$FSGTM_HOME`, default `~/.fullstackgtm`), re-tightened on read. This is the
+same custody model as the `gcloud`/`aws` CLIs. The hosted broker
+(`login --via`) exists so a team can connect a CRM once, server-side, and hand
+laptops only a revocable pairing token instead of a long-lived super-admin key.
+
+**Writes are approval-gated.** Reads are safe by default. Every change is a
+typed patch operation in a dry-run plan that a human must approve before
+`apply`. `apply` writes only operations whose ids were explicitly approved,
+refuses operations carrying unresolved placeholder values, and uses
+compare-and-set against the live CRM so a value that drifted since the plan was
+built becomes a conflict, not a clobber. Irreversible operations (merge,
+archive) get a fresh-snapshot drift guard, and archiving a record that still
+shares an identity key with another is refused (it's a duplicate — merge it).
+
+**Approval integrity.** At approval time each operation's apply-relevant content
+is HMAC-signed with a per-install key (`$FSGTM_HOME/.plan-signing-key`, `0600`).
+`apply --plan-id` re-verifies; a plan edited after approval — by a synced copy,
+another process, or a compromised dependency — is refused rather than executed.
+The invariant: **what gets written equals what the human signed.** A plan
+approved on one machine cannot be applied on another (the key does not travel).
+Documented boundary: this defends the plan file, not an attacker who already
+holds the signing key (same directory and permissions as the credential store).
+
+**Scheduling never auto-approves.** Scheduled (cron) runs are restricted to a
+read/plan-side allowlist plus `apply --plan-id` whose approved status and
+signatures are re-checked at every firing. Arbitrary shell is not schedulable.
+
+**Untrusted input.** Competitor pages fetched by `market capture` are guarded
+against SSRF (scheme allowlist; private/loopback/link-local/metadata addresses
+refused; redirects re-validated). LLM-extracted call insights and market
+classifications are mechanically verified verbatim against the source text
+before they can drive a writeback, so a prompt-injected transcript or page
+cannot fabricate a grounded-looking change. CSV/formula-injection in ingested
+data is neutralized before it reaches a write.
+
+**Auditability.** `audit-log export` produces a hash-chained, install-signed
+record of every apply run for change-management/SIEM ingestion; `audit-log
+verify` detects any edit or reorder.
+
+## Data flows
+
+What leaves the machine, to whom, and for which command is enumerated in
+[DATA-FLOWS.md](./DATA-FLOWS.md). In brief: the core CLI is BYO-key and talks
+directly to your CRM and (only for LLM/enrichment verbs you invoke) to your
+chosen Anthropic/OpenAI/Apollo accounts — there is no fullstackgtm-operated
+data path for the open-source package.

package/dist/auditLog.d.ts

@@ -0,0 +1,58 @@
+import type { PatchPlanRun } from "./types.ts";
+import type { StoredPlan } from "./planStore.ts";
+/**
+ * Exportable, tamper-evident audit log.
+ *
+ * Every apply run is already recorded per-plan in the store, but a compliance /
+ * change-management process needs ONE portable artifact it can archive and
+ * later prove was not edited. `audit-log export` flattens every run across all
+ * plans into a hash-chained sequence: each entry carries the hash of the
+ * previous entry, so removing, reordering, or editing any entry breaks the
+ * chain at that point and `audit-log verify` reports exactly where. When a
+ * per-install signing key exists, the chain head is also HMAC-signed, so the
+ * export can be attributed to this installation, not just shown internally
+ * consistent.
+ *
+ * This is a point-in-time attestation of the stored run history; it is not a
+ * real-time append-only journal (that is future work). It answers "give me an
+ * auditable record of every change this tool applied, that my auditor can
+ * verify hasn't been doctored."
+ */
+export type AuditLogEntry = {
+    seq: number;
+    planId: string;
+    planTitle: string;
+    provider: string;
+    startedAt: string;
+    finishedAt: string;
+    status: PatchPlanRun["status"];
+    trigger: string;
+    /** operationId → status, the per-operation outcome of this run */
+    operations: Array<{
+        operationId: string;
+        status: string;
+        detail?: string;
+    }>;
+    prevHash: string;
+    hash: string;
+};
+export type AuditLogExport = {
+    version: 1;
+    generatedAt: string;
+    entryCount: number;
+    chainHead: string;
+    /** HMAC of chainHead with the per-install key, or null when no key exists. */
+    signature: string | null;
+    entries: AuditLogEntry[];
+};
+/** Flatten all runs from the stored plans, oldest first, into chained entries. */
+export declare function buildAuditLog(plans: StoredPlan[], generatedAt: string): AuditLogExport;
+export type AuditLogVerification = {
+    ok: boolean;
+    /** seq of the first entry whose hash does not verify, or null if the chain holds */
+    brokenAt: number | null;
+    signatureOk: boolean | null;
+    detail: string;
+};
+/** Recompute the chain (and the signature if a key is available). */
+export declare function verifyAuditLog(log: AuditLogExport): AuditLogVerification;

package/dist/auditLog.js

@@ -0,0 +1,112 @@
+import { createHash, createHmac } from "node:crypto";
+import { loadOrCreateSigningKey, loadSigningKey } from "./integrity.js";
+const GENESIS = "0".repeat(64);
+/** The content that the chain hash covers — everything but prevHash/hash. */
+function entryContent(entry) {
+    return JSON.stringify([
+        entry.seq,
+        entry.planId,
+        entry.planTitle,
+        entry.provider,
+        entry.startedAt,
+        entry.finishedAt,
+        entry.status,
+        entry.trigger,
+        entry.operations,
+    ]);
+}
+function chainHash(prevHash, content) {
+    return createHash("sha256").update(prevHash).update("\n").update(content).digest("hex");
+}
+/** Flatten all runs from the stored plans, oldest first, into chained entries. */
+export function buildAuditLog(plans, generatedAt) {
+    const runs = [];
+    for (const stored of plans) {
+        for (const run of stored.runs ?? [])
+            runs.push({ stored, run });
+    }
+    runs.sort((a, b) => a.run.finishedAt.localeCompare(b.run.finishedAt));
+    const entries = [];
+    let prevHash = GENESIS;
+    runs.forEach(({ stored, run }, index) => {
+        const base = {
+            seq: index,
+            planId: run.planId,
+            planTitle: stored.plan.title,
+            provider: run.provider,
+            startedAt: run.startedAt,
+            finishedAt: run.finishedAt,
+            status: run.status,
+            trigger: run.trigger ?? "manual",
+            operations: run.results.map((result) => ({
+                operationId: result.operationId,
+                status: result.status,
+                ...(result.detail ? { detail: result.detail } : {}),
+            })),
+        };
+        const hash = chainHash(prevHash, entryContent(base));
+        entries.push({ ...base, prevHash, hash });
+        prevHash = hash;
+    });
+    // Always sign — an unsigned export's keyless sha256 chain is self-recomputable
+    // (an attacker can edit entries and rebuild the chain from the public genesis),
+    // so the per-install HMAC is the only real tamper barrier. Bind the header
+    // fields into the signed material so metadata can't be altered either.
+    const key = loadOrCreateSigningKey();
+    const entryCount = entries.length;
+    return {
+        version: 1,
+        generatedAt,
+        entryCount,
+        chainHead: prevHash,
+        signature: signHead(key, 1, generatedAt, entryCount, prevHash),
+        entries,
+    };
+}
+function signHead(key, version, generatedAt, entryCount, chainHead) {
+    return createHmac("sha256", key).update(JSON.stringify([version, generatedAt, entryCount, chainHead])).digest("hex");
+}
+/** Recompute the chain (and the signature if a key is available). */
+export function verifyAuditLog(log) {
+    let prevHash = GENESIS;
+    for (const entry of log.entries) {
+        if (entry.prevHash !== prevHash) {
+            return { ok: false, brokenAt: entry.seq, signatureOk: null, detail: `Chain breaks at entry ${entry.seq}: prevHash does not match the previous entry's hash (an entry was removed, reordered, or edited).` };
+        }
+        const expected = chainHash(prevHash, entryContent(entry));
+        if (expected !== entry.hash) {
+            return { ok: false, brokenAt: entry.seq, signatureOk: null, detail: `Chain breaks at entry ${entry.seq}: its content was edited after export (hash mismatch).` };
+        }
+        prevHash = entry.hash;
+    }
+    if (prevHash !== log.chainHead) {
+        return { ok: false, brokenAt: log.entries.length, signatureOk: null, detail: "The recorded chainHead does not match the recomputed chain." };
+    }
+    // The keyless chain alone is self-recomputable, so a missing/stripped signature
+    // means the export is forgeable — refuse it. (Current exports are always
+    // signed; a null signature is an old/unsigned or a downgraded export.)
+    if (!log.signature) {
+        return {
+            ok: false,
+            brokenAt: null,
+            signatureOk: false,
+            detail: "Unsigned export: the hash chain alone is self-recomputable, so this log cannot be trusted (the signature is absent or was stripped). Re-export on the issuing install.",
+        };
+    }
+    const key = loadSigningKey();
+    if (!key) {
+        // A third party without the issuing install's key cannot verify attribution.
+        // The chain is internally consistent, but that is not proof of authenticity.
+        return {
+            ok: false,
+            brokenAt: null,
+            signatureOk: null,
+            detail: "Chain is internally consistent, but this machine has no signing key to verify the signature — authenticity is unattributed. Verify on the issuing install.",
+        };
+    }
+    const signatureOk = signHead(key, log.version, log.generatedAt, log.entryCount, prevHash) === log.signature;
+    if (!signatureOk) {
+        return { ok: false, brokenAt: null, signatureOk: false, detail: "Signature does not match this installation's key — the log was exported elsewhere, or its entries/metadata were altered after signing." };
+    }
+    return { ok: true, brokenAt: null, signatureOk: true, detail: `Verified ${log.entries.length} entries; chain intact and signature valid.` };
+}

package/dist/cli.d.ts

@@ -33,7 +33,7 @@ export declare function doctorReport(env?: Record<string, string | undefined>):
     llm: {
         configured: boolean;
         provider: LlmProvider;
-        source: "env" | "stored";
+        source: "stored" | "env";
         detail?: undefined;
     } | {
         configured: boolean;

package/dist/cli.js

@@ -14,6 +14,7 @@ import { generateDemoSnapshot } from "./demo.js";
 import { formatPatchPlanRun, patchPlanToMarkdown } from "./format.js";
 import { mergeSnapshots } from "./merge.js";
 import { verifyApprovalDigests } from "./integrity.js";
+import { buildAuditLog, verifyAuditLog } from "./auditLog.js";
 import { createFilePlanStore } from "./planStore.js";
 import { auditReportToHtml, auditReportToMarkdown } from "./report.js";
 import { builtinAuditRules } from "./rules.js";
@@ -155,6 +156,7 @@ Usage:
   fullstackgtm plans approve <id> --values-from <suggestions.json> [--min-confidence high|low] [--include-creates]
   fullstackgtm apply --plan-id <id> --provider <name>
   fullstackgtm apply --plan <path> --provider <name> --approve <ids|all> [options]
+  fullstackgtm audit-log export [--out <path>] | verify --in <path>   tamper-evident apply-run record
   fullstackgtm rules [--json]
   fullstackgtm profiles [--json]               list credential profiles
   fullstackgtm doctor [--json]                 check install, credentials, and next step
@@ -2281,6 +2283,52 @@ function readSuggestionValues(path, minConfidence, includeCreates) {
     }
     return { overrides, skipped };
 }
+async function auditLogCommand(args) {
+    const [sub, ...rest] = args;
+    if (!sub || sub === "--help" || sub === "-h" || (sub !== "export" && sub !== "verify")) {
+        console.log(`Usage:
+audit-log export [--out <path>] [--json]   hash-chained, signed record of every apply run
+audit-log verify [--in <path>]             re-check an exported log's chain and signature
+
+export flattens every apply run across all stored plans (this profile) into a
+tamper-evident chain — each entry carries the prior entry's hash, and the chain
+head is HMAC-signed with this install's key — so a change-management process can
+archive one file and later prove it was not edited. verify recomputes the chain
+and (if the signing key is present) the signature.`);
+        return;
+    }
+    if (sub === "export") {
+        const plans = await createFilePlanStore().list();
+        const log = buildAuditLog(plans, new Date().toISOString());
+        const payload = `${JSON.stringify(log, null, 2)}\n`;
+        const outPath = option(rest, "--out");
+        if (outPath) {
+            writeFileSync(resolve(process.cwd(), outPath), payload);
+            console.log(`Wrote ${outPath}: ${log.entryCount} run(s), chain head ${log.chainHead.slice(0, 12)}${log.signature ? " (signed)" : " (unsigned — no signing key on this install)"}.`);
+        }
+        else if (rest.includes("--json")) {
+            console.log(payload);
+        }
+        else {
+            console.log(`${log.entryCount} apply run(s); chain head ${log.chainHead.slice(0, 12)}${log.signature ? ", signed" : ", unsigned"}. Pass --out <path> to archive, or --json to print.`);
+        }
+        return;
+    }
+    // verify
+    const inPath = option(rest, "--in");
+    if (!inPath)
+        throw new Error("audit-log verify requires --in <exported-log.json>");
+    const log = JSON.parse(readFileSync(resolve(process.cwd(), inPath), "utf8"));
+    const result = verifyAuditLog(log);
+    if (rest.includes("--json")) {
+        console.log(JSON.stringify(result, null, 2));
+    }
+    else {
+        console.log(result.ok ? `OK — ${result.detail}` : `TAMPERED — ${result.detail}`);
+    }
+    if (!result.ok)
+        process.exitCode = 2;
+}
 async function apply(args) {
     const provider = option(args, "--provider");
     if (!provider)
@@ -3053,6 +3101,10 @@ export async function runCli(argv) {
         await plansCommand(args);
         return;
     }
+    if (command === "audit-log") {
+        await auditLogCommand(args);
+        return;
+    }
     if (command === "apply") {
         await apply(args);
         return;

package/dist/index.d.ts

@@ -17,6 +17,7 @@ export { diffFindings, diffSnapshots, diffToMarkdown, type CollectionDiff, type
 export { mergeSnapshots, type MergeConflict, type MergeMatch, type MergeReport, type MergeSuggestion, } from "./merge.ts";
 export { createFilePlanStore, type PlanStore, type StoredPlan } from "./planStore.ts";
 export { computeApprovalDigests, loadOrCreateSigningKey, loadSigningKey, signApproval, verifyApprovalDigests, type ApprovalVerification, } from "./integrity.ts";
+export { buildAuditLog, verifyAuditLog, type AuditLogEntry, type AuditLogExport, type AuditLogVerification, } from "./auditLog.ts";
 export { formatPatchPlanRun, patchPlanToMarkdown } from "./format.ts";
 export { auditReportToHtml, auditReportToMarkdown, type ReportOptions } from "./report.ts";
 export { HUBSPOT_DEFAULT_FIELD_MAPPINGS, SALESFORCE_DEFAULT_FIELD_MAPPINGS, mappedField, mappedFields, normalizeFieldMappings, readMappedValue, type CrmObjectType, type FieldMappings, } from "./mappings.ts";

package/dist/index.js

@@ -17,6 +17,7 @@ export { diffFindings, diffSnapshots, diffToMarkdown, } from "./diff.js";
 export { mergeSnapshots, } from "./merge.js";
 export { createFilePlanStore } from "./planStore.js";
 export { computeApprovalDigests, loadOrCreateSigningKey, loadSigningKey, signApproval, verifyApprovalDigests, } from "./integrity.js";
+export { buildAuditLog, verifyAuditLog, } from "./auditLog.js";
 export { formatPatchPlanRun, patchPlanToMarkdown } from "./format.js";
 export { auditReportToHtml, auditReportToMarkdown } from "./report.js";
 export { HUBSPOT_DEFAULT_FIELD_MAPPINGS, SALESFORCE_DEFAULT_FIELD_MAPPINGS, mappedField, mappedFields, normalizeFieldMappings, readMappedValue, } from "./mappings.js";

package/dist/llm.js

@@ -70,8 +70,23 @@ export async function extractInsightsLlm(transcript, options) {
     const text = truncateTranscript(transcript);
     const prompt = `${EXTRACT_INSTRUCTIONS}\n\n${options.title ? `Call: ${options.title}\n` : ""}Transcript:\n${text}`;
     const result = (await forcedToolCall(prompt, "extract_call_insights", EXTRACT_SCHEMA, model, options));
+    const normalizedTranscript = normalizeSpan(text);
     const insights = (result.insights ?? [])
         .filter((insight) => INSIGHT_TYPES.includes(insight.type))
+        // Mechanical verbatim gate (mirrors market classify): the prompt asks for a
+        // verbatim quote, but a prompt-injected or hallucinated transcript could
+        // fabricate a grounded-looking insight that drives a governed writeback.
+        // (1) The evidence quote must be a non-trivial verbatim span of the transcript.
+        .filter((insight) => {
+        const quote = normalizeSpan(insight.evidence ?? "");
+        return quote.length >= 12 && normalizedTranscript.includes(quote);
+    })
+        // (2) For next_step — the only insight type whose `text` is WRITTEN to the CRM
+        // (set_field nextStep / create_task body) — the written action must itself be
+        // grounded in the verified quote, not just accompanied by an innocuous one.
+        // This closes the decoupling attack: a prompt-injected transcript that emits a
+        // malicious `text` while quoting an unrelated real span no longer survives.
+        .filter((insight) => insight.type !== "next_step" || actionGroundedInEvidence(insight.text, insight.evidence ?? ""))
         .map((insight) => ({
         ...insight,
         title: insight.type.replace(/_/g, " "),
@@ -81,6 +96,39 @@ export async function extractInsightsLlm(transcript, options) {
         .sort((a, b) => b.importance - a.importance || b.confidence - a.confidence);
     return { insights, model };
 }
+/** Whitespace/punctuation-spacing-normalized match (same rule as market spans). */
+function normalizeSpan(value) {
+    return value
+        .replace(/\s+([.,;:!?])/g, "$1")
+        .replace(/\s+/g, " ")
+        .trim()
+        .toLowerCase();
+}
+/**
+ * Is the written next-step action grounded in its (already transcript-verified)
+ * evidence quote? A legitimate next step paraphrases the quote, so it reuses the
+ * quote's salient terms; a prompt-injected action ("wire $50,000 to account
+ * 1234") quoting an unrelated innocuous span does not. Two checks: every
+ * number/amount in the action must appear in the evidence (defeats the
+ * financial-exfil class cleanly), and a meaningful share of the action's
+ * distinctive (≥4-char) words must appear in the evidence.
+ */
+function actionGroundedInEvidence(text, evidence) {
+    const action = normalizeSpan(text);
+    const quote = normalizeSpan(evidence);
+    if (!action)
+        return false;
+    const numbers = action.match(/\d[\d,.]*/g) ?? [];
+    for (const n of numbers) {
+        if (!quote.includes(n))
+            return false; // an ungrounded amount/account/id is a red flag
+    }
+    const distinctive = [...new Set(action.split(/[^a-z0-9$]+/).filter((token) => token.length >= 4))];
+    if (distinctive.length === 0)
+        return true; // nothing distinctive to ground (a short generic step)
+    const grounded = distinctive.filter((token) => quote.includes(token)).length;
+    return grounded / distinctive.length >= 0.4;
+}
 export const DEFAULT_RUBRIC = {
     scale: 5,
     dimensions: [

package/package.json

@@ -1,9 +1,9 @@
 {
   "name": "fullstackgtm",
-  "version": "0.26.0",
+  "version": "0.27.0",
   "description": "Open-source agentic GTM ops framework: canonical GTM data model, pluggable deterministic audits, reviewable dry-run patch plans, approval-gated write-back with conflict detection, and cross-system entity resolution. HubSpot, Salesforce, and Stripe connectors included.",
   "license": "Apache-2.0",
-  "author": "Full Stack GTM",
+  "author": "Full Stack GTM <security@fullstackgtm.com> (https://fullstackgtm.com)",
   "homepage": "https://github.com/fullstackgtm/core#readme",
   "bugs": {
     "url": "https://github.com/fullstackgtm/core/issues"
@@ -31,7 +31,10 @@
     "INSTALL_FOR_AGENTS.md",
     "llms.txt",
     "skills",
-    "LICENSE"
+    "LICENSE",
+    "NOTICE",
+    "SECURITY.md",
+    "DATA-FLOWS.md"
   ],
   "scripts": {
     "build": "tsc -p tsconfig.build.json",

package/src/auditLog.ts

@@ -0,0 +1,173 @@
+import { createHash, createHmac } from "node:crypto";
+import { loadOrCreateSigningKey, loadSigningKey } from "./integrity.ts";
+import type { PatchPlanRun } from "./types.ts";
+import type { StoredPlan } from "./planStore.ts";
+
+/**
+ * Exportable, tamper-evident audit log.
+ *
+ * Every apply run is already recorded per-plan in the store, but a compliance /
+ * change-management process needs ONE portable artifact it can archive and
+ * later prove was not edited. `audit-log export` flattens every run across all
+ * plans into a hash-chained sequence: each entry carries the hash of the
+ * previous entry, so removing, reordering, or editing any entry breaks the
+ * chain at that point and `audit-log verify` reports exactly where. When a
+ * per-install signing key exists, the chain head is also HMAC-signed, so the
+ * export can be attributed to this installation, not just shown internally
+ * consistent.
+ *
+ * This is a point-in-time attestation of the stored run history; it is not a
+ * real-time append-only journal (that is future work). It answers "give me an
+ * auditable record of every change this tool applied, that my auditor can
+ * verify hasn't been doctored."
+ */
+
+export type AuditLogEntry = {
+  seq: number;
+  planId: string;
+  planTitle: string;
+  provider: string;
+  startedAt: string;
+  finishedAt: string;
+  status: PatchPlanRun["status"];
+  trigger: string;
+  /** operationId → status, the per-operation outcome of this run */
+  operations: Array<{ operationId: string; status: string; detail?: string }>;
+  prevHash: string;
+  hash: string;
+};
+
+export type AuditLogExport = {
+  version: 1;
+  generatedAt: string;
+  entryCount: number;
+  chainHead: string;
+  /** HMAC of chainHead with the per-install key, or null when no key exists. */
+  signature: string | null;
+  entries: AuditLogEntry[];
+};
+
+const GENESIS = "0".repeat(64);
+
+/** The content that the chain hash covers — everything but prevHash/hash. */
+function entryContent(entry: Omit<AuditLogEntry, "prevHash" | "hash">): string {
+  return JSON.stringify([
+    entry.seq,
+    entry.planId,
+    entry.planTitle,
+    entry.provider,
+    entry.startedAt,
+    entry.finishedAt,
+    entry.status,
+    entry.trigger,
+    entry.operations,
+  ]);
+}
+
+function chainHash(prevHash: string, content: string): string {
+  return createHash("sha256").update(prevHash).update("\n").update(content).digest("hex");
+}
+
+/** Flatten all runs from the stored plans, oldest first, into chained entries. */
+export function buildAuditLog(plans: StoredPlan[], generatedAt: string): AuditLogExport {
+  const runs: Array<{ stored: StoredPlan; run: PatchPlanRun }> = [];
+  for (const stored of plans) {
+    for (const run of stored.runs ?? []) runs.push({ stored, run });
+  }
+  runs.sort((a, b) => a.run.finishedAt.localeCompare(b.run.finishedAt));
+
+  const entries: AuditLogEntry[] = [];
+  let prevHash = GENESIS;
+  runs.forEach(({ stored, run }, index) => {
+    const base = {
+      seq: index,
+      planId: run.planId,
+      planTitle: stored.plan.title,
+      provider: run.provider,
+      startedAt: run.startedAt,
+      finishedAt: run.finishedAt,
+      status: run.status,
+      trigger: (run as { trigger?: string }).trigger ?? "manual",
+      operations: run.results.map((result) => ({
+        operationId: result.operationId,
+        status: result.status,
+        ...(result.detail ? { detail: result.detail } : {}),
+      })),
+    };
+    const hash = chainHash(prevHash, entryContent(base));
+    entries.push({ ...base, prevHash, hash });
+    prevHash = hash;
+  });
+
+  // Always sign — an unsigned export's keyless sha256 chain is self-recomputable
+  // (an attacker can edit entries and rebuild the chain from the public genesis),
+  // so the per-install HMAC is the only real tamper barrier. Bind the header
+  // fields into the signed material so metadata can't be altered either.
+  const key = loadOrCreateSigningKey();
+  const entryCount = entries.length;
+  return {
+    version: 1,
+    generatedAt,
+    entryCount,
+    chainHead: prevHash,
+    signature: signHead(key, 1, generatedAt, entryCount, prevHash),
+    entries,
+  };
+}
+
+function signHead(key: Buffer, version: number, generatedAt: string, entryCount: number, chainHead: string): string {
+  return createHmac("sha256", key).update(JSON.stringify([version, generatedAt, entryCount, chainHead])).digest("hex");
+}
+
+export type AuditLogVerification = {
+  ok: boolean;
+  /** seq of the first entry whose hash does not verify, or null if the chain holds */
+  brokenAt: number | null;
+  signatureOk: boolean | null; // null = no signature present / no key to check
+  detail: string;
+};
+
+/** Recompute the chain (and the signature if a key is available). */
+export function verifyAuditLog(log: AuditLogExport): AuditLogVerification {
+  let prevHash = GENESIS;
+  for (const entry of log.entries) {
+    if (entry.prevHash !== prevHash) {
+      return { ok: false, brokenAt: entry.seq, signatureOk: null, detail: `Chain breaks at entry ${entry.seq}: prevHash does not match the previous entry's hash (an entry was removed, reordered, or edited).` };
+    }
+    const expected = chainHash(prevHash, entryContent(entry));
+    if (expected !== entry.hash) {
+      return { ok: false, brokenAt: entry.seq, signatureOk: null, detail: `Chain breaks at entry ${entry.seq}: its content was edited after export (hash mismatch).` };
+    }
+    prevHash = entry.hash;
+  }
+  if (prevHash !== log.chainHead) {
+    return { ok: false, brokenAt: log.entries.length, signatureOk: null, detail: "The recorded chainHead does not match the recomputed chain." };
+  }
+  // The keyless chain alone is self-recomputable, so a missing/stripped signature
+  // means the export is forgeable — refuse it. (Current exports are always
+  // signed; a null signature is an old/unsigned or a downgraded export.)
+  if (!log.signature) {
+    return {
+      ok: false,
+      brokenAt: null,
+      signatureOk: false,
+      detail: "Unsigned export: the hash chain alone is self-recomputable, so this log cannot be trusted (the signature is absent or was stripped). Re-export on the issuing install.",
+    };
+  }
+  const key = loadSigningKey();
+  if (!key) {
+    // A third party without the issuing install's key cannot verify attribution.
+    // The chain is internally consistent, but that is not proof of authenticity.
+    return {
+      ok: false,
+      brokenAt: null,
+      signatureOk: null,
+      detail: "Chain is internally consistent, but this machine has no signing key to verify the signature — authenticity is unattributed. Verify on the issuing install.",
+    };
+  }
+  const signatureOk = signHead(key, log.version, log.generatedAt, log.entryCount, prevHash) === log.signature;
+  if (!signatureOk) {
+    return { ok: false, brokenAt: null, signatureOk: false, detail: "Signature does not match this installation's key — the log was exported elsewhere, or its entries/metadata were altered after signing." };
+  }
+  return { ok: true, brokenAt: null, signatureOk: true, detail: `Verified ${log.entries.length} entries; chain intact and signature valid.` };
+}

package/src/cli.ts

@@ -35,6 +35,7 @@ import { generateDemoSnapshot } from "./demo.ts";
 import { formatPatchPlanRun, patchPlanToMarkdown } from "./format.ts";
 import { mergeSnapshots } from "./merge.ts";
 import { verifyApprovalDigests } from "./integrity.ts";
+import { buildAuditLog, verifyAuditLog } from "./auditLog.ts";
 import { createFilePlanStore } from "./planStore.ts";
 import { auditReportToHtml, auditReportToMarkdown, type ReportOptions } from "./report.ts";
 import { builtinAuditRules } from "./rules.ts";
@@ -254,6 +255,7 @@ Usage:
   fullstackgtm plans approve <id> --values-from <suggestions.json> [--min-confidence high|low] [--include-creates]
   fullstackgtm apply --plan-id <id> --provider <name>
   fullstackgtm apply --plan <path> --provider <name> --approve <ids|all> [options]
+  fullstackgtm audit-log export [--out <path>] | verify --in <path>   tamper-evident apply-run record
   fullstackgtm rules [--json]
   fullstackgtm profiles [--json]               list credential profiles
   fullstackgtm doctor [--json]                 check install, credentials, and next step
@@ -2558,6 +2560,50 @@ function readSuggestionValues(path: string, minConfidence: string, includeCreate
   return { overrides, skipped };
 }
 
+async function auditLogCommand(args: string[]) {
+  const [sub, ...rest] = args;
+  if (!sub || sub === "--help" || sub === "-h" || (sub !== "export" && sub !== "verify")) {
+    console.log(`Usage:
+audit-log export [--out <path>] [--json]   hash-chained, signed record of every apply run
+audit-log verify [--in <path>]             re-check an exported log's chain and signature
+
+export flattens every apply run across all stored plans (this profile) into a
+tamper-evident chain — each entry carries the prior entry's hash, and the chain
+head is HMAC-signed with this install's key — so a change-management process can
+archive one file and later prove it was not edited. verify recomputes the chain
+and (if the signing key is present) the signature.`);
+    return;
+  }
+
+  if (sub === "export") {
+    const plans = await createFilePlanStore().list();
+    const log = buildAuditLog(plans, new Date().toISOString());
+    const payload = `${JSON.stringify(log, null, 2)}\n`;
+    const outPath = option(rest, "--out");
+    if (outPath) {
+      writeFileSync(resolve(process.cwd(), outPath), payload);
+      console.log(`Wrote ${outPath}: ${log.entryCount} run(s), chain head ${log.chainHead.slice(0, 12)}${log.signature ? " (signed)" : " (unsigned — no signing key on this install)"}.`);
+    } else if (rest.includes("--json")) {
+      console.log(payload);
+    } else {
+      console.log(`${log.entryCount} apply run(s); chain head ${log.chainHead.slice(0, 12)}${log.signature ? ", signed" : ", unsigned"}. Pass --out <path> to archive, or --json to print.`);
+    }
+    return;
+  }
+
+  // verify
+  const inPath = option(rest, "--in");
+  if (!inPath) throw new Error("audit-log verify requires --in <exported-log.json>");
+  const log = JSON.parse(readFileSync(resolve(process.cwd(), inPath), "utf8")) as Parameters<typeof verifyAuditLog>[0];
+  const result = verifyAuditLog(log);
+  if (rest.includes("--json")) {
+    console.log(JSON.stringify(result, null, 2));
+  } else {
+    console.log(result.ok ? `OK — ${result.detail}` : `TAMPERED — ${result.detail}`);
+  }
+  if (!result.ok) process.exitCode = 2;
+}
+
 async function apply(args: string[]) {
   const provider = option(args, "--provider");
   if (!provider) throw new Error("apply requires --provider <name>");
@@ -3416,6 +3462,10 @@ export async function runCli(argv: string[]) {
     await plansCommand(args);
     return;
   }
+  if (command === "audit-log") {
+    await auditLogCommand(args);
+    return;
+  }
   if (command === "apply") {
     await apply(args);
     return;

package/src/index.ts

@@ -123,6 +123,13 @@ export {
   verifyApprovalDigests,
   type ApprovalVerification,
 } from "./integrity.ts";
+export {
+  buildAuditLog,
+  verifyAuditLog,
+  type AuditLogEntry,
+  type AuditLogExport,
+  type AuditLogVerification,
+} from "./auditLog.ts";
 export { formatPatchPlanRun, patchPlanToMarkdown } from "./format.ts";
 export { auditReportToHtml, auditReportToMarkdown, type ReportOptions } from "./report.ts";
 export {

package/src/llm.ts

@@ -109,8 +109,23 @@ export async function extractInsightsLlm(
   const result = (await forcedToolCall(prompt, "extract_call_insights", EXTRACT_SCHEMA, model, options)) as {
     insights?: LlmExtractedInsight[];
   };
+  const normalizedTranscript = normalizeSpan(text);
   const insights = (result.insights ?? [])
     .filter((insight) => INSIGHT_TYPES.includes(insight.type))
+    // Mechanical verbatim gate (mirrors market classify): the prompt asks for a
+    // verbatim quote, but a prompt-injected or hallucinated transcript could
+    // fabricate a grounded-looking insight that drives a governed writeback.
+    // (1) The evidence quote must be a non-trivial verbatim span of the transcript.
+    .filter((insight) => {
+      const quote = normalizeSpan(insight.evidence ?? "");
+      return quote.length >= 12 && normalizedTranscript.includes(quote);
+    })
+    // (2) For next_step — the only insight type whose `text` is WRITTEN to the CRM
+    // (set_field nextStep / create_task body) — the written action must itself be
+    // grounded in the verified quote, not just accompanied by an innocuous one.
+    // This closes the decoupling attack: a prompt-injected transcript that emits a
+    // malicious `text` while quoting an unrelated real span no longer survives.
+    .filter((insight) => insight.type !== "next_step" || actionGroundedInEvidence(insight.text, insight.evidence ?? ""))
     .map((insight) => ({
       ...insight,
       title: insight.type.replace(/_/g, " "),
@@ -121,6 +136,38 @@ export async function extractInsightsLlm(
   return { insights, model };
 }
 
+/** Whitespace/punctuation-spacing-normalized match (same rule as market spans). */
+function normalizeSpan(value: string): string {
+  return value
+    .replace(/\s+([.,;:!?])/g, "$1")
+    .replace(/\s+/g, " ")
+    .trim()
+    .toLowerCase();
+}
+
+/**
+ * Is the written next-step action grounded in its (already transcript-verified)
+ * evidence quote? A legitimate next step paraphrases the quote, so it reuses the
+ * quote's salient terms; a prompt-injected action ("wire $50,000 to account
+ * 1234") quoting an unrelated innocuous span does not. Two checks: every
+ * number/amount in the action must appear in the evidence (defeats the
+ * financial-exfil class cleanly), and a meaningful share of the action's
+ * distinctive (≥4-char) words must appear in the evidence.
+ */
+function actionGroundedInEvidence(text: string, evidence: string): boolean {
+  const action = normalizeSpan(text);
+  const quote = normalizeSpan(evidence);
+  if (!action) return false;
+  const numbers = action.match(/\d[\d,.]*/g) ?? [];
+  for (const n of numbers) {
+    if (!quote.includes(n)) return false; // an ungrounded amount/account/id is a red flag
+  }
+  const distinctive = [...new Set(action.split(/[^a-z0-9$]+/).filter((token) => token.length >= 4))];
+  if (distinctive.length === 0) return true; // nothing distinctive to ground (a short generic step)
+  const grounded = distinctive.filter((token) => quote.includes(token)).length;
+  return grounded / distinctive.length >= 0.4;
+}
+
 // ── Rubric scoring ─────────────────────────────────────────────────────────
 
 export type Rubric = {