fullstackgtm 0.26.0 → 0.28.0

package/src/keychain.ts

@@ -0,0 +1,112 @@
+import { execFileSync } from "node:child_process";
+import { platform } from "node:os";
+
+/**
+ * Optional OS-keychain backing for the credential store. Off by default;
+ * enabled with FSGTM_KEYCHAIN=1. When on, the credential blob is stored in the
+ * OS secret store instead of a 0600 file, so a cloned home, a restored backup,
+ * or another tool reading `~/.fullstackgtm/credentials.json` finds nothing.
+ *
+ * Backends shell out to the OS tool — no native dependency, so the package
+ * stays zero-dep:
+ *  - Linux: `secret-tool` (libsecret) — reads the secret from STDIN (no argv leak).
+ *  - macOS: `security` — `add-generic-password` only accepts the secret via the
+ *    `-w` argv flag, so it is briefly visible to same-user `ps` during the call.
+ *    That transient, same-user exposure is strictly smaller than a persistent
+ *    plaintext file (which the same processes can read at any time), but it is a
+ *    real caveat, documented in SECURITY.md.
+ *
+ * Keychain entries are NOT scoped by $FSGTM_HOME (the OS store is machine-wide),
+ * so the account name is derived from the credential file path to keep distinct
+ * homes/profiles from colliding. This is also why keychain is opt-in: defaulting
+ * it on would make throwaway-home test/eval runs write to the machine keychain.
+ */
+
+export type KeychainBackend = {
+  readonly name: string;
+  get(account: string): string | null;
+  set(account: string, secret: string): void;
+  delete(account: string): void;
+};
+
+const SERVICE = "fullstackgtm";
+
+function hasBinary(bin: string): boolean {
+  try {
+    execFileSync("/usr/bin/env", ["which", bin], { stdio: "ignore" });
+    return true;
+  } catch {
+    return false;
+  }
+}
+
+const macosBackend: KeychainBackend = {
+  name: "macos-keychain",
+  get(account) {
+    try {
+      return execFileSync("security", ["find-generic-password", "-s", SERVICE, "-a", account, "-w"], {
+        encoding: "utf8",
+        stdio: ["ignore", "pipe", "ignore"],
+      }).replace(/\n$/, "");
+    } catch {
+      return null; // not found → non-zero exit
+    }
+  },
+  set(account, secret) {
+    // -U updates if present. NOTE: the secret is in argv for the duration of
+    // this call (see the module comment); `security` has no stdin path.
+    execFileSync("security", ["add-generic-password", "-U", "-s", SERVICE, "-a", account, "-w", secret], {
+      stdio: "ignore",
+    });
+  },
+  delete(account) {
+    try {
+      execFileSync("security", ["delete-generic-password", "-s", SERVICE, "-a", account], { stdio: "ignore" });
+    } catch {
+      // already absent
+    }
+  },
+};
+
+const secretToolBackend: KeychainBackend = {
+  name: "linux-secret-tool",
+  get(account) {
+    try {
+      return execFileSync("secret-tool", ["lookup", "service", SERVICE, "account", account], {
+        encoding: "utf8",
+        stdio: ["ignore", "pipe", "ignore"],
+      });
+    } catch {
+      return null;
+    }
+  },
+  set(account, secret) {
+    // secret-tool reads the secret from STDIN — no argv exposure.
+    execFileSync("secret-tool", ["store", "--label", `${SERVICE} ${account}`, "service", SERVICE, "account", account], {
+      input: secret,
+      stdio: ["pipe", "ignore", "ignore"],
+    });
+  },
+  delete(account) {
+    try {
+      execFileSync("secret-tool", ["clear", "service", SERVICE, "account", account], { stdio: "ignore" });
+    } catch {
+      // already absent
+    }
+  },
+};
+
+let override: KeychainBackend | null | undefined;
+
+/** Test seam: force a backend (or null to force "none"). undefined = re-detect. */
+export function setKeychainBackendForTests(backend: KeychainBackend | null | undefined): void {
+  override = backend;
+}
+
+/** The active backend for this platform, or null if none is available. */
+export function detectKeychainBackend(): KeychainBackend | null {
+  if (override !== undefined) return override;
+  if (platform() === "darwin" && hasBinary("security")) return macosBackend;
+  if (platform() === "linux" && hasBinary("secret-tool")) return secretToolBackend;
+  return null;
+}

package/src/llm.ts

@@ -109,8 +109,23 @@ export async function extractInsightsLlm(
   const result = (await forcedToolCall(prompt, "extract_call_insights", EXTRACT_SCHEMA, model, options)) as {
     insights?: LlmExtractedInsight[];
   };
+  const normalizedTranscript = normalizeSpan(text);
   const insights = (result.insights ?? [])
     .filter((insight) => INSIGHT_TYPES.includes(insight.type))
+    // Mechanical verbatim gate (mirrors market classify): the prompt asks for a
+    // verbatim quote, but a prompt-injected or hallucinated transcript could
+    // fabricate a grounded-looking insight that drives a governed writeback.
+    // (1) The evidence quote must be a non-trivial verbatim span of the transcript.
+    .filter((insight) => {
+      const quote = normalizeSpan(insight.evidence ?? "");
+      return quote.length >= 12 && normalizedTranscript.includes(quote);
+    })
+    // (2) For next_step — the only insight type whose `text` is WRITTEN to the CRM
+    // (set_field nextStep / create_task body) — the written action must itself be
+    // grounded in the verified quote, not just accompanied by an innocuous one.
+    // This closes the decoupling attack: a prompt-injected transcript that emits a
+    // malicious `text` while quoting an unrelated real span no longer survives.
+    .filter((insight) => insight.type !== "next_step" || actionGroundedInEvidence(insight.text, insight.evidence ?? ""))
     .map((insight) => ({
       ...insight,
       title: insight.type.replace(/_/g, " "),
@@ -121,6 +136,38 @@ export async function extractInsightsLlm(
   return { insights, model };
 }
 
+/** Whitespace/punctuation-spacing-normalized match (same rule as market spans). */
+function normalizeSpan(value: string): string {
+  return value
+    .replace(/\s+([.,;:!?])/g, "$1")
+    .replace(/\s+/g, " ")
+    .trim()
+    .toLowerCase();
+}
+
+/**
+ * Is the written next-step action grounded in its (already transcript-verified)
+ * evidence quote? A legitimate next step paraphrases the quote, so it reuses the
+ * quote's salient terms; a prompt-injected action ("wire $50,000 to account
+ * 1234") quoting an unrelated innocuous span does not. Two checks: every
+ * number/amount in the action must appear in the evidence (defeats the
+ * financial-exfil class cleanly), and a meaningful share of the action's
+ * distinctive (≥4-char) words must appear in the evidence.
+ */
+function actionGroundedInEvidence(text: string, evidence: string): boolean {
+  const action = normalizeSpan(text);
+  const quote = normalizeSpan(evidence);
+  if (!action) return false;
+  const numbers = action.match(/\d[\d,.]*/g) ?? [];
+  for (const n of numbers) {
+    if (!quote.includes(n)) return false; // an ungrounded amount/account/id is a red flag
+  }
+  const distinctive = [...new Set(action.split(/[^a-z0-9$]+/).filter((token) => token.length >= 4))];
+  if (distinctive.length === 0) return true; // nothing distinctive to ground (a short generic step)
+  const grounded = distinctive.filter((token) => quote.includes(token)).length;
+  return grounded / distinctive.length >= 0.4;
+}
+
 // ── Rubric scoring ─────────────────────────────────────────────────────────
 
 export type Rubric = {

package/src/mcp.ts

@@ -15,8 +15,15 @@ async function importPeer<T>(specifier: string): Promise<T> {
     return (await import(specifier)) as T;
   } catch (error) {
     try {
+      // Last-resort fallback to the invoking project's node_modules (the npx
+      // landmine: peers there, fullstackgtm in the npx cache). This loads code
+      // from the current working directory, so make it VISIBLE — running the
+      // MCP server in an untrusted directory could otherwise silently load a
+      // malicious `zod`/SDK from its node_modules.
       const projectRequire = createRequire(join(process.cwd(), "package.json"));
-      return (await import(pathToFileURL(projectRequire.resolve(specifier)).href)) as T;
+      const resolved = projectRequire.resolve(specifier);
+      console.error(`fullstackgtm-mcp: loading peer "${specifier}" from the current directory (${resolved}). Only run the MCP server in a directory you trust.`);
+      return (await import(pathToFileURL(resolved).href)) as T;
     } catch {
       throw error; // the original error carries the missing-peer signal mcp-bin reports on
     }

package/src/types.ts

@@ -343,7 +343,16 @@ export type PatchPlan = {
    * Unlike per-operation preconditions, this enforces the FULL filter —
    * negations and relational pseudo-fields included.
    */
-  filter?: { objectType: "account" | "contact" | "deal"; where: string[] };
+  filter?: {
+    objectType: "account" | "contact" | "deal";
+    where: string[];
+    /**
+     * The date the filter's comparison `today` literal resolves to (ISO
+     * yyyy-mm-dd). Stored so apply-time re-verification resolves `today`
+     * identically to plan time; absent on plans built before comparison ops.
+     */
+    today?: string;
+  };
   /**
    * Plan-level guards re-evaluated against a FRESH snapshot at apply time.
    * If any guard fails, NO operation in the plan is applied. This is how a