fullstackgtm 0.27.0 → 0.28.1

package/CHANGELOG.md

@@ -5,6 +5,50 @@ The format follows [Keep a Changelog](https://keepachangelog.com/en/1.1.0/),
 and the project adheres to [Semantic Versioning](https://semver.org/).
 The path to 1.0 is planned in [docs/roadmap-to-1.0.md](./docs/roadmap-to-1.0.md).
 
+## [0.28.1] — 2026-06-16
+
+Company-of-record correction: the legal entity is **Full Stack GTM LLC** and the
+contact/disclosure address is **ryan@fullstackgtm.com** (package.json author,
+NOTICE copyright, SECURITY.md, DATA-FLOWS.md). No code changes.
+
+## [0.28.0] — 2026-06-16
+
+Connectors, credentials & supply chain — the last of the hardening train.
+Each security change was re-attacked; the keychain and supply-chain gates each
+took two rounds (the re-attack found the stale-plaintext-on-migration gap and
+the orphan-dist gap that round 1 left open).
+
+### Added
+
+- **Opt-in OS-keychain credential storage** (`FSGTM_KEYCHAIN=1`). The credential
+  blob is stored in the macOS Keychain (`security`) or Linux libsecret
+  (`secret-tool`) instead of a 0600 file — no native dependency. Enabling it on
+  an existing install migrates `credentials.json` into the keychain and removes
+  the plaintext file. Default (unset) is unchanged: the 0600 file. macOS caveat
+  (transient argv exposure during the keychain write) documented in SECURITY.md.
+
+### Security
+
+- **Broker URL must be https.** `login --via` and the token-mint path refuse a
+  cleartext/non-https broker (localhost dev excepted), and the device
+  verification URL is only auto-opened when it shares the `--via` origin — so a
+  long-lived pairing bearer and minted live-CRM tokens can't go over cleartext
+  or to an attacker-redirected URL.
+- **Supply-chain: published dist is provably from source.** `npm run build` now
+  cleans first; release rebuilds from source and refuses to publish if the
+  committed `dist/` doesn't match (catching a poisoned or *orphaned* dist file),
+  and a CI `dist-integrity` job enforces the same on every push — protecting
+  `npm install github:` consumers who run the committed dist unbuilt.
+- npx peer resolution from the current directory is now logged (running the MCP
+  server in an untrusted directory could otherwise silently load a peer from it).
+
+### Changed
+
+- **Salesforce merge is documented as unsupported**, with a connector
+  capability matrix in the README — no REST merge exists (SOAP/Apex only), so
+  `merge_records` is refused honestly; deduplicate in the UI or archive the
+  non-survivors. No silent half-merge, no demo surprise.
+
 ## [0.27.0] — 2026-06-16
 
 Trust, compliance & transparency — the artifacts a skeptical buyer's security

package/DATA-FLOWS.md

@@ -38,8 +38,8 @@ Commands not listed (`plans`, `rules`, `doctor`, `schedule`, `audit-log`,
   CRM-only.
 - **No data is sent for training.** Anthropic, OpenAI, and Apollo are reached
   with your own API keys under your own agreements; their data-handling terms
-  (and any DPA you have with them) govern that traffic. Full Stack GTM is not
-  in that path and is not a sub-processor for the open-source CLI.
+  (and any DPA you have with them) govern that traffic. Full Stack GTM LLC is
+  not in that path and is not a sub-processor for the open-source CLI.
 
 ## Sub-processors
 
@@ -49,4 +49,4 @@ controllers are you and the providers whose keys you supply.
 For the **hosted application** (a separate, proprietary product — not this
 package): a sub-processor list and DPA are provided through that product's
 agreement. If you are evaluating the hosted product, request them from
-security@fullstackgtm.com.
+ryan@fullstackgtm.com.

package/NOTICE

@@ -1,5 +1,5 @@
 fullstackgtm
-Copyright 2026 Full Stack GTM
+Copyright 2026 Full Stack GTM LLC
 
-This product is developed and maintained by Full Stack GTM (https://fullstackgtm.com).
+This product is developed and maintained by Full Stack GTM LLC (https://fullstackgtm.com).
 Licensed under the Apache License, Version 2.0 (see LICENSE).

package/README.md

@@ -127,7 +127,7 @@ fullstackgtm reassign --from 411 --to 902 --except-deal-stage closing --save   #
 fullstackgtm fix --rule missing-deal-owner --provider hubspot --yes  # audit one rule → suggest → approve → apply, one command
 ```
 
-`bulk-update` filters the snapshot (`=`, `!=`, `~` substring, `!~` not-substring, `:empty`/`:notempty`, `|` any-of, relational pseudo-fields like `account.domain` or `openDealStages`) into a dry-run patch plan — and **the full filter is re-verified per record at apply time**, with mid-apply rechecks, so a record that stopped matching between audit and apply is skipped, not clobbered. Equality filters double as preconditions; `--require` adds explicit ones; `--guard` asserts cross-record conditions; `--max-operations` caps blast radius. `--set field=from:<sourceField>` derives values per record; `--create-task <text>` is the third change mode, emitting approval-gated `create_task` operations instead of field writes; `--archive` refuses records whose identity key (account domain, contact email) is shared with another record — that's a duplicate, and duplicates are merged with `dedupe`, not archived around (`--force-archive-duplicates` overrides that refusal explicitly).
+`bulk-update` filters the snapshot (`=`, `!=`, `~` substring, `!~` not-substring, `:empty`/`:notempty`, type-aware comparisons `<` `>` `<=` `>=` where `today` resolves to the policy date — e.g. `closeDate<today` — and date/numeric fields coerce by value form, `|` any-of, relational pseudo-fields like `account.domain` or `openDealStages`) into a dry-run patch plan — and **the full filter is re-verified per record at apply time**, with mid-apply rechecks, so a record that stopped matching between audit and apply is skipped, not clobbered. For date/count hygiene (past close dates, stale deals, missing accounts, duplicates), prefer the rule-backed `fix --rule <id>` — the rule encodes the open-deal + date logic deterministically; use `bulk-update` only when no rule covers the task. Equality filters double as preconditions; `--require` adds explicit ones; `--guard` asserts cross-record conditions; `--max-operations` caps blast radius. `--set field=from:<sourceField>` derives values per record; `--create-task <text>` is the third change mode, emitting approval-gated `create_task` operations instead of field writes; `--archive` refuses records whose identity key (account domain, contact email) is shared with another record — that's a duplicate, and duplicates are merged with `dedupe`, not archived around (`--force-archive-duplicates` overrides that refusal explicitly).
 
 `dedupe` finds duplicate groups by normalized identity key and emits one `merge_records` operation per group with a deterministic survivor (`richest` = most populated fields, ties to lowest id; `oldest`). Merges stay irreversible-and-therefore-low-confidence-capped on approval, exactly like merge suggestions from the audit. `reassign` is the ownership-handoff playbook: one plan per object type, extra scoping account-lifted to deals and contacts, and `--except-deal-stage` excludes both deals in that stage and every record whose account has an open deal in it. `fix` is the one-shot composite for a single rule: audit → save → suggest → approve suggestion-backed operations at the confidence bar → with `--yes`, apply and print the stage-by-stage summary; without it, stop after approval and print the apply command.
 
@@ -271,6 +271,20 @@ A direct `login hubspot` always wins over a broker pairing, so an operator can o
 
 What each provider actually requires before `audit --provider <name>` works on your data.
 
+### Connector capabilities
+
+Connectors differ in what the provider's API allows — stated up front so nothing surprises you mid-evaluation:
+
+| Operation | HubSpot | Salesforce | Stripe |
+| --- | --- | --- | --- |
+| Read / snapshot / audit | ✅ | ✅ | ✅ (read-only) |
+| Field writes (`set_field`, `clear_field`, `link_record`) | ✅ | ✅ | — |
+| `create_task` | ✅ | ✅ | — |
+| `archive_record` | ✅ | ✅ | — |
+| `merge_records` (`dedupe`) | ✅ | ❌ **not supported** | — |
+
+**Salesforce merge** has no REST resource — it exists only in the SOAP API / Apex (Lead, Contact, Account, Case; max 3 records). This connector refuses a Salesforce `merge_records` operation honestly rather than half-merging; on Salesforce, deduplicate in the UI (or via SOAP/Apex), or use `bulk-update --archive` for the non-survivors. Native Salesforce merge is tracked future work, not a silent gap.
+
 ### HubSpot: create a private app (~2 minutes, needs super-admin)
 
 1. In HubSpot: **Settings → Integrations → Private Apps → Create a private app.**

package/SECURITY.md

@@ -7,7 +7,7 @@ security reviewer needs.
 
 ## Reporting a vulnerability
 
-Email **security@fullstackgtm.com** with a description and, ideally, a
+Email **ryan@fullstackgtm.com** with a description and, ideally, a
 reproduction. Please do not open a public issue for a security report. We aim
 to acknowledge within 3 business days and to ship a fix or mitigation before
 any public disclosure. There is no bounty program yet; credit is given in the
@@ -24,7 +24,20 @@ environment variable or stdin only, and are stored `0600` under a `0700` home
 (`$FSGTM_HOME`, default `~/.fullstackgtm`), re-tightened on read. This is the
 same custody model as the `gcloud`/`aws` CLIs. The hosted broker
 (`login --via`) exists so a team can connect a CRM once, server-side, and hand
-laptops only a revocable pairing token instead of a long-lived super-admin key.
+laptops only a revocable pairing token instead of a long-lived super-admin key;
+the broker URL must be https (cleartext is refused except for localhost dev).
+
+**OS keychain (opt-in).** Set `FSGTM_KEYCHAIN=1` to store the credential blob
+in the OS secret store instead of a plaintext file — macOS Keychain (via
+`security`) or Linux libsecret (via `secret-tool`); no native dependency. When
+enabled, a pre-existing `credentials.json` is migrated into the keychain and the
+plaintext file is removed, so a cloned home or restored backup finds no token at
+rest. Caveat: on macOS, `security add-generic-password` only accepts the secret
+via an argv flag, so it is briefly visible to a same-user `ps` during the write
+— a transient exposure strictly smaller than a persistent plaintext file, but a
+real one (Linux `secret-tool` reads the secret from stdin, with no such window).
+Backups or clones taken *before* enabling keychain already captured the file;
+rotate those credentials if that is a concern.
 
 **Writes are approval-gated.** Reads are safe by default. Every change is a
 typed patch operation in a dry-run plan that a human must approve before

package/dist/bulkUpdate.d.ts

@@ -33,10 +33,17 @@ export type BulkUpdateOptions = {
     reason?: string;
     /** refuse to build plans larger than this (default 500 operations) */
     maxOperations?: number;
+    /**
+     * Date the comparison `today` literal resolves to (ISO yyyy-mm-dd). Set from
+     * the policy/--today date at the CLI; defaults to the system date. Stored on
+     * plan.filter so apply-time filter re-verification resolves `today`
+     * identically to plan time.
+     */
+    today?: string;
 };
 type WhereClause = {
     field: string;
-    op: "eq" | "neq" | "contains" | "notcontains" | "empty" | "notempty";
+    op: "eq" | "neq" | "contains" | "notcontains" | "empty" | "notempty" | "lt" | "gt" | "lte" | "gte";
     value?: string;
     raw: string;
 };
@@ -44,9 +51,14 @@ export declare function parseWhere(expr: string): WhereClause;
 /** True when `field` is filterable for this object type (relational pseudo-fields included). */
 export declare function isFilterableField(objectType: BulkUpdateOptions["objectType"], field: string): boolean;
 export declare function parseGuard(raw: string): PlanGuard;
-/** Ids of records matching a filter — used for apply-time filter re-verification. */
-export declare function eligibleIds(snapshot: CanonicalGtmSnapshot, objectType: BulkUpdateOptions["objectType"], where: string[]): Set<string>;
+/**
+ * Ids of records matching a filter — used for apply-time filter
+ * re-verification. `today` resolves the comparison `today` literal; apply-time
+ * callers pass the value the plan was built with (stored on plan.filter.today)
+ * so re-verification uses the SAME today, defaulting to the system date.
+ */
+export declare function eligibleIds(snapshot: CanonicalGtmSnapshot, objectType: BulkUpdateOptions["objectType"], where: string[], today?: string): Set<string>;
 /** Evaluate a plan guard against a snapshot. Returns null when satisfied, else a failure detail. */
-export declare function evaluateGuard(snapshot: CanonicalGtmSnapshot, guard: PlanGuard): string | null;
+export declare function evaluateGuard(snapshot: CanonicalGtmSnapshot, guard: PlanGuard, today?: string): string | null;
 export declare function buildBulkUpdatePlan(snapshot: CanonicalGtmSnapshot, options: BulkUpdateOptions): PatchPlan;
 export {};

package/dist/bulkUpdate.js

@@ -18,8 +18,21 @@
  *   field=value     case-insensitive equality
  *   field!=value    case-insensitive inequality
  *   field~value     case-insensitive substring
+ *   field!~value    case-insensitive not-substring
  *   field:empty     unset or empty string
  *   field:notempty  set and non-empty
+ *   field<value     type-aware less-than (date or numeric)
+ *   field>value     type-aware greater-than
+ *   field<=value    type-aware less-than-or-equal
+ *   field>=value    type-aware greater-than-or-equal
+ *
+ * Comparison operators (`<` `>` `<=` `>=`) are type-aware, unlike the string
+ * operators above: if both the field value and the RHS parse as finite dates
+ * they compare as dates; else if both parse as finite numbers they compare
+ * numerically; otherwise the clause does not match (never throws at match
+ * time). The bare literal `today` on the RHS resolves to the policy/today date
+ * (`--today`, defaulting to the system date) and forces a date comparison —
+ * so `closeDate<today` is the canonical "past close date" filter.
  *
  * Fields are canonical (ownerId, stage, closeDate, amount, domain, name,
  * email, isClosed, accountId, …). Relational pseudo-fields are available in
@@ -31,7 +44,49 @@ import { recoverableFields } from "./dedupe.js";
 import { normalizeDomain } from "./merge.js";
 import { stableHash } from "./rules.js";
 const FIELD_PATTERN = "[a-zA-Z][a-zA-Z0-9_]*(?:\\.[a-zA-Z][a-zA-Z0-9_]*)?";
+/**
+ * Is a comparison RHS (a single `|`-alternative) authorable for comparison?
+ * Accept `today`, OR a plain number, OR a date-SHAPED string — using the exact
+ * same `isPlainNumber`/`isDateLike` predicates the match-time branch uses, so
+ * the parse-time authoring check and the runtime branch cannot diverge. The
+ * intentional asymmetry: parse-time validates one literal in isolation (EITHER
+ * number OR date is fine), whereas match-time's `compareValues` additionally
+ * requires the FIELD and the RHS to agree on type (BOTH number, or BOTH date).
+ * Requiring a date *shape* here (not bare `Date.parse`-finite) means a prose
+ * typo like `July 4` or a stray `<5` fails loudly at parse instead of silently
+ * matching nothing. `isDateLike`/`isPlainNumber` are hoisted function decls.
+ */
+function isComparableValue(rhs) {
+    const trimmed = rhs.trim();
+    if (trimmed === "today")
+        return true;
+    if (isPlainNumber(trimmed))
+        return true;
+    if (isDateLike(trimmed))
+        return true;
+    return false;
+}
+/**
+ * Catch the "multiple conditions crammed into one --where" footgun: a weak
+ * agent writes `--where 'stage!=closedwon AND stage!=closedlost'`, which the
+ * grammar would otherwise parse as a single neq clause whose VALUE is the
+ * literal string `closedwon AND stage!=closedlost` — matching almost nothing
+ * (or, with `!=`, almost EVERYTHING), so the gate faithfully applies a
+ * wildly-wrong-but-authorized plan.
+ *
+ * Fire only when a connector ` AND `/` OR ` is followed by a clause-LIKE
+ * structure (a field name + an operator), so incidental prose in a value —
+ * `name~Procter AND Gamble`, `name~research and development` — is NOT
+ * rejected (the word after the connector has no operator). Case-insensitive.
+ */
+const INLINE_CONJUNCTION = new RegExp(`\\s(and|or)\\s+${FIELD_PATTERN}\\s*(!=|<=|>=|!~|=|<|>|~|:(empty|notempty)\\b)`, "i");
 export function parseWhere(expr) {
+    if (INLINE_CONJUNCTION.test(expr)) {
+        throw new Error(`Cannot parse "${expr}": looks like multiple conditions in one clause. ` +
+            `AND is implicit — use a SEPARATE --where for each condition ` +
+            `(e.g. --where stage!=closedwon --where stage!=closedlost). ` +
+            `For OR within one field, use value1|value2 (e.g. --where stage=closedwon|closedlost).`);
+    }
     const empty = expr.match(new RegExp(`^(${FIELD_PATTERN}):(empty|notempty)$`));
     if (empty)
         return { field: empty[1], op: empty[2], raw: expr };
@@ -41,13 +96,44 @@ export function parseWhere(expr) {
     const notContains = expr.match(new RegExp(`^(${FIELD_PATTERN})!~(.*)$`));
     if (notContains)
         return { field: notContains[1], op: "notcontains", value: notContains[2], raw: expr };
+    // Comparison operators: two-char tokens (`<=`/`>=`) MUST be tried before the
+    // one-char ones (`<`/`>`) so a prefix isn't stolen (`field<=5` → lte, not
+    // lt + stray `=`). They slot in after `!=`/`!~` and before `~`/`=` (different
+    // lead chars, no collision). The RHS is validated at parse time: an
+    // un-comparable literal (neither today, number, nor date) is a static
+    // authoring error and throws here, so a typo never silently matches nothing.
+    const lte = expr.match(new RegExp(`^(${FIELD_PATTERN})<=(.*)$`));
+    if (lte)
+        return assertComparable({ field: lte[1], op: "lte", value: lte[2], raw: expr });
+    const gte = expr.match(new RegExp(`^(${FIELD_PATTERN})>=(.*)$`));
+    if (gte)
+        return assertComparable({ field: gte[1], op: "gte", value: gte[2], raw: expr });
+    const lt = expr.match(new RegExp(`^(${FIELD_PATTERN})<(.*)$`));
+    if (lt)
+        return assertComparable({ field: lt[1], op: "lt", value: lt[2], raw: expr });
+    const gt = expr.match(new RegExp(`^(${FIELD_PATTERN})>(.*)$`));
+    if (gt)
+        return assertComparable({ field: gt[1], op: "gt", value: gt[2], raw: expr });
     const contains = expr.match(new RegExp(`^(${FIELD_PATTERN})~(.*)$`));
     if (contains)
         return { field: contains[1], op: "contains", value: contains[2], raw: expr };
     const eq = expr.match(new RegExp(`^(${FIELD_PATTERN})=(.*)$`));
     if (eq)
         return { field: eq[1], op: "eq", value: eq[2], raw: expr };
-    throw new Error(`Cannot parse --where "${expr}". Use field=value, field!=value, field~substring, field!~substring, field:empty, or field:notempty.`);
+    throw new Error(`Cannot parse --where "${expr}". Use field=value, field!=value, field~substring, field!~substring, field:empty, field:notempty, field<value, field>value, field<=value, or field>=value.`);
+}
+/**
+ * Parse-time validity for a comparison clause: every `|`-alternative of the
+ * RHS must be a comparable literal (today / number / date). An un-comparable
+ * value (e.g. `amount>`, `closeDate<garbage`) throws here — a comparison that
+ * can never coerce is an authoring error, not a silent empty match.
+ */
+function assertComparable(clause) {
+    const alternatives = (clause.value ?? "").split("|");
+    if (alternatives.some((a) => !isComparableValue(a))) {
+        throw new Error(`Cannot parse --where "${clause.raw}": the comparison value must be a number, an ISO date, or "today" (got "${clause.value ?? ""}").`);
+    }
+    return clause;
 }
 function fieldValue(view, field) {
     const value = view[field];
@@ -55,7 +141,57 @@ function fieldValue(view, field) {
         return "";
     return String(value);
 }
-function matches(view, clause) {
+/** System date as ISO yyyy-mm-dd — the default `today` when none is threaded. */
+function systemToday() {
+    return new Date().toISOString().slice(0, 10);
+}
+/** A non-empty trimmed string that parses as a finite JS number. */
+function isPlainNumber(value) {
+    const trimmed = value.trim();
+    return trimmed !== "" && Number.isFinite(Number(trimmed));
+}
+/**
+ * "Looks like a date": Date.parse-finite AND not a plain number. The guard
+ * against plain numbers is essential — `Date.parse("5000")` is finite (it reads
+ * as the YEAR 5000), so without it `closeDate<5000` and `amount>2026-04-30`
+ * would silently take the date branch and produce wrong, broad matches. Pure
+ * numbers are numbers; only date-SHAPED strings (with `-`/`/`/`T`, like the
+ * canonical ISO `2026-04-30`) are dates. Mirrors the ISO-date assumption the
+ * past-close-date rule already makes (rules.ts compareDate).
+ */
+function isDateLike(value) {
+    // Require an ISO-ish date separator (`-`/`/`/`T`/`:`) in addition to a finite
+    // Date.parse: excludes plain numbers (`Date.parse("5000")` = year 5000) AND
+    // locale-fragile prose (`Date.parse("July 4")` is finite but is not a date we
+    // want to accept). Canonical dates are ISO (`2026-04-30`), so this never
+    // rejects real data; it only rejects authoring typos.
+    return !isPlainNumber(value) && /[-/T:]/.test(value) && Number.isFinite(Date.parse(value));
+}
+/**
+ * Type-aware comparison for a single (un-lowercased) field value against one
+ * resolved RHS alternative. Date-first, then numeric; any non-coercible side
+ * (including empty/unset, type mismatch) yields null (caller → no match). Never
+ * throws. `today` is already resolved to a date string by the caller.
+ * Returns a<0 / 0 / a>0 in the chosen type's space, or null when not comparable.
+ */
+function compareValues(rawField, rhs) {
+    if (rawField.trim() === "")
+        return null; // empty/unset is "not comparable", never epoch-0
+    // Date comparison when BOTH sides are date-shaped (mirrors compareDate in rules.ts).
+    if (isDateLike(rawField) && isDateLike(rhs)) {
+        return Date.parse(rawField) - Date.parse(rhs);
+    }
+    // Numeric comparison when BOTH sides are plain finite numbers.
+    if (isPlainNumber(rawField) && isPlainNumber(rhs)) {
+        return Number(rawField) - Number(rhs);
+    }
+    return null; // type mismatch / non-parseable → no match (caller returns false)
+}
+/**
+ * `today` is threaded from the policy/--today date (default: system date), so
+ * plan-time and apply-time re-verification resolve the literal identically.
+ */
+function matches(view, clause, today) {
     const actual = fieldValue(view, clause.field).toLowerCase();
     // `|` alternation: eq/contains match ANY alternative; neq/notcontains
     // must hold against ALL alternatives.
@@ -73,6 +209,35 @@ function matches(view, clause) {
             return actual === "";
         case "notempty":
             return actual !== "";
+        // Comparison ops are type-aware and use the RAW (un-lowercased) field
+        // value, not `actual` — lowercasing an ISO date still parses, but the
+        // helper must read from fieldValue() directly (see §6.3 risk 2). `today`
+        // resolves to the threaded policy date. Alternation is OR for all four
+        // (`some`): each alternative is coerced independently; one that fails
+        // coercion contributes false.
+        case "lt":
+        case "gt":
+        case "lte":
+        case "gte": {
+            const rawField = fieldValue(view, clause.field);
+            const rawAlternatives = (clause.value ?? "").split("|");
+            return rawAlternatives.some((a) => {
+                const rhs = a.trim() === "today" ? today : a;
+                const cmp = compareValues(rawField, rhs);
+                if (cmp === null)
+                    return false;
+                switch (clause.op) {
+                    case "lt":
+                        return cmp < 0;
+                    case "gt":
+                        return cmp > 0;
+                    case "lte":
+                        return cmp <= 0;
+                    case "gte":
+                        return cmp >= 0;
+                }
+            });
+        }
     }
 }
 const COLLECTIONS = {
@@ -169,17 +334,22 @@ export function parseGuard(raw) {
     assertValidFields(objectType, where.map(parseWhere), "--guard");
     return { objectType: objectType, where, expect: expect, description: raw };
 }
-/** Ids of records matching a filter — used for apply-time filter re-verification. */
-export function eligibleIds(snapshot, objectType, where) {
+/**
+ * Ids of records matching a filter — used for apply-time filter
+ * re-verification. `today` resolves the comparison `today` literal; apply-time
+ * callers pass the value the plan was built with (stored on plan.filter.today)
+ * so re-verification uses the SAME today, defaulting to the system date.
+ */
+export function eligibleIds(snapshot, objectType, where, today = systemToday()) {
     const clauses = where.map(parseWhere);
     const views = buildViews(snapshot, objectType);
-    return new Set(views.filter(({ view }) => clauses.every((c) => matches(view, c))).map(({ record }) => String(record.id)));
+    return new Set(views.filter(({ view }) => clauses.every((c) => matches(view, c, today))).map(({ record }) => String(record.id)));
 }
 /** Evaluate a plan guard against a snapshot. Returns null when satisfied, else a failure detail. */
-export function evaluateGuard(snapshot, guard) {
+export function evaluateGuard(snapshot, guard, today = systemToday()) {
     const clauses = guard.where.map(parseWhere);
     const views = buildViews(snapshot, guard.objectType);
-    const matchCount = views.filter(({ view }) => clauses.every((c) => matches(view, c))).length;
+    const matchCount = views.filter(({ view }) => clauses.every((c) => matches(view, c, today))).length;
     const ok = guard.expect === "none" ? matchCount === 0 : matchCount > 0;
     if (ok)
         return null;
@@ -187,6 +357,10 @@ export function evaluateGuard(snapshot, guard) {
 }
 export function buildBulkUpdatePlan(snapshot, options) {
     const maxOperations = options.maxOperations ?? 500;
+    // Resolve `today` once: the comparison `today` literal in both --where and
+    // --guard binds to this value at plan time, and it is stored on plan.filter
+    // so apply-time re-verification (eligibleIds) resolves it identically.
+    const today = options.today ?? systemToday();
     if (options.where.length === 0) {
         throw new Error("bulk-update requires at least one --where filter — refusing to build an unscoped mass write.");
     }
@@ -197,6 +371,10 @@ export function buildBulkUpdatePlan(snapshot, options) {
     }
     const clauses = options.where.map(parseWhere);
     assertValidFields(options.objectType, clauses, "--where");
+    // Whether any comparison clause references the `today` literal — drives
+    // whether the resolved `today` is persisted on plan.filter (see below).
+    const isComparisonOp = (op) => op === "lt" || op === "gt" || op === "lte" || op === "gte";
+    const referencesToday = clauses.some((c) => isComparisonOp(c.op) && (c.value ?? "").split("|").some((a) => a.trim() === "today"));
     const WRITABLE_BLOCKLIST = new Set(["id", "crmId", "contactCount", "openDealCount", "openDealStages"]);
     // `from:<sourceField>` values resolve per record from the filter view —
     // the source is validated with the same strictness as filters (relational
@@ -218,7 +396,7 @@ export function buildBulkUpdatePlan(snapshot, options) {
         }
     }
     const views = buildViews(snapshot, options.objectType);
-    const matched = views.filter(({ view }) => clauses.every((c) => matches(view, c)));
+    const matched = views.filter(({ view }) => clauses.every((c) => matches(view, c, today)));
     if (matched.length > maxOperations) {
         throw new Error(`Filter matched ${matched.length} ${COLLECTIONS[options.objectType]} — above the ${maxOperations}-record safety cap. Narrow the --where filter or raise --max-operations explicitly.`);
     }
@@ -381,10 +559,20 @@ export function buildBulkUpdatePlan(snapshot, options) {
     // guards must hold at plan time too — building a plan whose guard already
     // fails is a footgun, surface it immediately
     for (const guard of guards) {
-        const failure = evaluateGuard(snapshot, guard);
+        const failure = evaluateGuard(snapshot, guard, today);
         if (failure)
             throw new Error(`${failure} The guard already fails against the current snapshot — the plan would never apply.`);
     }
+    // A `today` literal inside a --guard (not just --where) must also pin
+    // plan.filter.today: connector.ts re-evaluates guards at apply time and,
+    // without the persisted date, would resolve `today` to the apply-day system
+    // date — silently drifting a fail-closed guard. Persist `today` if EITHER a
+    // --where or a --guard clause references the literal.
+    const guardReferencesToday = guards.some((g) => g.where.some((raw) => {
+        const c = parseWhere(raw);
+        return isComparisonOp(c.op) && (c.value ?? "").split("|").some((a) => a.trim() === "today");
+    }));
+    const persistToday = referencesToday || guardReferencesToday;
     const skippedText = [...skippedBySource.entries()]
         .map(([sourceField, count]) => ` ${count} skipped: empty ${sourceField}.`)
         .join("");
@@ -397,7 +585,18 @@ export function buildBulkUpdatePlan(snapshot, options) {
         summary: `${matched.length} ${COLLECTIONS[options.objectType]} matched (${whereText}); ${operations.length} proposed dry-run operations (${action}).${skippedText}${guards.length > 0 ? ` ${guards.length} apply-time guard(s).` : ""}`,
         findings: [],
         operations,
-        filter: { objectType: options.objectType, where: options.where },
+        // Persist the resolved `today` ONLY when a filter clause actually
+        // references the `today` literal, so apply-time re-verification (eligibleIds
+        // in connector.ts) resolves it to the same date the plan was built with —
+        // the apply command carries no --today of its own. Plans without `today`
+        // (the vast majority — equality filters, reassign, etc.) keep the original
+        // `{ objectType, where }` shape unchanged; eligibleIds defaults to the
+        // system date for them, which never affects a non-`today` filter.
+        filter: {
+            objectType: options.objectType,
+            where: options.where,
+            ...(persistToday ? { today } : {}),
+        },
         ...(guards.length > 0 ? { guards } : {}),
     };
 }

package/dist/cli.d.ts

@@ -1,4 +1,11 @@
 import { type LlmProvider } from "./llm.ts";
+/**
+ * The broker channel carries a long-lived pairing bearer and receives freshly
+ * minted live-CRM tokens, so it must be TLS unless it's an explicit localhost
+ * dev target. Refuse http:// (and non-http schemes) otherwise — single-quote
+ * shell escaping does nothing for a token sent in cleartext.
+ */
+export declare function assertSecureBrokerUrl(raw: string): URL;
 type ProviderDoctorStatus = {
     source: "env" | "stored" | "broker" | "none";
     detail: string;

package/dist/cli.js

@@ -2029,6 +2029,9 @@ async function bulkUpdateCommand(args) {
         guard: repeatedOption(rest, "--guard"),
         reason: option(rest, "--reason") ?? undefined,
         maxOperations: numericOption(rest, "--max-operations"),
+        // --today resolves the comparison `today` literal (e.g. closeDate<today);
+        // defaults to the system date inside buildBulkUpdatePlan when omitted.
+        today: option(rest, "--today") ?? undefined,
     });
     await emitPlan(plan, rest);
 }
@@ -2618,7 +2621,30 @@ function rejectArgvSecret(args, ...flags) {
         }
     }
 }
+/**
+ * The broker channel carries a long-lived pairing bearer and receives freshly
+ * minted live-CRM tokens, so it must be TLS unless it's an explicit localhost
+ * dev target. Refuse http:// (and non-http schemes) otherwise — single-quote
+ * shell escaping does nothing for a token sent in cleartext.
+ */
+export function assertSecureBrokerUrl(raw) {
+    let url;
+    try {
+        url = new URL(raw);
+    }
+    catch {
+        throw new Error(`--via must be a full URL (e.g. https://gtm.yourco.com), got "${raw}".`);
+    }
+    const isLocalhost = url.hostname === "localhost" || url.hostname === "127.0.0.1" || url.hostname === "::1" || url.hostname === "[::1]";
+    if (url.protocol === "https:")
+        return url;
+    if (url.protocol === "http:" && isLocalhost)
+        return url; // local dev only
+    throw new Error(`Refusing to pair over ${url.protocol}//${url.host}: the broker exchanges a long-lived token and mints live CRM ` +
+        "credentials, so it must use https (http is allowed only for localhost dev).");
+}
 async function brokerLogin(baseUrl) {
+    const viaUrl = assertSecureBrokerUrl(baseUrl);
     const base = baseUrl.replace(/\/$/, "");
     const os = await import("node:os");
     // Self-reported, shown to the approver so they can recognize this request
@@ -2640,8 +2666,22 @@ async function brokerLogin(baseUrl) {
         throw new Error(`Could not start pairing with ${base} (${startResponse.status}). Is this a FullStackGTM deployment?`);
     }
     const start = await startResponse.json();
+    // Only auto-open a verification URL that belongs to the --via origin the user
+    // typed — a malicious/typo'd deployment cannot redirect the browser elsewhere.
+    let sameOrigin = false;
+    try {
+        sameOrigin = new URL(start.verificationUrl).origin === viaUrl.origin;
+    }
+    catch {
+        sameOrigin = false;
+    }
     console.error(`\nPairing code: ${start.userCode}\n\nApprove this CLI ("${requesterLabel}") in your dashboard:\n\n  ${start.verificationUrl}\n`);
-    void openInBrowser(start.verificationUrl);
+    if (sameOrigin) {
+        void openInBrowser(start.verificationUrl);
+    }
+    else {
+        console.error(`(Not auto-opening: the verification URL is not on ${viaUrl.origin}. Open it manually only if you trust it.)`);
+    }
     const deadline = Date.now() + (start.expiresInSeconds ?? 600) * 1000;
     const intervalMs = Math.max(0, (start.intervalSeconds ?? 3) * 1000);
     while (Date.now() < deadline) {

package/dist/connector.js

@@ -117,7 +117,11 @@ export async function applyPatchPlan(connector, plan, options) {
         const { evaluateGuard, eligibleIds } = await import("./bulkUpdate.js");
         const liveSnapshot = await connector.fetchSnapshot();
         if (plan.filter) {
-            const stillEligible = eligibleIds(liveSnapshot, plan.filter.objectType, plan.filter.where);
+            // Resolve the comparison `today` literal to the date the plan was built
+            // with (stored on plan.filter), so apply-time re-verification of a
+            // `closeDate<today`-style filter agrees with plan time. eligibleIds
+            // defaults to the system date when the plan predates comparison ops.
+            const stillEligible = eligibleIds(liveSnapshot, plan.filter.objectType, plan.filter.where, plan.filter.today);
             staleIds.clear();
             for (const operation of plan.operations) {
                 if (!stillEligible.has(operation.objectId))
@@ -135,7 +139,7 @@ export async function applyPatchPlan(connector, plan, options) {
             }
         }
         for (const guard of plan.guards ?? []) {
-            const failure = evaluateGuard(liveSnapshot, guard);
+            const failure = evaluateGuard(liveSnapshot, guard, plan.filter?.today);
             if (failure) {
                 guardFailure = failure;
                 return;