fullstackgtm 0.34.0 → 0.37.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
package/dist/cli.js CHANGED
@@ -12,6 +12,7 @@ import { pollSalesforceDeviceLogin, startSalesforceDeviceLogin, validateSalesfor
12
12
  import { activeProfile, credentialsPath, DEFAULT_PROFILE, deleteCredential, getCredential, listProfiles, resolveHubspotConnection, resolveSalesforceConnection, setActiveProfile, storeCredential, } from "./credentials.js";
13
13
  import { generateDemoSnapshot } from "./demo.js";
14
14
  import { formatPatchPlanRun, patchPlanToMarkdown } from "./format.js";
15
+ import { appendHealthEntry, computeHealth, healthToMarkdown, readHealthTimeline, saveWorkspaceSnapshot, summarizeHealth, activeWorkspaceProfile, } from "./health.js";
15
16
  import { mergeSnapshots } from "./merge.js";
16
17
  import { verifyApprovalDigests } from "./integrity.js";
17
18
  import { buildAuditLog, verifyAuditLog } from "./auditLog.js";
@@ -29,7 +30,11 @@ import { suggestMarketConfig } from "./marketTaxonomy.js";
29
30
  import { buildWorksheet, classifyMarket } from "./marketClassify.js";
30
31
  import { marketMapToHtml, marketMapToMarkdown } from "./marketReport.js";
31
32
  import { DEFAULT_RUBRIC, classifyCallLlm, detectProviderFromKey, extractInsightsLlm, parseRubric, resolveLlmCredential, scoreCallLlm, validateLlmKey, } from "./llm.js";
32
- import { buildEnrichPlan, createFileEnrichRunStore, DEFAULT_STALE_DAYS, ENRICH_CONFIG_FILE_NAME, enrichRunId, inferIngestObjectType, latestStamps, loadEnrichConfig, parseCsv, resolveCrmField, selectStaleWork, stagedSourceRecords, staleDaysFor, } from "./enrich.js";
33
+ import { buildAcquirePlan, buildEnrichPlan, createFileEnrichRunStore, DEFAULT_STALE_DAYS, ENRICH_CONFIG_FILE_NAME, builtinAcquirePreset, builtinEnrichPreset, enrichRunId, inferIngestObjectType, latestStamps, loadEnrichConfig, parseCsv, resolveCrmField, selectStaleWork, stagedSourceRecords, staleDaysFor, } from "./enrich.js";
34
+ import { loadMeter, recordConsumption, remaining, } from "./acquireMeter.js";
35
+ import { crmContactKeys, fetchExploriumProspects, fetchPipe0CrustdataProspects, partitionFreshProspects, pipe0ResolveWorkEmails, prospectIdentityKeys, } from "./connectors/prospectSources.js";
36
+ import { loadSeen, recordSeen } from "./acquireSeen.js";
37
+ import { fitThreshold, icpFromAnswers, icpToCrustdataFilters, icpToExploriumFilters, parseIcp, scoreProspectAgainstIcp, INTERVIEW_SPEC, } from "./icp.js";
33
38
  import { apolloPullKeysForAppend, apolloPullKeysForRefresh, createApolloClient, pullApolloRecords, } from "./enrichApollo.js";
34
39
  import { computeMissedFirings, createFileScheduleRunStore, createFileScheduleStore, nextCronFiring, parseCron, renderManagedBlock, replaceManagedBlock, assertSingleLineLabel, hasControlChar, scheduleId, systemCrontabIo, tokenizeCommand, validateSchedulableArgv, } from "./schedule.js";
35
40
  import { resolveRecord } from "./resolve.js";
@@ -49,7 +54,7 @@ Usage:
49
54
  fullstackgtm login salesforce --instance-url <url> [--no-validate]
50
55
  fullstackgtm login stripe [--no-validate]
51
56
  fullstackgtm login anthropic | openai store an LLM API key for call parse/score
52
- fullstackgtm login apollo store an Apollo API key for enrich pulls\n fullstackgtm logout <hubspot|salesforce|stripe|anthropic|openai|apollo|broker>
57
+ fullstackgtm login apollo store an Apollo API key for enrich pulls\n fullstackgtm login pipe0 | explorium store a discovery-provider key for enrich acquire\n fullstackgtm logout <hubspot|salesforce|stripe|anthropic|openai|apollo|pipe0|explorium|broker>
53
58
 
54
59
  Secrets (tokens, client secrets) are NEVER passed as flags — they leak via
55
60
  the process list and shell history. Pipe them on stdin or enter them at the
@@ -232,6 +237,267 @@ Safety:
232
237
  Audits are read-only. Apply writes only operations you explicitly approve,
233
238
  and never writes requires_human_* placeholders without a --value override.`;
234
239
  }
240
+ const HELP = {
241
+ // Setup & health
242
+ login: {
243
+ summary: "connect a provider or LLM key (secrets via stdin/env, never argv)",
244
+ phase: "Setup",
245
+ synopsis: [
246
+ "fullstackgtm login --via <hosted url> pair with a team deployment",
247
+ "fullstackgtm login hubspot | salesforce | stripe",
248
+ "fullstackgtm login anthropic | openai | apollo",
249
+ ],
250
+ detail: "Secrets are NEVER passed as flags (they leak via the process list and shell history) — pipe on stdin or enter at the prompt: `echo \"$TOKEN\" | fullstackgtm login hubspot`.",
251
+ seeAlso: ["doctor", "logout", "profiles"],
252
+ },
253
+ logout: {
254
+ summary: "remove stored credentials for a provider",
255
+ phase: "Setup",
256
+ synopsis: ["fullstackgtm logout <hubspot|salesforce|stripe|anthropic|openai|apollo|pipe0|explorium|broker>"],
257
+ seeAlso: ["login", "doctor"],
258
+ },
259
+ doctor: {
260
+ summary: "check install, credentials, and the next step",
261
+ phase: "Setup",
262
+ synopsis: ["fullstackgtm doctor [--json]"],
263
+ detail: "Verifies Node version, the credential store, MCP peers, and prints what to run next.",
264
+ seeAlso: ["login", "audit"],
265
+ },
266
+ profiles: {
267
+ summary: "list credential profiles (one per client org)",
268
+ phase: "Setup",
269
+ synopsis: ["fullstackgtm profiles [--json]"],
270
+ detail: "`--profile <name>` (or FULLSTACKGTM_PROFILE) scopes credentials AND stored plans per org, so a plan proposed against one CRM can't be applied through another's credentials.",
271
+ seeAlso: ["login", "plans", "health"],
272
+ },
273
+ health: {
274
+ summary: "CRM health score + trend for the active profile (read-only)",
275
+ phase: "Detect",
276
+ synopsis: ["fullstackgtm health [--json]"],
277
+ detail: "The engagement-workspace rollup. Each `audit --save` stamps a deterministic 0–100 hygiene score (100 / (1 + severity-weighted findings per record)) onto the profile's timeline; `health` reports the current score, the change since the last audit, and per-rule deltas — turning episodic audits into a continuous record. Scope per client with `--profile <name>`.",
278
+ seeAlso: ["audit", "profiles", "report"],
279
+ },
280
+ // Detect — read-only
281
+ snapshot: {
282
+ summary: "pull a canonical GTM snapshot (read-only)",
283
+ phase: "Detect",
284
+ synopsis: ["fullstackgtm snapshot [source options] [--since <iso>] [--out <path> | --archive <dir>]"],
285
+ detail: "Materializes the provider's records as canonical JSON — the input every audit and write verb reads.",
286
+ options: [
287
+ ["--provider <name>", "hubspot | salesforce | stripe (read-only)"],
288
+ ["--demo", "realistic generated CRM with injected hygiene issues"],
289
+ ["--out <path>", "write the snapshot JSON to a file"],
290
+ ],
291
+ seeAlso: ["audit", "diff"],
292
+ },
293
+ audit: {
294
+ summary: "read-only hygiene audit → reviewable dry-run patch plan",
295
+ phase: "Detect",
296
+ synopsis: ["fullstackgtm audit [source options] [audit options] [--save]"],
297
+ detail: "The Detect layer of the loop. Runs deterministic rules over a snapshot and proposes a typed patch plan — nothing is written. Prints a summary (rule table + counts) by default; `--full` shows every operation. `--save` persists the plan for the suggest → approve → apply spine. For a client-ready writeup use `report`; for machine output add `--json`.",
298
+ options: [
299
+ ["--provider <name>", "live snapshot: hubspot | salesforce | stripe"],
300
+ ["--demo", "try it with zero credentials on a messy generated CRM"],
301
+ ["--full", "show every operation, not just the rule summary"],
302
+ ["--rules <ids>", "comma-separated rule ids (default: all; see `rules`)"],
303
+ ["--fail-on <sev>", "exit 2 if any finding ≥ info|warning|critical"],
304
+ ["--save", "persist the dry-run plan for approve → apply"],
305
+ ["--json / --out <p>", "machine-readable plan to stdout / file"],
306
+ ],
307
+ seeAlso: ["report", "suggest", "plans", "apply", "diff"],
308
+ },
309
+ report: {
310
+ summary: "render an audit as a client-ready deliverable (md/html)",
311
+ phase: "Detect",
312
+ synopsis: ["fullstackgtm report [source options] [audit options] [report options]"],
313
+ detail: "The human-readable counterpart to `audit` — a clean summary instead of the full per-operation dump.",
314
+ options: [
315
+ ["--plan <path>", "render an existing plan JSON instead of re-auditing"],
316
+ ["--client <name>", "organization name in the heading/summary"],
317
+ ["--format <fmt>", "markdown (default) or self-contained html"],
318
+ ["--out <path>", "write to a file (html inferred from .html)"],
319
+ ],
320
+ seeAlso: ["audit"],
321
+ },
322
+ diff: {
323
+ summary: "compare two snapshots/plans; gate on new findings",
324
+ phase: "Detect",
325
+ synopsis: ["fullstackgtm diff --before <a.json> --after <b.json> [--json] [--fail-on-new-findings]"],
326
+ detail: "The regression primitive. Exit 2 when a (rule, record) pair fires that didn't before — wire it into CI to catch CRM rot.",
327
+ seeAlso: ["audit", "snapshot", "merge"],
328
+ },
329
+ rules: {
330
+ summary: "list the audit rule registry",
331
+ phase: "Detect",
332
+ synopsis: ["fullstackgtm rules [--json]"],
333
+ seeAlso: ["audit"],
334
+ },
335
+ // Prevent — gate writes before they happen
336
+ resolve: {
337
+ summary: "the create gate: exit 0 = safe to create, 2 = match exists",
338
+ phase: "Prevent",
339
+ synopsis: ["fullstackgtm resolve <account|contact|deal> [--name N] [--domain D] [--email E] [source options] [--json]"],
340
+ detail: "Prevention, not cleanup. Call before ANY record creation — a sync job, webhook, agent, or script. Returns exists/ambiguous/safe_to_create with matches and reasons; exit 2 = do not create.",
341
+ seeAlso: ["dedupe", "audit"],
342
+ },
343
+ // Remediate — governed writes (all produce plans; nothing writes outside approve → apply)
344
+ fix: {
345
+ summary: "one-shot composite: audit one rule → suggest → approve → apply",
346
+ phase: "Remediate",
347
+ synopsis: ["fullstackgtm fix --rule <ruleId> --provider <name> [--min-confidence high|low] [--include-creates] [--yes]"],
348
+ detail: "The whole governed loop for a single rule in one command. Without `--yes` it stops after approval and prints the apply command; with `--yes` it applies suggestion-backed operations meeting the confidence bar and prints a stage-by-stage summary.",
349
+ seeAlso: ["audit", "suggest", "plans", "apply"],
350
+ },
351
+ dedupe: {
352
+ summary: "merge duplicate groups by identity key (irreversible on apply)",
353
+ phase: "Remediate",
354
+ synopsis: ["fullstackgtm dedupe <account|contact|deal> --key <domain|email|name> [--keep richest|oldest] [--save] [--json]"],
355
+ detail: "Builds a dry-run plan of one merge_records op per duplicate group with a deterministic survivor (richest = most populated fields; oldest = lowest id). Approve and apply like any plan; merges are IRREVERSIBLE on apply.",
356
+ seeAlso: ["resolve", "plans", "apply"],
357
+ },
358
+ reassign: {
359
+ summary: "ownership handoff: one plan per object type",
360
+ phase: "Remediate",
361
+ synopsis: ["fullstackgtm reassign --from <ownerId> --to <ownerId> [--objects account,contact,deal] [--where <expr> …] [--save] [--json]"],
362
+ detail: "Extra `--where` scoping is account-lifted for deals/contacts. `--except-deal-stage <stage>` excludes that stage and any record whose account has an open deal in it, re-verified per record at apply.",
363
+ seeAlso: ["bulk-update", "plans", "apply"],
364
+ },
365
+ enrich: {
366
+ summary: "governed third-party enrichment (Apollo/Clay), fill-blanks-only",
367
+ phase: "Remediate",
368
+ synopsis: ["fullstackgtm enrich append|refresh|ingest|status … (run `enrich --help` for full options)"],
369
+ detail: "Pull (Apollo) or stage (Clay) data, match it to CRM records deterministically, and emit a fill-blanks-only patch plan through the normal dry-run → approve → apply gate. `refresh` re-checks stale stamped fields.",
370
+ seeAlso: ["plans", "apply", "schedule"],
371
+ },
372
+ // Calls → evidence
373
+ call: {
374
+ summary: "transcripts → evidence, rubric scores, deal links, governed writes",
375
+ phase: "Remediate",
376
+ synopsis: ["fullstackgtm call parse|classify|score|link|plan … (run `call --help` for full options)"],
377
+ detail: "`parse` normalizes any transcript into canonical segments + evidence (LLM by default, bring your own key; `--deterministic` for the free baseline). `classify` picks the call type, `score` rates it against the type's rubric, `link` finds the deal, `plan` proposes governed next-step writes.",
378
+ seeAlso: ["plans", "apply"],
379
+ },
380
+ // Govern — the plan/apply spine
381
+ suggest: {
382
+ summary: "derive values for requires_human_* placeholders (evidence-backed)",
383
+ phase: "Govern",
384
+ synopsis: ["fullstackgtm suggest --plan-id <id> | --plan <path> [source options] [--json] [--out <path>]"],
385
+ detail: "Read-only. Proposes concrete values with confidence + reasons from snapshot evidence; feed the output to `plans approve --values-from`. Never guesses — low/create/none-confidence entries are left to the human.",
386
+ seeAlso: ["audit", "plans", "apply"],
387
+ },
388
+ plans: {
389
+ summary: "plan lifecycle: list / show / approve / reject saved plans",
390
+ phase: "Govern",
391
+ synopsis: [
392
+ "fullstackgtm plans list [--status <s>] | show <id> | reject <id>",
393
+ "fullstackgtm plans approve <id> --operations <ids|all> [--value <opId>=<v>]",
394
+ "fullstackgtm plans approve <id> --values-from <suggestions.json> [--min-confidence high|low]",
395
+ ],
396
+ detail: "Approval is explicit and per-operation; placeholders need a concrete --value or a suggestion to be approvable.",
397
+ seeAlso: ["audit", "suggest", "apply"],
398
+ },
399
+ apply: {
400
+ summary: "write ONLY explicitly approved operations to a provider",
401
+ phase: "Govern / Verify",
402
+ synopsis: [
403
+ "fullstackgtm apply --plan-id <id> --provider <name>",
404
+ "fullstackgtm apply --plan <path> --provider <name> --approve <ids|all> [--value <opId>=<v>]",
405
+ ],
406
+ detail: "The only verb that mutates a CRM. Writes only operations approved via `plans approve` or `--approve`, with compare-and-set and readback. Never writes requires_human_* placeholders without a --value override.",
407
+ seeAlso: ["plans", "suggest", "audit-log"],
408
+ },
409
+ "audit-log": {
410
+ summary: "tamper-evident record of apply runs (export / verify)",
411
+ phase: "Verify",
412
+ synopsis: ["fullstackgtm audit-log export [--out <path>] | verify --in <path>"],
413
+ detail: "The Verify/Attribute layer — a signed, append-only record of every applied write.",
414
+ seeAlso: ["apply"],
415
+ },
416
+ merge: {
417
+ summary: "merge multiple plan/snapshot JSONs into one",
418
+ phase: "Govern",
419
+ synopsis: ["fullstackgtm merge --input <a.json> --input <b.json> [...] --out <merged.json> [--json]"],
420
+ seeAlso: ["diff", "audit"],
421
+ },
422
+ // Continuous
423
+ schedule: {
424
+ summary: "declare a cadence for read/plan-side commands (never auto-approves)",
425
+ phase: "Continuous",
426
+ synopsis: ["fullstackgtm schedule add|list|remove|enable|disable|run|install|status … (run `schedule --help` for full options)"],
427
+ detail: "Makes the loop continuous instead of episodic. Read/plan-side allowlist only (audit, snapshot, enrich, market, suggest, report, doctor). Scheduling NEVER auto-approves: apply is schedulable only as `apply --plan-id <id>`, re-checked approved at run time.",
428
+ seeAlso: ["audit", "enrich", "apply"],
429
+ },
430
+ // Market intelligence
431
+ market: {
432
+ summary: "live competitive category map (capture → classify → drift → report)",
433
+ phase: "Intelligence",
434
+ synopsis: ["fullstackgtm market init|capture|classify|worksheet|observe|fronts|axes|overlay|scale|report|refresh … (run `market --help` for full options)"],
435
+ detail: "Capture vendor pages (content-addressed), classify intensity per claim (LLM bring-your-own-key, or fill the worksheet with any agent), then compute deterministic front states and drift. Every quoted span is verified verbatim against the stored capture before it's accepted.",
436
+ seeAlso: [],
437
+ },
438
+ };
439
+ // Verbs that print their own richer multi-subcommand help; runCli routes their
440
+ // `--help` to themselves, so commandHelp() only renders these via `help <verb>`.
441
+ const BESPOKE_HELP = ["call", "market", "enrich", "bulk-update", "schedule"];
442
+ // Lifecycle-grouped front door. One line per verb, organized by the
443
+ // Prevent→Detect→Remediate→Verify loop so a new user sees ~6 jobs, not 22 verbs.
444
+ function shortUsage() {
445
+ const groups = [
446
+ ["Setup & health", ["login", "logout", "doctor", "profiles", "health"]],
447
+ ["Detect — read-only", ["audit", "report", "snapshot", "diff", "rules"]],
448
+ ["Prevent — gate writes", ["resolve"]],
449
+ ["Remediate — governed writes", ["fix", "bulk-update", "dedupe", "reassign", "enrich"]],
450
+ ["Calls → evidence", ["call"]],
451
+ ["Govern — the plan/apply spine", ["suggest", "plans", "apply", "audit-log", "merge"]],
452
+ ["Market intelligence", ["market"]],
453
+ ["Schedule — make it continuous", ["schedule"]],
454
+ ];
455
+ const pad = Math.max(...Object.keys(HELP).map((k) => k.length)) + 2;
456
+ const lines = [
457
+ "FullStackGTM — plan/apply for your GTM stack.",
458
+ "Audit CRM data, propose reviewable patch plans, apply only what you approve.",
459
+ "",
460
+ "Usage: fullstackgtm <command> [options]",
461
+ "",
462
+ ];
463
+ for (const [title, cmds] of groups) {
464
+ lines.push(`${title}:`);
465
+ for (const cmd of cmds) {
466
+ const entry = HELP[cmd];
467
+ if (!entry)
468
+ continue;
469
+ lines.push(` ${cmd.padEnd(pad)}${entry.summary}`);
470
+ }
471
+ lines.push("");
472
+ }
473
+ lines.push("Zoom in: fullstackgtm <command> --help focused help for one command", "Full ref: fullstackgtm help --full every flag and option", "Try it: fullstackgtm audit --demo zero-credential demo CRM", "", "Safety: audits are read-only; apply writes only operations you approve.");
474
+ return lines.join("\n");
475
+ }
476
+ // Focused help for a single command. Falls back to shortUsage() for anything
477
+ // unknown so `--help` never dead-ends on the full wall.
478
+ function commandHelp(command) {
479
+ const entry = HELP[command];
480
+ if (!entry)
481
+ return shortUsage();
482
+ const lines = [`fullstackgtm ${command} — ${entry.summary}`, "", "Usage:"];
483
+ for (const s of entry.synopsis)
484
+ lines.push(` ${s}`);
485
+ if (entry.detail)
486
+ lines.push("", entry.detail);
487
+ if (entry.options?.length) {
488
+ lines.push("", "Options:");
489
+ const pad = Math.max(...entry.options.map(([f]) => f.length)) + 2;
490
+ for (const [flag, desc] of entry.options)
491
+ lines.push(` ${flag.padEnd(pad)}${desc}`);
492
+ }
493
+ lines.push("", `Lifecycle phase: ${entry.phase}`);
494
+ if (entry.seeAlso?.length)
495
+ lines.push(`See also: ${entry.seeAlso.join(", ")}`);
496
+ if (BESPOKE_HELP.includes(command))
497
+ lines.push("", `Run \`fullstackgtm ${command} --help\` for the full subcommand reference.`);
498
+ lines.push("", "Full reference: fullstackgtm help --full");
499
+ return lines.join("\n");
500
+ }
235
501
  function option(args, name) {
236
502
  const index = args.indexOf(name);
237
503
  if (index === -1)
@@ -322,9 +588,14 @@ async function readSnapshot(args) {
322
588
  today: option(args, "--today") ?? undefined,
323
589
  });
324
590
  }
325
- const input = option(args, "--input");
326
- if (!input || args.includes("--sample"))
591
+ if (args.includes("--sample"))
327
592
  return sampleSnapshot;
593
+ const input = option(args, "--input");
594
+ if (!input) {
595
+ throw new Error("No data source. Pass one of: --provider <hubspot|salesforce|stripe> (live, read-only), " +
596
+ "--input <snapshot.json> (a saved snapshot), --demo (a generated messy CRM), or " +
597
+ "--sample (the tiny built-in fixture). Refusing to silently audit sample data.");
598
+ }
328
599
  const path = resolve(process.cwd(), input);
329
600
  return JSON.parse(readFileSync(path, "utf8"));
330
601
  }
@@ -396,6 +667,49 @@ async function snapshotCommand(args) {
396
667
  console.log(serialized.trimEnd());
397
668
  }
398
669
  }
670
+ // #2 (dx-punch-list): every read verb points forward. `audit` is the keystone —
671
+ // `audit --demo` is the most-run first command and used to dead-end on a blank
672
+ // line. Context-aware guidance mirrors doctor's "Next step" and fix's chaining,
673
+ // stepping the user along Detect → Govern → apply. Printed to stderr so stdout
674
+ // stays clean for pipes/--out; suppressed under --json (machine/agent context).
675
+ function auditNextStep(args, plan) {
676
+ const provider = option(args, "--provider");
677
+ const usingLiveData = Boolean(provider) || Boolean(option(args, "--input"));
678
+ const saved = args.includes("--save");
679
+ const count = plan.findings.length;
680
+ if (count === 0) {
681
+ return [
682
+ "✓ No findings — this snapshot is clean. Nothing to apply.",
683
+ " Keep it clean: gate new records with `fullstackgtm resolve`,",
684
+ " and schedule a recurring check with `fullstackgtm schedule add ...`.",
685
+ ].join("\n");
686
+ }
687
+ const head = `${count} finding${count === 1 ? "" : "s"} — a dry-run plan. Nothing was written.`;
688
+ if (!usingLiveData) {
689
+ return [
690
+ head,
691
+ "Next:",
692
+ " • Client-ready writeup: fullstackgtm report --demo",
693
+ " • Run on your CRM: fullstackgtm login hubspot → fullstackgtm audit --provider hubspot --save",
694
+ ].join("\n");
695
+ }
696
+ if (!saved) {
697
+ return [
698
+ head,
699
+ "Next: persist it with --save, then suggest → approve → apply:",
700
+ ` fullstackgtm audit --provider ${provider ?? "<name>"} --save`,
701
+ ].join("\n");
702
+ }
703
+ // --save already confirmed the plan id above; chain the governed spine.
704
+ const providerFlag = provider ? ` --provider ${provider}` : "";
705
+ return [
706
+ head,
707
+ "Next: derive values, approve the safe ones, apply:",
708
+ ` fullstackgtm suggest --plan-id ${plan.id}${providerFlag} --out suggestions.json`,
709
+ ` fullstackgtm plans approve ${plan.id} --values-from suggestions.json`,
710
+ ` fullstackgtm apply --plan-id ${plan.id}${providerFlag}`,
711
+ ].join("\n");
712
+ }
399
713
  async function audit(args) {
400
714
  const threshold = failOnThreshold(args);
401
715
  const loaded = loadConfig(option(args, "--config") ?? undefined);
@@ -415,19 +729,51 @@ async function audit(args) {
415
729
  }
416
730
  if (args.includes("--save")) {
417
731
  await createFilePlanStore().save(plan);
418
- console.error(`Saved plan ${plan.id}. Review with \`fullstackgtm plans show ${plan.id}\`, approve with \`fullstackgtm plans approve ${plan.id} --operations <ids|all>\`.`);
732
+ // Engagement workspace: stamp the per-profile health timeline + snapshot so
733
+ // the org accrues a continuous record from the verb people already run.
734
+ // Honor --today (audit is deterministic under it); fall back to wall-clock.
735
+ const health = computeHealth(plan, snapshot, today ?? new Date().toISOString());
736
+ appendHealthEntry(health);
737
+ saveWorkspaceSnapshot(plan.id, snapshot);
738
+ console.error(`Saved plan ${plan.id}. Health ${health.score}/100 recorded (\`fullstackgtm health\`). ` +
739
+ `Review with \`fullstackgtm plans show ${plan.id}\`, approve with \`fullstackgtm plans approve ${plan.id} --operations <ids|all>\`.`);
419
740
  }
420
741
  if (args.includes("--json")) {
421
742
  console.log(JSON.stringify(plan, null, 2));
422
743
  }
423
744
  else {
424
- console.log(patchPlanToMarkdown(plan));
745
+ // Default to the summary view (rule table + counts); the full per-operation
746
+ // dump is opt-in via --full or, for a deliverable, `report`. (dx-punch-list #3)
747
+ console.log(patchPlanToMarkdown(plan, { summary: !args.includes("--full") }));
748
+ console.error(`\n${auditNextStep(args, plan)}`);
425
749
  }
426
750
  if (threshold &&
427
751
  plan.findings.some((finding) => SEVERITY_RANK[finding.severity] >= SEVERITY_RANK[threshold])) {
428
752
  process.exitCode = 2;
429
753
  }
430
754
  }
755
+ /**
756
+ * Roll up the active profile's health timeline (accrued by `audit --save`):
757
+ * current deterministic score, change since the last audit, and per-rule
758
+ * deltas. Read-only — it only reads `health.jsonl`, never re-audits.
759
+ */
760
+ function healthCommand(args) {
761
+ const profile = activeWorkspaceProfile();
762
+ const rollup = summarizeHealth(readHealthTimeline(), profile);
763
+ if (!rollup) {
764
+ if (args.includes("--json")) {
765
+ console.log(JSON.stringify({ profile, auditCount: 0 }, null, 2));
766
+ }
767
+ else {
768
+ console.log(`No audits recorded yet for profile "${profile}".\n` +
769
+ "Start the timeline: `fullstackgtm audit --provider <name> --save`" +
770
+ (profile === "default" ? "" : ` --profile ${profile}`) +
771
+ ".");
772
+ }
773
+ return;
774
+ }
775
+ console.log(args.includes("--json") ? JSON.stringify(rollup, null, 2) : healthToMarkdown(rollup));
776
+ }
431
777
  /**
432
778
  * Render an audit as a client-facing deliverable. Same sources and audit
433
779
  * options as `audit`; `--plan` instead renders an existing plan JSON without
@@ -1253,8 +1599,17 @@ enrich append [--source apollo] [--objects companies,contacts] [--save] [--conf
1253
1599
  enrich refresh [--source apollo] [--stale-days <n>] [--save] [--config <path>]
1254
1600
  [source options] [--run-label <label>] [--json]
1255
1601
  enrich ingest <file.csv|payload.json> --source clay [--run-label <label>] [--objects companies|contacts] [--config <path>]
1602
+ enrich acquire [--source <id>] [--max <n>] [--save] [--config <path>] [--json]
1256
1603
  enrich status [--runs] [--source <id>] [--config <path>] [--json]
1257
1604
 
1605
+ acquire creates NET-NEW leads from a staged prospect list (ingest first):
1606
+ it dedupes each sourced row against the CRM, skips matches and ambiguities
1607
+ (resolve-first never creates over a possible duplicate), and proposes a
1608
+ \`create_record\` op per confirmed net-new row — capped by the acquire meter's
1609
+ remaining budget (records + spend, per day and per month; whichever is hit
1610
+ first). Approval-gated like every write: \`--save\` → plans approve → apply.
1611
+ The meter is charged only when a create actually lands at apply.
1612
+
1258
1613
  append pulls from an api source (Apollo — BYO key via \`login apollo\` or
1259
1614
  APOLLO_API_KEY) or reads data staged by \`enrich ingest\` (Clay CSV exports,
1260
1615
  webhook payload JSON), matches source records to CRM records via the ordered
@@ -1278,8 +1633,8 @@ re-touches fields its own ledger proves it stamped. system-only and always
1278
1633
  are phase 2. Recurring execution is the scheduler's job; enrich has no cron.`);
1279
1634
  return;
1280
1635
  }
1281
- if (!["append", "refresh", "ingest", "status"].includes(subcommand)) {
1282
- throw new Error(`Unknown enrich subcommand: ${subcommand} (try: append, refresh, ingest, status)`);
1636
+ if (!["append", "refresh", "ingest", "status", "acquire"].includes(subcommand)) {
1637
+ throw new Error(`Unknown enrich subcommand: ${subcommand} (try: append, refresh, ingest, status, acquire)`);
1283
1638
  }
1284
1639
  const configPath = () => resolve(process.cwd(), option(rest, "--config") ?? ENRICH_CONFIG_FILE_NAME);
1285
1640
  const store = createFileEnrichRunStore();
@@ -1287,12 +1642,137 @@ are phase 2. Recurring execution is the scheduler's job; enrich has no cron.`);
1287
1642
  await enrichStatus(store, rest, configPath());
1288
1643
  return;
1289
1644
  }
1290
- const config = loadEnrichConfig(configPath());
1645
+ // Config resolution: an explicit --config or an on-disk default always wins
1646
+ // (and validates). Only when neither exists do we fall back to a built-in
1647
+ // preset for the source (e.g. `--source clay`), so the common Mode-A loop
1648
+ // needs no hand-authored config. A present-but-invalid config still errors.
1649
+ const explicitConfig = option(rest, "--config");
1650
+ const configFile = configPath();
1651
+ // No config file + no --config → fall back to a built-in preset so the common
1652
+ // paths need zero hand-authored config: `acquire` gets the zero-config acquire
1653
+ // preset (targeted/deduped/metered out the gate); other verbs get the source
1654
+ // preset (e.g. clay ingest). An explicit/on-disk config always wins.
1655
+ const presetFor = (src) => subcommand === "acquire" ? builtinAcquirePreset(src) : builtinEnrichPreset(src);
1656
+ const config = !explicitConfig && !existsSync(configFile)
1657
+ ? (presetFor(option(rest, "--source") ?? undefined) ?? loadEnrichConfig(configFile))
1658
+ : loadEnrichConfig(configFile);
1659
+ // `enrich ingest` stages rows. If the same command also names a CRM source
1660
+ // (--input/--provider), collapse the two-step into one: stage, then run the
1661
+ // append against the just-staged data so `enrich ingest clay.csv --source clay
1662
+ // --input snap.json` returns the hygiene verdict end-to-end. Without a CRM
1663
+ // source it stays stage-only (the existing two-step is preserved).
1291
1664
  if (subcommand === "ingest") {
1292
- await enrichIngest(store, config, rest);
1665
+ const autoAppend = Boolean(option(rest, "--provider") || option(rest, "--input"));
1666
+ await enrichIngest(store, config, rest, autoAppend);
1667
+ if (!autoAppend)
1668
+ return;
1669
+ }
1670
+ if (subcommand === "acquire") {
1671
+ if (!config.acquire) {
1672
+ throw new Error('enrich acquire: config has no "acquire" section. Add e.g. { "acquire": { "create": { "contact": { "matchKey": "email", "properties": { "email": "email", "firstname": "first_name", "lastname": "last_name" } } }, "budget": { "records": { "perDay": 50, "perMonth": 500 } }, "costPerRecord": { "clay": 0.10 } } } to enrich.config.json.');
1673
+ }
1674
+ const source = resolveEnrichSource(config, rest);
1675
+ const sourceConfig = config.sources[source];
1676
+ const save = rest.includes("--save");
1677
+ const today = new Date().toISOString().slice(0, 10);
1678
+ // Prospects come from an API source (net-new discovery, e.g. Explorium +
1679
+ // pipe0 work-email) or a staged ingest list (Clay/CSV/webhook).
1680
+ const snapshot = await readSnapshot(rest);
1681
+ const icp = loadIcp(rest);
1682
+ if (sourceConfig.kind === "api" && !icp) {
1683
+ console.error("⚠ No ICP loaded — discovery will use the raw discovery.filters and skip fit scoring. " +
1684
+ "Develop one with `fullstackgtm icp interview` (or pass --icp <path>) so leads map to your ICP.");
1685
+ }
1686
+ // Recommend the strong dedup key when the CRM carries no LinkedIn URLs:
1687
+ // without them, pre-email dedup falls back to the weaker name+domain match.
1688
+ if (sourceConfig.kind === "api" && !(snapshot.contacts ?? []).some((c) => c.linkedin)) {
1689
+ console.error("⚠ No LinkedIn URLs found on your contacts — pre-email dedup falls back to name+domain (weaker). " +
1690
+ "Populate the HubSpot \"LinkedIn URL\" (hs_linkedin_url) property for exact dedup; " +
1691
+ "acquire writes it on every new contact it creates, so coverage grows automatically.");
1692
+ }
1693
+ const seen = loadSeen();
1694
+ let records;
1695
+ let apiSkippedCrm = 0;
1696
+ let apiSkippedSeen = 0;
1697
+ let apiProcessedKeys = [];
1698
+ if (sourceConfig.kind === "api") {
1699
+ const api = await acquireFromApi(config, source, rest, icp, snapshot, seen);
1700
+ records = api.records;
1701
+ apiSkippedCrm = api.skippedCrm;
1702
+ apiSkippedSeen = api.skippedSeen;
1703
+ apiProcessedKeys = api.processedKeys;
1704
+ }
1705
+ else {
1706
+ const stagedLabel = option(rest, "--staged-run");
1707
+ const stagedRun = stagedLabel
1708
+ ? await store.get(stagedLabel)
1709
+ : await store.latest({ source, mode: "ingest" });
1710
+ if (!stagedRun || stagedRun.mode !== "ingest") {
1711
+ throw new Error(`No staged data for source "${source}". Stage prospects first: fullstackgtm enrich ingest <prospects.csv|payload.json> --source ${source}`);
1712
+ }
1713
+ records = stagedSourceRecords(config, source, stagedRun);
1714
+ }
1715
+ // Meter: how many MORE leads may we create right now? --max is an
1716
+ // additional per-run ceiling, never a way to exceed the budget.
1717
+ const now = new Date();
1718
+ const costPerRecord = config.acquire.costPerRecord?.[source] ?? 0;
1719
+ if (apiSkippedCrm || apiSkippedSeen) {
1720
+ console.error(`Pre-email dedup: skipped ${apiSkippedCrm} already-in-CRM + ${apiSkippedSeen} seen before paying for emails ` +
1721
+ `(≈$${((apiSkippedCrm + apiSkippedSeen) * costPerRecord).toFixed(2)} enrichment saved).`);
1722
+ }
1723
+ const headroom = remaining(loadMeter(now), config.acquire.budget, costPerRecord, now);
1724
+ const explicitMax = numericOption(rest, "--max");
1725
+ let cap = headroom.maxRecords;
1726
+ if (explicitMax !== undefined)
1727
+ cap = cap === null ? explicitMax : Math.min(cap, explicitMax);
1728
+ const result = buildAcquirePlan({
1729
+ config,
1730
+ source,
1731
+ snapshot,
1732
+ records,
1733
+ runLabel: option(rest, "--run-label") ?? `acquire-${source}-${today}`,
1734
+ maxRecords: cap,
1735
+ });
1736
+ const meterLine = formatAcquireMeter(headroom, costPerRecord);
1737
+ if (!save) {
1738
+ if (rest.includes("--json")) {
1739
+ console.log(JSON.stringify({ plan: result.plan, counts: result.counts, estCostUsd: result.estCostUsd, meter: headroom }, null, 2));
1740
+ }
1741
+ else {
1742
+ console.log(patchPlanToMarkdown(result.plan));
1743
+ console.log(meterLine);
1744
+ console.log("\nDry run — nothing written. Re-run with --save to persist the plan, then approve + apply.");
1745
+ }
1746
+ return;
1747
+ }
1748
+ const run = await openEnrichRun(store, source, "append", option(rest, "--run-label"), today);
1749
+ const planIds = [];
1750
+ if (result.plan.operations.length > 0) {
1751
+ await createFilePlanStore().save(result.plan);
1752
+ planIds.push(result.plan.id);
1753
+ }
1754
+ await store.update({
1755
+ ...run,
1756
+ completedAt: new Date().toISOString(),
1757
+ cursor: null,
1758
+ planIds: [...(run.planIds ?? []), ...planIds],
1759
+ });
1760
+ // Remember everyone we email-resolved this run so the next run skips them
1761
+ // pre-email (cross-run credit saver). Committed (--save) runs only.
1762
+ if (apiProcessedKeys.length > 0)
1763
+ recordSeen(apiProcessedKeys, now);
1764
+ console.log(meterLine);
1765
+ if (planIds.length > 0) {
1766
+ console.log(`Saved plan ${result.plan.id} — ${result.counts.created} net-new lead(s), est. $${result.estCostUsd.toFixed(2)}. ` +
1767
+ `Review \`fullstackgtm plans show ${result.plan.id}\`, approve \`fullstackgtm plans approve ${result.plan.id} --operations all\`, ` +
1768
+ `then \`fullstackgtm apply --plan-id ${result.plan.id} --provider hubspot\`. The meter is charged only when a create lands at apply.`);
1769
+ }
1770
+ else {
1771
+ console.log("No net-new leads to create (everything sourced already matched, or was withheld by the meter).");
1772
+ }
1293
1773
  return;
1294
1774
  }
1295
- const mode = subcommand;
1775
+ const mode = subcommand === "refresh" ? "refresh" : "append";
1296
1776
  const source = resolveEnrichSource(config, rest);
1297
1777
  const sourceConfig = config.sources[source];
1298
1778
  const save = rest.includes("--save");
@@ -1423,6 +1903,165 @@ function formatEnrichCounts(counts, ambiguities) {
1423
1903
  `${counts.unmatched} unmatched · ${counts.ambiguous} ambiguous (${ambiguities} collision(s) recorded) · ` +
1424
1904
  `${counts.opsEmitted} operation(s) proposed`);
1425
1905
  }
1906
+ /** Best-effort enrich-config load for apply-time acquire-budget enforcement. */
1907
+ /** Provider API key: env override first, then the credential store (`login`). */
1908
+ function providerKey(provider) {
1909
+ const envName = provider === "explorium" ? "EXPLORIUM_API_KEY" : "PIPE0_API_KEY";
1910
+ if (process.env[envName])
1911
+ return process.env[envName];
1912
+ const stored = getCredential(provider);
1913
+ if (stored)
1914
+ return stored.accessToken;
1915
+ throw new Error(`No ${provider} credentials. Run \`echo "$KEY" | fullstackgtm login ${provider}\`, or set ${envName}.`);
1916
+ }
1917
+ /** Load the active ICP: --icp <path>, else ./icp.json. Undefined if none. */
1918
+ function loadIcp(args) {
1919
+ const explicit = option(args, "--icp");
1920
+ const path = resolve(process.cwd(), explicit ?? "icp.json");
1921
+ if (!existsSync(path)) {
1922
+ if (explicit)
1923
+ throw new Error(`--icp ${explicit}: file not found`);
1924
+ return undefined;
1925
+ }
1926
+ return parseIcp(readFileSync(path, "utf8"));
1927
+ }
1928
+ /**
1929
+ * `icp` — develop and inspect the Ideal Customer Profile that targets acquire.
1930
+ * The CLI can't run AskUserQuestion itself; `icp interview` emits the question
1931
+ * spec an agent (Claude Code / Codex) drives with its AskUserQuestion tool, then
1932
+ * `icp set` writes icp.json from the collected answers.
1933
+ */
1934
+ async function icpCommand(args) {
1935
+ const [sub, ...rest] = args;
1936
+ if (!sub || sub === "--help" || sub === "-h") {
1937
+ console.log(`Usage:
1938
+ fullstackgtm icp interview emit the interview spec (an agent drives it with AskUserQuestion)
1939
+ fullstackgtm icp set <answers.json> [--name <n>] [--out <path>] write icp.json from interview answers
1940
+ fullstackgtm icp show [--icp <path>] render the ICP + the discovery filters it produces
1941
+
1942
+ The ICP makes \`enrich acquire\` targeted, not random: it generates each
1943
+ provider's discovery filters (Explorium, pipe0/Crustdata) AND scores every
1944
+ discovered prospect for fit — only above-threshold leads become create_record
1945
+ ops. Develop one by interview, then \`enrich acquire\` picks up ./icp.json.`);
1946
+ return;
1947
+ }
1948
+ if (sub === "interview") {
1949
+ console.log(JSON.stringify({
1950
+ questions: INTERVIEW_SPEC,
1951
+ instructions: "Ask each question with AskUserQuestion (multiSelect per .multiSelect). For each answer, collect the chosen options' .value arrays and concat them under the question's .id. Then run `fullstackgtm icp set <answers.json>` with that flattened object.",
1952
+ }, null, 2));
1953
+ return;
1954
+ }
1955
+ if (sub === "set") {
1956
+ const file = rest.find((a) => !a.startsWith("--"));
1957
+ if (!file)
1958
+ throw new Error("Usage: fullstackgtm icp set <answers.json> [--name <n>] [--out <path>]");
1959
+ const answers = JSON.parse(readFileSync(resolve(process.cwd(), file), "utf8"));
1960
+ const icp = icpFromAnswers(option(rest, "--name") ?? "ICP", answers);
1961
+ const out = resolve(process.cwd(), option(rest, "--out") ?? "icp.json");
1962
+ writeFileSync(out, `${JSON.stringify(icp, null, 2)}\n`);
1963
+ console.log(`Wrote ${out} — ${icp.persona.titleKeywords?.length ?? 0} title keyword(s), ` +
1964
+ `${icp.firmographics.employeeBands?.length ?? 0} size band(s), fit threshold ${fitThreshold(icp)}.`);
1965
+ return;
1966
+ }
1967
+ if (sub === "show") {
1968
+ const icp = loadIcp(rest);
1969
+ if (!icp)
1970
+ throw new Error("No ICP found (icp.json in cwd, or pass --icp <path>). Build one: fullstackgtm icp interview.");
1971
+ console.log(JSON.stringify({
1972
+ icp,
1973
+ exploriumFilters: icpToExploriumFilters(icp),
1974
+ crustdataFilters: icpToCrustdataFilters(icp),
1975
+ fitThreshold: fitThreshold(icp),
1976
+ }, null, 2));
1977
+ return;
1978
+ }
1979
+ throw new Error(`Unknown icp subcommand: ${sub} (try: interview, set, show)`);
1980
+ }
1981
+ /**
1982
+ * Pull net-new prospects from an API acquire source into source records the
1983
+ * acquire builder dedupes + turns into create_record ops. Explorium discovers;
1984
+ * pipe0 (when resolveEmailsWith=pipe0) fills real work emails. Only rows that
1985
+ * carry the dedupe key (email) survive — you cannot resolve-first without it.
1986
+ */
1987
+ async function acquireFromApi(config, source, rest, icp, snapshot, seen) {
1988
+ const acquire = config.acquire;
1989
+ const disc = acquire.discovery?.[source];
1990
+ if (!disc) {
1991
+ throw new Error(`enrich acquire: api source "${source}" needs an "acquire.discovery.${source}" config (provider + size).`);
1992
+ }
1993
+ const matchKey = acquire.create.contact?.matchKey ?? "email";
1994
+ const maxOverride = numericOption(rest, "--max");
1995
+ const size = maxOverride !== undefined ? Math.min(maxOverride, disc.size ?? 25) : disc.size ?? 25;
1996
+ // 1. Discover. Filters come from the ICP when one is loaded (the whole point —
1997
+ // targeted, not random); otherwise from the hand-written disc.filters.
1998
+ let prospects;
1999
+ if (disc.provider === "explorium") {
2000
+ const filters = icp
2001
+ ? icpToExploriumFilters(icp)
2002
+ : (disc.filters ?? {});
2003
+ prospects = await fetchExploriumProspects({ apiKey: providerKey("explorium"), filters, size });
2004
+ }
2005
+ else if (disc.provider === "pipe0") {
2006
+ const filters = icp ? icpToCrustdataFilters(icp) : (disc.filters ?? {});
2007
+ prospects = await fetchPipe0CrustdataProspects({ apiKey: providerKey("pipe0"), filters, limit: size });
2008
+ }
2009
+ else {
2010
+ throw new Error(`enrich acquire: unknown discovery provider "${disc.provider}" (explorium | pipe0).`);
2011
+ }
2012
+ // 2. ICP fit scoring BEFORE paying for emails — only above-threshold prospects
2013
+ // proceed to (credit-spending) email resolution.
2014
+ if (icp) {
2015
+ const threshold = fitThreshold(icp);
2016
+ prospects = prospects
2017
+ .map((p) => ({ ...p, fitScore: scoreProspectAgainstIcp(p, icp).score }))
2018
+ .filter((p) => (p.fitScore ?? 0) >= threshold);
2019
+ }
2020
+ // 2.5 Pre-email dedup — drop prospects already in the CRM (name+domain match
2021
+ // vs the snapshot) or already processed in a prior run (the seen cache),
2022
+ // BEFORE paying pipe0 for emails. The email-level dedup (buildAcquirePlan)
2023
+ // and apply-time resolve-first remain the precise backstop.
2024
+ const { fresh, skippedCrm, skippedSeen } = partitionFreshProspects(prospects, crmContactKeys(snapshot), seen);
2025
+ prospects = fresh;
2026
+ // 3. Resolve real work emails (both providers need it: Explorium's email is
2027
+ // hashed, Crustdata search returns none). pipe0 waterfall, chunked.
2028
+ if (matchKey === "email") {
2029
+ prospects = await pipe0ResolveWorkEmails({ apiKey: providerKey("pipe0"), prospects });
2030
+ }
2031
+ const processedKeys = prospects.flatMap(prospectIdentityKeys);
2032
+ const records = prospects
2033
+ .map((p) => {
2034
+ const keyValue = p[matchKey];
2035
+ return {
2036
+ id: p.sourceId ?? `${source}:${keyValue ?? p.fullName ?? ""}`,
2037
+ objectType: "contact",
2038
+ keys: { [matchKey]: keyValue },
2039
+ payload: p,
2040
+ };
2041
+ })
2042
+ .filter((record) => Boolean(record.keys[matchKey]));
2043
+ return { records, skippedCrm, skippedSeen, processedKeys };
2044
+ }
2045
+ function tryLoadAcquireConfig(args) {
2046
+ try {
2047
+ const path = resolve(process.cwd(), option(args, "--config") ?? ENRICH_CONFIG_FILE_NAME);
2048
+ if (!existsSync(path))
2049
+ return undefined;
2050
+ return loadEnrichConfig(path);
2051
+ }
2052
+ catch {
2053
+ return undefined;
2054
+ }
2055
+ }
2056
+ function formatAcquireMeter(headroom, costPerRecord) {
2057
+ const n = (v) => (v === null ? "∞" : String(v));
2058
+ const money = (v) => (v === null ? "∞" : `$${v.toFixed(2)}`);
2059
+ const max = headroom.maxRecords === null ? "unlimited" : `${headroom.maxRecords}`;
2060
+ return (`Acquire meter — creatable now: ${max} lead(s). ` +
2061
+ `Records left: ${n(headroom.records.day)}/day, ${n(headroom.records.month)}/month · ` +
2062
+ `Spend left: ${money(headroom.spendUsd.day)}/day, ${money(headroom.spendUsd.month)}/month ` +
2063
+ `(≈$${costPerRecord.toFixed(2)}/lead).`);
2064
+ }
1426
2065
  function resolveEnrichSource(config, rest) {
1427
2066
  const requested = option(rest, "--source");
1428
2067
  const declared = Object.keys(config.sources);
@@ -1496,7 +2135,7 @@ async function openEnrichRun(store, source, mode, requestedLabel, today) {
1496
2135
  stamps: [],
1497
2136
  });
1498
2137
  }
1499
- async function enrichIngest(store, config, rest) {
2138
+ async function enrichIngest(store, config, rest, autoAppend = false) {
1500
2139
  const file = rest.find((arg) => !arg.startsWith("--") && !isOptionValue(rest, arg));
1501
2140
  if (!file)
1502
2141
  throw new Error("Usage: fullstackgtm enrich ingest <file.csv|payload.json> --source <id> [--run-label <label>]");
@@ -1560,8 +2199,10 @@ async function enrichIngest(store, config, rest) {
1560
2199
  staged: rows,
1561
2200
  stagedObjectType: objectType,
1562
2201
  });
1563
- console.log(`Staged ${rows.length} ${objectType} row(s) from ${file} as run ${label}. ` +
1564
- `Next: fullstackgtm enrich append --source ${source} [source options] [--save]`);
2202
+ console.log(autoAppend
2203
+ ? `Staged ${rows.length} ${objectType} row(s) from ${file} as run ${label}; matching against the CRM…`
2204
+ : `Staged ${rows.length} ${objectType} row(s) from ${file} as run ${label}. ` +
2205
+ `Next: fullstackgtm enrich append --source ${source} [source options] [--save]`);
1565
2206
  }
1566
2207
  function parseSingleObjectType(value) {
1567
2208
  const normalized = value.trim().toLowerCase();
@@ -2473,6 +3114,34 @@ async function apply(args) {
2473
3114
  : approve.split(",").map((id) => id.trim()).filter(Boolean);
2474
3115
  valueOverrides = parseValueOverrides(args);
2475
3116
  }
3117
+ // Acquire meter: create_record ops are budgeted. Refuse up-front if the
3118
+ // approved creates would exceed the current budget window (the plan was
3119
+ // capped when `enrich acquire` ran, but the budget may have been spent down
3120
+ // since), then charge the meter for what actually lands.
3121
+ const approvedSet = new Set(approvedOperationIds);
3122
+ const createOps = plan.operations.filter((op) => op.operation === "create_record" && approvedSet.has(op.id));
3123
+ const createSpend = (op) => (op.afterValue?.estCostUsd) ?? 0;
3124
+ if (createOps.length > 0) {
3125
+ const acquireConfig = tryLoadAcquireConfig(args)?.acquire;
3126
+ if (acquireConfig?.budget) {
3127
+ const now = new Date();
3128
+ const head = remaining(loadMeter(now), acquireConfig.budget, 0, now);
3129
+ const approvedSpend = createOps.reduce((sum, op) => sum + createSpend(op), 0);
3130
+ const refusals = [];
3131
+ if (head.records.day !== null && createOps.length > head.records.day)
3132
+ refusals.push(`${createOps.length} creates > ${head.records.day} record(s) left today`);
3133
+ if (head.records.month !== null && createOps.length > head.records.month)
3134
+ refusals.push(`${createOps.length} creates > ${head.records.month} record(s) left this month`);
3135
+ if (head.spendUsd.day !== null && approvedSpend > head.spendUsd.day)
3136
+ refusals.push(`$${approvedSpend.toFixed(2)} > $${head.spendUsd.day.toFixed(2)} spend left today`);
3137
+ if (head.spendUsd.month !== null && approvedSpend > head.spendUsd.month)
3138
+ refusals.push(`$${approvedSpend.toFixed(2)} > $${head.spendUsd.month.toFixed(2)} spend left this month`);
3139
+ if (refusals.length > 0) {
3140
+ throw new Error(`Refusing to apply: acquire budget exceeded (${refusals.join("; ")}). ` +
3141
+ "Re-run `fullstackgtm enrich acquire` to re-cap to the remaining budget, or wait for the window to reset.");
3142
+ }
3143
+ }
3144
+ }
2476
3145
  const connector = await connectorFor(provider, args);
2477
3146
  const run = await applyPatchPlan(connector, plan, {
2478
3147
  approvedOperationIds,
@@ -2481,6 +3150,15 @@ async function apply(args) {
2481
3150
  if (planId && store) {
2482
3151
  await store.recordRun(planId, run);
2483
3152
  }
3153
+ // Charge the acquire meter for the creates that actually landed.
3154
+ if (createOps.length > 0) {
3155
+ const appliedIds = new Set(run.results.filter((result) => result.status === "applied").map((result) => result.operationId));
3156
+ const landed = createOps.filter((op) => appliedIds.has(op.id));
3157
+ if (landed.length > 0) {
3158
+ const spend = landed.reduce((sum, op) => sum + createSpend(op), 0);
3159
+ recordConsumption(new Date(), landed.length, spend);
3160
+ }
3161
+ }
2484
3162
  if (args.includes("--json")) {
2485
3163
  console.log(JSON.stringify(run, null, 2));
2486
3164
  }
@@ -2925,8 +3603,20 @@ async function login(args) {
2925
3603
  console.log(`Stored Apollo API key in ${credentialsPath()}. \`fullstackgtm enrich append|refresh\` use it automatically.`);
2926
3604
  return;
2927
3605
  }
3606
+ if (provider === "pipe0" || provider === "explorium") {
3607
+ rejectArgvSecret(args, "--token", "--key", "--api-key");
3608
+ const key = await readSecret(`${provider} API key`);
3609
+ if (!key)
3610
+ throw new Error(`No ${provider} key provided.`);
3611
+ // No free auth-health endpoint; validating would spend credits, so the key
3612
+ // is stored as-is and validated on the first `enrich acquire` pull.
3613
+ const stamp = new Date().toISOString();
3614
+ storeCredential(provider, { kind: "api_key", accessToken: key, createdAt: stamp, updatedAt: stamp });
3615
+ console.log(`Stored ${provider} API key in ${credentialsPath()}. \`fullstackgtm enrich acquire\` uses it automatically (validated on first pull).`);
3616
+ return;
3617
+ }
2928
3618
  if (provider !== "hubspot") {
2929
- throw new Error("login supports: hubspot, salesforce, stripe, anthropic, openai, apollo, or --via <hosted url>. Usage: fullstackgtm login <provider> | fullstackgtm login --via https://gtm.example.com");
3619
+ throw new Error("login supports: hubspot, salesforce, stripe, anthropic, openai, apollo, pipe0, explorium, or --via <hosted url>. Usage: fullstackgtm login <provider> | fullstackgtm login --via https://gtm.example.com");
2930
3620
  }
2931
3621
  const now = new Date().toISOString();
2932
3622
  if (args.includes("--oauth")) {
@@ -3123,19 +3813,32 @@ function profilesCommand(args) {
3123
3813
  }
3124
3814
  export async function runCli(argv) {
3125
3815
  const [command, ...args] = extractProfile(argv);
3816
+ // Front door: the lifecycle-grouped map by default, the full reference on
3817
+ // --full. `help <command>` zooms into one verb. (docs/dx-punch-list.md #1)
3126
3818
  if (!command || command === "--help" || command === "-h") {
3127
- console.log(usage());
3819
+ console.log(args.includes("--full") ? usage() : shortUsage());
3820
+ return;
3821
+ }
3822
+ if (command === "help") {
3823
+ const [topic, ...rest] = args;
3824
+ if (topic && topic !== "--full" && !topic.startsWith("-")) {
3825
+ console.log(commandHelp(topic));
3826
+ }
3827
+ else {
3828
+ console.log(args.includes("--full") || topic === "--full" ? usage() : shortUsage());
3829
+ }
3128
3830
  return;
3129
3831
  }
3130
3832
  if (command === "--version" || command === "-v" || command === "version") {
3131
3833
  console.log(readPackageInfo().version);
3132
3834
  return;
3133
3835
  }
3134
- // Commands without bespoke help fall back to the top-level usage on --help
3135
- // instead of executing (audit used to silently run the sample audit).
3136
- // call/market/enrich/bulk-update/schedule print their own richer help.
3137
- if (!["call", "market", "enrich", "bulk-update", "schedule"].includes(command) && (args.includes("--help") || args.includes("-h"))) {
3138
- console.log(usage());
3836
+ // Commands without bespoke help get focused per-command help on --help
3837
+ // instead of executing (audit used to silently run the sample audit) or
3838
+ // dumping the whole surface. call/market/enrich/bulk-update/schedule print
3839
+ // their own richer help. `--full` always escapes to the complete reference.
3840
+ if (!BESPOKE_HELP.includes(command) && (args.includes("--help") || args.includes("-h"))) {
3841
+ console.log(args.includes("--full") ? usage() : commandHelp(command));
3139
3842
  return;
3140
3843
  }
3141
3844
  if (command === "login") {
@@ -3166,6 +3869,10 @@ export async function runCli(argv) {
3166
3869
  doctorCommand(args);
3167
3870
  return;
3168
3871
  }
3872
+ if (command === "health") {
3873
+ healthCommand(args);
3874
+ return;
3875
+ }
3169
3876
  if (command === "suggest") {
3170
3877
  await suggest(args);
3171
3878
  return;
@@ -3202,6 +3909,10 @@ export async function runCli(argv) {
3202
3909
  await enrichCommand(args);
3203
3910
  return;
3204
3911
  }
3912
+ if (command === "icp") {
3913
+ await icpCommand(args);
3914
+ return;
3915
+ }
3205
3916
  if (command === "schedule") {
3206
3917
  await scheduleCommand(args);
3207
3918
  return;