fullstackgtm 0.34.0 → 0.38.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (59) hide show
  1. package/CHANGELOG.md +141 -0
  2. package/INSTALL_FOR_AGENTS.md +8 -0
  3. package/README.md +39 -0
  4. package/dist/acquireLinkedIn.d.ts +41 -0
  5. package/dist/acquireLinkedIn.js +57 -0
  6. package/dist/acquireMeter.d.ts +67 -0
  7. package/dist/acquireMeter.js +145 -0
  8. package/dist/acquireSeen.d.ts +5 -0
  9. package/dist/acquireSeen.js +54 -0
  10. package/dist/assign.d.ts +83 -0
  11. package/dist/assign.js +146 -0
  12. package/dist/bin.js +14 -2
  13. package/dist/cli.js +817 -26
  14. package/dist/connectors/hubspot.js +140 -0
  15. package/dist/connectors/linkedin.d.ts +78 -0
  16. package/dist/connectors/linkedin.js +199 -0
  17. package/dist/connectors/prospectSources.d.ts +91 -0
  18. package/dist/connectors/prospectSources.js +227 -0
  19. package/dist/enrich.d.ts +107 -0
  20. package/dist/enrich.js +315 -5
  21. package/dist/format.d.ts +3 -1
  22. package/dist/format.js +14 -2
  23. package/dist/health.d.ts +71 -0
  24. package/dist/health.js +172 -0
  25. package/dist/icp.d.ts +96 -0
  26. package/dist/icp.js +256 -0
  27. package/dist/index.d.ts +2 -0
  28. package/dist/index.js +2 -0
  29. package/dist/mappings.js +3 -0
  30. package/dist/reassign.d.ts +11 -2
  31. package/dist/reassign.js +13 -6
  32. package/dist/runReport.d.ts +9 -0
  33. package/dist/runReport.js +66 -0
  34. package/dist/types.d.ts +25 -1
  35. package/docs/api.md +53 -3
  36. package/docs/architecture.md +11 -1
  37. package/docs/dx-punch-list.md +87 -0
  38. package/docs/linkedin-connector-spec.md +87 -0
  39. package/llms.txt +38 -1
  40. package/package.json +1 -1
  41. package/skills/fullstackgtm/SKILL.md +5 -3
  42. package/src/acquireLinkedIn.ts +83 -0
  43. package/src/acquireMeter.ts +186 -0
  44. package/src/acquireSeen.ts +57 -0
  45. package/src/assign.ts +193 -0
  46. package/src/bin.ts +17 -4
  47. package/src/cli.ts +965 -25
  48. package/src/connectors/hubspot.ts +145 -0
  49. package/src/connectors/linkedin.ts +272 -0
  50. package/src/connectors/prospectSources.ts +324 -0
  51. package/src/enrich.ts +411 -5
  52. package/src/format.ts +20 -2
  53. package/src/health.ts +238 -0
  54. package/src/icp.ts +313 -0
  55. package/src/index.ts +18 -0
  56. package/src/mappings.ts +3 -0
  57. package/src/reassign.ts +24 -8
  58. package/src/runReport.ts +76 -0
  59. package/src/types.ts +32 -0
package/src/cli.ts CHANGED
@@ -33,6 +33,15 @@ import {
33
33
  } from "./credentials.ts";
34
34
  import { generateDemoSnapshot } from "./demo.ts";
35
35
  import { formatPatchPlanRun, patchPlanToMarkdown } from "./format.ts";
36
+ import {
37
+ appendHealthEntry,
38
+ computeHealth,
39
+ healthToMarkdown,
40
+ readHealthTimeline,
41
+ saveWorkspaceSnapshot,
42
+ summarizeHealth,
43
+ activeWorkspaceProfile,
44
+ } from "./health.ts";
36
45
  import { mergeSnapshots } from "./merge.ts";
37
46
  import { verifyApprovalDigests } from "./integrity.ts";
38
47
  import { buildAuditLog, verifyAuditLog } from "./auditLog.ts";
@@ -87,10 +96,13 @@ import {
87
96
  type Rubric,
88
97
  } from "./llm.ts";
89
98
  import {
99
+ buildAcquirePlan,
90
100
  buildEnrichPlan,
91
101
  createFileEnrichRunStore,
92
102
  DEFAULT_STALE_DAYS,
93
103
  ENRICH_CONFIG_FILE_NAME,
104
+ builtinAcquirePreset,
105
+ builtinEnrichPreset,
94
106
  enrichRunId,
95
107
  inferIngestObjectType,
96
108
  latestStamps,
@@ -107,6 +119,34 @@ import {
107
119
  type EnrichRunStore,
108
120
  type EnrichSourceRecord,
109
121
  } from "./enrich.ts";
122
+ import {
123
+ loadMeter,
124
+ recordConsumption,
125
+ remaining,
126
+ type AcquireRemaining,
127
+ } from "./acquireMeter.ts";
128
+ import {
129
+ crmContactKeys,
130
+ fetchExploriumProspects,
131
+ fetchPipe0CrustdataProspects,
132
+ partitionFreshProspects,
133
+ pipe0ResolveWorkEmails,
134
+ prospectIdentityKeys,
135
+ type Prospect,
136
+ } from "./connectors/prospectSources.ts";
137
+ import { loadSeen, recordSeen } from "./acquireSeen.ts";
138
+ import { reportCounts, reportEvent } from "./runReport.ts";
139
+ import { createLinkedInProvider, discoverLinkedInProspects } from "./acquireLinkedIn.ts";
140
+ import {
141
+ fitThreshold,
142
+ icpFromAnswers,
143
+ icpToCrustdataFilters,
144
+ icpToExploriumFilters,
145
+ parseIcp,
146
+ scoreProspectAgainstIcp,
147
+ INTERVIEW_SPEC,
148
+ type Icp,
149
+ } from "./icp.ts";
110
150
  import {
111
151
  apolloPullKeysForAppend,
112
152
  apolloPullKeysForRefresh,
@@ -141,7 +181,9 @@ import type { FieldMappings } from "./mappings.ts";
141
181
  import type {
142
182
  AuditFindingSeverity,
143
183
  CanonicalGtmSnapshot,
184
+ CreateRecordPayload,
144
185
  GtmConnector,
186
+ PatchOperation,
145
187
  PatchPlan,
146
188
  } from "./types.ts";
147
189
 
@@ -157,7 +199,7 @@ Usage:
157
199
  fullstackgtm login salesforce --instance-url <url> [--no-validate]
158
200
  fullstackgtm login stripe [--no-validate]
159
201
  fullstackgtm login anthropic | openai store an LLM API key for call parse/score
160
- fullstackgtm login apollo store an Apollo API key for enrich pulls\n fullstackgtm logout <hubspot|salesforce|stripe|anthropic|openai|apollo|broker>
202
+ fullstackgtm login apollo store an Apollo API key for enrich pulls\n fullstackgtm login pipe0 | explorium store a discovery-provider key for enrich acquire\n fullstackgtm login heyreach store a HeyReach key for enrich acquire --source linkedin\n fullstackgtm logout <hubspot|salesforce|stripe|anthropic|openai|apollo|pipe0|explorium|heyreach|broker>
161
203
 
162
204
  Secrets (tokens, client secrets) are NEVER passed as flags — they leak via
163
205
  the process list and shell history. Pipe them on stdin or enter them at the
@@ -232,9 +274,10 @@ Usage:
232
274
  deterministic survivor (richest = most populated data
233
275
  fields, ties to lowest id; oldest = lowest id). Approve and
234
276
  apply like any plan; merges are IRREVERSIBLE on apply.
235
- fullstackgtm reassign --from <ownerId> --to <ownerId> [--objects account,contact,deal] [--where <expr> …] [--except-deal-stage <stage>] [--include-closed-deals] [source options] [--save] [--json] [--out <path>]
277
+ fullstackgtm reassign (--from <ownerId> | --assign-unowned) --to <ownerId> [--objects account,contact,deal] [--where <expr> …] [--except-deal-stage <stage>] [--include-closed-deals] [source options] [--save] [--json] [--out <path>]
236
278
  ownership handoff playbook: one bulk-update-style plan per
237
- object type (ownerId=<from> → <to>). Extra --where scoping
279
+ object type (ownerId=<from> → <to>). --assign-unowned instead
280
+ claims every ownerless record (ownerId:empty) for --to. Extra --where scoping
238
281
  is account-lifted for deals/contacts (domain~.de becomes
239
282
  account.domain~.de); --except-deal-stage <stage> excludes
240
283
  deals in that stage AND every record whose account has an
@@ -341,6 +384,309 @@ Safety:
341
384
  and never writes requires_human_* placeholders without a --value override.`;
342
385
  }
343
386
 
387
+ // ── Progressive-disclosure help ─────────────────────────────────────────────
388
+ // usage() above is the full reference (`fullstackgtm help --full`). The default
389
+ // front door is shortUsage() — a lifecycle-grouped map, one line per verb — and
390
+ // commandHelp() gives focused per-verb help so `<verb> --help` zooms in instead
391
+ // of dumping the whole 22-verb / 87-flag surface. See docs/dx-punch-list.md
392
+ // (F1/F3). Commands with their own rich help (call/market/enrich/bulk-update/
393
+ // schedule) print it themselves; here they carry a one-line pointer.
394
+
395
+ type HelpEntry = {
396
+ summary: string; // one line, shown in the grouped map
397
+ phase: string; // where the verb sits in Prevent→Detect→Remediate→Verify
398
+ synopsis: string[]; // invocation form(s)
399
+ detail?: string; // a sentence or two on behavior
400
+ options?: Array<[string, string]>; // the flags that matter most
401
+ seeAlso?: string[]; // related verbs to chain
402
+ };
403
+
404
+ const HELP: Record<string, HelpEntry> = {
405
+ // Setup & health
406
+ login: {
407
+ summary: "connect a provider or LLM key (secrets via stdin/env, never argv)",
408
+ phase: "Setup",
409
+ synopsis: [
410
+ "fullstackgtm login --via <hosted url> pair with a team deployment",
411
+ "fullstackgtm login hubspot | salesforce | stripe",
412
+ "fullstackgtm login anthropic | openai | apollo",
413
+ ],
414
+ detail:
415
+ "Secrets are NEVER passed as flags (they leak via the process list and shell history) — pipe on stdin or enter at the prompt: `echo \"$TOKEN\" | fullstackgtm login hubspot`.",
416
+ seeAlso: ["doctor", "logout", "profiles"],
417
+ },
418
+ logout: {
419
+ summary: "remove stored credentials for a provider",
420
+ phase: "Setup",
421
+ synopsis: ["fullstackgtm logout <hubspot|salesforce|stripe|anthropic|openai|apollo|pipe0|explorium|broker>"],
422
+ seeAlso: ["login", "doctor"],
423
+ },
424
+ doctor: {
425
+ summary: "check install, credentials, and the next step",
426
+ phase: "Setup",
427
+ synopsis: ["fullstackgtm doctor [--json]"],
428
+ detail: "Verifies Node version, the credential store, MCP peers, and prints what to run next.",
429
+ seeAlso: ["login", "audit"],
430
+ },
431
+ profiles: {
432
+ summary: "list credential profiles (one per client org)",
433
+ phase: "Setup",
434
+ synopsis: ["fullstackgtm profiles [--json]"],
435
+ detail:
436
+ "`--profile <name>` (or FULLSTACKGTM_PROFILE) scopes credentials AND stored plans per org, so a plan proposed against one CRM can't be applied through another's credentials.",
437
+ seeAlso: ["login", "plans", "health"],
438
+ },
439
+ health: {
440
+ summary: "CRM health score + trend for the active profile (read-only)",
441
+ phase: "Detect",
442
+ synopsis: ["fullstackgtm health [--json]"],
443
+ detail:
444
+ "The engagement-workspace rollup. Each `audit --save` stamps a deterministic 0–100 hygiene score (100 / (1 + severity-weighted findings per record)) onto the profile's timeline; `health` reports the current score, the change since the last audit, and per-rule deltas — turning episodic audits into a continuous record. Scope per client with `--profile <name>`.",
445
+ seeAlso: ["audit", "profiles", "report"],
446
+ },
447
+
448
+ // Detect — read-only
449
+ snapshot: {
450
+ summary: "pull a canonical GTM snapshot (read-only)",
451
+ phase: "Detect",
452
+ synopsis: ["fullstackgtm snapshot [source options] [--since <iso>] [--out <path> | --archive <dir>]"],
453
+ detail: "Materializes the provider's records as canonical JSON — the input every audit and write verb reads.",
454
+ options: [
455
+ ["--provider <name>", "hubspot | salesforce | stripe (read-only)"],
456
+ ["--demo", "realistic generated CRM with injected hygiene issues"],
457
+ ["--out <path>", "write the snapshot JSON to a file"],
458
+ ],
459
+ seeAlso: ["audit", "diff"],
460
+ },
461
+ audit: {
462
+ summary: "read-only hygiene audit → reviewable dry-run patch plan",
463
+ phase: "Detect",
464
+ synopsis: ["fullstackgtm audit [source options] [audit options] [--save]"],
465
+ detail:
466
+ "The Detect layer of the loop. Runs deterministic rules over a snapshot and proposes a typed patch plan — nothing is written. Prints a summary (rule table + counts) by default; `--full` shows every operation. `--save` persists the plan for the suggest → approve → apply spine. For a client-ready writeup use `report`; for machine output add `--json`.",
467
+ options: [
468
+ ["--provider <name>", "live snapshot: hubspot | salesforce | stripe"],
469
+ ["--demo", "try it with zero credentials on a messy generated CRM"],
470
+ ["--full", "show every operation, not just the rule summary"],
471
+ ["--rules <ids>", "comma-separated rule ids (default: all; see `rules`)"],
472
+ ["--fail-on <sev>", "exit 2 if any finding ≥ info|warning|critical"],
473
+ ["--save", "persist the dry-run plan for approve → apply"],
474
+ ["--json / --out <p>", "machine-readable plan to stdout / file"],
475
+ ],
476
+ seeAlso: ["report", "suggest", "plans", "apply", "diff"],
477
+ },
478
+ report: {
479
+ summary: "render an audit as a client-ready deliverable (md/html)",
480
+ phase: "Detect",
481
+ synopsis: ["fullstackgtm report [source options] [audit options] [report options]"],
482
+ detail: "The human-readable counterpart to `audit` — a clean summary instead of the full per-operation dump.",
483
+ options: [
484
+ ["--plan <path>", "render an existing plan JSON instead of re-auditing"],
485
+ ["--client <name>", "organization name in the heading/summary"],
486
+ ["--format <fmt>", "markdown (default) or self-contained html"],
487
+ ["--out <path>", "write to a file (html inferred from .html)"],
488
+ ],
489
+ seeAlso: ["audit"],
490
+ },
491
+ diff: {
492
+ summary: "compare two snapshots/plans; gate on new findings",
493
+ phase: "Detect",
494
+ synopsis: ["fullstackgtm diff --before <a.json> --after <b.json> [--json] [--fail-on-new-findings]"],
495
+ detail:
496
+ "The regression primitive. Exit 2 when a (rule, record) pair fires that didn't before — wire it into CI to catch CRM rot.",
497
+ seeAlso: ["audit", "snapshot", "merge"],
498
+ },
499
+ rules: {
500
+ summary: "list the audit rule registry",
501
+ phase: "Detect",
502
+ synopsis: ["fullstackgtm rules [--json]"],
503
+ seeAlso: ["audit"],
504
+ },
505
+
506
+ // Prevent — gate writes before they happen
507
+ resolve: {
508
+ summary: "the create gate: exit 0 = safe to create, 2 = match exists",
509
+ phase: "Prevent",
510
+ synopsis: ["fullstackgtm resolve <account|contact|deal> [--name N] [--domain D] [--email E] [source options] [--json]"],
511
+ detail:
512
+ "Prevention, not cleanup. Call before ANY record creation — a sync job, webhook, agent, or script. Returns exists/ambiguous/safe_to_create with matches and reasons; exit 2 = do not create.",
513
+ seeAlso: ["dedupe", "audit"],
514
+ },
515
+
516
+ // Remediate — governed writes (all produce plans; nothing writes outside approve → apply)
517
+ fix: {
518
+ summary: "one-shot composite: audit one rule → suggest → approve → apply",
519
+ phase: "Remediate",
520
+ synopsis: ["fullstackgtm fix --rule <ruleId> --provider <name> [--min-confidence high|low] [--include-creates] [--yes]"],
521
+ detail:
522
+ "The whole governed loop for a single rule in one command. Without `--yes` it stops after approval and prints the apply command; with `--yes` it applies suggestion-backed operations meeting the confidence bar and prints a stage-by-stage summary.",
523
+ seeAlso: ["audit", "suggest", "plans", "apply"],
524
+ },
525
+ dedupe: {
526
+ summary: "merge duplicate groups by identity key (irreversible on apply)",
527
+ phase: "Remediate",
528
+ synopsis: ["fullstackgtm dedupe <account|contact|deal> --key <domain|email|name> [--keep richest|oldest] [--save] [--json]"],
529
+ detail:
530
+ "Builds a dry-run plan of one merge_records op per duplicate group with a deterministic survivor (richest = most populated fields; oldest = lowest id). Approve and apply like any plan; merges are IRREVERSIBLE on apply.",
531
+ seeAlso: ["resolve", "plans", "apply"],
532
+ },
533
+ reassign: {
534
+ summary: "ownership handoff: one plan per object type",
535
+ phase: "Remediate",
536
+ synopsis: ["fullstackgtm reassign (--from <ownerId> | --assign-unowned) --to <ownerId> [--objects account,contact,deal] [--where <expr> …] [--save] [--json]"],
537
+ detail:
538
+ "Extra `--where` scoping is account-lifted for deals/contacts. `--except-deal-stage <stage>` excludes that stage and any record whose account has an open deal in it, re-verified per record at apply.",
539
+ seeAlso: ["bulk-update", "plans", "apply"],
540
+ },
541
+ enrich: {
542
+ summary: "governed third-party enrichment (Apollo/Clay), fill-blanks-only",
543
+ phase: "Remediate",
544
+ synopsis: ["fullstackgtm enrich append|refresh|ingest|status … (run `enrich --help` for full options)"],
545
+ detail:
546
+ "Pull (Apollo) or stage (Clay) data, match it to CRM records deterministically, and emit a fill-blanks-only patch plan through the normal dry-run → approve → apply gate. `refresh` re-checks stale stamped fields.",
547
+ seeAlso: ["plans", "apply", "schedule"],
548
+ },
549
+
550
+ // Calls → evidence
551
+ call: {
552
+ summary: "transcripts → evidence, rubric scores, deal links, governed writes",
553
+ phase: "Remediate",
554
+ synopsis: ["fullstackgtm call parse|classify|score|link|plan … (run `call --help` for full options)"],
555
+ detail:
556
+ "`parse` normalizes any transcript into canonical segments + evidence (LLM by default, bring your own key; `--deterministic` for the free baseline). `classify` picks the call type, `score` rates it against the type's rubric, `link` finds the deal, `plan` proposes governed next-step writes.",
557
+ seeAlso: ["plans", "apply"],
558
+ },
559
+
560
+ // Govern — the plan/apply spine
561
+ suggest: {
562
+ summary: "derive values for requires_human_* placeholders (evidence-backed)",
563
+ phase: "Govern",
564
+ synopsis: ["fullstackgtm suggest --plan-id <id> | --plan <path> [source options] [--json] [--out <path>]"],
565
+ detail:
566
+ "Read-only. Proposes concrete values with confidence + reasons from snapshot evidence; feed the output to `plans approve --values-from`. Never guesses — low/create/none-confidence entries are left to the human.",
567
+ seeAlso: ["audit", "plans", "apply"],
568
+ },
569
+ plans: {
570
+ summary: "plan lifecycle: list / show / approve / reject saved plans",
571
+ phase: "Govern",
572
+ synopsis: [
573
+ "fullstackgtm plans list [--status <s>] | show <id> | reject <id>",
574
+ "fullstackgtm plans approve <id> --operations <ids|all> [--value <opId>=<v>]",
575
+ "fullstackgtm plans approve <id> --values-from <suggestions.json> [--min-confidence high|low]",
576
+ ],
577
+ detail: "Approval is explicit and per-operation; placeholders need a concrete --value or a suggestion to be approvable.",
578
+ seeAlso: ["audit", "suggest", "apply"],
579
+ },
580
+ apply: {
581
+ summary: "write ONLY explicitly approved operations to a provider",
582
+ phase: "Govern / Verify",
583
+ synopsis: [
584
+ "fullstackgtm apply --plan-id <id> --provider <name>",
585
+ "fullstackgtm apply --plan <path> --provider <name> --approve <ids|all> [--value <opId>=<v>]",
586
+ ],
587
+ detail:
588
+ "The only verb that mutates a CRM. Writes only operations approved via `plans approve` or `--approve`, with compare-and-set and readback. Never writes requires_human_* placeholders without a --value override.",
589
+ seeAlso: ["plans", "suggest", "audit-log"],
590
+ },
591
+ "audit-log": {
592
+ summary: "tamper-evident record of apply runs (export / verify)",
593
+ phase: "Verify",
594
+ synopsis: ["fullstackgtm audit-log export [--out <path>] | verify --in <path>"],
595
+ detail: "The Verify/Attribute layer — a signed, append-only record of every applied write.",
596
+ seeAlso: ["apply"],
597
+ },
598
+ merge: {
599
+ summary: "merge multiple plan/snapshot JSONs into one",
600
+ phase: "Govern",
601
+ synopsis: ["fullstackgtm merge --input <a.json> --input <b.json> [...] --out <merged.json> [--json]"],
602
+ seeAlso: ["diff", "audit"],
603
+ },
604
+
605
+ // Continuous
606
+ schedule: {
607
+ summary: "declare a cadence for read/plan-side commands (never auto-approves)",
608
+ phase: "Continuous",
609
+ synopsis: ["fullstackgtm schedule add|list|remove|enable|disable|run|install|status … (run `schedule --help` for full options)"],
610
+ detail:
611
+ "Makes the loop continuous instead of episodic. Read/plan-side allowlist only (audit, snapshot, enrich, market, suggest, report, doctor). Scheduling NEVER auto-approves: apply is schedulable only as `apply --plan-id <id>`, re-checked approved at run time.",
612
+ seeAlso: ["audit", "enrich", "apply"],
613
+ },
614
+
615
+ // Market intelligence
616
+ market: {
617
+ summary: "live competitive category map (capture → classify → drift → report)",
618
+ phase: "Intelligence",
619
+ synopsis: ["fullstackgtm market init|capture|classify|worksheet|observe|fronts|axes|overlay|scale|report|refresh … (run `market --help` for full options)"],
620
+ detail:
621
+ "Capture vendor pages (content-addressed), classify intensity per claim (LLM bring-your-own-key, or fill the worksheet with any agent), then compute deterministic front states and drift. Every quoted span is verified verbatim against the stored capture before it's accepted.",
622
+ seeAlso: [],
623
+ },
624
+ };
625
+
626
+ // Verbs that print their own richer multi-subcommand help; runCli routes their
627
+ // `--help` to themselves, so commandHelp() only renders these via `help <verb>`.
628
+ const BESPOKE_HELP = ["call", "market", "enrich", "bulk-update", "schedule"];
629
+
630
+ // Lifecycle-grouped front door. One line per verb, organized by the
631
+ // Prevent→Detect→Remediate→Verify loop so a new user sees ~6 jobs, not 22 verbs.
632
+ function shortUsage() {
633
+ const groups: Array<[string, string[]]> = [
634
+ ["Setup & health", ["login", "logout", "doctor", "profiles", "health"]],
635
+ ["Detect — read-only", ["audit", "report", "snapshot", "diff", "rules"]],
636
+ ["Prevent — gate writes", ["resolve"]],
637
+ ["Remediate — governed writes", ["fix", "bulk-update", "dedupe", "reassign", "enrich"]],
638
+ ["Calls → evidence", ["call"]],
639
+ ["Govern — the plan/apply spine", ["suggest", "plans", "apply", "audit-log", "merge"]],
640
+ ["Market intelligence", ["market"]],
641
+ ["Schedule — make it continuous", ["schedule"]],
642
+ ];
643
+ const pad = Math.max(...Object.keys(HELP).map((k) => k.length)) + 2;
644
+ const lines = [
645
+ "FullStackGTM — plan/apply for your GTM stack.",
646
+ "Audit CRM data, propose reviewable patch plans, apply only what you approve.",
647
+ "",
648
+ "Usage: fullstackgtm <command> [options]",
649
+ "",
650
+ ];
651
+ for (const [title, cmds] of groups) {
652
+ lines.push(`${title}:`);
653
+ for (const cmd of cmds) {
654
+ const entry = HELP[cmd];
655
+ if (!entry) continue;
656
+ lines.push(` ${cmd.padEnd(pad)}${entry.summary}`);
657
+ }
658
+ lines.push("");
659
+ }
660
+ lines.push(
661
+ "Zoom in: fullstackgtm <command> --help focused help for one command",
662
+ "Full ref: fullstackgtm help --full every flag and option",
663
+ "Try it: fullstackgtm audit --demo zero-credential demo CRM",
664
+ "",
665
+ "Safety: audits are read-only; apply writes only operations you approve.",
666
+ );
667
+ return lines.join("\n");
668
+ }
669
+
670
+ // Focused help for a single command. Falls back to shortUsage() for anything
671
+ // unknown so `--help` never dead-ends on the full wall.
672
+ function commandHelp(command: string) {
673
+ const entry = HELP[command];
674
+ if (!entry) return shortUsage();
675
+ const lines = [`fullstackgtm ${command} — ${entry.summary}`, "", "Usage:"];
676
+ for (const s of entry.synopsis) lines.push(` ${s}`);
677
+ if (entry.detail) lines.push("", entry.detail);
678
+ if (entry.options?.length) {
679
+ lines.push("", "Options:");
680
+ const pad = Math.max(...entry.options.map(([f]) => f.length)) + 2;
681
+ for (const [flag, desc] of entry.options) lines.push(` ${flag.padEnd(pad)}${desc}`);
682
+ }
683
+ lines.push("", `Lifecycle phase: ${entry.phase}`);
684
+ if (entry.seeAlso?.length) lines.push(`See also: ${entry.seeAlso.join(", ")}`);
685
+ if (BESPOKE_HELP.includes(command)) lines.push("", `Run \`fullstackgtm ${command} --help\` for the full subcommand reference.`);
686
+ lines.push("", "Full reference: fullstackgtm help --full");
687
+ return lines.join("\n");
688
+ }
689
+
344
690
  function option(args: string[], name: string) {
345
691
  const index = args.indexOf(name);
346
692
  if (index === -1) return null;
@@ -443,8 +789,15 @@ async function readSnapshot(args: string[]): Promise<CanonicalGtmSnapshot> {
443
789
  today: option(args, "--today") ?? undefined,
444
790
  });
445
791
  }
792
+ if (args.includes("--sample")) return sampleSnapshot;
446
793
  const input = option(args, "--input");
447
- if (!input || args.includes("--sample")) return sampleSnapshot;
794
+ if (!input) {
795
+ throw new Error(
796
+ "No data source. Pass one of: --provider <hubspot|salesforce|stripe> (live, read-only), " +
797
+ "--input <snapshot.json> (a saved snapshot), --demo (a generated messy CRM), or " +
798
+ "--sample (the tiny built-in fixture). Refusing to silently audit sample data.",
799
+ );
800
+ }
448
801
  const path = resolve(process.cwd(), input);
449
802
  return JSON.parse(readFileSync(path, "utf8")) as CanonicalGtmSnapshot;
450
803
  }
@@ -520,6 +873,52 @@ async function snapshotCommand(args: string[]) {
520
873
  }
521
874
  }
522
875
 
876
+ // #2 (dx-punch-list): every read verb points forward. `audit` is the keystone —
877
+ // `audit --demo` is the most-run first command and used to dead-end on a blank
878
+ // line. Context-aware guidance mirrors doctor's "Next step" and fix's chaining,
879
+ // stepping the user along Detect → Govern → apply. Printed to stderr so stdout
880
+ // stays clean for pipes/--out; suppressed under --json (machine/agent context).
881
+ function auditNextStep(args: string[], plan: PatchPlan): string {
882
+ const provider = option(args, "--provider");
883
+ const usingLiveData = Boolean(provider) || Boolean(option(args, "--input"));
884
+ const saved = args.includes("--save");
885
+ const count = plan.findings.length;
886
+
887
+ if (count === 0) {
888
+ return [
889
+ "✓ No findings — this snapshot is clean. Nothing to apply.",
890
+ " Keep it clean: gate new records with `fullstackgtm resolve`,",
891
+ " and schedule a recurring check with `fullstackgtm schedule add ...`.",
892
+ ].join("\n");
893
+ }
894
+
895
+ const head = `${count} finding${count === 1 ? "" : "s"} — a dry-run plan. Nothing was written.`;
896
+ if (!usingLiveData) {
897
+ return [
898
+ head,
899
+ "Next:",
900
+ " • Client-ready writeup: fullstackgtm report --demo",
901
+ " • Run on your CRM: fullstackgtm login hubspot → fullstackgtm audit --provider hubspot --save",
902
+ ].join("\n");
903
+ }
904
+ if (!saved) {
905
+ return [
906
+ head,
907
+ "Next: persist it with --save, then suggest → approve → apply:",
908
+ ` fullstackgtm audit --provider ${provider ?? "<name>"} --save`,
909
+ ].join("\n");
910
+ }
911
+ // --save already confirmed the plan id above; chain the governed spine.
912
+ const providerFlag = provider ? ` --provider ${provider}` : "";
913
+ return [
914
+ head,
915
+ "Next: derive values, approve the safe ones, apply:",
916
+ ` fullstackgtm suggest --plan-id ${plan.id}${providerFlag} --out suggestions.json`,
917
+ ` fullstackgtm plans approve ${plan.id} --values-from suggestions.json`,
918
+ ` fullstackgtm apply --plan-id ${plan.id}${providerFlag}`,
919
+ ].join("\n");
920
+ }
921
+
523
922
  async function audit(args: string[]) {
524
923
  const threshold = failOnThreshold(args);
525
924
  const loaded = loadConfig(option(args, "--config") ?? undefined);
@@ -533,20 +932,35 @@ async function audit(args: string[]) {
533
932
  if (staleDealDays !== undefined) policy.staleDealDays = staleDealDays;
534
933
 
535
934
  const plan = auditSnapshot(snapshot, policy, rules);
935
+ reportCounts({
936
+ findings: plan.findings.length,
937
+ critical: plan.findings.filter((f) => f.severity === "critical").length,
938
+ warning: plan.findings.filter((f) => f.severity === "warning").length,
939
+ });
536
940
  const out = option(args, "--out");
537
941
  if (out) {
538
942
  writeFileSync(resolve(process.cwd(), out), `${JSON.stringify(plan, null, 2)}\n`);
539
943
  }
540
944
  if (args.includes("--save")) {
541
945
  await createFilePlanStore().save(plan);
946
+ // Engagement workspace: stamp the per-profile health timeline + snapshot so
947
+ // the org accrues a continuous record from the verb people already run.
948
+ // Honor --today (audit is deterministic under it); fall back to wall-clock.
949
+ const health = computeHealth(plan, snapshot, today ?? new Date().toISOString());
950
+ appendHealthEntry(health);
951
+ saveWorkspaceSnapshot(plan.id, snapshot);
542
952
  console.error(
543
- `Saved plan ${plan.id}. Review with \`fullstackgtm plans show ${plan.id}\`, approve with \`fullstackgtm plans approve ${plan.id} --operations <ids|all>\`.`,
953
+ `Saved plan ${plan.id}. Health ${health.score}/100 recorded (\`fullstackgtm health\`). ` +
954
+ `Review with \`fullstackgtm plans show ${plan.id}\`, approve with \`fullstackgtm plans approve ${plan.id} --operations <ids|all>\`.`,
544
955
  );
545
956
  }
546
957
  if (args.includes("--json")) {
547
958
  console.log(JSON.stringify(plan, null, 2));
548
959
  } else {
549
- console.log(patchPlanToMarkdown(plan));
960
+ // Default to the summary view (rule table + counts); the full per-operation
961
+ // dump is opt-in via --full or, for a deliverable, `report`. (dx-punch-list #3)
962
+ console.log(patchPlanToMarkdown(plan, { summary: !args.includes("--full") }));
963
+ console.error(`\n${auditNextStep(args, plan)}`);
550
964
  }
551
965
 
552
966
  if (
@@ -557,6 +971,30 @@ async function audit(args: string[]) {
557
971
  }
558
972
  }
559
973
 
974
+ /**
975
+ * Roll up the active profile's health timeline (accrued by `audit --save`):
976
+ * current deterministic score, change since the last audit, and per-rule
977
+ * deltas. Read-only — it only reads `health.jsonl`, never re-audits.
978
+ */
979
+ function healthCommand(args: string[]) {
980
+ const profile = activeWorkspaceProfile();
981
+ const rollup = summarizeHealth(readHealthTimeline(), profile);
982
+ if (!rollup) {
983
+ if (args.includes("--json")) {
984
+ console.log(JSON.stringify({ profile, auditCount: 0 }, null, 2));
985
+ } else {
986
+ console.log(
987
+ `No audits recorded yet for profile "${profile}".\n` +
988
+ "Start the timeline: `fullstackgtm audit --provider <name> --save`" +
989
+ (profile === "default" ? "" : ` --profile ${profile}`) +
990
+ ".",
991
+ );
992
+ }
993
+ return;
994
+ }
995
+ console.log(args.includes("--json") ? JSON.stringify(rollup, null, 2) : healthToMarkdown(rollup));
996
+ }
997
+
560
998
  /**
561
999
  * Render an audit as a client-facing deliverable. Same sources and audit
562
1000
  * options as `audit`; `--plan` instead renders an existing plan JSON without
@@ -1447,8 +1885,27 @@ enrich append [--source apollo] [--objects companies,contacts] [--save] [--conf
1447
1885
  enrich refresh [--source apollo] [--stale-days <n>] [--save] [--config <path>]
1448
1886
  [source options] [--run-label <label>] [--json]
1449
1887
  enrich ingest <file.csv|payload.json> --source clay [--run-label <label>] [--objects companies|contacts] [--config <path>]
1888
+ enrich acquire [--source <id>] [--max <n>] [--list <id>] [--assign-owner <id>] [--save] [--config <path>] [--json]
1450
1889
  enrich status [--runs] [--source <id>] [--config <path>] [--json]
1451
1890
 
1891
+ acquire creates NET-NEW leads from a staged prospect list (ingest first):
1892
+ it dedupes each sourced row against the CRM, skips matches and ambiguities
1893
+ (resolve-first never creates over a possible duplicate), and proposes a
1894
+ \`create_record\` op per confirmed net-new row — capped by the acquire meter's
1895
+ remaining budget (records + spend, per day and per month; whichever is hit
1896
+ first). Approval-gated like every write: \`--save\` → plans approve → apply.
1897
+ The meter is charged only when a create actually lands at apply.
1898
+ Discovery sources (zero-config presets): explorium | pipe0 (ICP-driven search),
1899
+ and linkedin (reads a HeyReach lead list — pass --list <id>, key on the LinkedIn
1900
+ URL, $0/record; \`login heyreach\` or HEYREACH_API_KEY).
1901
+
1902
+ Leads are never born ownerless: set an \`acquire.assign\` policy (fixed /
1903
+ round-robin / territory / account-owner) to stamp an owner at create time, or
1904
+ pass \`--assign-owner <id>\`. With a single-owner portal and no policy, acquire
1905
+ defaults every lead to that owner; with several owners and no policy it warns
1906
+ and leaves them unassigned. Backfill existing ownerless records with
1907
+ \`reassign --assign-unowned --to <ownerId>\`.
1908
+
1452
1909
  append pulls from an api source (Apollo — BYO key via \`login apollo\` or
1453
1910
  APOLLO_API_KEY) or reads data staged by \`enrich ingest\` (Clay CSV exports,
1454
1911
  webhook payload JSON), matches source records to CRM records via the ordered
@@ -1473,8 +1930,8 @@ are phase 2. Recurring execution is the scheduler's job; enrich has no cron.`);
1473
1930
  return;
1474
1931
  }
1475
1932
 
1476
- if (!["append", "refresh", "ingest", "status"].includes(subcommand)) {
1477
- throw new Error(`Unknown enrich subcommand: ${subcommand} (try: append, refresh, ingest, status)`);
1933
+ if (!["append", "refresh", "ingest", "status", "acquire"].includes(subcommand)) {
1934
+ throw new Error(`Unknown enrich subcommand: ${subcommand} (try: append, refresh, ingest, status, acquire)`);
1478
1935
  }
1479
1936
 
1480
1937
  const configPath = () => resolve(process.cwd(), option(rest, "--config") ?? ENRICH_CONFIG_FILE_NAME);
@@ -1485,14 +1942,205 @@ are phase 2. Recurring execution is the scheduler's job; enrich has no cron.`);
1485
1942
  return;
1486
1943
  }
1487
1944
 
1488
- const config = loadEnrichConfig(configPath());
1489
-
1945
+ // Config resolution: an explicit --config or an on-disk default always wins
1946
+ // (and validates). Only when neither exists do we fall back to a built-in
1947
+ // preset for the source (e.g. `--source clay`), so the common Mode-A loop
1948
+ // needs no hand-authored config. A present-but-invalid config still errors.
1949
+ const explicitConfig = option(rest, "--config");
1950
+ const configFile = configPath();
1951
+ // No config file + no --config → fall back to a built-in preset so the common
1952
+ // paths need zero hand-authored config: `acquire` gets the zero-config acquire
1953
+ // preset (targeted/deduped/metered out the gate); other verbs get the source
1954
+ // preset (e.g. clay ingest). An explicit/on-disk config always wins.
1955
+ const presetFor = (src: string | undefined) =>
1956
+ subcommand === "acquire" ? builtinAcquirePreset(src) : builtinEnrichPreset(src);
1957
+ const config =
1958
+ !explicitConfig && !existsSync(configFile)
1959
+ ? (presetFor(option(rest, "--source") ?? undefined) ?? loadEnrichConfig(configFile))
1960
+ : loadEnrichConfig(configFile);
1961
+
1962
+ // `enrich ingest` stages rows. If the same command also names a CRM source
1963
+ // (--input/--provider), collapse the two-step into one: stage, then run the
1964
+ // append against the just-staged data so `enrich ingest clay.csv --source clay
1965
+ // --input snap.json` returns the hygiene verdict end-to-end. Without a CRM
1966
+ // source it stays stage-only (the existing two-step is preserved).
1490
1967
  if (subcommand === "ingest") {
1491
- await enrichIngest(store, config, rest);
1968
+ const autoAppend = Boolean(option(rest, "--provider") || option(rest, "--input"));
1969
+ await enrichIngest(store, config, rest, autoAppend);
1970
+ if (!autoAppend) return;
1971
+ }
1972
+
1973
+ if (subcommand === "acquire") {
1974
+ if (!config.acquire) {
1975
+ throw new Error(
1976
+ 'enrich acquire: config has no "acquire" section. Add e.g. { "acquire": { "create": { "contact": { "matchKey": "email", "properties": { "email": "email", "firstname": "first_name", "lastname": "last_name" } } }, "budget": { "records": { "perDay": 50, "perMonth": 500 } }, "costPerRecord": { "clay": 0.10 } } } to enrich.config.json.',
1977
+ );
1978
+ }
1979
+ const source = resolveEnrichSource(config, rest);
1980
+ const sourceConfig = config.sources[source];
1981
+ const save = rest.includes("--save");
1982
+ const today = new Date().toISOString().slice(0, 10);
1983
+
1984
+ // Prospects come from an API source (net-new discovery, e.g. Explorium +
1985
+ // pipe0 work-email) or a staged ingest list (Clay/CSV/webhook).
1986
+ const snapshot = await readSnapshot(rest);
1987
+ const icp = loadIcp(rest);
1988
+ if (sourceConfig.kind === "api" && !icp) {
1989
+ console.error(
1990
+ "⚠ No ICP loaded — discovery will use the raw discovery.filters and skip fit scoring. " +
1991
+ "Develop one with `fullstackgtm icp interview` (or pass --icp <path>) so leads map to your ICP.",
1992
+ );
1993
+ }
1994
+ // Recommend the strong dedup key when the CRM carries no LinkedIn URLs:
1995
+ // without them, pre-email dedup falls back to the weaker name+domain match.
1996
+ if (sourceConfig.kind === "api" && !(snapshot.contacts ?? []).some((c) => c.linkedin)) {
1997
+ console.error(
1998
+ "⚠ No LinkedIn URLs found on your contacts — pre-email dedup falls back to name+domain (weaker). " +
1999
+ "Populate the HubSpot \"LinkedIn URL\" (hs_linkedin_url) property for exact dedup; " +
2000
+ "acquire writes it on every new contact it creates, so coverage grows automatically.",
2001
+ );
2002
+ }
2003
+ const seen = loadSeen();
2004
+ let records: EnrichSourceRecord[];
2005
+ let apiSkippedCrm = 0;
2006
+ let apiSkippedSeen = 0;
2007
+ let apiProcessedKeys: string[] = [];
2008
+ if (sourceConfig.kind === "api") {
2009
+ const api = await acquireFromApi(config, source, rest, icp, snapshot, seen);
2010
+ records = api.records;
2011
+ apiSkippedCrm = api.skippedCrm;
2012
+ apiSkippedSeen = api.skippedSeen;
2013
+ apiProcessedKeys = api.processedKeys;
2014
+ } else {
2015
+ const stagedLabel = option(rest, "--staged-run");
2016
+ const stagedRun = stagedLabel
2017
+ ? await store.get(stagedLabel)
2018
+ : await store.latest({ source, mode: "ingest" });
2019
+ if (!stagedRun || stagedRun.mode !== "ingest") {
2020
+ throw new Error(
2021
+ `No staged data for source "${source}". Stage prospects first: fullstackgtm enrich ingest <prospects.csv|payload.json> --source ${source}`,
2022
+ );
2023
+ }
2024
+ records = stagedSourceRecords(config, source, stagedRun);
2025
+ }
2026
+
2027
+ // Meter: how many MORE leads may we create right now? --max is an
2028
+ // additional per-run ceiling, never a way to exceed the budget.
2029
+ const now = new Date();
2030
+ const costPerRecord = config.acquire.costPerRecord?.[source] ?? 0;
2031
+ if (apiSkippedCrm || apiSkippedSeen) {
2032
+ console.error(
2033
+ `Pre-email dedup: skipped ${apiSkippedCrm} already-in-CRM + ${apiSkippedSeen} seen before paying for emails ` +
2034
+ `(≈$${((apiSkippedCrm + apiSkippedSeen) * costPerRecord).toFixed(2)} enrichment saved).`,
2035
+ );
2036
+ }
2037
+ const headroom = remaining(loadMeter(now), config.acquire.budget, costPerRecord, now);
2038
+ const explicitMax = numericOption(rest, "--max");
2039
+ let cap = headroom.maxRecords;
2040
+ if (explicitMax !== undefined) cap = cap === null ? explicitMax : Math.min(cap, explicitMax);
2041
+
2042
+ // Assignment: never create an ownerless lead. An explicit `acquire.assign`
2043
+ // policy wins; a `--assign-owner <id>` flag is a quick fixed override;
2044
+ // otherwise, when the portal has exactly one active owner, default every
2045
+ // lead to them. With multiple owners and no policy we refuse to guess —
2046
+ // leads are left unassigned and the operator is told to configure a rule.
2047
+ const assignOwnerFlag = option(rest, "--assign-owner");
2048
+ if (!config.acquire.assign) {
2049
+ if (assignOwnerFlag) {
2050
+ config.acquire.assign = { strategy: "fixed", ownerId: assignOwnerFlag };
2051
+ } else {
2052
+ const activeOwners = (snapshot.users ?? []).filter((u) => u.active !== false);
2053
+ if (activeOwners.length === 1) {
2054
+ const sole = activeOwners[0].crmId ?? activeOwners[0].id;
2055
+ config.acquire.assign = { strategy: "fixed", ownerId: sole };
2056
+ console.error(
2057
+ `Assignment: no policy set — defaulting every lead to the portal's sole owner ` +
2058
+ `${activeOwners[0].name} (${sole}). Configure "acquire.assign" to route across reps.`,
2059
+ );
2060
+ } else if (activeOwners.length > 1) {
2061
+ console.error(
2062
+ `⚠ Assignment: ${activeOwners.length} active owners and no "acquire.assign" policy — ` +
2063
+ `leads will be created OWNERLESS. Add an acquire.assign rule (fixed / round-robin / territory) ` +
2064
+ `or pass --assign-owner <id> so every lead lands with an owner.`,
2065
+ );
2066
+ }
2067
+ }
2068
+ }
2069
+
2070
+ const result = buildAcquirePlan({
2071
+ config,
2072
+ source,
2073
+ snapshot,
2074
+ records,
2075
+ runLabel: option(rest, "--run-label") ?? `acquire-${source}-${today}`,
2076
+ maxRecords: cap,
2077
+ });
2078
+
2079
+ if (result.counts.unassigned > 0 && result.counts.created > 0) {
2080
+ console.error(
2081
+ `⚠ ${result.counts.unassigned}/${result.counts.created} proposed lead(s) have no owner ` +
2082
+ `(policy could not place them). They will be created ownerless.`,
2083
+ );
2084
+ }
2085
+
2086
+ // Observability: headline metrics for the web run timeline (paired users).
2087
+ reportCounts({
2088
+ sourced: result.counts.fetched,
2089
+ created: result.counts.created,
2090
+ withheldByMeter: result.counts.withheldByMeter,
2091
+ skippedInCrm: apiSkippedCrm,
2092
+ skippedSeen: apiSkippedSeen,
2093
+ estCostUsd: result.estCostUsd,
2094
+ });
2095
+
2096
+ const meterLine = formatAcquireMeter(headroom, costPerRecord);
2097
+ if (!save) {
2098
+ if (rest.includes("--json")) {
2099
+ console.log(
2100
+ JSON.stringify(
2101
+ { plan: result.plan, counts: result.counts, estCostUsd: result.estCostUsd, meter: headroom },
2102
+ null,
2103
+ 2,
2104
+ ),
2105
+ );
2106
+ } else {
2107
+ console.log(patchPlanToMarkdown(result.plan));
2108
+ console.log(meterLine);
2109
+ console.log("\nDry run — nothing written. Re-run with --save to persist the plan, then approve + apply.");
2110
+ }
2111
+ return;
2112
+ }
2113
+
2114
+ const run = await openEnrichRun(store, source, "append", option(rest, "--run-label"), today);
2115
+ const planIds: string[] = [];
2116
+ if (result.plan.operations.length > 0) {
2117
+ await createFilePlanStore().save(result.plan);
2118
+ planIds.push(result.plan.id);
2119
+ reportEvent("plan_saved", result.plan.id);
2120
+ }
2121
+ await store.update({
2122
+ ...run,
2123
+ completedAt: new Date().toISOString(),
2124
+ cursor: null,
2125
+ planIds: [...(run.planIds ?? []), ...planIds],
2126
+ });
2127
+ // Remember everyone we email-resolved this run so the next run skips them
2128
+ // pre-email (cross-run credit saver). Committed (--save) runs only.
2129
+ if (apiProcessedKeys.length > 0) recordSeen(apiProcessedKeys, now);
2130
+ console.log(meterLine);
2131
+ if (planIds.length > 0) {
2132
+ console.log(
2133
+ `Saved plan ${result.plan.id} — ${result.counts.created} net-new lead(s), est. $${result.estCostUsd.toFixed(2)}. ` +
2134
+ `Review \`fullstackgtm plans show ${result.plan.id}\`, approve \`fullstackgtm plans approve ${result.plan.id} --operations all\`, ` +
2135
+ `then \`fullstackgtm apply --plan-id ${result.plan.id} --provider hubspot\`. The meter is charged only when a create lands at apply.`,
2136
+ );
2137
+ } else {
2138
+ console.log("No net-new leads to create (everything sourced already matched, or was withheld by the meter).");
2139
+ }
1492
2140
  return;
1493
2141
  }
1494
2142
 
1495
- const mode = subcommand as "append" | "refresh";
2143
+ const mode: "append" | "refresh" = subcommand === "refresh" ? "refresh" : "append";
1496
2144
  const source = resolveEnrichSource(config, rest);
1497
2145
  const sourceConfig = config.sources[source];
1498
2146
  const save = rest.includes("--save");
@@ -1594,6 +2242,13 @@ are phase 2. Recurring execution is the scheduler's job; enrich has no cron.`);
1594
2242
  result.counts.fetched += missCount;
1595
2243
  result.counts.unmatched += missCount;
1596
2244
 
2245
+ reportCounts({
2246
+ fetched: result.counts.fetched,
2247
+ matched: result.counts.matched,
2248
+ unmatched: result.counts.unmatched,
2249
+ opsEmitted: result.counts.opsEmitted,
2250
+ });
2251
+
1597
2252
  if (!save) {
1598
2253
  if (rest.includes("--json")) {
1599
2254
  console.log(JSON.stringify(result.plan, null, 2));
@@ -1641,6 +2296,203 @@ function formatEnrichCounts(counts: EnrichCounts, ambiguities: number) {
1641
2296
  );
1642
2297
  }
1643
2298
 
2299
+ /** Best-effort enrich-config load for apply-time acquire-budget enforcement. */
2300
+ /** Provider API key: env override first, then the credential store (`login`). */
2301
+ function providerKey(provider: "explorium" | "pipe0" | "heyreach"): string {
2302
+ const envName =
2303
+ provider === "explorium" ? "EXPLORIUM_API_KEY" : provider === "pipe0" ? "PIPE0_API_KEY" : "HEYREACH_API_KEY";
2304
+ if (process.env[envName]) return process.env[envName] as string;
2305
+ const stored = getCredential(provider);
2306
+ if (stored) return stored.accessToken;
2307
+ throw new Error(`No ${provider} credentials. Run \`echo "$KEY" | fullstackgtm login ${provider}\`, or set ${envName}.`);
2308
+ }
2309
+
2310
+ /** Load the active ICP: --icp <path>, else ./icp.json. Undefined if none. */
2311
+ function loadIcp(args: string[]): Icp | undefined {
2312
+ const explicit = option(args, "--icp");
2313
+ const path = resolve(process.cwd(), explicit ?? "icp.json");
2314
+ if (!existsSync(path)) {
2315
+ if (explicit) throw new Error(`--icp ${explicit}: file not found`);
2316
+ return undefined;
2317
+ }
2318
+ return parseIcp(readFileSync(path, "utf8"));
2319
+ }
2320
+
2321
+ /**
2322
+ * `icp` — develop and inspect the Ideal Customer Profile that targets acquire.
2323
+ * The CLI can't run AskUserQuestion itself; `icp interview` emits the question
2324
+ * spec an agent (Claude Code / Codex) drives with its AskUserQuestion tool, then
2325
+ * `icp set` writes icp.json from the collected answers.
2326
+ */
2327
+ async function icpCommand(args: string[]) {
2328
+ const [sub, ...rest] = args;
2329
+ if (!sub || sub === "--help" || sub === "-h") {
2330
+ console.log(`Usage:
2331
+ fullstackgtm icp interview emit the interview spec (an agent drives it with AskUserQuestion)
2332
+ fullstackgtm icp set <answers.json> [--name <n>] [--out <path>] write icp.json from interview answers
2333
+ fullstackgtm icp show [--icp <path>] render the ICP + the discovery filters it produces
2334
+
2335
+ The ICP makes \`enrich acquire\` targeted, not random: it generates each
2336
+ provider's discovery filters (Explorium, pipe0/Crustdata) AND scores every
2337
+ discovered prospect for fit — only above-threshold leads become create_record
2338
+ ops. Develop one by interview, then \`enrich acquire\` picks up ./icp.json.`);
2339
+ return;
2340
+ }
2341
+ if (sub === "interview") {
2342
+ console.log(
2343
+ JSON.stringify(
2344
+ {
2345
+ questions: INTERVIEW_SPEC,
2346
+ instructions:
2347
+ "Ask each question with AskUserQuestion (multiSelect per .multiSelect). For each answer, collect the chosen options' .value arrays and concat them under the question's .id. Then run `fullstackgtm icp set <answers.json>` with that flattened object.",
2348
+ },
2349
+ null,
2350
+ 2,
2351
+ ),
2352
+ );
2353
+ return;
2354
+ }
2355
+ if (sub === "set") {
2356
+ const file = rest.find((a) => !a.startsWith("--"));
2357
+ if (!file) throw new Error("Usage: fullstackgtm icp set <answers.json> [--name <n>] [--out <path>]");
2358
+ const answers = JSON.parse(readFileSync(resolve(process.cwd(), file), "utf8"));
2359
+ const icp = icpFromAnswers(option(rest, "--name") ?? "ICP", answers);
2360
+ const out = resolve(process.cwd(), option(rest, "--out") ?? "icp.json");
2361
+ writeFileSync(out, `${JSON.stringify(icp, null, 2)}\n`);
2362
+ console.log(
2363
+ `Wrote ${out} — ${icp.persona.titleKeywords?.length ?? 0} title keyword(s), ` +
2364
+ `${icp.firmographics.employeeBands?.length ?? 0} size band(s), fit threshold ${fitThreshold(icp)}.`,
2365
+ );
2366
+ return;
2367
+ }
2368
+ if (sub === "show") {
2369
+ const icp = loadIcp(rest);
2370
+ if (!icp) throw new Error("No ICP found (icp.json in cwd, or pass --icp <path>). Build one: fullstackgtm icp interview.");
2371
+ console.log(
2372
+ JSON.stringify(
2373
+ {
2374
+ icp,
2375
+ exploriumFilters: icpToExploriumFilters(icp),
2376
+ crustdataFilters: icpToCrustdataFilters(icp),
2377
+ fitThreshold: fitThreshold(icp),
2378
+ },
2379
+ null,
2380
+ 2,
2381
+ ),
2382
+ );
2383
+ return;
2384
+ }
2385
+ throw new Error(`Unknown icp subcommand: ${sub} (try: interview, set, show)`);
2386
+ }
2387
+
2388
+ /**
2389
+ * Pull net-new prospects from an API acquire source into source records the
2390
+ * acquire builder dedupes + turns into create_record ops. Explorium discovers;
2391
+ * pipe0 (when resolveEmailsWith=pipe0) fills real work emails. Only rows that
2392
+ * carry the dedupe key (email) survive — you cannot resolve-first without it.
2393
+ */
2394
+ async function acquireFromApi(
2395
+ config: EnrichConfig,
2396
+ source: string,
2397
+ rest: string[],
2398
+ icp: Icp | undefined,
2399
+ snapshot: CanonicalGtmSnapshot,
2400
+ seen: Set<string>,
2401
+ ): Promise<{ records: EnrichSourceRecord[]; skippedCrm: number; skippedSeen: number; processedKeys: string[] }> {
2402
+ const acquire = config.acquire!;
2403
+ const disc = acquire.discovery?.[source];
2404
+ if (!disc) {
2405
+ throw new Error(`enrich acquire: api source "${source}" needs an "acquire.discovery.${source}" config (provider + size).`);
2406
+ }
2407
+ const matchKey = acquire.create.contact?.matchKey ?? "email";
2408
+ const maxOverride = numericOption(rest, "--max");
2409
+ const size = maxOverride !== undefined ? Math.min(maxOverride, disc.size ?? 25) : disc.size ?? 25;
2410
+
2411
+ // 1. Discover. Filters come from the ICP when one is loaded (the whole point —
2412
+ // targeted, not random); otherwise from the hand-written disc.filters.
2413
+ let prospects: Prospect[];
2414
+ if (disc.provider === "explorium") {
2415
+ const filters = icp
2416
+ ? icpToExploriumFilters(icp)
2417
+ : ((disc.filters ?? {}) as Record<string, { values?: string[]; value?: boolean }>);
2418
+ prospects = await fetchExploriumProspects({ apiKey: providerKey("explorium"), filters, size });
2419
+ } else if (disc.provider === "pipe0") {
2420
+ const filters = icp ? icpToCrustdataFilters(icp) : (disc.filters ?? {});
2421
+ prospects = await fetchPipe0CrustdataProspects({ apiKey: providerKey("pipe0"), filters, limit: size });
2422
+ } else if (disc.provider === "linkedin" || disc.provider === "heyreach") {
2423
+ // LinkedIn reads a pre-populated lead list (not an ICP-driven query); the ICP
2424
+ // scores the pulled list below. List id: disc.listId or --list <id>.
2425
+ const listId = disc.listId ?? option(rest, "--list") ?? undefined;
2426
+ if (!listId) {
2427
+ throw new Error(
2428
+ "enrich acquire --source linkedin needs a HeyReach lead-list id: pass --list <id> or set acquire.discovery.linkedin.listId.",
2429
+ );
2430
+ }
2431
+ const provider = createLinkedInProvider(disc.provider, providerKey("heyreach"));
2432
+ prospects = await discoverLinkedInProspects(provider, { sourceId: listId, max: size });
2433
+ } else {
2434
+ throw new Error(`enrich acquire: unknown discovery provider "${disc.provider}" (explorium | pipe0 | linkedin).`);
2435
+ }
2436
+
2437
+ // 2. ICP fit scoring BEFORE paying for emails — only above-threshold prospects
2438
+ // proceed to (credit-spending) email resolution.
2439
+ if (icp) {
2440
+ const threshold = fitThreshold(icp);
2441
+ prospects = prospects
2442
+ .map((p) => ({ ...p, fitScore: scoreProspectAgainstIcp(p, icp).score }))
2443
+ .filter((p) => (p.fitScore ?? 0) >= threshold);
2444
+ }
2445
+
2446
+ // 2.5 Pre-email dedup — drop prospects already in the CRM (name+domain match
2447
+ // vs the snapshot) or already processed in a prior run (the seen cache),
2448
+ // BEFORE paying pipe0 for emails. The email-level dedup (buildAcquirePlan)
2449
+ // and apply-time resolve-first remain the precise backstop.
2450
+ const { fresh, skippedCrm, skippedSeen } = partitionFreshProspects(prospects, crmContactKeys(snapshot), seen);
2451
+ prospects = fresh;
2452
+
2453
+ // 3. Resolve real work emails (both providers need it: Explorium's email is
2454
+ // hashed, Crustdata search returns none). pipe0 waterfall, chunked.
2455
+ if (matchKey === "email") {
2456
+ prospects = await pipe0ResolveWorkEmails({ apiKey: providerKey("pipe0"), prospects });
2457
+ }
2458
+
2459
+ const processedKeys = prospects.flatMap(prospectIdentityKeys);
2460
+ const records = prospects
2461
+ .map((p) => {
2462
+ const keyValue = (p as unknown as Record<string, unknown>)[matchKey] as string | undefined;
2463
+ return {
2464
+ id: p.sourceId ?? `${source}:${keyValue ?? p.fullName ?? ""}`,
2465
+ objectType: "contact" as const,
2466
+ keys: { [matchKey]: keyValue },
2467
+ payload: p as unknown as Record<string, unknown>,
2468
+ };
2469
+ })
2470
+ .filter((record) => Boolean(record.keys[matchKey]));
2471
+ return { records, skippedCrm, skippedSeen, processedKeys };
2472
+ }
2473
+
2474
+ function tryLoadAcquireConfig(args: string[]): EnrichConfig | undefined {
2475
+ try {
2476
+ const path = resolve(process.cwd(), option(args, "--config") ?? ENRICH_CONFIG_FILE_NAME);
2477
+ if (!existsSync(path)) return undefined;
2478
+ return loadEnrichConfig(path);
2479
+ } catch {
2480
+ return undefined;
2481
+ }
2482
+ }
2483
+
2484
+ function formatAcquireMeter(headroom: AcquireRemaining, costPerRecord: number): string {
2485
+ const n = (v: number | null) => (v === null ? "∞" : String(v));
2486
+ const money = (v: number | null) => (v === null ? "∞" : `$${v.toFixed(2)}`);
2487
+ const max = headroom.maxRecords === null ? "unlimited" : `${headroom.maxRecords}`;
2488
+ return (
2489
+ `Acquire meter — creatable now: ${max} lead(s). ` +
2490
+ `Records left: ${n(headroom.records.day)}/day, ${n(headroom.records.month)}/month · ` +
2491
+ `Spend left: ${money(headroom.spendUsd.day)}/day, ${money(headroom.spendUsd.month)}/month ` +
2492
+ `(≈$${costPerRecord.toFixed(2)}/lead).`
2493
+ );
2494
+ }
2495
+
1644
2496
  function resolveEnrichSource(config: EnrichConfig, rest: string[]): string {
1645
2497
  const requested = option(rest, "--source");
1646
2498
  const declared = Object.keys(config.sources);
@@ -1723,7 +2575,7 @@ async function openEnrichRun(
1723
2575
  });
1724
2576
  }
1725
2577
 
1726
- async function enrichIngest(store: EnrichRunStore, config: EnrichConfig, rest: string[]) {
2578
+ async function enrichIngest(store: EnrichRunStore, config: EnrichConfig, rest: string[], autoAppend = false) {
1727
2579
  const file = rest.find((arg) => !arg.startsWith("--") && !isOptionValue(rest, arg));
1728
2580
  if (!file) throw new Error("Usage: fullstackgtm enrich ingest <file.csv|payload.json> --source <id> [--run-label <label>]");
1729
2581
  const source = option(rest, "--source");
@@ -1784,8 +2636,10 @@ async function enrichIngest(store: EnrichRunStore, config: EnrichConfig, rest: s
1784
2636
  stagedObjectType: objectType,
1785
2637
  });
1786
2638
  console.log(
1787
- `Staged ${rows.length} ${objectType} row(s) from ${file} as run ${label}. ` +
1788
- `Next: fullstackgtm enrich append --source ${source} [source options] [--save]`,
2639
+ autoAppend
2640
+ ? `Staged ${rows.length} ${objectType} row(s) from ${file} as run ${label}; matching against the CRM…`
2641
+ : `Staged ${rows.length} ${objectType} row(s) from ${file} as run ${label}. ` +
2642
+ `Next: fullstackgtm enrich append --source ${source} [source options] [--save]`,
1789
2643
  );
1790
2644
  }
1791
2645
 
@@ -2442,9 +3296,10 @@ async function dedupeCommand(args: string[]) {
2442
3296
  async function reassignCommand(args: string[]) {
2443
3297
  const from = option(args, "--from");
2444
3298
  const to = option(args, "--to");
2445
- if (!from || !to) {
3299
+ const assignUnowned = args.includes("--assign-unowned");
3300
+ if (!to || (!from && !assignUnowned)) {
2446
3301
  throw new Error(
2447
- "Usage: fullstackgtm reassign --from <ownerId> --to <ownerId> [--objects account,contact,deal] [--where <expr> …] [--except-deal-stage <stage>] [--include-closed-deals] [source options] [--reason <text>] [--max-operations <n>] [--save] [--out <path>] [--json]",
3302
+ "Usage: fullstackgtm reassign (--from <ownerId> | --assign-unowned) --to <ownerId> [--objects account,contact,deal] [--where <expr> …] [--except-deal-stage <stage>] [--include-closed-deals] [source options] [--reason <text>] [--max-operations <n>] [--save] [--out <path>] [--json]\n\n--assign-unowned claims every OWNERLESS record (ownerId:empty) for --to — the backfill twin of `enrich acquire`'s create-time assignment.",
2448
3303
  );
2449
3304
  }
2450
3305
  const objects = option(args, "--objects")
@@ -2453,8 +3308,9 @@ async function reassignCommand(args: string[]) {
2453
3308
  .filter(Boolean) as ReassignObjectType[] | undefined;
2454
3309
  const snapshot = await readSnapshot(args);
2455
3310
  const plans = buildReassignPlans(snapshot, {
2456
- fromOwnerId: from,
3311
+ fromOwnerId: from ?? undefined,
2457
3312
  toOwnerId: to,
3313
+ assignUnowned,
2458
3314
  objects,
2459
3315
  where: repeatedOption(args, "--where"),
2460
3316
  exceptDealStage: option(args, "--except-deal-stage") ?? undefined,
@@ -2775,6 +3631,40 @@ async function apply(args: string[]) {
2775
3631
  valueOverrides = parseValueOverrides(args);
2776
3632
  }
2777
3633
 
3634
+ // Acquire meter: create_record ops are budgeted. Refuse up-front if the
3635
+ // approved creates would exceed the current budget window (the plan was
3636
+ // capped when `enrich acquire` ran, but the budget may have been spent down
3637
+ // since), then charge the meter for what actually lands.
3638
+ const approvedSet = new Set(approvedOperationIds);
3639
+ const createOps = plan.operations.filter(
3640
+ (op) => op.operation === "create_record" && approvedSet.has(op.id),
3641
+ );
3642
+ const createSpend = (op: PatchOperation) =>
3643
+ ((op.afterValue as CreateRecordPayload | undefined)?.estCostUsd) ?? 0;
3644
+ if (createOps.length > 0) {
3645
+ const acquireConfig = tryLoadAcquireConfig(args)?.acquire;
3646
+ if (acquireConfig?.budget) {
3647
+ const now = new Date();
3648
+ const head = remaining(loadMeter(now), acquireConfig.budget, 0, now);
3649
+ const approvedSpend = createOps.reduce((sum, op) => sum + createSpend(op), 0);
3650
+ const refusals: string[] = [];
3651
+ if (head.records.day !== null && createOps.length > head.records.day)
3652
+ refusals.push(`${createOps.length} creates > ${head.records.day} record(s) left today`);
3653
+ if (head.records.month !== null && createOps.length > head.records.month)
3654
+ refusals.push(`${createOps.length} creates > ${head.records.month} record(s) left this month`);
3655
+ if (head.spendUsd.day !== null && approvedSpend > head.spendUsd.day)
3656
+ refusals.push(`$${approvedSpend.toFixed(2)} > $${head.spendUsd.day.toFixed(2)} spend left today`);
3657
+ if (head.spendUsd.month !== null && approvedSpend > head.spendUsd.month)
3658
+ refusals.push(`$${approvedSpend.toFixed(2)} > $${head.spendUsd.month.toFixed(2)} spend left this month`);
3659
+ if (refusals.length > 0) {
3660
+ throw new Error(
3661
+ `Refusing to apply: acquire budget exceeded (${refusals.join("; ")}). ` +
3662
+ "Re-run `fullstackgtm enrich acquire` to re-cap to the remaining budget, or wait for the window to reset.",
3663
+ );
3664
+ }
3665
+ }
3666
+ }
3667
+
2778
3668
  const connector = await connectorFor(provider, args);
2779
3669
  const run = await applyPatchPlan(connector, plan, {
2780
3670
  approvedOperationIds,
@@ -2784,6 +3674,23 @@ async function apply(args: string[]) {
2784
3674
  await store.recordRun(planId, run);
2785
3675
  }
2786
3676
 
3677
+ // Charge the acquire meter for the creates that actually landed.
3678
+ if (createOps.length > 0) {
3679
+ const appliedIds = new Set(
3680
+ run.results.filter((result) => result.status === "applied").map((result) => result.operationId),
3681
+ );
3682
+ const landed = createOps.filter((op) => appliedIds.has(op.id));
3683
+ if (landed.length > 0) {
3684
+ const spend = landed.reduce((sum, op) => sum + createSpend(op), 0);
3685
+ recordConsumption(new Date(), landed.length, spend);
3686
+ }
3687
+ }
3688
+
3689
+ // Observability: apply-outcome tallies for the web run timeline.
3690
+ const applyTally: Record<string, number> = { applied: 0, conflict: 0, skipped: 0, failed: 0 };
3691
+ for (const result of run.results) applyTally[result.status] = (applyTally[result.status] ?? 0) + 1;
3692
+ reportCounts(applyTally);
3693
+
2787
3694
  if (args.includes("--json")) {
2788
3695
  console.log(JSON.stringify(run, null, 2));
2789
3696
  } else {
@@ -3280,9 +4187,22 @@ async function login(args: string[]) {
3280
4187
  console.log(`Stored Apollo API key in ${credentialsPath()}. \`fullstackgtm enrich append|refresh\` use it automatically.`);
3281
4188
  return;
3282
4189
  }
4190
+ if (provider === "pipe0" || provider === "explorium" || provider === "heyreach") {
4191
+ rejectArgvSecret(args, "--token", "--key", "--api-key");
4192
+ const key = await readSecret(`${provider} API key`);
4193
+ if (!key) throw new Error(`No ${provider} key provided.`);
4194
+ // No free auth-health endpoint; validating would spend credits, so the key
4195
+ // is stored as-is and validated on the first `enrich acquire` pull.
4196
+ const stamp = new Date().toISOString();
4197
+ storeCredential(provider, { kind: "api_key", accessToken: key, createdAt: stamp, updatedAt: stamp });
4198
+ console.log(
4199
+ `Stored ${provider} API key in ${credentialsPath()}. \`fullstackgtm enrich acquire\` uses it automatically (validated on first pull).`,
4200
+ );
4201
+ return;
4202
+ }
3283
4203
  if (provider !== "hubspot") {
3284
4204
  throw new Error(
3285
- "login supports: hubspot, salesforce, stripe, anthropic, openai, apollo, or --via <hosted url>. Usage: fullstackgtm login <provider> | fullstackgtm login --via https://gtm.example.com",
4205
+ "login supports: hubspot, salesforce, stripe, anthropic, openai, apollo, pipe0, explorium, or --via <hosted url>. Usage: fullstackgtm login <provider> | fullstackgtm login --via https://gtm.example.com",
3286
4206
  );
3287
4207
  }
3288
4208
  const now = new Date().toISOString();
@@ -3499,19 +4419,31 @@ function profilesCommand(args: string[]) {
3499
4419
 
3500
4420
  export async function runCli(argv: string[]) {
3501
4421
  const [command, ...args] = extractProfile(argv);
4422
+ // Front door: the lifecycle-grouped map by default, the full reference on
4423
+ // --full. `help <command>` zooms into one verb. (docs/dx-punch-list.md #1)
3502
4424
  if (!command || command === "--help" || command === "-h") {
3503
- console.log(usage());
4425
+ console.log(args.includes("--full") ? usage() : shortUsage());
4426
+ return;
4427
+ }
4428
+ if (command === "help") {
4429
+ const [topic, ...rest] = args;
4430
+ if (topic && topic !== "--full" && !topic.startsWith("-")) {
4431
+ console.log(commandHelp(topic));
4432
+ } else {
4433
+ console.log(args.includes("--full") || topic === "--full" ? usage() : shortUsage());
4434
+ }
3504
4435
  return;
3505
4436
  }
3506
4437
  if (command === "--version" || command === "-v" || command === "version") {
3507
4438
  console.log(readPackageInfo().version);
3508
4439
  return;
3509
4440
  }
3510
- // Commands without bespoke help fall back to the top-level usage on --help
3511
- // instead of executing (audit used to silently run the sample audit).
3512
- // call/market/enrich/bulk-update/schedule print their own richer help.
3513
- if (!["call", "market", "enrich", "bulk-update", "schedule"].includes(command) && (args.includes("--help") || args.includes("-h"))) {
3514
- console.log(usage());
4441
+ // Commands without bespoke help get focused per-command help on --help
4442
+ // instead of executing (audit used to silently run the sample audit) or
4443
+ // dumping the whole surface. call/market/enrich/bulk-update/schedule print
4444
+ // their own richer help. `--full` always escapes to the complete reference.
4445
+ if (!BESPOKE_HELP.includes(command) && (args.includes("--help") || args.includes("-h"))) {
4446
+ console.log(args.includes("--full") ? usage() : commandHelp(command));
3515
4447
  return;
3516
4448
  }
3517
4449
 
@@ -3543,6 +4475,10 @@ export async function runCli(argv: string[]) {
3543
4475
  doctorCommand(args);
3544
4476
  return;
3545
4477
  }
4478
+ if (command === "health") {
4479
+ healthCommand(args);
4480
+ return;
4481
+ }
3546
4482
  if (command === "suggest") {
3547
4483
  await suggest(args);
3548
4484
  return;
@@ -3579,6 +4515,10 @@ export async function runCli(argv: string[]) {
3579
4515
  await enrichCommand(args);
3580
4516
  return;
3581
4517
  }
4518
+ if (command === "icp") {
4519
+ await icpCommand(args);
4520
+ return;
4521
+ }
3582
4522
  if (command === "schedule") {
3583
4523
  await scheduleCommand(args);
3584
4524
  return;