fullstackgtm 0.45.0 → 0.47.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (95) hide show
  1. package/CHANGELOG.md +115 -1
  2. package/INSTALL_FOR_AGENTS.md +13 -11
  3. package/README.md +27 -18
  4. package/dist/backfill.d.ts +86 -0
  5. package/dist/backfill.js +251 -0
  6. package/dist/bin.js +4 -1
  7. package/dist/cli/auth.d.ts +2 -0
  8. package/dist/cli/auth.js +119 -12
  9. package/dist/cli/backfill.d.ts +1 -0
  10. package/dist/cli/backfill.js +125 -0
  11. package/dist/cli/backfillRuns.d.ts +1 -0
  12. package/dist/cli/backfillRuns.js +187 -0
  13. package/dist/cli/call.js +23 -9
  14. package/dist/cli/enrich.js +28 -10
  15. package/dist/cli/fix.js +9 -7
  16. package/dist/cli/help.js +60 -23
  17. package/dist/cli/plans.js +13 -11
  18. package/dist/cli/shared.d.ts +4 -3
  19. package/dist/cli/shared.js +31 -20
  20. package/dist/cli/ui.d.ts +21 -0
  21. package/dist/cli/ui.js +53 -1
  22. package/dist/cli.js +37 -41
  23. package/dist/connector.d.ts +8 -0
  24. package/dist/connector.js +104 -21
  25. package/dist/connectors/hubspot.d.ts +8 -1
  26. package/dist/connectors/hubspot.js +406 -13
  27. package/dist/connectors/hubspotAuth.js +5 -1
  28. package/dist/connectors/linkedin.js +14 -14
  29. package/dist/connectors/salesforce.d.ts +8 -1
  30. package/dist/connectors/salesforce.js +163 -2
  31. package/dist/connectors/stripe.d.ts +37 -0
  32. package/dist/connectors/stripe.js +103 -31
  33. package/dist/enrich.d.ts +7 -0
  34. package/dist/enrich.js +7 -0
  35. package/dist/health.d.ts +11 -69
  36. package/dist/health.js +4 -134
  37. package/dist/healthScore.d.ts +71 -0
  38. package/dist/healthScore.js +143 -0
  39. package/dist/index.d.ts +3 -1
  40. package/dist/index.js +3 -1
  41. package/dist/llm.d.ts +29 -0
  42. package/dist/llm.js +206 -0
  43. package/dist/market.d.ts +39 -1
  44. package/dist/market.js +116 -44
  45. package/dist/marketClassify.d.ts +9 -1
  46. package/dist/marketClassify.js +10 -1
  47. package/dist/marketTaxonomy.d.ts +6 -1
  48. package/dist/marketTaxonomy.js +4 -2
  49. package/dist/mcp-bin.js +29 -0
  50. package/dist/mcp.js +117 -4
  51. package/dist/progress.d.ts +96 -0
  52. package/dist/progress.js +142 -0
  53. package/dist/runReport.d.ts +24 -0
  54. package/dist/runReport.js +139 -4
  55. package/dist/types.d.ts +33 -1
  56. package/docs/api.md +4 -2
  57. package/docs/architecture.md +2 -0
  58. package/docs/linkedin-connector-spec.md +1 -1
  59. package/llms.txt +3 -3
  60. package/package.json +10 -3
  61. package/skills/fullstackgtm/SKILL.md +1 -0
  62. package/src/backfill.ts +340 -0
  63. package/src/bin.ts +5 -1
  64. package/src/cli/auth.ts +135 -15
  65. package/src/cli/backfill.ts +156 -0
  66. package/src/cli/backfillRuns.ts +198 -0
  67. package/src/cli/call.ts +26 -10
  68. package/src/cli/enrich.ts +33 -10
  69. package/src/cli/fix.ts +11 -10
  70. package/src/cli/help.ts +61 -23
  71. package/src/cli/plans.ts +15 -14
  72. package/src/cli/shared.ts +44 -27
  73. package/src/cli/ui.ts +72 -1
  74. package/src/cli.ts +38 -41
  75. package/src/connector.ts +110 -16
  76. package/src/connectors/hubspot.ts +423 -14
  77. package/src/connectors/hubspotAuth.ts +5 -1
  78. package/src/connectors/linkedin.ts +14 -14
  79. package/src/connectors/salesforce.ts +168 -3
  80. package/src/connectors/stripe.ts +154 -34
  81. package/src/enrich.ts +13 -0
  82. package/src/health.ts +14 -213
  83. package/src/healthScore.ts +223 -0
  84. package/src/index.ts +28 -1
  85. package/src/llm.ts +239 -0
  86. package/src/market.ts +157 -44
  87. package/src/marketClassify.ts +18 -1
  88. package/src/marketTaxonomy.ts +10 -2
  89. package/src/mcp-bin.ts +32 -0
  90. package/src/mcp.ts +140 -6
  91. package/src/progress.ts +197 -0
  92. package/src/runReport.ts +159 -4
  93. package/src/types.ts +35 -2
  94. package/docs/dx-punch-list.md +0 -87
  95. package/docs/roadmap-to-1.0.md +0 -211
@@ -1,87 +0,0 @@
1
- # DX / adoption punch list
2
-
3
- Audit date: 2026-06-19. Method: ran the CLI as a new adopter would (bare
4
- invoke → `doctor` → `audit --demo` → per-command `--help`) and measured the
5
- friction, rather than reading the source. Companion to the security/strategic
6
- findings that drove the 0.25.1–0.28.0 hardening releases — same format, same
7
- intent: a tracked list that drives a release.
8
-
9
- ## Framing
10
-
11
- The **agent path** (SKILL.md verb map, MCP tools, `--json` everywhere,
12
- gate-shaped exit codes 0/1/2) is cohesive and adopts cleanly. The **human
13
- path** is the weak side — and the human is a primary user (the consultant-CLI,
14
- dogfood-on-client-work direction). Every fix below either *deepens an existing
15
- verb* or *connects two existing verbs*; none adds a new top-level noun. The
16
- adoption work **is** the "deeper not broader" work.
17
-
18
- `doctor` (ends with "Next step") and `fix` (chains audit→suggest→approve→apply)
19
- already do the right thing. Cohesion here = make every verb behave like
20
- `doctor` and `fix` already do.
21
-
22
- ## Findings (evidence-backed)
23
-
24
- | # | Finding | Evidence | Impact |
25
- | --- | --- | --- | --- |
26
- | F1 | **Front door is a firehose** | bare invoke = 194 lines; 22 verbs / 87 distinct flags; `cli.ts` is 3,615 lines | New user can't find the ~6 things they actually do |
27
- | F2 | **Credential-free entry point dead-ends** | `audit --demo` (the README's "try it first") dumps **1,467 lines** to stdout and ends on a blank line — no "next step," unlike `doctor` | The single most-run first command strands you |
28
- | F3 | **No per-command help** | `dedupe --help`, `audit --help` fall through to the same 194-line global wall | A stuck user gets the firehose, not the answer |
29
- | F4 | **No altitude control on reads** | `audit` has only `--json` / `--out` / `--format`; no `--summary` / `--top` / `--quiet`. Human mode *is* the 1,467-line dump | Default human output is unreadable yet not machine-parseable |
30
- | F5 | **Tone undercuts positioning** | `audit --demo` footer: "This prototype is dry-run only" | Reads as toy vs. the beta/production-safety-invariant framing |
31
- | F6 | **No guided mode** | `readline` is used only for the login secret prompt | Every workflow is hand-assembled from flags; nothing scaffolds the loop |
32
-
33
- ## Fix sequence (highest leverage first)
34
-
35
- ### 1. Progressive-disclosure help — IN PROGRESS
36
- Fixes **F1, F3**. The full `usage()` becomes the explicit full reference
37
- (`fullstackgtm help --full`). Add:
38
- - `shortUsage()` — a ~30-line map of the verbs grouped by lifecycle phase
39
- (Setup · Detect · Prevent · Remediate · Calls · Govern · Market · Schedule),
40
- one line each, ending with `<command> --help` and `help --full` pointers.
41
- Becomes the default for bare invoke and `--help`.
42
- - `commandHelp(command)` — focused per-verb help (summary, synopsis, where it
43
- sits in the loop, key options, see-also). `<verb> --help` zooms in instead
44
- of dumping the surface. `call`/`market`/`enrich`/`bulk-update`/`schedule`
45
- keep their existing bespoke help.
46
- - `help [command] [--full]` command.
47
-
48
- ### 2. Every verb hands you the next step — DONE (audit keystone)
49
- Fixes **F2**. `auditNextStep()` gives `audit` context-aware forward guidance on
50
- stderr (stdout stays clean for pipes/`--out`; suppressed under `--json`):
51
- - **demo/sample** → "Client-ready writeup: `report --demo`" + "Run on your CRM:
52
- `login hubspot` → `audit --provider hubspot --save`"
53
- - **live + `--save`** → the governed spine: `suggest` → `plans approve
54
- --values-from` → `apply`, with the real plan id
55
- - **0 findings** → "clean — gate new records with `resolve`, schedule a check"
56
-
57
- The lifecycle spine made *experiential* — each command knows its phase and
58
- points forward (`doctor`/`fix` were the templates). `audit` is the keystone
59
- (the documented dead-end); the helper pattern now generalizes to the other read
60
- verbs (`report`, `resolve`, `dedupe` previews) in a follow-up.
61
-
62
- ### 3. Altitude control on the firehose — DONE
63
- Fixes **F4**. `patchPlanToMarkdown(plan, { summary })` gains a summary view
64
- (header + Findings-by-Rule table + operation count + pointers to `--full` and
65
- `report`). `audit` defaults to it — **1,467 → 24 lines** on the demo — with
66
- `--full` to opt back into the per-operation dump. The default stays *full* for
67
- every other caller (bulk-update, fix, dedupe, plans show, MCP): write-preview
68
- verbs keep full operation detail because you approve specific ops there. The
69
- principled split — audit = "what's wrong" (summary → `report`); write verbs =
70
- "exactly what I'll change" (full) — is the real win.
71
-
72
- ### 4. Tone pass — DONE
73
- Fixes **F5**. The "This prototype is dry-run only" footer is replaced
74
- everywhere with safety-invariant framing matching README/SKILL: "Dry-run plan —
75
- read-only. No provider write happens until you approve specific operations and
76
- run `apply`; placeholder values are refused without an explicit override. These
77
- safety invariants are not beta." No "prototype" string remains in user output.
78
-
79
- ## Deferred (bigger bets, gated on 1–4 landing)
80
- - **Engagement workspace**: per-client `.fullstackgtm/` state that accumulates
81
- snapshots, plans, evidence, and a health-over-time score — turns episodic
82
- audits into a continuously-operated system.
83
- - **Journey commands**: 2–3 opinionated composites (onboard-a-client,
84
- health-rollup) sequencing existing verbs into revops jobs.
85
-
86
- There is no point building the engagement workspace while the front door dumps
87
- 1,467 lines. Land the DX fixes first.
@@ -1,211 +0,0 @@
1
- # fullstackgtm: 0.1 → 1.0
2
-
3
- The planned, versioned path from first publish to a stable 1.0. Each milestone
4
- is shippable on its own, ordered so that every step consolidates the
5
- architecture before the next step expands it. The invariants that hold at
6
- every version:
7
-
8
- 1. **The package is the product; the app is an adapter.** Anything the app
9
- needs from a provider goes through the package connector. New capability
10
- lands in the package first.
11
- 2. **Reads are free, writes are patch plans.** No code path may mutate a
12
- provider except `applyPatchPlan` / `applyOperation` with explicit approval.
13
- 3. **Deterministic and diffable.** Same inputs produce the same findings with
14
- the same ids. Golden tests over the demo dataset enforce this.
15
- 4. **Zero-dependency core.** Connectors use `fetch`; optional integrations
16
- (MCP) stay optional peers.
17
-
18
- ## 0.1.0 — The loop exists (done)
19
-
20
- Canonical model, pluggable rule engine, patch plans, safe apply, HubSpot
21
- connector, CLI/MCP, demo dataset, CLI auth (private app token, loopback
22
- OAuth), broker pairing against a hosted deployment, CI + tag-publish
23
- automation.
24
-
25
- ## 0.2.0 — Provider parity and operational trust (done)
26
-
27
- - **Salesforce connector** behind the same `GtmConnector` contract: SOQL with
28
- cursor pagination, PATCH write-back, probabilities normalized to canonical
29
- 0..1, never drops unresolvable records.
30
- - **Salesforce CLI auth**: native device flow (code on any device, no client
31
- secret, silent refresh) plus manual token + instance URL.
32
- - **Broker mint for Salesforce**: paired CLIs receive `accessToken +
33
- instanceUrl + fieldMappings` from the org's stored credentials.
34
- - **CLI token observability**: paired-CLI list with last-used timestamps and
35
- one-click revoke in the dashboard.
36
- - App consolidation: `convex/salesforceActions.ts` collapses onto the package
37
- connector like the HubSpot path did.
38
-
39
- ## 0.3.0 — One patch-plan vocabulary (done)
40
-
41
- The last internal duplication: the app's durable `patchPlans` tables speak
42
- `verb`/`operation` strings while the package speaks typed `PatchOperation`s.
43
-
44
- - Package: add a `PlanStore` interface (persist plan → approve operations →
45
- record runs) so durable workflows are a first-class framework concern, not
46
- an app concern.
47
- - App: migrate `patchPlans`/`patchOperations` rows to the package types
48
- (schema migration with a compatibility window), route
49
- `patchPlanActions.apply` through `applyPatchPlan`.
50
- - Exit criterion: the dashboard review queue and `fullstackgtm apply` operate
51
- on byte-identical plan documents.
52
-
53
- ## 0.4.0 — Policy as config, rules as packages (done)
54
-
55
- Make the rule engine the community surface.
56
-
57
- - `fullstackgtm.config.json` (or `.ts`): policy thresholds, enabled rules,
58
- per-rule severity overrides, custom rule module paths.
59
- - Rule metadata: category, default severity, docs URL; `fullstackgtm rules`
60
- becomes generated documentation.
61
- - 10–15 additional built-in rules drawn from real RevOps pain: duplicate
62
- accounts by domain, contacts without owners, deals closing this quarter
63
- with no activity in 14 days, stage/probability drift, currency mismatches.
64
- - Exit criterion: a third party can publish an npm package of rules and a
65
- user can enable it from config without forking.
66
-
67
- ## 0.5.0 — Time: snapshot history and drift (done)
68
-
69
- - Snapshot archive conventions (local directory or any mounted/S3-backed
70
- path) with `fullstackgtm snapshot --archive`.
71
- - `fullstackgtm diff <a> <b>`: what changed between snapshots — records,
72
- fields, and *findings* (hygiene drift), built on the stable-id property.
73
- - Audit trends in the hosted app (the observability layer earns its keep).
74
- - Exit criterion: a nightly CI job can fail on hygiene regression, not just
75
- hygiene presence.
76
-
77
- ## 0.6.0 — Many systems, one entity (done — Stripe is the first non-CRM connector)
78
-
79
- The original thesis: GTM data disagrees across systems.
80
-
81
- - Entity resolution over `identities` claims: merge canonical records from
82
- multiple snapshots (CRM + marketing + billing) by domain/email/external-id
83
- heuristics, with explicit confidence and human-reviewable merge plans (the
84
- patch-plan safety model applied to identity).
85
- - Cross-system audit rules: "account exists in billing but not CRM",
86
- "marketing-qualified contact has no CRM owner".
87
- - First non-CRM connector (likely billing — Stripe — or marketing) to prove
88
- the contract generalizes.
89
- - Exit criterion: one audit over a merged snapshot from two live systems.
90
-
91
- ## 0.7.0 — Sync maturity (done)
92
-
93
- - Incremental fetch: provider cursors (HubSpot `updatedAfter` search,
94
- Salesforce `SystemModstamp` filters) behind an optional
95
- `fetchChanges(since)` connector capability.
96
- - Conflict surfacing: when a provider value changed under an unapplied patch
97
- operation, the plan flags it instead of writing blind (compare-and-set).
98
- - Exit criterion: hourly sync of a 100k-record org without full re-pulls.
99
-
100
- ## 0.8–0.9 — Hardening and freeze (done)
101
-
102
- - API review and freeze of `types.ts`, connector contract, CLI flags, MCP
103
- schemas; deprecations resolved.
104
- - Security review of the auth surfaces (credential store, broker endpoints,
105
- token lifecycle); rate limiting on the device-flow endpoints.
106
- - Docs site with the operating-model registry as browsable reference.
107
- - Performance pass: streaming snapshots for very large orgs.
108
-
109
- ## 0.10 → 0.28 — the layers, as shipped
110
-
111
- The plan above ended at the freeze; what shipped next grew the surface
112
- outward, one layer per release, each consolidating before the next expanded:
113
-
114
- - **0.11** — the suggest chain: deterministic placeholder values with
115
- confidence + reasons, `plans approve --values-from`.
116
- - **0.12** — governed merge: `merge_records` (HubSpot contacts / companies /
117
- deals), survivor suggestions capped at low confidence.
118
- - **0.13–0.14** — call intelligence: `call parse|score|link|plan`, LLM
119
- extraction behind the bring-your-own-key seam, deterministic baseline,
120
- provenance-marked insights.
121
- - **0.15** — the Prevent layer: the `resolve` create gate plus record-source
122
- provenance and attribution.
123
- - **0.16–0.22** — the market map: content-addressed captures, classification
124
- with mechanical span verification, front states and drift, axis discovery,
125
- overlay directives, scale estimation, the field report.
126
- - **0.19 / 0.23** — governed write verbs (`bulk-update`, then `dedupe`,
127
- `reassign`, `fix`) and the enrich layer (Apollo / Clay, fill-blanks-only
128
- plans).
129
- - **0.24** — the schedule layer: horizontal cron, read/plan-side allowlist,
130
- scheduling never auto-approves.
131
- - **0.25** — agent skill distribution (`npx skills add fullstackgtm/core`).
132
- - **0.25.2–0.26** — the security-hardening train: write-path integrity
133
- (HMAC-signed approvals re-verified at apply; archive-of-duplicate and
134
- irreversible-op drift guards; recovery snapshots) plus crontab/SSRF/XSS/
135
- error-body/CSV/credential-mode fixes, each verified by adversarial re-attack.
136
- - **0.27** — trust & transparency: `audit-log export|verify` (hash-chained,
137
- signed apply-run record), SECURITY.md + DATA-FLOWS.md + company-of-record,
138
- call-transcript insight grounding.
139
- - **0.28** — connectors, credentials & supply chain: opt-in OS keychain,
140
- broker-https enforcement, the build/CI dist-integrity gate (published dist is
141
- provably from source), Salesforce-merge capability matrix.
142
-
143
- ## 0.29 → 0.43 — from hygiene to the full outbound loop, as shipped
144
-
145
- The next train extended the governed spine from *fixing the CRM* to *filling
146
- it and acting on it*, without ever loosening the write gate:
147
-
148
- - **0.29–0.34** — market-map maturation (config suggestion + taxonomy types,
149
- sourcing helpers, competitor discovery, vendor logos/scale in the report)
150
- plus call-type classification with type-specific coaching rubrics (0.32);
151
- Salesforce `dedupe`/`merge_records` via SOAP and pipeline-aware closed/won
152
- detection (0.30).
153
- - **0.35–0.36** — DX cohesion: progressive-disclosure help, summary-first
154
- `audit` with next-step guidance; the engagement workspace — a deterministic
155
- `health` verb over a per-profile timeline.
156
- - **0.37–0.39** — acquire: `enrich acquire` (net-new, ICP-targeted,
157
- resolve-first deduped, metered lead creation), lead assignment policies so
158
- leads are never born ownerless, the LinkedIn (HeyReach) discovery source
159
- with email resolution, and run observability for broker-paired CLIs.
160
- - **0.40** — Salesforce reaches full write parity with HubSpot
161
- (`create_record`); HubSpot date-field writes no longer false-conflict.
162
- - **0.41** — signal-based outbound: `signals fetch/list/outcome/weights`,
163
- `icp judge`/`icp eval` (timing × fit × memory, golden-set calibration
164
- gate), `draft` (trigger-grounded openers as governed plans), and the LLM
165
- base-URL override.
166
- - **0.42** — bulk apply for lead creation (HubSpot batch + Salesforce
167
- composite).
168
- - **0.43** — the on-ramp and the seams: `init` workspace scaffolding,
169
- `docs/recipes.md` (five composable plays), and the contact/account seam
170
- campaign — contact-granular outbound end to end, account-level acquire for
171
- ABM, `health` by object type.
172
-
173
- The known-gaps list below predates these layers and has been re-verified
174
- against the 0.43 surface (2026-07): still accurate, still open.
175
-
176
- ## Known real-portal gaps to close before 1.0
177
-
178
- Found by exercising the published package as a fresh RevOps user with a real
179
- CRM (2026-06):
180
-
181
- - **Rate-limit resilience.** No 429/retry/backoff handling anywhere; a
182
- mid-size portal snapshot is ~1,000+ sequential page requests and one
183
- transient failure aborts the run. Fix: honor `Retry-After`, retry
184
- idempotent reads with backoff.
185
- - **`fetchChanges` 10k truncation.** The HubSpot search API caps at 10,000
186
- results; the connector stops silently at MAX_PAGES. Fix: detect the cap
187
- and fall back to (or instruct) a full snapshot, loudly.
188
- - **MCP plan hand-off.** `fullstackgtm_audit` can only return the full plan
189
- inline (200KB+ on real data) while `fullstackgtm_apply` requires a file
190
- path. Fix: an `outPath` option on the audit tool plus a summary-only
191
- output mode.
192
- - **Scope-complete login validation.** `login hubspot` validates against the
193
- owners endpoint only, so an under-scoped token passes login and fails
194
- mid-audit. Fix: probe each required object endpoint at login and report
195
- missing scopes up front.
196
-
197
- ## 1.0.0 — The contract (not yet declared)
198
-
199
- Semver stability commitment on the canonical model, rule interface, connector
200
- contract, plan format, CLI, and MCP tools. Declared only after the API
201
- surface has survived external usage and the real-portal gaps above are
202
- closed. From there, new providers and new rules are minor releases; the
203
- model only breaks at 2.0.
204
-
205
- ## Deliberately out of scope until after 1.0
206
-
207
- - Hosted multi-org analytics across customers
208
- - Non-deterministic (LLM-scored) rules — they can *propose*, but the
209
- deterministic engine stays the system of record for findings
210
- - Workflow orchestration (sequences, cadences) — adjacent product, not
211
- framework