gremlin-crm-safety


Anti-bypass routing policy for CRM operations. When working with Salesforce (sf CLI), HubSpot API, or Dynamics 365 (pac CLI), prefer g-gremlin wrappers that provide receipts, previews, reviewed plan verification, and audit trails. Use when the user asks to query, update, deploy, or manage any CRM system.


NPX Install

npx skill4agent add mikeheilmann1024/foundryops-ai gremlin-crm-safety

Policy: prefer g-gremlin over raw vendor CLIs

When a `g-gremlin` command exists for a CRM operation, always use it instead of calling the vendor CLI or API directly. Raw vendor tools bypass g-gremlin's safety layer.

| Safety feature | g-gremlin | Raw vendor CLI/API |
| --- | --- | --- |
| Planned apply flow | Yes - Salesforce uses `plan_hash`; HubSpot/Dynamics support reviewed `--plan-hash` verification on pack apply | No |
| Before/after receipts | Yes - structured results with deltas and artifacts | No |
| Audit trail | Yes - correlation IDs and provenance | No |
| Dry-run / preview | Yes - `--dry-run`, `preview-push`, or plan-first flows | Varies |
| Rollback support | Yes - where the command supports backups or snapshots | No |
| Entitlement / budget enforcement | Yes - meter and capability checks | No |

Vendor CLI mapping

| Instead of... | Use... |
| --- | --- |
| `sf data query` | `g-gremlin sfdc query --soql "..." --out results.csv` |
| `sf org display` | `g-gremlin sfdc whoami --json` |
| `sf sobject describe` | `g-gremlin sfdc describe <SObject> --json` |
| `sf project deploy` | `g-gremlin sfdc metadata-pack plan` then `apply --plan-hash` |
| `sf data update record` | `g-gremlin sfdc preview-push` then `pack apply` |
| Raw HubSpot API calls | `g-gremlin hubspot` subcommands |
| `pac solution import` | `g-gremlin dynamics pack plan` then `apply --yes` |
| `pac auth list` | `g-gremlin dynamics auth list` |

Write gating patterns

All CRM write operations follow: Plan > Review > Apply > Verify

Salesforce metadata/data packs use an explicit `plan_hash` handshake:

```bash
# 1. Plan (read-only, generates plan_hash)
g-gremlin sfdc metadata-pack plan my_pack --json
# Output includes: "plan_hash": "abc123..."

# 2. Review the plan output (human or AI)

# 3. Apply (requires the plan_hash from step 1)
g-gremlin sfdc metadata-pack apply my_pack --yes --plan-hash abc123

# 4. Verify (optional, confirms deployment)
g-gremlin sfdc metadata-pack verify my_pack
```

HubSpot and Dynamics also persist reviewed plan artifacts and support `--plan-hash` verification on `pack apply`. Their current CLI still allows `--yes` without `--plan-hash` unless the pack sets `options.require_plan_hash: true`, so treat the hash as the preferred AI/CI binding mechanism and enable the strict pack option where you want hard enforcement.

When raw vendor CLI is acceptable

  • Auth bootstrap: `sf org login`, `pac auth create` - g-gremlin delegates to these.
  • Operations g-gremlin does not wrap: check `g-gremlin help <connector> --json` first.
  • Explicit user instruction: if the user specifically asks for raw CLI, comply but note the bypass.
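
The routing rules above (the vendor CLI mapping, plan-hash gating on writes, and the auth-bootstrap exception) can be checked mechanically before an agent or CI job runs a command. The guard below is an added example, not part of g-gremlin or this skill; `crm_guard` and its return codes are hypothetical, and it is deliberately stricter than the current HubSpot/Dynamics CLI: it rejects any `apply` that lacks `--plan-hash <value>`.

```shell
#!/bin/sh
# Added example (not part of g-gremlin): argv-level policy guard for CRM
# commands proposed by an agent or CI job. crm_guard is a hypothetical name.
# It inspects its arguments only and never executes them.
# Return codes: 0 = allowed
#               1 = raw vendor call that the page maps to a g-gremlin wrapper
#               2 = g-gremlin "apply" not bound to a reviewed plan hash
crm_guard() {
  local tool sub arg prev is_apply has_hash
  tool="${1:-}"
  sub="${2:-} ${3:-}"
  case "$tool" in
    sf)
      case "$sub" in
        "org login")        # auth bootstrap: g-gremlin delegates to this
          return 0 ;;
        "data query"|"org display"|"sobject describe"|"project deploy"|"data update")
          echo "blocked: 'sf $sub' has a g-gremlin sfdc equivalent" >&2
          return 1 ;;
      esac ;;
    pac)
      case "$sub" in
        "auth create")      # auth bootstrap
          return 0 ;;
        "solution import"|"auth list")
          echo "blocked: 'pac $sub' has a g-gremlin dynamics equivalent" >&2
          return 1 ;;
      esac ;;
    g-gremlin)
      is_apply=0; has_hash=0; prev=""
      for arg in "$@"; do
        if [ "$arg" = "apply" ]; then is_apply=1; fi
        # Accept only the form shown on the page: --plan-hash <value>.
        # A following flag (e.g. "--plan-hash --yes") is not a hash value.
        if [ "$prev" = "--plan-hash" ]; then
          case "$arg" in ""|-*) ;; *) has_hash=1 ;; esac
        fi
        prev="$arg"
      done
      if [ "$is_apply" -eq 1 ] && [ "$has_hash" -eq 0 ]; then
        echo "blocked: apply without --plan-hash (run the plan step first)" >&2
        return 2
      fi ;;
  esac
  return 0  # anything else falls through, including operations g-gremlin does not wrap
}
```

Call it with the proposed command as arguments, for example `crm_guard g-gremlin hubspot pack apply my_pack --yes`, and refuse to execute on a non-zero return. It checks only that a hash is present; whether the hash matches the reviewed plan is verified by g-gremlin itself.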

Discovery

```bash
g-gremlin help --json --full          # full command index
g-gremlin help sfdc --json            # Salesforce commands
g-gremlin help hubspot --json         # HubSpot commands
g-gremlin help dynamics --json        # Dynamics commands
g-gremlin doctor --live --format json # connector health check
```

MCP server

If the `g-gremlin-sfdc` MCP server is available, prefer MCP tools over CLI for Salesforce operations. Write tools (`sfdc.metadata_pack.apply`, `sfdc.pack.apply`) require `plan_hash` - call the corresponding `.plan` tool first.