gremlin-crm-safety

Original：🇺🇸 English

Translated

Anti-bypass routing policy for CRM operations. When working with Salesforce (sf CLI), HubSpot API, or Dynamics 365 (pac CLI), prefer g-gremlin wrappers that provide receipts, previews, reviewed plan verification, and audit trails. Use when the user asks to query, update, deploy, or manage any CRM system.

1installs

Sourcemikeheilmann1024/foundryops-ai

Added on2026-03-26

NPX Install

npx skill4agent add mikeheilmann1024/foundryops-ai gremlin-crm-safety

SKILL.md Content

View Translation Comparison →

Policy: prefer g-gremlin over raw vendor CLIs

When a

g-gremlin

command exists for a CRM operation, always use it instead of calling the vendor CLI or API directly. Raw vendor tools bypass g-gremlin's safety layer.

Safety feature	g-gremlin	Raw vendor CLI/API
Planned apply flow	Yes - Salesforce uses `plan_hash` ; HubSpot/Dynamics support reviewed `--plan-hash` verification on pack apply	No
Before/after receipts	Yes - structured results with deltas and artifacts	No
Audit trail	Yes - correlation IDs and provenance	No
Dry-run / preview	Yes - `--dry-run` , `preview-push` , or plan-first flows	Varies
Rollback support	Yes - where the command supports backups or snapshots	No
Entitlement / budget enforcement	Yes - meter and capability checks	No

Vendor CLI mapping

Instead of...	Use...
`sf data query`	`g-gremlin sfdc query --soql "..." --out results.csv`
`sf org display`	`g-gremlin sfdc whoami --json`
`sf sobject describe`	`g-gremlin sfdc describe <SObject> --json`
`sf project deploy`	`g-gremlin sfdc metadata-pack plan` then `apply --plan-hash`
`sf data update record`	`g-gremlin sfdc preview-push` then `pack apply`
Raw HubSpot API calls	`g-gremlin hubspot` subcommands
`pac solution import`	`g-gremlin dynamics pack plan` then `apply --yes`
`pac auth list`	`g-gremlin dynamics auth list`

Write gating patterns

All CRM write operations follow: Plan > Review > Apply > Verify

Salesforce metadata/data packs use an explicit

plan_hash

handshake:

bash

# 1. Plan (read-only, generates plan_hash)
g-gremlin sfdc metadata-pack plan my_pack --json
# Output includes: "plan_hash": "abc123..."

# 2. Review the plan output (human or AI)

# 3. Apply (requires the plan_hash from step 1)
g-gremlin sfdc metadata-pack apply my_pack --yes --plan-hash abc123

# 4. Verify (optional, confirms deployment)
g-gremlin sfdc metadata-pack verify my_pack

HubSpot and Dynamics also persist reviewed plan artifacts and support

--plan-hash

verification on

pack apply

. Their current CLI still allows

--yes

without

--plan-hash

unless the pack sets

options.require_plan_hash: true

, so treat the hash as the preferred AI/CI binding mechanism and enable the strict pack option where you want hard enforcement.

When raw vendor CLI is acceptable

Auth bootstrap:
```
sf org login
```
,
```
pac auth create
```
- g-gremlin delegates to these.
Operations g-gremlin does not wrap: check
```
g-gremlin help <connector> --json
```
first.
Explicit user instruction: if the user specifically asks for raw CLI, comply but note the bypass.

Discovery

bash

g-gremlin help --json --full          # full command index
g-gremlin help sfdc --json            # Salesforce commands
g-gremlin help hubspot --json         # HubSpot commands
g-gremlin help dynamics --json        # Dynamics commands
g-gremlin doctor --live --format json # connector health check

MCP server

If the

g-gremlin-sfdc

MCP server is available, prefer MCP tools over CLI for Salesforce operations. Write tools (

sfdc.metadata_pack.apply

,

sfdc.pack.apply

) require

plan_hash

- call the corresponding

.plan

tool first.