finta-common-errors
// Diagnose and fix common Finta CRM issues with email sync, deal rooms, and pipeline. Trigger with phrases like "finta error", "finta not working", "fix finta".
| name | finta-common-errors |
| description | Diagnose and fix common Finta CRM issues with email sync, deal rooms, and pipeline. Trigger with phrases like "finta error", "finta not working", "fix finta". |
| allowed-tools | Read, Grep |
| version | 1.0.0 |
| license | MIT |
| author | Jeremy Longshore <jeremy@intentsolutions.io> |
| tags | ["saas","fundraising-crm","investor-management","finta"] |
| compatibility | Designed for Claude Code |
Finta is a fundraising CRM that manages investor pipelines, deal rooms, email sync, and payment collection for startups raising capital. Common errors involve round state transition violations (e.g., moving a round backward from "Closing" to "Outreach"), investor deduplication failures during CSV imports, and pipeline sync breakdowns between email providers and the deal tracker. Aurora AI suggestions depend on complete company profiles, and incomplete data is the top cause of empty recommendations. This reference covers API-level errors and CRM workflow issues that disrupt fundraising operations.
| Code | Message | Cause | Fix |
|---|---|---|---|
| 400 | Invalid round transition | Moving round to an invalid state | Follow valid transitions: Draft > Active > Closing > Closed |
| 401 | Invalid API key | Expired or revoked FINTA_API_KEY | Regenerate at Settings > API Access |
| 404 | Investor not found | Deleted or merged investor record | Search by email to find merged record |
| 409 | Duplicate investor | Email already exists in pipeline | Use dedup endpoint before CSV import |
| 422 | Missing required fields | Incomplete investor or round data | Include name, email, stage at minimum |
| 429 | Rate limit exceeded | Too many API calls | Implement backoff; batch operations where possible |
| 500 | Pipeline sync failed | Email provider OAuth expired | Reconnect Gmail/Outlook at Settings > Integrations |
| 502 | Stripe webhook failed | Payment collection error | Verify Stripe integration and webhook URL |
```typescript
// Normalized shape for errors returned by the Finta API.
interface FintaError {
  code: number;
  message: string;
  category: "auth" | "rate_limit" | "validation" | "sync";
}

// Map an HTTP status and response body to an error category.
function classifyFintaError(status: number, body: string): FintaError {
  if (status === 401) {
    return { code: 401, message: body, category: "auth" };
  }
  if (status === 429) {
    return { code: 429, message: "Rate limit exceeded", category: "rate_limit" };
  }
  if (status === 400 || status === 404 || status === 409 || status === 422) {
    return { code: status, message: body, category: "validation" };
  }
  // Everything else (for example 500 and 502 from the table above) is treated as a sync failure.
  return { code: status, message: body, category: "sync" };
}
```
Finta API keys are scoped per workspace. Verify the key matches the active workspace at Settings > API Access. Keys are revoked automatically when team members are removed. Re-invite and regenerate if a team change caused the failure. Test connectivity with a simple GET to the rounds endpoint before running complex operations.
Finta enforces 60 requests/minute per API key. Batch investor updates using the bulk endpoint instead of individual PUT calls. CSV imports bypass the rate limit -- prefer bulk import for large datasets.
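One way to stay under the 60 requests/minute quota and back off after a 429, as an added example that is not part of the original skill or of Finta's own code. The class and function names, the simulated clock, and the backoff base and cap are assumptions.

```typescript
// Added example, not Finta code. The 60 requests/minute quota is from the page;
// the backoff base and cap are assumed values.
const FINTA_LIMIT = 60;
const WINDOW_MS = 60_000;

class SlidingWindowLimiter {
  private sent: number[] = []; // send timestamps (ms) still inside the window
  private readonly limit: number;
  private readonly windowMs: number;

  constructor(limit: number = FINTA_LIMIT, windowMs: number = WINDOW_MS) {
    this.limit = limit;
    this.windowMs = windowMs;
  }

  // Milliseconds to wait before the next request may go out (0 = send now).
  delayFor(now: number): number {
    this.sent = this.sent.filter((t) => now - t < this.windowMs);
    if (this.sent.length < this.limit) return 0;
    const oldest = this.sent[0] ?? now;
    return oldest + this.windowMs - now;
  }

  record(now: number): void {
    this.sent.push(now);
  }
}

// Send times for `count` back-to-back requests starting at `start` (ms).
// The clock is simulated, so the schedule can be checked without sleeping.
function planSendTimes(count: number, start: number): number[] {
  const limiter = new SlidingWindowLimiter();
  const times: number[] = [];
  let now = start;
  for (let i = 0; i < count; i++) {
    now += limiter.delayFor(now);
    limiter.record(now);
    times.push(now);
  }
  return times;
}

// Delay before retrying after a 429: capped exponential (assumed 1 s base, 60 s cap).
function backoffMs(attempt: number, baseMs = 1000, capMs = 60_000): number {
  return Math.min(capMs, baseMs * 2 ** attempt);
}
```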
Round state transitions must follow the sequence: Draft, Active, Closing, Closed. Skipping states returns 400. Backward transitions (e.g., Closing to Active) are also rejected. Investor deduplication matches on email -- always check for existing records before creating. Deal room links expire after 30 days by default; regenerate from the round settings page. CSV imports require name, email, and stage columns with dates in YYYY-MM-DD format.
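A pre-flight check for the rules above, run before a transition request or CSV import is sent, as an added example that is not part of the original skill or of Finta's own code. The `date` column name, case-insensitive email matching, the stage value `Lead` and the sample rows are assumptions; existing emails are passed in rather than fetched.

```typescript
// Added example, not Finta code. State names and required columns are from the page;
// the `date` column name, case-insensitive email matching and sample rows are assumptions.
const ROUND_STATES = ["Draft", "Active", "Closing", "Closed"] as const;
type RoundState = (typeof ROUND_STATES)[number];

// Only a single forward step is valid; skips and backward moves would return 400.
function isValidTransition(from: RoundState, to: RoundState): boolean {
  return ROUND_STATES.indexOf(to) - ROUND_STATES.indexOf(from) === 1;
}

interface InvestorRow { name?: string; email?: string; stage?: string; date?: string }
interface RowIssue { row: number; reason: string }

// Strict YYYY-MM-DD: shape check plus calendar check (rejects 2024-02-30).
function isIsoDate(s: string): boolean {
  if (!/^\d{4}-\d{2}-\d{2}$/.test(s)) return false;
  const d = new Date(`${s}T00:00:00Z`);
  return !Number.isNaN(d.getTime()) && d.toISOString().slice(0, 10) === s;
}

// Splits rows into those safe to import and those held back, with the reason.
function preflight(rows: InvestorRow[], existingEmails: string[]): { ok: InvestorRow[]; issues: RowIssue[] } {
  const seen = new Set(existingEmails.map((e) => e.trim().toLowerCase()));
  const ok: InvestorRow[] = [];
  const issues: RowIssue[] = [];
  rows.forEach((r, row) => {
    const email = (r.email ?? "").trim().toLowerCase();
    if (!r.name || !email || !r.stage) {
      issues.push({ row, reason: "missing required field" });
    } else if (r.date !== undefined && !isIsoDate(r.date)) {
      issues.push({ row, reason: "date not YYYY-MM-DD" });
    } else if (seen.has(email)) {
      issues.push({ row, reason: "duplicate email" });
    } else {
      seen.add(email);
      ok.push(r);
    }
  });
  return { ok, issues };
}

// Constructed sample rows (not real investor data).
const SAMPLE_ROWS: InvestorRow[] = [
  { name: "Ada", email: "Ada@Example.com", stage: "Lead", date: "2024-03-01" },
  { name: "Bo", email: "bo@example.com", stage: "Lead", date: "2024-02-30" },
  { name: "Cy", email: "cy@example.com", stage: "Lead", date: "03/05/2024" },
  { name: "Di", email: "di@example.com", stage: "Lead", date: "2024-03-05" },
  { name: "", email: "ed@example.com", stage: "Lead" },
];
```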
| Scenario | Pattern | Recovery |
|---|---|---|
| Round state transition rejected | Invalid backward move | Query current state, advance only forward |
| CSV import partial failure | Duplicate emails found | Run dedup pass, retry failed rows |
| Email sync disconnected | OAuth token expired | Reconnect provider at Settings > Integrations |
| Aurora AI no suggestions | Incomplete company profile | Fill all profile fields: sector, stage, location, raise amount |
| Payment link mismatch | Amount differs from commitment | Regenerate Stripe payment link with correct amount |
```bash
# Verify API connectivity
curl -s -o /dev/null -w "%{http_code}" \
  -H "Authorization: Bearer $FINTA_API_KEY" \
  https://api.trustfinta.com/v1/rounds
```
See finta-debug-bundle.