@beyondwork/docx-react-component 1.0.71 → 1.0.73

package/src/runtime/scopes/scope-kinds/paragraph.ts

@@ -12,10 +12,13 @@
  * compiler-backed.
  */
 
-import type { CanonicalDocument } from "../../../model/canonical-document.ts";
+import type {
+  CanonicalDocument,
+  InlineNode,
+} from "../../../model/canonical-document.ts";
 import { resolveEffectiveFormattingForScope } from "../_formatting-seam.ts";
 import type { ParagraphLikeEnumeratedScope } from "../enumerate-scopes.ts";
-import { computeBlockPositions } from "../position-map.ts";
+import { buildScopePositionMap, computeBlockPositions } from "../position-map.ts";
 import { deriveReplaceability } from "../replaceability.ts";
 import {
   isStructuredReplacementContent,
@@ -32,6 +35,99 @@ import {
   extractParagraphText,
 } from "./_paragraph-text.ts";
 
+function inlineLengthLocal(node: InlineNode): number {
+  switch (node.type) {
+    case "text":
+      return Array.from(node.text).length;
+    case "hyperlink":
+    case "field":
+      return (node.children as readonly InlineNode[]).reduce(
+        (total, child) => total + inlineLengthLocal(child),
+        0,
+      );
+    case "bookmark_start":
+    case "bookmark_end":
+    case "scope_marker_start":
+    case "scope_marker_end":
+      return 0;
+    default:
+      return 1;
+  }
+}
+
+/**
+ * Opt-in preservation helper: walk a paragraph's inline children,
+ * return the longest contiguous text-only run's [from, to] sub-range
+ * within the caller's `target` range. Opaque inlines / images / other
+ * non-text inlines break the run. Returns `null` when no text-only run
+ * exists inside the target range (paragraph is entirely opaques or the
+ * range falls on a non-text inline).
+ *
+ * Used by coord-08 §17 — `ReplacementPreservePolicy.opaqueFragments =
+ * true` narrows the replace range to this text-only sub-range so the
+ * opaque inlines survive the apply.
+ */
+function longestTextOnlyRangeInParagraph(
+  paragraph: ParagraphLikeEnumeratedScope["paragraph"],
+  paragraphFrom: number,
+  target: { readonly from: number; readonly to: number },
+): { readonly from: number; readonly to: number } | null {
+  let best: { readonly from: number; readonly to: number } | null = null;
+  let runStart: number | null = null;
+  let cursor = paragraphFrom;
+
+  const consider = (from: number, to: number) => {
+    // Clip to the caller's target range.
+    const clippedFrom = Math.max(from, target.from);
+    const clippedTo = Math.min(to, target.to);
+    if (clippedTo <= clippedFrom) return;
+    if (!best || clippedTo - clippedFrom > best.to - best.from) {
+      best = { from: clippedFrom, to: clippedTo };
+    }
+  };
+
+  const isTextRun = (child: InlineNode): boolean => {
+    if (child.type === "text" || child.type === "tab" || child.type === "hard_break") {
+      // tab + hard_break carry length 1 and are safe to text-replace
+      // (the runtime's text.insert handles them structurally). Treat
+      // as part of the text run.
+      return true;
+    }
+    if (child.type === "hyperlink" || child.type === "field") {
+      // Hyperlink / field wrappers contribute their text-only children
+      // to the run; they're not themselves opaque.
+      return true;
+    }
+    if (
+      child.type === "bookmark_start" ||
+      child.type === "bookmark_end" ||
+      child.type === "scope_marker_start" ||
+      child.type === "scope_marker_end"
+    ) {
+      // Zero-width boundary markers — preserve via length 0. Don't
+      // break the text run.
+      return true;
+    }
+    return false;
+  };
+
+  for (const child of paragraph.children) {
+    const len = inlineLengthLocal(child);
+    const childFrom = cursor;
+    const childTo = cursor + len;
+    if (isTextRun(child)) {
+      if (runStart === null) runStart = childFrom;
+    } else {
+      // Opaque / image / non-text inline breaks the run.
+      if (runStart !== null) consider(runStart, childFrom);
+      runStart = null;
+    }
+    cursor = childTo;
+  }
+  if (runStart !== null) consider(runStart, cursor);
+  return best;
+}
+
 export interface CompileParagraphOptions {
   readonly document?: CanonicalDocument;
   readonly paragraphIndex?: number;
@@ -125,10 +221,71 @@ export function compileParagraphReplacement(
   const blockRange = blocks.find((b) => b.blockIndex === entry.blockIndex);
   if (!blockRange) return null;
 
+  // Inline-range correction (2026-04-24 bug fix): when the scope is
+  // marker-backed AND the marker pair sits strictly INSIDE the
+  // paragraph (marker range is narrower than the paragraph's full
+  // block range), the replace range must follow the markers — not
+  // the paragraph. Otherwise surrounding text in the same paragraph
+  // gets destroyed on every applyReplacementScope call. The markers'
+  // positions are already tracked in `buildScopePositionMap().
+  // markerScopes`; we consult it here only when the scope is marker-
+  // backed so non-marker paragraphs pay zero cost.
+  let effectiveRange: { readonly from: number; readonly to: number } = {
+    from: blockRange.from,
+    to: blockRange.to,
+  };
+  let rangeKind: "block" | "inline-marker" | "opaque-preserving-text" = "block";
+  if (entry.handle.provenance === "marker-backed") {
+    const positionMap = buildScopePositionMap(options.document);
+    const markerRange = positionMap.markerScopes.get(entry.handle.scopeId);
+    if (
+      markerRange &&
+      markerRange.from >= blockRange.from &&
+      markerRange.to <= blockRange.to &&
+      // Strictly narrower than the paragraph — only then is the marker
+      // a sub-paragraph inline range. Whole-paragraph marker scopes
+      // (markers wrapping all of the paragraph's text) continue to use
+      // the block range, preserving the existing replace-whole-paragraph
+      // semantics.
+      (markerRange.from > blockRange.from || markerRange.to < blockRange.to)
+    ) {
+      effectiveRange = markerRange;
+      rangeKind = "inline-marker";
+    }
+  }
+
+  // Coord-08 §17 (2026-04-24) — opt-in opaque preservation. When the
+  // caller sets `preserve.opaqueFragments === true`, narrow the
+  // replace range to the longest contiguous text-only sub-range so
+  // opaque inlines (images, charts, preserve-only fragments) survive
+  // the apply at their original positions.
+  if (proposed.preserve?.opaqueFragments === true) {
+    const textOnly = longestTextOnlyRangeInParagraph(
+      entry.paragraph,
+      blockRange.from,
+      effectiveRange,
+    );
+    if (!textOnly) {
+      // Paragraph is entirely opaques within the target range — no
+      // text-only sub-range to replace. Refuse cleanly; the composer's
+      // `preserve:opaque-fragment:*` warning already signalled the
+      // opt-in intent.
+      return null;
+    }
+    effectiveRange = textOnly;
+    rangeKind = "opaque-preserving-text";
+  }
+
   if (proposed.proposedContent.kind === "text") {
     const text = proposed.proposedContent.text ?? "";
     const stepKind =
       options.posture === "suggest-mode" ? "text-insert-tracked" : "text-replace";
+    const summaryScope =
+      rangeKind === "inline-marker"
+        ? `paragraph #${entry.blockIndex} inline-marker range [${effectiveRange.from}..${effectiveRange.to}]`
+        : rangeKind === "opaque-preserving-text"
+          ? `paragraph #${entry.blockIndex} opaque-preserving text range [${effectiveRange.from}..${effectiveRange.to}]`
+          : `paragraph #${entry.blockIndex}`;
     return {
       scopeId: entry.handle.scopeId,
       targetKind: "paragraph",
@@ -138,9 +295,9 @@ export function compileParagraphReplacement(
           kind: stepKind,
           summary:
             stepKind === "text-replace"
-              ? `replace paragraph #${entry.blockIndex} text (len ${text.length})`
-              : `suggest-mode paragraph #${entry.blockIndex} text replace (len ${text.length})`,
-          range: { from: blockRange.from, to: blockRange.to },
+              ? `replace ${summaryScope} text (len ${text.length})`
+              : `suggest-mode ${summaryScope} text replace (len ${text.length})`,
+          range: { from: effectiveRange.from, to: effectiveRange.to },
           text,
         },
       ]),
@@ -161,6 +318,12 @@ export function compileParagraphReplacement(
     const fragment = proposed.proposedContent.structured;
     if (!isStructuredReplacementContent(fragment)) return null;
     const blockCount = fragment.blocks.length;
+    const summaryScope =
+      rangeKind === "inline-marker"
+        ? `paragraph #${entry.blockIndex} inline-marker range [${effectiveRange.from}..${effectiveRange.to}]`
+        : rangeKind === "opaque-preserving-text"
+          ? `paragraph #${entry.blockIndex} opaque-preserving text range [${effectiveRange.from}..${effectiveRange.to}]`
+          : `paragraph #${entry.blockIndex}`;
     return {
       scopeId: entry.handle.scopeId,
       targetKind: "paragraph",
@@ -168,8 +331,8 @@ export function compileParagraphReplacement(
       steps: Object.freeze([
         {
           kind: "fragment-replace",
-          summary: `replace paragraph #${entry.blockIndex} with structured fragment (${blockCount} block(s))`,
-          range: { from: blockRange.from, to: blockRange.to },
+          summary: `replace ${summaryScope} with structured fragment (${blockCount} block(s))`,
+          range: { from: effectiveRange.from, to: effectiveRange.to },
           fragment,
         },
       ]),

package/src/runtime/scopes/semantic-scope-types.ts

@@ -296,6 +296,25 @@ export interface ReplacementPreservePolicy {
   readonly comments?: boolean;
   readonly revisions?: boolean;
   readonly bookmarks?: boolean;
+  /**
+   * Opt-in (2026-04-24): allow the replace to proceed when the target
+   * range contains opaque fragments (inline images, charts, or other
+   * `preserve-only` payload) that the runtime cannot safely
+   * re-serialize. When `true`:
+   *
+   *   - `computePreservationVerdict` downgrades
+   *     `preserve:opaque-fragment:*` reasons from blockers to warnings
+   *     (still surfaced on `validation.warnings` + audit-bundle).
+   *   - `compileParagraphReplacement` narrows the replace range to the
+   *     longest contiguous text-only sub-range, leaving opaques at
+   *     their original inline offsets. If no text sub-range exists
+   *     (paragraph is entirely opaques), compile still refuses.
+   *
+   * Default (absent / `false`) preserves the pre-opt-in refusal
+   * semantics. Callers that don't set this flag are protected from
+   * accidental opaque-fragment loss.
+   */
+  readonly opaqueFragments?: boolean;
 }
 
 export interface ReplacementScope {
@@ -426,6 +445,14 @@ export interface ScopeActionAudit {
   }[];
   readonly validation: ValidationResult;
   readonly emittedAtUtc: string;
+  /**
+   * Gap A (coord-08 post-Slice-7 integration) — revision IDs authored
+   * by the runtime during this apply. Populated for suggest-mode
+   * dispatch (tracked insert + delete revisions); omitted for direct-
+   * edit. Agents chain into `ai.acceptRevision` / `ai.rejectRevision`
+   * to land / discard the proposal without diffing the revision map.
+   */
+  readonly authoredRevisionIds?: readonly string[];
 }
 
 /* -------------------------------------------------------------------------

package/src/runtime/surface-projection.ts

@@ -796,6 +796,58 @@ function resolveSurfaceParagraphShading(
   };
 }
 
+/**
+ * Strip the verbatim-OOXML `rawXml` round-trip field from
+ * `FrameProperties` before forwarding to the public surface. Consumers
+ * (L04 paginated-layout placement, L11 render) read the modeled
+ * positioning + size fields; `rawXml` exists only so the serializer can
+ * merge extension attributes (`w14:*`, `w15:*`, `mc:Ignorable`) back
+ * onto the element on export.
+ */
+function toSurfaceFrameProperties(
+  frame: NonNullable<CanonicalParagraphFormatting["frameProperties"]>,
+): NonNullable<
+  Extract<
+    import("../api/public-types.ts").SurfaceBlockSnapshot,
+    { kind: "paragraph" }
+  >["frameProperties"]
+> {
+  const {
+    widthTwips,
+    heightTwips,
+    hRule,
+    xTwips,
+    yTwips,
+    xAlign,
+    yAlign,
+    hAnchor,
+    vAnchor,
+    wrap,
+    hSpaceTwips,
+    vSpaceTwips,
+    dropCap,
+    lines,
+    anchorLock,
+  } = frame;
+  return {
+    ...(widthTwips !== undefined ? { widthTwips } : {}),
+    ...(heightTwips !== undefined ? { heightTwips } : {}),
+    ...(hRule !== undefined ? { hRule } : {}),
+    ...(xTwips !== undefined ? { xTwips } : {}),
+    ...(yTwips !== undefined ? { yTwips } : {}),
+    ...(xAlign !== undefined ? { xAlign } : {}),
+    ...(yAlign !== undefined ? { yAlign } : {}),
+    ...(hAnchor !== undefined ? { hAnchor } : {}),
+    ...(vAnchor !== undefined ? { vAnchor } : {}),
+    ...(wrap !== undefined ? { wrap } : {}),
+    ...(hSpaceTwips !== undefined ? { hSpaceTwips } : {}),
+    ...(vSpaceTwips !== undefined ? { vSpaceTwips } : {}),
+    ...(dropCap !== undefined ? { dropCap } : {}),
+    ...(lines !== undefined ? { lines } : {}),
+    ...(anchorLock !== undefined ? { anchorLock } : {}),
+  };
+}
+
 function resolveSurfaceParagraphFormatting(
   formatting: CanonicalParagraphFormatting,
   themeResolver: ThemeColorResolver | undefined,
@@ -1066,6 +1118,9 @@ function createParagraphBlock(
       : {}),
     ...(paragraph.indentation ? { indentation: paragraph.indentation } : {}),
     ...(paragraph.borders ? { borders: paragraph.borders } : {}),
+    ...(paragraph.frameProperties
+      ? { frameProperties: toSurfaceFrameProperties(paragraph.frameProperties) }
+      : {}),
     ...(paragraph.shading
       ? { shading: resolveSurfaceParagraphShading(paragraph.shading, themeResolver) }
       : {}),
@@ -1400,6 +1455,25 @@ function appendInlineSegments(
         state: "locked-preserve-only",
       });
       return { nextCursor: start + 1, lockedFragmentIds: [] };
+    case "page_break":
+      // coord-04 §1.18.5 / coord-03 §11 — `<w:br w:type="page"/>` forces
+      // subsequent content onto a new page. Mirror `column_break`'s
+      // quiet-marker emission (label-based detection). L04 pagination
+      // reads `segment.label === "Page break"` via `hasPageBreak` and
+      // forces `pushPage(block.to)` after placing the carrying block.
+      paragraph.segments.push({
+        segmentId: `${paragraph.blockId}-segment-${paragraph.segments.length}`,
+        kind: "opaque_inline",
+        from: start,
+        to: start + 1,
+        fragmentId: "",
+        warningId: "",
+        label: "Page break",
+        detail: "Word hard page break marker — pagination forces a new page here.",
+        presentation: "quiet-marker",
+        state: "locked-preserve-only",
+      });
+      return { nextCursor: start + 1, lockedFragmentIds: [] };
     case "footnote_ref":
       paragraph.segments.push({
         segmentId: `${paragraph.blockId}-segment-${paragraph.segments.length}`,
@@ -2070,6 +2144,8 @@ function summarizePreviewInline(node: InlineNode): string {
       return node.char ? String.fromCodePoint(parseInt(node.char, 16)) : "\uFFFD";
     case "column_break":
       return "[Column break]";
+    case "page_break":
+      return "[Page break]";
     case "chart_preview":
       return "[Embedded chart]";
     case "smartart_preview":
@@ -2376,6 +2452,7 @@ function cloneMarks(marks: TextMark[]): {
         break;
       case "highlight":
         highlightColor = mark.color;
+        supported.push("highlight");
         break;
       case "charSpacing":
         attrs.charSpacing = mark.val;

package/src/runtime/workflow/coordinator.ts

@@ -838,6 +838,9 @@ export function createWorkflowCoordinator(deps: CoordinatorDeps): WorkflowCoordi
       anchor: publicAnchor,
       ...(params.storyTarget ? { storyTarget: params.storyTarget } : {}),
       ...(params.label ? { label: params.label } : {}),
+      ...(params.scopeMetadataFields && params.scopeMetadataFields.length > 0
+        ? { metadata: [...params.scopeMetadataFields] }
+        : {}),
     };
 
     deps.dispatch({

package/src/runtime/workflow/scope-writer.ts

@@ -34,6 +34,7 @@ import type {
   RuntimeRenderSnapshot,
   WorkflowMetadataEntry,
   WorkflowMetadataPersistence,
+  WorkflowScopeMetadataField,
   WorkflowScopeMode,
 } from "../../api/public-types.ts";
 
@@ -68,6 +69,26 @@ export interface CreateScopeFromBlockIdInput {
    * completeness since `BoundaryAssoc` typing allows them.
    */
   readonly assoc?: { readonly start: -1 | 1; readonly end: -1 | 1 };
+  /**
+   * Coord-08 §9 / coord-09 §1.13 (A3) — caller-steerable identity
+   * strategy for the enumerated scope's `ScopeHandle.stableRef`.
+   * Stored as an overlay-scope metadata field (`key: "stableRefHint"`)
+   * at creation time; the L08 compiler reads it back during
+   * enumeration and honors the requested kind when the strategy is
+   * feasible, falling back to its default selection otherwise (see
+   * `src/runtime/scopes/enumerate-scopes.ts::stableRefHintForScopeId`
+   * for the feasibility matrix).
+   *
+   * Today's honored values: `"scope-id"` / `"semantic-path"`. The
+   * `"bookmark"` + `"runtime-handle"` kinds currently fall back (no
+   * bookmark-lookup wired in phase 1; runtime-handle is a transient
+   * strategy with no durability meaning).
+   */
+  readonly stableRefHint?:
+    | "scope-id"
+    | "bookmark"
+    | "semantic-path"
+    | "runtime-handle";
 }
 
 export type CreateScopeFromBlockIdResult =
@@ -172,6 +193,16 @@ export function createScopeFromBlockId(
   if (!anchor) {
     return { status: "block-not-found", blockId: input.blockId };
   }
+  // Coord-08 §9 — encode stableRefHint as an overlay-scope metadata
+  // field so the L08 compiler can read it back at enumeration time.
+  const scopeMetadataFields: WorkflowScopeMetadataField[] = [];
+  if (input.stableRefHint !== undefined) {
+    scopeMetadataFields.push({
+      key: "stableRefHint",
+      valueType: "string",
+      value: input.stableRefHint,
+    });
+  }
   const result: AddScopeResult = runtime.addScope({
     anchor,
     mode: input.mode,
@@ -180,6 +211,9 @@ export function createScopeFromBlockId(
     metadata: input.metadata,
     storyTarget: input.storyTarget,
     label: input.label,
+    ...(scopeMetadataFields.length > 0
+      ? { scopeMetadataFields }
+      : {}),
   });
   return { status: "created", scopeId: result.scopeId, anchor: result.anchor };
 }

package/src/session/export/embedded-reconstitute.ts

@@ -68,6 +68,34 @@ export async function reconstituteEmbeddedDocuments(
   }
 }
 
+/**
+ * SEC-IO-01 (2026-04-23): tamper-verified resolution.
+ *
+ * Two sources are consulted in order:
+ *   1. `hostAdapter.loadEmbeddedDocument(storageReference)` — verified against
+ *      `entry.sha256`. Mismatch falls through to inline bytes, treated as a
+ *      storage failure.
+ *   2. `entry.inlineBytes` base64 fallback — also verified against
+ *      `entry.sha256`. If the inline bytes have been tampered with (attacker-
+ *      modified customXml payload carrying altered bytes with the original
+ *      declared sha), this check fail-closes: export throws a specific error
+ *      rather than shipping attacker-chosen bytes into the OPC package.
+ *
+ * Before the fix, the inline-bytes path returned the decoded payload without
+ * verification — a crafted DOCX could inject attacker-controlled bytes into
+ * every exported package part whose host-adapter lookup happened to fail.
+ */
+class EmbeddedOffloadTamperError extends Error {
+  constructor(public readonly entry: { sourcePartPath: string; sha256: string }) {
+    super(
+      `Embedded offload entry '${entry.sourcePartPath}' failed sha256 integrity ` +
+        `check against inline-bytes fallback (expected sha256=${entry.sha256.slice(0, 16)}…). ` +
+        `Source customXml payload is tampered.`,
+    );
+    this.name = "EmbeddedOffloadTamperError";
+  }
+}
+
 async function resolveEntryBytes(
   hostAdapter: EditorHostAdapter | undefined,
   entry: EmbeddingOffloadEntry,
@@ -89,11 +117,17 @@ async function resolveEntryBytes(
       }
     } catch {
       // Treat identically to `null` — fall through to the inline-
-      // bytes fallback. The architecture guarantees export never
-      // fails on storage unavailability.
+      // bytes fallback.
     }
   }
-  return decodeInlineBytes(entry.inlineBytes);
+  // SEC-IO-01 verification on the inline fallback. Unlike storage
+  // unavailability (which is benign), sha mismatch here means the
+  // source customXml payload was tampered with. Fail closed.
+  const decoded = decodeInlineBytes(entry.inlineBytes);
+  if (sha256Hex(decoded) !== entry.sha256) {
+    throw new EmbeddedOffloadTamperError(entry);
+  }
+  return decoded;
 }
 
 /**

package/src/session/import/embedded-offload.ts

@@ -263,6 +263,31 @@ const EMPTY_RESULT: EmbeddedOffloadResult = Object.freeze({
 // (Buffer) and browser (btoa/atob) contexts. Direct call; the earlier
 // local `encodeBase64` alias was unnecessary indirection.
 
+/**
+ * SEC-IO-02 (2026-04-23): allowlist check for offload sourcePartPath.
+ *
+ * Offload entries come from customXml — untrusted content. The export-time
+ * `reconstituteEmbeddedDocuments` writes to `entry.sourcePartPath` via
+ * `exportSession.replaceOwnedPart`, which accepts arbitrary OPC paths. A
+ * malicious `sourcePartPath` could overwrite `/[Content_Types].xml`,
+ * `/_rels/.rels`, `/word/document.xml`, or any other sensitive part of the
+ * exported package.
+ *
+ * The offload feature covers EMBEDDED documents only — sub-documents Word
+ * stores under `/word/embeddings/embedded{N}.bin` (OLE) or similar. Narrow
+ * the allowlist to that canonical prefix. Entries with any other path,
+ * any traversal segment, or any control char silently drop.
+ */
+const SAFE_EMBEDDING_PATH = /^\/word\/embeddings\/[A-Za-z0-9_.-]+$/;
+
+function isSafeSourcePartPath(path: unknown): path is string {
+  if (typeof path !== "string") return false;
+  if (path.length === 0 || path.length > 256) return false;
+  if (path.includes("..")) return false;
+  if (path.includes("\0") || path.includes("\n") || path.includes("\r")) return false;
+  return SAFE_EMBEDDING_PATH.test(path);
+}
+
 function parseEmbeddingsInline(
   inline: unknown,
 ): EmbeddingOffloadEntry[] | undefined {
@@ -293,7 +318,7 @@ function parseEmbeddingsInline(
     if (
       typeof r.embeddedDocId !== "string" ||
       typeof r.relationshipId !== "string" ||
-      typeof r.sourcePartPath !== "string" ||
+      !isSafeSourcePartPath(r.sourcePartPath) ||
       typeof r.contentType !== "string" ||
       typeof r.sha256 !== "string" ||
       typeof r.inlineBytes !== "string" ||

package/src/session/import/loader-types.ts

@@ -119,6 +119,24 @@ export interface LoadDocxEditorSessionOptions {
    * FRESH offload on first-open.
    */
   offloadEmbeddedDocuments?: boolean;
+  /**
+   * Phase 1 cosmetic-marker strip. When `true` (the default), the
+   * OOXML parser drops `<w:lastRenderedPageBreak/>`, `<w:proofErr/>`,
+   * and `<w:noBreakHyphen/>` during the body walk instead of emitting
+   * them as `opaque_inline` nodes. Aggregate counts are surfaced as
+   * a single `diagnostic:parser.skipped-cosmetic-markers` warning on
+   * the returned canonical document.
+   *
+   * These markers carry no contract semantics (Word regenerates them
+   * on reopen) and are structural boundaries that today cause
+   * `replaceText` to refuse ranges that happen to cross them. See
+   * `docs/architecture/cosmetic-marker-strip.md`.
+   *
+   * Set to `false` to preserve pre-strip behavior exactly — useful for
+   * byte-preservation tests and diagnostic scripts that need to
+   * inspect every marker.
+   */
+  stripCosmeticMarkers?: boolean;
 }
 
 /**

package/src/session/import/loader.ts

@@ -540,6 +540,7 @@ export async function loadDocxSessionAsync(
         mediaParts,
         mainDocumentPath,
         chartPartLookup,
+        { stripCosmeticMarkers: options.stripCosmeticMarkers !== false },
       );
     } finally {
       if (options.telemetryBus) setActiveParseTelemetryBus(undefined);
@@ -1312,6 +1313,7 @@ export function loadDocxSessionSync(
         mediaParts,
         mainDocumentPath,
         chartPartLookup,
+        { stripCosmeticMarkers: options.stripCosmeticMarkers !== false },
       );
     } finally {
       if (options.telemetryBus) setActiveParseTelemetryBus(undefined);

package/src/shell/media-previews.ts

@@ -6,11 +6,13 @@
  * digest, walks the OPC parts table, and projects each canonical media
  * item into a `MediaPreviewDescriptor`.
  *
- * SVG is included in the browser-safe content-type allowlist — Chromium
- * sandboxes SVGs loaded via `<img src="data:image/svg+xml;base64,…">`
- * (no script execution, no external refs), so XSS surface matches PNG.
- * Required for CCEP-synthesized chart previews (Stage 0B) and hosts
- * that ship `.svg` inside `word/media/`.
+ * SVG is EXCLUDED from the content-type allowlist (SEC-UI-03, 2026-04-23).
+ * While Chromium's `<img src="data:image/svg+xml;base64,…">` path does block
+ * script execution on modern browsers, user-authored SVGs in DOCX `word/media/`
+ * can still leak user presence via `<image xlink:href="http://...">` trackers
+ * and have historically had CSP-bypass gaps. Chart-preview SVGs (Stage 0B)
+ * come from our own renderer via `chart-preview-resolver.ts`, not from
+ * `word/media/*`, so dropping SVG here does not regress charts.
  *
  * Lives in `src/shell/` so the three `io/**` substrate imports stay
  * outside the L11 boundary register — package decoding is a shell
@@ -33,7 +35,7 @@ const BROWSER_SAFE_PREVIEW_TYPES = new Set([
   "image/gif",
   "image/webp",
   "image/bmp",
-  "image/svg+xml",
+  // SVG intentionally EXCLUDED — see SEC-UI-03 header comment.
 ]);
 
 export function buildMediaPreviews(

package/src/ui/WordReviewEditor.tsx

@@ -3321,6 +3321,7 @@ export const WordReviewEditor = forwardRef<WordReviewEditorRef, WordReviewEditor
         pasteFragmentParser={SHELL_PASTE_FRAGMENT_PARSER}
         runtimeSearchDocument={api.runtime.search.searchDocument}
         runtimeGetTableSelectionDescriptor={api.runtime.table.getSelectionDescriptor}
+        scopeTagRegistryFactory={api.runtime.workflow.createScopeTagRegistry}
         snapshot={snapshot}
         canonicalDocument={canonicalDocument}
         documentNavigation={documentNavigation}

package/src/ui/editor-surface-controller.tsx

@@ -84,6 +84,17 @@ export interface EditorSurfaceControllerProps {
   runtimeGetTableSelectionDescriptor?: (
     state: import("prosemirror-state").EditorState,
   ) => TableSelectionDescriptor | null;
+  /**
+   * Coord-10 L11-4 — forwarded to `TwProseMirrorSurface`. Threaded
+   * from `api.runtime.workflow.createScopeTagRegistry` (shipped by
+   * L06 in react-refactor `534f2b97`). Replaces the pre-L06-catalog
+   * pragmatic public-types re-export (refactor/11 §4.17, 2026-04-24
+   * `7a2d2fc0`). When absent, `TwProseMirrorSurface` falls back to
+   * the public-types re-export for test / headless mount back-compat.
+   */
+  scopeTagRegistryFactory?: () => import(
+    "../api/public-types.ts"
+  ).ScopeTagRegistry;
   onPasteApplied?: (meta: {
     segmentCount: number;
     charCount: number;

package/src/ui/headless/selection-helpers.ts

@@ -1,8 +1,8 @@
-import type { SelectionSnapshot } from "../../api/public-types";
 import {
+  type SelectionSnapshot,
   createPublicNodeAnchor,
   createPublicRangeAnchor,
-} from "../../core/selection/anchor-conversion.ts";
+} from "../../api/public-types";
 
 /**
  * Headless-UI-side `createSelectionSnapshot` that produces the **public**

package/src/ui/runtime-shortcut-dispatch.ts

@@ -1,8 +1,8 @@
-import type {
-  StyleCatalogSnapshot,
-  WorkflowBlockedCommandReason,
+import {
+  CAPABILITY_BY_ID,
+  type StyleCatalogSnapshot,
+  type WorkflowBlockedCommandReason,
 } from "../api/public-types.ts";
-import { CAPABILITY_BY_ID } from "../runtime/editor-surface/capabilities.ts";
 
 export interface ShortcutKeyInput {
   key: string;