@jgardner04/ghost-mcp-server 1.13.1 → 1.13.2

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@jgardner04/ghost-mcp-server",
-  "version": "1.13.1",
+  "version": "1.13.2",
   "description": "A Model Context Protocol (MCP) server for interacting with Ghost CMS via the Admin API",
   "author": "Jonathan Gardner",
   "type": "module",
@@ -30,10 +30,6 @@
     "url": "https://github.com/jgardner04/Ghost-MCP-Server/issues"
   },
   "scripts": {
-    "dev": "node scripts/dev.js",
-    "list": "node scripts/dev.js list",
-    "generate": "node scripts/dev.js generate",
-    "parse-prd": "node scripts/dev.js parse-prd",
     "build": "mkdir -p build && cp -r src/* build/",
     "start": "node src/index.js",
     "start:mcp": "node src/mcp_server.js",
@@ -107,7 +103,7 @@
     "husky": "^9.1.7",
     "lint-staged": "^16.2.7",
     "prettier": "^3.7.4",
-    "semantic-release": "^25.0.2",
+    "semantic-release": "^25.0.3",
     "supertest": "^7.1.4",
     "vitest": "^4.0.15"
   }

package/src/mcp_server.js

@@ -672,7 +672,7 @@ server.registerTool(
   'ghost_update_post',
   {
     description:
-      'Updates an existing post in Ghost CMS. Can update title, content, status, tags, images, and SEO fields.',
+      'Updates an existing post in Ghost CMS. Can update title, content, status, tags, images, and SEO fields. Only the provided fields are changed; omitted fields remain unchanged. Note: tags and authors arrays are fully replaced, not merged with existing values.',
     inputSchema: updatePostInputSchema,
   },
   async (rawInput) => {
@@ -939,7 +939,7 @@ server.registerTool(
   'ghost_update_page',
   {
     description:
-      'Updates an existing page in Ghost CMS. Can update title, content, status, images, and SEO fields.',
+      'Updates an existing page in Ghost CMS. Can update title, content, status, images, and SEO fields. Only the provided fields are changed; omitted fields remain unchanged.',
     inputSchema: updatePageInputSchema,
   },
   async (rawInput) => {

package/src/schemas/pageSchemas.js

@@ -62,8 +62,6 @@ export const createPageSchema = z.object({
   tags: tagsSchema.describe('Array of tag names or IDs (rarely used for pages)'),
   authors: authorsSchema.describe('Array of author IDs or emails'),
   published_at: isoDateSchema.optional().describe('Scheduled publish time (ISO 8601 format)'),
-  updated_at: isoDateSchema.optional(),
-  created_at: isoDateSchema.optional(),
   codeinjection_head: z.string().optional(),
   codeinjection_foot: z.string().optional(),
   custom_template: z.string().optional().describe('Custom template filename'),

package/src/schemas/postSchemas.js

@@ -57,11 +57,13 @@ export const createPostSchema = z.object({
     .max(500, 'Twitter description cannot exceed 500 characters')
     .optional(),
   canonical_url: canonicalUrlSchema,
-  tags: tagsSchema.describe('Array of tag names or IDs to associate with the post'),
-  authors: authorsSchema.describe('Array of author IDs or emails'),
+  tags: tagsSchema.describe(
+    'Array of tag names or IDs to associate with the post. On update, this fully replaces the existing tags array (not merged).'
+  ),
+  authors: authorsSchema.describe(
+    'Array of author IDs or emails. On update, this fully replaces the existing authors array (not merged).'
+  ),
   published_at: isoDateSchema.optional().describe('Scheduled publish time (ISO 8601 format)'),
-  updated_at: isoDateSchema.optional(),
-  created_at: isoDateSchema.optional(),
   codeinjection_head: z.string().optional(),
   codeinjection_foot: z.string().optional(),
   custom_template: z.string().optional().describe('Custom template filename'),

package/src/services/__tests__/ghostServiceImproved.members.test.js

@@ -144,7 +144,7 @@ describe('ghostServiceImproved - Members', () => {
   });
 
   describe('updateMember', () => {
-    it('should update a member with valid ID and data', async () => {
+    it('should send only update fields and updated_at, not the full existing member', async () => {
       const memberId = 'member-1';
       const updateData = {
         name: 'Jane Doe',
@@ -153,8 +153,10 @@ describe('ghostServiceImproved - Members', () => {
 
       const mockExistingMember = {
         id: memberId,
+        uuid: 'abc-def-123',
         email: 'test@example.com',
         name: 'John Doe',
+        status: 'free',
         updated_at: '2023-01-01T00:00:00.000Z',
       };
 
@@ -169,13 +171,15 @@ describe('ghostServiceImproved - Members', () => {
       const result = await updateMember(memberId, updateData);
 
       expect(api.members.read).toHaveBeenCalledWith(expect.any(Object), { id: memberId });
+      // Should send ONLY updateData + updated_at, NOT the full existing member
       expect(api.members.edit).toHaveBeenCalledWith(
-        expect.objectContaining({
-          ...mockExistingMember,
-          ...updateData,
-        }),
+        { name: 'Jane Doe', note: 'Updated note', updated_at: '2023-01-01T00:00:00.000Z' },
         expect.objectContaining({ id: memberId })
       );
+      // Verify read-only fields are NOT sent
+      const editCallData = api.members.edit.mock.calls[0][0];
+      expect(editCallData).not.toHaveProperty('uuid');
+      expect(editCallData).not.toHaveProperty('status');
       expect(result).toEqual(mockUpdatedMember);
     });
 

package/src/services/__tests__/ghostServiceImproved.newsletters.test.js

@@ -194,10 +194,12 @@ describe('ghostServiceImproved - Newsletter Operations', () => {
   });
 
   describe('updateNewsletter', () => {
-    it('should update a newsletter successfully', async () => {
+    it('should send only update fields and updated_at, not the full existing newsletter', async () => {
       const existingNewsletter = {
         id: 'newsletter-123',
+        uuid: 'abc-def-123',
         name: 'Old Name',
+        slug: 'old-name',
         updated_at: '2024-01-01T00:00:00.000Z',
       };
       const updateData = { name: 'New Name' };
@@ -210,13 +212,15 @@ describe('ghostServiceImproved - Newsletter Operations', () => {
 
       expect(result).toEqual(updatedNewsletter);
       expect(mockNewslettersApi.read).toHaveBeenCalledWith({}, { id: 'newsletter-123' });
+      // Should send ONLY updateData + updated_at, NOT the full existing newsletter
       expect(mockNewslettersApi.edit).toHaveBeenCalledWith(
-        {
-          ...existingNewsletter,
-          ...updateData,
-        },
+        { name: 'New Name', updated_at: '2024-01-01T00:00:00.000Z' },
         { id: 'newsletter-123' }
       );
+      // Verify read-only fields are NOT sent
+      const editCallData = mockNewslettersApi.edit.mock.calls[0][0];
+      expect(editCallData).not.toHaveProperty('uuid');
+      expect(editCallData).not.toHaveProperty('slug');
     });
 
     it('should update newsletter with email settings', async () => {
@@ -236,9 +240,11 @@ describe('ghostServiceImproved - Newsletter Operations', () => {
 
       await updateNewsletter('newsletter-123', updateData);
 
-      expect(mockNewslettersApi.edit).toHaveBeenCalledWith(expect.objectContaining(updateData), {
-        id: 'newsletter-123',
-      });
+      // Should send ONLY updateData + updated_at
+      expect(mockNewslettersApi.edit).toHaveBeenCalledWith(
+        { ...updateData, updated_at: '2024-01-01T00:00:00.000Z' },
+        { id: 'newsletter-123' }
+      );
     });
 
     it('should throw ValidationError if ID is missing', async () => {
@@ -270,10 +276,9 @@ describe('ghostServiceImproved - Newsletter Operations', () => {
 
       await updateNewsletter('newsletter-123', updateData);
 
+      // Should send ONLY updateData + updated_at
       expect(mockNewslettersApi.edit).toHaveBeenCalledWith(
-        expect.objectContaining({
-          updated_at: '2024-01-01T00:00:00.000Z',
-        }),
+        { description: 'Updated description', updated_at: '2024-01-01T00:00:00.000Z' },
         { id: 'newsletter-123' }
       );
     });

package/src/services/__tests__/ghostServiceImproved.pages.test.js

@@ -63,6 +63,7 @@ import {
   api,
   validators,
 } from '../ghostServiceImproved.js';
+import { createPageSchema, updatePageSchema } from '../../schemas/pageSchemas.js';
 
 describe('ghostServiceImproved - Pages', () => {
   beforeEach(() => {
@@ -219,7 +220,7 @@ describe('ghostServiceImproved - Pages', () => {
       expect(api.pages.add).toHaveBeenCalledWith(pageData, { source: 'html' });
     });
 
-    it('should sanitize HTML content', async () => {
+    it('should pass HTML through without service-layer sanitization (schema layer handles it)', async () => {
       const pageData = {
         title: 'Test Page',
         html: '<p>Safe content</p><script>alert("xss")</script>',
@@ -228,10 +229,10 @@ describe('ghostServiceImproved - Pages', () => {
 
       await createPage(pageData);
 
-      // Verify that the HTML was sanitized (script tags removed)
+      // HTML sanitization is enforced at the schema layer via htmlContentSchema,
+      // not at the service layer
       const calledWith = api.pages.add.mock.calls[0][0];
-      expect(calledWith.html).not.toContain('<script>');
-      expect(calledWith.html).toContain('<p>Safe content</p>');
+      expect(calledWith.html).toBeDefined();
     });
 
     it('should handle Ghost API validation errors (422)', async () => {
@@ -266,12 +267,16 @@ describe('ghostServiceImproved - Pages', () => {
       await expect(updatePage('', { title: 'Updated' })).rejects.toThrow('Page ID is required');
     });
 
-    it('should update page with valid data', async () => {
+    it('should send only update fields and updated_at, not the full existing page', async () => {
       const pageId = 'page-123';
       const existingPage = {
         id: pageId,
+        uuid: 'abc-def-123',
         title: 'Original Title',
+        slug: 'original-title',
         html: '<p>Original content</p>',
+        url: 'https://example.com/original-title',
+        reading_time: 2,
         updated_at: '2024-01-01T00:00:00.000Z',
       };
       const updateData = { title: 'Updated Title' };
@@ -285,10 +290,16 @@ describe('ghostServiceImproved - Pages', () => {
       expect(result).toEqual(expectedPage);
       // handleApiRequest calls read with (options, data), where options={} and data={id}
       expect(api.pages.read).toHaveBeenCalledWith({}, { id: pageId });
+      // Should send ONLY updateData + updated_at, NOT the full existing page
       expect(api.pages.edit).toHaveBeenCalledWith(
-        { ...existingPage, ...updateData },
+        { title: 'Updated Title', updated_at: '2024-01-01T00:00:00.000Z' },
         { id: pageId }
       );
+      // Verify read-only fields are NOT sent
+      const editCallData = api.pages.edit.mock.calls[0][0];
+      expect(editCallData).not.toHaveProperty('uuid');
+      expect(editCallData).not.toHaveProperty('url');
+      expect(editCallData).not.toHaveProperty('reading_time');
     });
 
     it('should handle page not found (404)', async () => {
@@ -317,16 +328,18 @@ describe('ghostServiceImproved - Pages', () => {
       expect(editCall.updated_at).toBe('2024-01-01T00:00:00.000Z');
     });
 
-    it('should sanitize HTML content in updates', async () => {
+    it('should throw ValidationError when updating to scheduled without published_at', async () => {
       const pageId = 'page-123';
-      const existingPage = { id: pageId, title: 'Test', updated_at: '2024-01-01T00:00:00.000Z' };
+      const existingPage = {
+        id: pageId,
+        title: 'Test Page',
+        updated_at: '2024-01-01T00:00:00.000Z',
+      };
       api.pages.read.mockResolvedValue(existingPage);
-      api.pages.edit.mockResolvedValue({ ...existingPage });
 
-      await updatePage(pageId, { html: '<p>Safe</p><script>alert("xss")</script>' });
-
-      const editCall = api.pages.edit.mock.calls[0][0];
-      expect(editCall.html).not.toContain('<script>');
+      await expect(updatePage(pageId, { status: 'scheduled' })).rejects.toThrow(
+        'Page validation failed'
+      );
     });
   });
 
@@ -558,4 +571,34 @@ describe('ghostServiceImproved - Pages', () => {
       expect(browseCall.filter).toContain('+');
     });
   });
+
+  describe('HTML sanitization (schema + service integration)', () => {
+    it('should strip XSS from page HTML when input flows through schema validation (production path)', async () => {
+      const rawInput = { title: 'Test Page', html: '<p>Safe</p><script>alert("xss")</script>' };
+      const validated = createPageSchema.parse(rawInput);
+
+      api.pages.add.mockResolvedValue({ id: '1', ...validated });
+      await createPage(validated);
+
+      const sentToApi = api.pages.add.mock.calls[0][0];
+      expect(sentToApi.html).not.toContain('<script>');
+      expect(sentToApi.html).not.toContain('alert');
+      expect(sentToApi.html).toContain('<p>Safe</p>');
+    });
+
+    it('should strip XSS from page HTML on update when input flows through schema validation', async () => {
+      const rawUpdate = { html: '<p>Updated</p><img src=x onerror="alert(1)">' };
+      const validated = updatePageSchema.parse(rawUpdate);
+
+      const existingPage = { id: 'page-1', updated_at: '2024-01-01T00:00:00.000Z' };
+      api.pages.read.mockResolvedValue(existingPage);
+      api.pages.edit.mockResolvedValue({ ...existingPage, ...validated });
+
+      await updatePage('page-1', validated);
+
+      const sentToApi = api.pages.edit.mock.calls[0][0];
+      expect(sentToApi.html).not.toContain('onerror');
+      expect(sentToApi.html).toContain('<img src="x"');
+    });
+  });
 });

package/src/services/__tests__/ghostServiceImproved.posts.test.js

@@ -0,0 +1,233 @@
+import { describe, it, expect, vi, beforeEach } from 'vitest';
+import { createMockContextLogger } from '../../__tests__/helpers/mockLogger.js';
+import { mockDotenv } from '../../__tests__/helpers/testUtils.js';
+
+// Mock the Ghost Admin API with posts support
+vi.mock('@tryghost/admin-api', () => ({
+  default: vi.fn(function () {
+    return {
+      posts: {
+        add: vi.fn(),
+        browse: vi.fn(),
+        read: vi.fn(),
+        edit: vi.fn(),
+        delete: vi.fn(),
+      },
+      pages: {
+        add: vi.fn(),
+        browse: vi.fn(),
+        read: vi.fn(),
+        edit: vi.fn(),
+        delete: vi.fn(),
+      },
+      tags: {
+        add: vi.fn(),
+        browse: vi.fn(),
+        read: vi.fn(),
+        edit: vi.fn(),
+        delete: vi.fn(),
+      },
+      members: {
+        add: vi.fn(),
+        browse: vi.fn(),
+        read: vi.fn(),
+        edit: vi.fn(),
+        delete: vi.fn(),
+      },
+      site: {
+        read: vi.fn(),
+      },
+      images: {
+        upload: vi.fn(),
+      },
+    };
+  }),
+}));
+
+// Mock dotenv
+vi.mock('dotenv', () => mockDotenv());
+
+// Mock logger
+vi.mock('../../utils/logger.js', () => ({
+  createContextLogger: createMockContextLogger(),
+}));
+
+// Mock fs for validateImagePath
+vi.mock('fs/promises', () => ({
+  default: {
+    access: vi.fn(),
+  },
+}));
+
+// Import after setting up mocks
+import { updatePost, api, validators } from '../ghostServiceImproved.js';
+import { updatePostSchema } from '../../schemas/postSchemas.js';
+
+describe('ghostServiceImproved - Posts (updatePost)', () => {
+  beforeEach(() => {
+    vi.clearAllMocks();
+  });
+
+  describe('updatePost', () => {
+    it('should send only update fields and updated_at, not the full existing post', async () => {
+      const postId = 'post-123';
+      const existingPost = {
+        id: postId,
+        uuid: 'abc-def-123',
+        title: 'Original Title',
+        slug: 'original-title',
+        html: '<p>Original content</p>',
+        status: 'published',
+        url: 'https://example.com/original-title',
+        comment_id: 'comment-123',
+        reading_time: 3,
+        updated_at: '2024-01-01T00:00:00.000Z',
+        created_at: '2023-12-01T00:00:00.000Z',
+      };
+      const updateData = { title: 'Updated Title' };
+      const expectedResult = { ...existingPost, title: 'Updated Title' };
+
+      api.posts.read.mockResolvedValue(existingPost);
+      api.posts.edit.mockResolvedValue(expectedResult);
+
+      const result = await updatePost(postId, updateData);
+
+      expect(result).toEqual(expectedResult);
+      // Should send ONLY updateData + updated_at, NOT the full existing post
+      expect(api.posts.edit).toHaveBeenCalledWith(
+        { title: 'Updated Title', updated_at: '2024-01-01T00:00:00.000Z' },
+        { id: postId }
+      );
+      // Verify read-only fields are NOT sent
+      const editCallData = api.posts.edit.mock.calls[0][0];
+      expect(editCallData).not.toHaveProperty('uuid');
+      expect(editCallData).not.toHaveProperty('url');
+      expect(editCallData).not.toHaveProperty('comment_id');
+      expect(editCallData).not.toHaveProperty('reading_time');
+      expect(editCallData).not.toHaveProperty('created_at');
+    });
+
+    it('should preserve updated_at from existing post for OCC', async () => {
+      const postId = 'post-123';
+      const existingPost = {
+        id: postId,
+        title: 'Original',
+        updated_at: '2024-06-15T12:30:00.000Z',
+      };
+      api.posts.read.mockResolvedValue(existingPost);
+      api.posts.edit.mockResolvedValue({ ...existingPost, title: 'Updated' });
+
+      await updatePost(postId, { title: 'Updated' });
+
+      const editCall = api.posts.edit.mock.calls[0][0];
+      expect(editCall.updated_at).toBe('2024-06-15T12:30:00.000Z');
+    });
+
+    it('should throw error when post ID is missing', async () => {
+      await expect(updatePost(null, { title: 'Updated' })).rejects.toThrow(
+        'Post ID is required for update'
+      );
+      await expect(updatePost('', { title: 'Updated' })).rejects.toThrow(
+        'Post ID is required for update'
+      );
+    });
+
+    it('should handle post not found (404)', async () => {
+      const error404 = new Error('Post not found');
+      error404.response = { status: 404 };
+      api.posts.read.mockRejectedValue(error404);
+
+      await expect(updatePost('nonexistent-id', { title: 'Updated' })).rejects.toThrow(
+        'Post not found'
+      );
+    });
+
+    it('should throw ValidationError when updating to scheduled without published_at', async () => {
+      const postId = 'post-123';
+      const existingPost = {
+        id: postId,
+        title: 'Test Post',
+        updated_at: '2024-01-01T00:00:00.000Z',
+      };
+      api.posts.read.mockResolvedValue(existingPost);
+
+      await expect(updatePost(postId, { status: 'scheduled' })).rejects.toThrow(
+        'Post validation failed'
+      );
+    });
+
+    it('should allow updating to scheduled with valid future published_at', async () => {
+      const postId = 'post-123';
+      const existingPost = {
+        id: postId,
+        title: 'Test Post',
+        updated_at: '2024-01-01T00:00:00.000Z',
+      };
+      const futureDate = new Date(Date.now() + 86400000).toISOString();
+      const updateData = { status: 'scheduled', published_at: futureDate };
+
+      api.posts.read.mockResolvedValue(existingPost);
+      api.posts.edit.mockResolvedValue({ ...existingPost, ...updateData });
+
+      const result = await updatePost(postId, updateData);
+
+      expect(result).toBeDefined();
+      expect(api.posts.edit).toHaveBeenCalledWith(
+        { ...updateData, updated_at: existingPost.updated_at },
+        { id: postId }
+      );
+    });
+  });
+
+  describe('validators.validateScheduledStatus', () => {
+    it('should throw when status is scheduled without published_at', () => {
+      expect(() => validators.validateScheduledStatus({ status: 'scheduled' })).toThrow(
+        'validation failed'
+      );
+    });
+
+    it('should throw when published_at has invalid date format', () => {
+      expect(() => validators.validateScheduledStatus({ published_at: 'not-a-date' })).toThrow(
+        'validation failed'
+      );
+    });
+
+    it('should throw when scheduled date is in the past', () => {
+      const pastDate = new Date(Date.now() - 86400000).toISOString();
+      expect(() =>
+        validators.validateScheduledStatus({ status: 'scheduled', published_at: pastDate })
+      ).toThrow('validation failed');
+    });
+
+    it('should not throw for valid scheduled status with future date', () => {
+      const futureDate = new Date(Date.now() + 86400000).toISOString();
+      expect(() =>
+        validators.validateScheduledStatus({ status: 'scheduled', published_at: futureDate })
+      ).not.toThrow();
+    });
+
+    it('should not throw when status is not scheduled', () => {
+      expect(() => validators.validateScheduledStatus({ status: 'draft' })).not.toThrow();
+      expect(() => validators.validateScheduledStatus({ status: 'published' })).not.toThrow();
+      expect(() => validators.validateScheduledStatus({})).not.toThrow();
+    });
+  });
+
+  describe('HTML sanitization (schema + service integration)', () => {
+    it('should strip XSS from post HTML on update when input flows through schema validation (production path)', async () => {
+      const rawUpdate = { html: '<p>Safe</p><script>alert("xss")</script>' };
+      const validated = updatePostSchema.parse(rawUpdate);
+
+      const existingPost = { id: 'post-1', updated_at: '2024-01-01T00:00:00.000Z' };
+      api.posts.read.mockResolvedValue(existingPost);
+      api.posts.edit.mockResolvedValue({ ...existingPost, ...validated });
+
+      await updatePost('post-1', validated);
+
+      const sentToApi = api.posts.edit.mock.calls[0][0];
+      expect(sentToApi.html).not.toContain('<script>');
+      expect(sentToApi.html).not.toContain('alert');
+      expect(sentToApi.html).toContain('<p>Safe</p>');
+    });
+  });
+});

package/src/services/__tests__/ghostServiceImproved.tags.test.js

@@ -403,7 +403,7 @@ describe('ghostServiceImproved - Tags', () => {
   });
 
   describe('updateTag', () => {
-    it('should update tag with valid ID and data', async () => {
+    it('should send only update fields, not the full existing tag', async () => {
       const tagId = 'tag-1';
       const updateData = {
         name: 'Updated JavaScript',
@@ -414,6 +414,8 @@ describe('ghostServiceImproved - Tags', () => {
         id: tagId,
         name: 'JavaScript',
         slug: 'javascript',
+        url: 'https://example.com/tag/javascript',
+        visibility: 'public',
       };
 
       const mockUpdatedTag = {
@@ -427,7 +429,16 @@ describe('ghostServiceImproved - Tags', () => {
       const result = await updateTag(tagId, updateData);
 
       expect(api.tags.read).toHaveBeenCalled();
-      expect(api.tags.edit).toHaveBeenCalled();
+      // Should send ONLY updateData, NOT the full existing tag
+      expect(api.tags.edit).toHaveBeenCalledWith(
+        { name: 'Updated JavaScript', description: 'Updated description' },
+        { id: tagId }
+      );
+      // Verify read-only fields are NOT sent
+      const editCallData = api.tags.edit.mock.calls[0][0];
+      expect(editCallData).not.toHaveProperty('url');
+      expect(editCallData).not.toHaveProperty('visibility');
+      expect(editCallData).not.toHaveProperty('slug');
       expect(result).toEqual(mockUpdatedTag);
     });
 

package/src/services/__tests__/ghostServiceImproved.tiers.test.js

@@ -300,12 +300,15 @@ describe('ghostServiceImproved - Tiers', () => {
   });
 
   describe('updateTier', () => {
-    it('should update a tier', async () => {
+    it('should send only update fields and updated_at, not the full existing tier', async () => {
       const existingTier = {
         id: 'tier-1',
+        slug: 'premium',
         name: 'Premium',
         currency: 'USD',
         monthly_price: 999,
+        type: 'paid',
+        active: true,
         updated_at: '2024-01-01T00:00:00.000Z',
       };
 
@@ -328,15 +331,16 @@ describe('ghostServiceImproved - Tiers', () => {
         expect.objectContaining({ id: 'tier-1' }),
         expect.objectContaining({ id: 'tier-1' })
       );
+      // Should send ONLY updateData + updated_at, NOT the full existing tier
       expect(api.tiers.edit).toHaveBeenCalledWith(
-        expect.objectContaining({
-          ...existingTier,
-          ...updateData,
-        }),
-        expect.objectContaining({
-          id: 'tier-1',
-        })
+        { name: 'Premium Plus', monthly_price: 1299, updated_at: '2024-01-01T00:00:00.000Z' },
+        expect.objectContaining({ id: 'tier-1' })
       );
+      // Verify read-only fields are NOT sent
+      const editCallData = api.tiers.edit.mock.calls[0][0];
+      expect(editCallData).not.toHaveProperty('slug');
+      expect(editCallData).not.toHaveProperty('type');
+      expect(editCallData).not.toHaveProperty('active');
       expect(result).toEqual(mockUpdatedTier);
     });
 

package/src/services/ghostServiceImproved.js

@@ -1,5 +1,4 @@
 import GhostAdminAPI from '@tryghost/admin-api';
-import sanitizeHtml from 'sanitize-html';
 import dotenv from 'dotenv';
 import { promises as fs } from 'fs';
 import {
@@ -118,6 +117,30 @@ const handleApiRequest = async (resource, action, data = {}, options = {}, confi
  * Input validation helpers
  */
 const validators = {
+  validateScheduledStatus(data, resourceLabel = 'Resource') {
+    const errors = [];
+
+    if (data.status === 'scheduled' && !data.published_at) {
+      errors.push({
+        field: 'published_at',
+        message: 'published_at is required when status is scheduled',
+      });
+    }
+
+    if (data.published_at) {
+      const publishDate = new Date(data.published_at);
+      if (isNaN(publishDate.getTime())) {
+        errors.push({ field: 'published_at', message: 'Invalid date format' });
+      } else if (data.status === 'scheduled' && publishDate <= new Date()) {
+        errors.push({ field: 'published_at', message: 'Scheduled date must be in the future' });
+      }
+    }
+
+    if (errors.length > 0) {
+      throw new ValidationError(`${resourceLabel} validation failed`, errors);
+    }
+  },
+
   validatePostData(postData) {
     const errors = [];
 
@@ -136,25 +159,11 @@ const validators = {
       });
     }
 
-    if (postData.status === 'scheduled' && !postData.published_at) {
-      errors.push({
-        field: 'published_at',
-        message: 'published_at is required when status is scheduled',
-      });
-    }
-
-    if (postData.published_at) {
-      const publishDate = new Date(postData.published_at);
-      if (isNaN(publishDate.getTime())) {
-        errors.push({ field: 'published_at', message: 'Invalid date format' });
-      } else if (postData.status === 'scheduled' && publishDate <= new Date()) {
-        errors.push({ field: 'published_at', message: 'Scheduled date must be in the future' });
-      }
-    }
-
     if (errors.length > 0) {
       throw new ValidationError('Post validation failed', errors);
     }
+
+    this.validateScheduledStatus(postData, 'Post');
   },
 
   validateTagData(tagData) {
@@ -228,25 +237,11 @@ const validators = {
       });
     }
 
-    if (pageData.status === 'scheduled' && !pageData.published_at) {
-      errors.push({
-        field: 'published_at',
-        message: 'published_at is required when status is scheduled',
-      });
-    }
-
-    if (pageData.published_at) {
-      const publishDate = new Date(pageData.published_at);
-      if (isNaN(publishDate.getTime())) {
-        errors.push({ field: 'published_at', message: 'Invalid date format' });
-      } else if (pageData.status === 'scheduled' && publishDate <= new Date()) {
-        errors.push({ field: 'published_at', message: 'Scheduled date must be in the future' });
-      }
-    }
-
     if (errors.length > 0) {
       throw new ValidationError('Page validation failed', errors);
     }
+
+    this.validateScheduledStatus(pageData, 'Page');
   },
 
   validateNewsletterData(newsletterData) {
@@ -285,48 +280,7 @@ export async function createPost(postData, options = { source: 'html' }) {
     ...postData,
   };
 
-  // Sanitize HTML content if provided
-  if (dataWithDefaults.html) {
-    // Use proper HTML sanitization library to prevent XSS
-    dataWithDefaults.html = sanitizeHtml(dataWithDefaults.html, {
-      allowedTags: [
-        'h1',
-        'h2',
-        'h3',
-        'h4',
-        'h5',
-        'h6',
-        'blockquote',
-        'p',
-        'a',
-        'ul',
-        'ol',
-        'nl',
-        'li',
-        'b',
-        'i',
-        'strong',
-        'em',
-        'strike',
-        'code',
-        'hr',
-        'br',
-        'div',
-        'span',
-        'img',
-        'pre',
-      ],
-      allowedAttributes: {
-        a: ['href', 'title'],
-        img: ['src', 'alt', 'title', 'width', 'height'],
-        '*': ['class', 'id'],
-      },
-      allowedSchemes: ['http', 'https', 'mailto'],
-      allowedSchemesByTag: {
-        img: ['http', 'https', 'data'],
-      },
-    });
-  }
+  // SECURITY: HTML must be sanitized before reaching this function. See htmlContentSchema in schemas/common.js
 
   try {
     return await handleApiRequest('posts', 'add', dataWithDefaults, options);
@@ -346,18 +300,22 @@ export async function updatePost(postId, updateData, options = {}) {
     throw new ValidationError('Post ID is required for update');
   }
 
+  // Validate scheduled status if status is being updated
+  if (updateData.status) {
+    validators.validateScheduledStatus(updateData, 'Post');
+  }
+
   // Get the current post first to ensure it exists
   try {
     const existingPost = await handleApiRequest('posts', 'read', { id: postId });
 
-    // Merge with existing data
-    const mergedData = {
-      ...existingPost,
+    // Send only changed fields + updated_at for OCC (optimistic concurrency control)
+    const editData = {
       ...updateData,
-      updated_at: existingPost.updated_at, // Required for Ghost API
+      updated_at: existingPost.updated_at,
     };
 
-    return await handleApiRequest('posts', 'edit', mergedData, { id: postId, ...options });
+    return await handleApiRequest('posts', 'edit', editData, { id: postId, ...options });
   } catch (error) {
     if (error instanceof GhostAPIError && error.ghostStatusCode === 404) {
       throw new NotFoundError('Post', postId);
@@ -457,47 +415,7 @@ export async function createPage(pageData, options = { source: 'html' }) {
     ...pageData,
   };
 
-  // Sanitize HTML content if provided (use same sanitization as posts)
-  if (dataWithDefaults.html) {
-    dataWithDefaults.html = sanitizeHtml(dataWithDefaults.html, {
-      allowedTags: [
-        'h1',
-        'h2',
-        'h3',
-        'h4',
-        'h5',
-        'h6',
-        'blockquote',
-        'p',
-        'a',
-        'ul',
-        'ol',
-        'nl',
-        'li',
-        'b',
-        'i',
-        'strong',
-        'em',
-        'strike',
-        'code',
-        'hr',
-        'br',
-        'div',
-        'span',
-        'img',
-        'pre',
-      ],
-      allowedAttributes: {
-        a: ['href', 'title'],
-        img: ['src', 'alt', 'title', 'width', 'height'],
-        '*': ['class', 'id'],
-      },
-      allowedSchemes: ['http', 'https', 'mailto'],
-      allowedSchemesByTag: {
-        img: ['http', 'https', 'data'],
-      },
-    });
-  }
+  // SECURITY: HTML must be sanitized before reaching this function. See htmlContentSchema in schemas/common.js
 
   try {
     return await handleApiRequest('pages', 'add', dataWithDefaults, options);
@@ -516,60 +434,24 @@ export async function updatePage(pageId, updateData, options = {}) {
     throw new ValidationError('Page ID is required for update');
   }
 
-  // Sanitize HTML if being updated
-  if (updateData.html) {
-    updateData.html = sanitizeHtml(updateData.html, {
-      allowedTags: [
-        'h1',
-        'h2',
-        'h3',
-        'h4',
-        'h5',
-        'h6',
-        'blockquote',
-        'p',
-        'a',
-        'ul',
-        'ol',
-        'nl',
-        'li',
-        'b',
-        'i',
-        'strong',
-        'em',
-        'strike',
-        'code',
-        'hr',
-        'br',
-        'div',
-        'span',
-        'img',
-        'pre',
-      ],
-      allowedAttributes: {
-        a: ['href', 'title'],
-        img: ['src', 'alt', 'title', 'width', 'height'],
-        '*': ['class', 'id'],
-      },
-      allowedSchemes: ['http', 'https', 'mailto'],
-      allowedSchemesByTag: {
-        img: ['http', 'https', 'data'],
-      },
-    });
+  // SECURITY: HTML must be sanitized before reaching this function. See htmlContentSchema in schemas/common.js
+
+  // Validate scheduled status if status is being updated
+  if (updateData.status) {
+    validators.validateScheduledStatus(updateData, 'Page');
   }
 
   try {
     // Get existing page to retrieve updated_at for conflict resolution
     const existingPage = await handleApiRequest('pages', 'read', { id: pageId });
 
-    // Merge existing data with updates, preserving updated_at
-    const mergedData = {
-      ...existingPage,
+    // Send only changed fields + updated_at for OCC (optimistic concurrency control)
+    const editData = {
       ...updateData,
       updated_at: existingPage.updated_at,
     };
 
-    return await handleApiRequest('pages', 'edit', mergedData, { id: pageId, ...options });
+    return await handleApiRequest('pages', 'edit', editData, { id: pageId, ...options });
   } catch (error) {
     if (error instanceof GhostAPIError && error.ghostStatusCode === 404) {
       throw new NotFoundError('Page', pageId);
@@ -743,13 +625,11 @@ export async function updateTag(tagId, updateData) {
   validators.validateTagUpdateData(updateData); // Validate update data
 
   try {
-    const existingTag = await getTag(tagId);
-    const mergedData = {
-      ...existingTag,
-      ...updateData,
-    };
+    // Verify tag exists before updating
+    await getTag(tagId);
 
-    return await handleApiRequest('tags', 'edit', mergedData, { id: tagId });
+    // Send only changed fields (tags don't use updated_at for OCC)
+    return await handleApiRequest('tags', 'edit', { ...updateData }, { id: tagId });
   } catch (error) {
     if (error instanceof NotFoundError) {
       throw error;
@@ -837,14 +717,13 @@ export async function updateMember(memberId, updateData, options = {}) {
     // Get existing member to retrieve updated_at for conflict resolution
     const existingMember = await handleApiRequest('members', 'read', { id: memberId });
 
-    // Merge existing data with updates, preserving updated_at
-    const mergedData = {
-      ...existingMember,
+    // Send only changed fields + updated_at for OCC (optimistic concurrency control)
+    const editData = {
       ...updateData,
       updated_at: existingMember.updated_at,
     };
 
-    return await handleApiRequest('members', 'edit', mergedData, { id: memberId, ...options });
+    return await handleApiRequest('members', 'edit', editData, { id: memberId, ...options });
   } catch (error) {
     if (error instanceof GhostAPIError && error.ghostStatusCode === 404) {
       throw new NotFoundError('Member', memberId);
@@ -1037,14 +916,13 @@ export async function updateNewsletter(newsletterId, updateData) {
       id: newsletterId,
     });
 
-    // Merge existing data with updates, preserving updated_at
-    const mergedData = {
-      ...existingNewsletter,
+    // Send only changed fields + updated_at for OCC (optimistic concurrency control)
+    const editData = {
       ...updateData,
       updated_at: existingNewsletter.updated_at,
     };
 
-    return await handleApiRequest('newsletters', 'edit', mergedData, { id: newsletterId });
+    return await handleApiRequest('newsletters', 'edit', editData, { id: newsletterId });
   } catch (error) {
     if (error instanceof GhostAPIError && error.ghostStatusCode === 404) {
       throw new NotFoundError('Newsletter', newsletterId);
@@ -1111,17 +989,16 @@ export async function updateTier(id, updateData, options = {}) {
   validateTierUpdateData(updateData);
 
   try {
-    // Get existing tier for merge
+    // Get existing tier to retrieve updated_at for conflict resolution
     const existingTier = await handleApiRequest('tiers', 'read', { id }, { id });
 
-    // Merge updates with existing data
-    const mergedData = {
-      ...existingTier,
+    // Send only changed fields + updated_at for OCC (optimistic concurrency control)
+    const editData = {
       ...updateData,
       updated_at: existingTier.updated_at,
     };
 
-    return await handleApiRequest('tiers', 'edit', mergedData, { id, ...options });
+    return await handleApiRequest('tiers', 'edit', editData, { id, ...options });
   } catch (error) {
     if (error instanceof GhostAPIError && error.ghostStatusCode === 404) {
       throw new NotFoundError('Tier', id);

package/src/utils/__tests__/urlValidator.test.js

@@ -1,5 +1,11 @@
 import { describe, it, expect } from 'vitest';
-import { validateImageUrl, createSecureAxiosConfig, ALLOWED_DOMAINS } from '../urlValidator.js';
+import {
+  validateImageUrl,
+  createSecureAxiosConfig,
+  createBeforeRedirect,
+  isSafeHost,
+  ALLOWED_DOMAINS,
+} from '../urlValidator.js';
 
 describe('urlValidator', () => {
   describe('ALLOWED_DOMAINS', () => {
@@ -446,5 +452,135 @@ describe('urlValidator', () => {
       expect(config2.url).toBe(url2);
       expect(config1.url).not.toBe(config2.url);
     });
+
+    it('should include beforeRedirect callback', () => {
+      const config = createSecureAxiosConfig('https://imgur.com/image.jpg');
+      expect(config).toHaveProperty('beforeRedirect');
+      expect(typeof config.beforeRedirect).toBe('function');
+    });
+  });
+
+  describe('isSafeHost', () => {
+    it('should allow domains on the allowlist', () => {
+      expect(isSafeHost('imgur.com')).toBe(true);
+      expect(isSafeHost('i.imgur.com')).toBe(true);
+      expect(isSafeHost('github.com')).toBe(true);
+    });
+
+    it('should allow subdomains of allowed domains', () => {
+      expect(isSafeHost('cdn.images.unsplash.com')).toBe(true);
+      expect(isSafeHost('my-bucket.s3.amazonaws.com')).toBe(true);
+    });
+
+    it('should reject domains not on the allowlist', () => {
+      expect(isSafeHost('evil.com')).toBe(false);
+      expect(isSafeHost('fakeimgur.com')).toBe(false);
+    });
+
+    it('should block localhost IPs', () => {
+      expect(isSafeHost('127.0.0.1')).toBe(false);
+      expect(isSafeHost('127.0.0.2')).toBe(false);
+    });
+
+    it('should block private network IPs', () => {
+      expect(isSafeHost('10.0.0.1')).toBe(false);
+      expect(isSafeHost('192.168.1.1')).toBe(false);
+      expect(isSafeHost('172.16.0.1')).toBe(false);
+    });
+
+    it('should block link-local and cloud metadata IPs', () => {
+      expect(isSafeHost('169.254.169.254')).toBe(false);
+      expect(isSafeHost('169.254.0.1')).toBe(false);
+    });
+
+    it('should block IPv6 private addresses', () => {
+      expect(isSafeHost('::1')).toBe(false);
+      expect(isSafeHost('fc00::1')).toBe(false);
+      expect(isSafeHost('fe80::1')).toBe(false);
+    });
+
+    it('should allow public IPs not on blocklist', () => {
+      expect(isSafeHost('8.8.8.8')).toBe(true);
+      expect(isSafeHost('1.1.1.1')).toBe(true);
+    });
+  });
+
+  describe('createBeforeRedirect', () => {
+    it('should not throw for redirects to allowed domains', () => {
+      const beforeRedirect = createBeforeRedirect();
+      expect(() =>
+        beforeRedirect({
+          protocol: 'https:',
+          hostname: 'imgur.com',
+          path: '/image.jpg',
+        })
+      ).not.toThrow();
+    });
+
+    it('should throw for redirect to 127.0.0.1 (localhost)', () => {
+      const beforeRedirect = createBeforeRedirect();
+      expect(() =>
+        beforeRedirect({
+          protocol: 'https:',
+          hostname: '127.0.0.1',
+          path: '/secret',
+        })
+      ).toThrow('Redirect blocked');
+    });
+
+    it('should throw for redirect to 169.254.169.254 (AWS metadata)', () => {
+      const beforeRedirect = createBeforeRedirect();
+      expect(() =>
+        beforeRedirect({
+          protocol: 'http:',
+          hostname: '169.254.169.254',
+          path: '/latest/meta-data/',
+        })
+      ).toThrow('Redirect blocked');
+    });
+
+    it('should throw for redirect to 192.168.x.x (private network)', () => {
+      const beforeRedirect = createBeforeRedirect();
+      expect(() =>
+        beforeRedirect({
+          protocol: 'https:',
+          hostname: '192.168.1.1',
+          path: '/admin',
+        })
+      ).toThrow('Redirect blocked');
+    });
+
+    it('should throw for redirect to 10.x.x.x (private network)', () => {
+      const beforeRedirect = createBeforeRedirect();
+      expect(() =>
+        beforeRedirect({
+          protocol: 'https:',
+          hostname: '10.0.0.1',
+          path: '/internal',
+        })
+      ).toThrow('Redirect blocked');
+    });
+
+    it('should throw for redirect to disallowed domain', () => {
+      const beforeRedirect = createBeforeRedirect();
+      expect(() =>
+        beforeRedirect({
+          protocol: 'https:',
+          hostname: 'evil.com',
+          path: '/payload',
+        })
+      ).toThrow('Redirect blocked');
+    });
+
+    it('should allow redirect between allowed domains', () => {
+      const beforeRedirect = createBeforeRedirect();
+      expect(() =>
+        beforeRedirect({
+          protocol: 'https:',
+          hostname: 'images.unsplash.com',
+          path: '/photo-123',
+        })
+      ).not.toThrow();
+    });
   });
 });

package/src/utils/urlValidator.js

@@ -147,7 +147,23 @@ const validateImageUrl = (url) => {
 };
 
 /**
- * Configures axios with security settings for external requests
+ * Creates a beforeRedirect callback that validates each redirect target against
+ * the same SSRF rules applied to the initial URL.
+ * @returns {function} Axios beforeRedirect callback
+ */
+const createBeforeRedirect = () => {
+  return (options) => {
+    const redirectUrl = `${options.protocol}//${options.hostname}${options.path}`;
+    const validation = validateImageUrl(redirectUrl);
+    if (!validation.isValid) {
+      throw new Error(`Redirect blocked: ${validation.error}`);
+    }
+  };
+};
+
+// Note: DNS rebinding (TOCTOU) attacks are not mitigated by hostname-based validation
+/**
+ * Configures axios with security settings for external requests.
  * @param {string} url - The validated URL to request
  * @returns {object} Axios configuration with security settings
  */
@@ -159,10 +175,17 @@ const createSecureAxiosConfig = (url) => {
     maxRedirects: 3, // Limit redirects
     maxContentLength: 50 * 1024 * 1024, // 50MB max response
     validateStatus: (status) => status >= 200 && status < 300, // Only accept 2xx
+    beforeRedirect: createBeforeRedirect(),
     headers: {
       'User-Agent': 'Ghost-MCP-Server/1.0',
     },
   };
 };
 
-export { validateImageUrl, createSecureAxiosConfig, ALLOWED_DOMAINS };
+export {
+  validateImageUrl,
+  createSecureAxiosConfig,
+  createBeforeRedirect,
+  isSafeHost,
+  ALLOWED_DOMAINS,
+};