localant 1.0.2 → 1.1.0

package/README.ja.md

@@ -0,0 +1,185 @@
+<p align="center">
+  <img src="assets/hero.png" width="320" alt="LocalAnt — ChatGPT ネイティブのローカル MCP ゲートウェイ" />
+</p>
+
+# LocalAnt
+
+<p align="center">
+  <a href="https://github.com/yuga-hashimoto/localant/actions/workflows/ci.yml"><img src="https://github.com/yuga-hashimoto/localant/actions/workflows/ci.yml/badge.svg" alt="CI" /></a>
+  <a href="https://www.npmjs.com/package/localant"><img src="https://img.shields.io/npm/v/localant.svg" alt="npm version" /></a>
+  <a href="https://nodejs.org"><img src="https://img.shields.io/node/v/localant.svg" alt="node version" /></a>
+  <a href="LICENSE"><img src="https://img.shields.io/badge/license-MIT-blue.svg" alt="MIT license" /></a>
+</p>
+
+<p align="center">
+  <a href="README.md">English</a> · <b>日本語</b>
+</p>
+
+> **ChatGPT を頭脳に、あなたのローカル PC を手足にする。**
+
+`LocalAnt` は、ChatGPT を頭脳として、ローカル PC を実行環境として使うための
+ツールです。
+
+安全で権限管理された「スキル」を MCP 経由で ChatGPT に公開します。
+許可済みコマンドの実行、プロジェクトの調査、ファイル操作、Claude Code や Codex
+などのコーディングエージェントの呼び出し、ブラウザ / ADB の操作、記事の公開、
+独自スキルの作成 —— すべてが**デフォルト拒否**のセキュリティモデル、ローカル承認、
+完全な監査ログの背後で動作します。
+
+```text
+ChatGPT
+  ↓ Apps SDK / MCP コネクタ（Streamable HTTP /mcp）
+LocalAnt  ── ゲートウェイ · リスクエンジン · 承認キュー · 監査ログ · ダッシュボード
+  ↓ ローカル PC
+  ├─ シェル（allowlist）· ファイルシステム（allowlist）· Git
+  ├─ Claude Code / Codex（計画 → 承認 → 実行 → 検証 → 差分）
+  ├─ ブラウザ（Playwright・分離プロファイル）· Android（ADB）
+  ├─ 記事（Zenn / Qiita / note）· カスタムスキル
+  └─ アダプタ: OpenClaw · Desktop Commander · 任意の MCP サーバ
+```
+
+---
+
+## LocalAnt とは？
+
+ChatGPT のための**ローカルファースト MCP ゲートウェイ**です。ChatGPT は会話 UI
+兼意思決定者、あなたの PC が実行環境になります。ゲートウェイは **140 以上の権限
+管理されたツール**を Model Context Protocol で公開し、ChatGPT の開発者モード
+コネクタから呼び出せます。
+
+## なぜ ChatGPT が頭脳で、ローカル PC が手足なのか？
+
+- ChatGPT は推論・計画・会話が得意です。
+- あなたの PC には、実際のコード・ファイル・デバイス・ツールがあります。
+- ChatGPT に生のシェルを渡すのは危険です。代わりに、リスクの高い操作はローカル
+  承認を挟んだ**厳選された権限付きの操作面**を提供します。
+
+## 特長
+
+- 🔒 **デフォルト拒否のセキュリティ**: ディレクトリ / コマンドの allowlist、
+  blocklist、パス・シンボリックリンクのトラバーサル防止、シークレット保管庫 + マスキング。
+- ✅ **ローカル承認キュー**: リスク2以上のツールはダッシュボードまたは CLI での
+  明示的な承認が必須。ChatGPT 側の確認だけでは決して信用しません。
+- 🧾 **完全な監査ログ**: すべてのツール呼び出しを記録（シークレットはマスキング）。
+- 🧩 **スキルシステム**: 作成・検証・有効化・実行・git からの導入・公開、そして
+  **ChatGPT からのスキル生成**（常に無効状態で保存）。
+- 🤖 **コーディングエージェント**: Claude Code / Codex を駆動（計画 → 承認 → 実行
+  → 検証 → 差分）。
+- 🖥️ **ローカルダッシュボード**: ステータス・承認・監査・スキル・プロジェクト・
+  シークレット・エージェント。
+- 🌐 **3分セットアップ**: Cloudflare Tunnel / ngrok とクリップボードコピー対応。
+- 🔌 **アダプタ**: OpenClaw、Desktop Commander、任意の MCP サーバ。
+
+## 3分セットアップ
+
+```bash
+npx -y localant setup
+```
+
+または：
+
+```bash
+npm install -g localant
+localant setup
+```
+
+`setup` は環境チェック、設定の初期化、認証トークン生成、組み込みスキルの有効化、
+ゲートウェイ + ダッシュボードの起動、公開トンネルの作成、MCP URL のクリップボード
+コピー、ChatGPT 接続手順の表示までを行います。
+
+## ChatGPT の設定
+
+1. ChatGPT →**設定 → アプリとコネクタ**
+2. **詳細設定 → 開発者モードをオン**
+3. **コネクタ → 作成**
+4. **MCP URL**（`https://…/mcp?key=<token>`）を貼り付け
+5. **認証**を**なし**にする（URLにトークンが含まれているため）
+6. 名前を **LocalAnt** にする
+7. ChatGPT に「ローカルアプリのヘルスチェックを実行して」と頼む
+
+トークンは URL に埋め込まれているため、カスタムヘッダが使えない環境でもコネクタ
+が認証できます。`Authorization: Bearer <token>` も利用できます（こちらを推奨）。
+詳細は [docs/chatgpt-setup.md](docs/chatgpt-setup.md)。
+
+## セキュリティモデル
+
+| リスク | 意味 | 承認 |
+|------|---------|------|
+| 0 | 読み取り専用 | 不要 |
+| 1 | 安全な下書き書き込み | 設定次第（既定は不要） |
+| 2 | ファイル変更 | **必須** |
+| 3 | シェル / エージェント / ネットワーク書き込み | **必須** |
+| 4 | 破壊的 / 公開 / デプロイ | **二重承認** |
+
+- 既定では生のシェルなし —— allowlist に対する `shell_run_allowed_command` のみ。
+- ファイルアクセスは**許可ディレクトリ**に限定。機微なパス（`~/.ssh`、`~/.aws`、
+  `/etc` など）は常にブロックし、シンボリックリンクによる脱出も検出します。
+- シークレットは暗号化されたローカル保管庫に保存され、ツール出力・監査ログから
+  **マスキング**されます。
+- 生成 / 導入したスキルはレビューするまで**既定で無効**です。
+
+詳細は [SECURITY.md](SECURITY.md)。トークンは秘密を失わずに
+`localant token rotate` でいつでも再発行できます。
+
+## スキル
+
+スキルは拡張の単位です。
+
+```text
+skills/<name>/
+  skill.json     # マニフェスト: 権限 + リスク + ツールスキーマ
+  README.md  LICENSE  CHANGELOG.md
+  src/index.ts   # defineSkill({...})
+  tests/index.test.ts
+  examples/
+```
+
+```ts
+import { defineSkill, z } from "@LocalAnt/skill-sdk";
+
+export default defineSkill({
+  name: "hello-world",
+  tools: {
+    hello: {
+      description: "Say hello",
+      riskLevel: 0,
+      inputSchema: z.object({ name: z.string() }),
+      handler: async ({ name }) => ({ content: `Hello ${name}` }),
+    },
+  },
+});
+```
+
+詳細は [docs/skills.md](docs/skills.md)。
+
+## 記事の公開
+
+- **Zenn**: GitHub リポジトリ方式。`published:false` で `articles/<slug>.md` を
+  書き出し、PR ブランチも作成可能。（`zenn_*`）
+- **Qiita**: 保管庫の `QIITA_TOKEN` を使った公式 API。非公開を優先。（`qiita_*`）
+- **note**: ローカルの下書きファイル優先。公開には note-mcp アダプタが必要。（`note_*`）
+
+公開操作は**リスク4（二重承認）**です。詳細は [docs/articles.md](docs/articles.md)。
+
+## CLI
+
+```bash
+localant setup | start | stop | restart | status | doctor | update | uninstall
+localant token rotate | show   # 認証トークンを再発行（シークレットは保持）
+localant tunnel status
+localant approvals list | approve <id> [--session] | deny <id>
+localant skills list | info <name> | enable <name> | disable <name> | install <git-url>
+localant projects list | add <path> [--name <n>] | remove <id>
+localant secrets set <name> [value] | list | remove <name>
+```
+
+## コントリビュート
+
+コントリビューション歓迎です（特にテストとセキュリティ強化）。セットアップ・
+コーディング規約・リリース手順は [CONTRIBUTING.md](CONTRIBUTING.md)、今後の方針は
+[ROADMAP.md](ROADMAP.md) を参照してください。脆弱性は
+[SECURITY.md](SECURITY.md) に従って非公開で報告してください。
+
+## ライセンス
+
+MIT —— [LICENSE](LICENSE) を参照。

package/README.md

@@ -1,9 +1,20 @@
 <p align="center">
-  <img src="assets/icon.svg" width="96" height="96" alt="LocalAnt — ChatGPT-native Local MCP Gateway" />
+  <img src="assets/hero.png" width="320" alt="LocalAnt — ChatGPT-native Local MCP Gateway" />
 </p>
 
 # LocalAnt
 
+<p align="center">
+  <a href="https://github.com/yuga-hashimoto/localant/actions/workflows/ci.yml"><img src="https://github.com/yuga-hashimoto/localant/actions/workflows/ci.yml/badge.svg" alt="CI" /></a>
+  <a href="https://www.npmjs.com/package/localant"><img src="https://img.shields.io/npm/v/localant.svg" alt="npm version" /></a>
+  <a href="https://nodejs.org"><img src="https://img.shields.io/node/v/localant.svg" alt="node version" /></a>
+  <a href="LICENSE"><img src="https://img.shields.io/badge/license-MIT-blue.svg" alt="MIT license" /></a>
+</p>
+
+<p align="center">
+  <b>English</b> · <a href="README.ja.md">日本語</a>
+</p>
+
 > **Use ChatGPT as the brain. Use your local computer as the hands.**
 
 `LocalAnt` lets you use ChatGPT as the brain and your local computer as the hands.
@@ -63,6 +74,55 @@ and audit.
 - 🌐 **3-minute setup** with Cloudflare Tunnel / ngrok and clipboard copy.
 - 🔌 **Adapters** for OpenClaw, Desktop Commander, and arbitrary MCP servers.
 
+## ChatGPT as a local coding agent
+
+LocalAnt is also a **ChatGPT-native local coding-agent runtime**. ChatGPT can
+read, search, edit, run, test, and diff a project on your machine through MCP —
+behind the same approval / audit / security pipeline as everything else.
+
+It exposes the standard **Codex / Claude Code / OpenCode**-style tool names:
+
+| Category | Tools |
+|----------|-------|
+| Read / search | `read` · `read_file_range` · `grep` · `glob` · `list_files` · `get_file_info` |
+| Edit | `write` · `edit` · `multi_edit` · `apply_patch` · `move_file` · `copy_file` · `create_directory` · `delete_file` |
+| Run | `bash` · `shell_run_background` · `shell_get_output` · `shell_stop` · `command_exists` |
+| Git | `git_status` · `git_diff` · `git_add` · `git_commit` · `git_restore` · `git_stash` · `git_reset` · `git_apply_patch` · `git_is_dirty` |
+| Validate | `project_run_tests` · `project_run_lint` · `project_run_typecheck` · `project_run_build` · `project_run_validation` · `project_get_package_scripts` |
+| Code intel | `lsp_status` · `lsp_diagnostics` · `lsp_document_symbols` · `lsp_go_to_definition` · `lsp_find_references` · `lsp_hover` · `lsp_rename_symbol` |
+| Approve | `approval_request` (the human approves in the dashboard / CLI) |
+| Delegate | `agent_run` (claude-code · codex · opencode · openclaw · antigravity-cli · hermes-agent) |
+
+> **No web search / web fetch / todo / "ask the user" tools** — ChatGPT already
+> does web search, browsing, planning, and asking you directly, so tool-ifying
+> those would only bloat the surface. LocalAnt exposes only what it *uniquely*
+> provides: your local files, shell, git, toolchain, language server, browser,
+> device, and agents.
+
+`bash` runs through a real shell (pipelines and `&&` work) **but** every command
+is screened by CommandGuard (blocked tokens, `rm -rf`, …), the `cwd` is validated
+by PathGuard, and the call is gated by the security mode (approval in `strict`,
+audited-but-ungated in `open`, ungated in `yolo` — with `CORE_BLOCKED_COMMAND_TOKENS`
+rejected even in `yolo`).
+
+**Tool profiles** keep the advertised surface sharp:
+
+- `minimal` — the small delegation core (shell / agent / skill + read-only fs).
+- `coding` — the full coding surface above (recommended for ChatGPT-as-coder).
+- `full` — every tool (browser, adb, skill authoring, destructive git, secrets).
+
+```bash
+localant tools profile coding   # switch profile
+localant tools list             # see what's exposed
+```
+
+Then just ask ChatGPT:
+
+> "Look at this repo, fix the bug, run `pnpm validate`, and show me the `git diff`."
+
+ChatGPT will check project/git state, `grep`/`glob` for the code, `edit`/`apply_patch`
+the fix, `bash` the validation, iterate on errors, and return `git_diff`.
+
 ## 3-minute setup
 
 ```bash
@@ -92,7 +152,8 @@ Connect ChatGPT:
   2. Advanced settings → Developer Mode ON
   3. Connectors → Create
   4. Paste the MCP URL above
-  5. Name it: LocalAnt
+  5. Set Authentication to "None"
+  6. Name it: LocalAnt
 ```
 
 > **From source** (this repo): `pnpm install && pnpm build && node packages/cli/dist/bin.js setup`
@@ -103,26 +164,53 @@ Connect ChatGPT:
 2. **Advanced settings → Developer Mode ON**
 3. **Connectors → Create**
 4. Paste the **MCP URL** (`https://…/mcp?key=<token>`)
-5. Name it **LocalAnt**
-6. Ask ChatGPT: *"Run health check on my local app"*
+5. Set **Authentication** to **None**
+6. Name it **LocalAnt**
+7. Ask ChatGPT: *"Run health check on my local app"*
 
 The token is embedded in the URL so the connector authenticates even where
 custom headers aren't available. You can also send `Authorization: Bearer <token>`.
 See [docs/chatgpt-setup.md](docs/chatgpt-setup.md).
 
+> **Tip — set a fixed URL so you never recreate the connector.** The default
+> Quick Tunnel URL changes on every restart. Configure a fixed tunnel (ngrok
+> static domain, a custom subdomain, or your own domain) in the dashboard
+> **Settings** tab or with `localant config set tunnel.domain <domain>`. The
+> auth token is persistent, so a stable URL means you connect ChatGPT **once**.
+> Full instructions: [docs/chatgpt-setup.md → Keep a fixed URL](docs/chatgpt-setup.md#keep-a-fixed-url-dont-recreate-the-connector-every-time).
+
 ## Security model
 
-| Risk | Meaning | Approval |
-|------|---------|----------|
-| 0 | read-only | none |
-| 1 | safe write draft | config (default none) |
-| 2 | file modification | **required** |
-| 3 | shell / agent / network write | **required** |
-| 4 | destructive / publish / deploy | **double approval** |
-
-- No raw shell by default — only `shell_run_allowed_command` against an allowlist.
-- Filesystem access limited to **allowed directories**; sensitive paths
-  (`~/.ssh`, `~/.aws`, `/etc`, …) are always blocked; symlink escapes are caught.
+LocalAnt has three security modes (set `security.mode` in config or the
+dashboard Settings tab):
+
+| Mode | Filesystem / shell | Approval gates | For |
+|------|--------------------|----------------|-----|
+| **`open`** (default) | deny-list — everything allowed except the sensitive blocklist + core blocked tokens | only risk-4 (destructive/publish) | personal single-user machines |
+| `strict` | allow-list — only allowed directories & commands | per risk level (see below) | shared / multi-user environments |
+| `yolo` | deny-list (same as `open`) | none at all | trusted automation only |
+
+The default is **`open`**: a deny-list model for personal use. There is no
+directory or command allow-list to maintain — ChatGPT can read/write anywhere
+and run any command **except** the always-blocked items below.
+
+**Strict-mode approval matrix:**
+
+| Risk | Meaning | Approval (strict) | Approval (open) |
+|------|---------|-------------------|-----------------|
+| 0 | read-only | none | none |
+| 1 | safe write draft | config (default none) | none |
+| 2 | file modification | **required** | none |
+| 3 | shell / agent / network write | **required** | none |
+| 4 | destructive / publish / deploy | **double approval** | **double approval** |
+
+**Always enforced, in every mode (including `open` and `yolo`):**
+
+- Sensitive paths (`~/.ssh`, `~/.aws`, `~/.gnupg`, `/etc`, Keychains, …) are
+  **never** readable or writable; symlink escapes are caught.
+- Core blocked commands — `sudo`, `su`, `dd`, `mkfs`, `fdisk`, `diskutil`,
+  `shutdown`, `reboot` — and `rm -rf` / `chmod 777` are **always rejected** and
+  cannot be removed from the blocklist.
 - Secrets live in an encrypted local vault and are **redacted** from tool
   output and the audit log.
 - Generated/installed skills are **disabled by default** until you review them.
@@ -131,9 +219,26 @@ Full details: [SECURITY.md](SECURITY.md).
 
 ## Dashboard
 
-A local-only dashboard (`http://127.0.0.1:8788`) shows status, the MCP endpoint
-(with copy button), pending approvals, the audit log, skills (enable/disable),
-projects, secret names, and coding agents.
+A local-only dashboard (`http://127.0.0.1:8788`) is a full control panel — every
+setting that's available on the CLI is editable from the web, and vice versa.
+A live status badge and a pending-approvals counter update automatically.
+
+- **Home** — status, MCP endpoint (copy), tunnel start/stop/restart, **Test
+  connection** (fetches the public URL to confirm ChatGPT can reach you), health
+  check.
+- **Settings** — security mode (open/strict/yolo), risk policy, **auth token
+  reveal/rotate** (rotation takes effect with no restart), tunnel provider +
+  fixed-URL config with **Save & restart**, gateway/dashboard ports, allowed
+  directories/commands, blocked tokens (core tokens shown but locked), **bridged
+  MCP servers** (add/test/remove downstream stdio servers), and a raw JSON editor
+  with validation.
+- **Skills** — create, enable/disable, inspect permissions (modal), uninstall.
+- **Agents** — enable/disable (e.g. Codex), **launch plan/execute tasks** and
+  live-tail their logs.
+- **Audit** — full-text search and click-through to the full input/output of any
+  entry.
+- **Projects** — register/remove. **Secrets** — add/remove with reveal toggle
+  (names only). Plus a live **Approvals** queue.
 
 ## Skills
 
@@ -242,12 +347,16 @@ them behind the gateway's safety pipeline.
 
 ```bash
 localant setup | start | stop | restart | status | doctor | update | uninstall
+localant token rotate | show   # re-issue the auth token (secrets preserved)
 localant tunnel status
 localant dashboard | logs
 localant approvals list | approve <id> [--session] | deny <id>
 localant skills list | info <name> | enable <name> | disable <name> | install <git-url> | validate <name> | publish <name>
 localant projects list | add <path> [--name <n>] | remove <id>
 localant secrets set <name> [value] | list | remove <name>
+localant tools list | profile <minimal|coding|full>
+localant agents list | detect | run <agent> <projectId> <task> [--execute] | logs <taskId> | stop <taskId>
+localant mcp list | test <name> | import-all
 ```
 
 ## Architecture
@@ -269,8 +378,9 @@ See [docs/architecture.md](docs/architecture.md).
 
 - **Does ChatGPT get a raw shell?** No. Only allowlisted commands run without
   approval; anything else needs an explicit local approval.
-- **Where is my config?** `~/Library/Application Support/LocalAnt` (macOS),
-  `~/.config/LocalAnt` (Linux), `%APPDATA%/LocalAnt` (Windows).
+- **Where is my config?** `~/.localant` on every platform (override with the
+  `LOCALANT_HOME` env var). A pre-1.x install under `~/Library/Application
+  Support/LocalAnt` / `~/.config/LocalAnt` is migrated automatically on first run.
 - **Do I need Claude Code/Codex/adb/Playwright?** Only for those specific tool
   families; they degrade gracefully with install guidance.
 - **Is the tunnel safe?** A public tunnel exposes the gateway; the auth token is
@@ -289,6 +399,13 @@ localant uninstall --purge  # also deletes the config/data directory
 npm uninstall -g localant
 ```
 
+## Contributing
+
+Contributions are welcome — especially tests and security hardening. See
+[CONTRIBUTING.md](CONTRIBUTING.md) for setup, coding standards, and the release
+process, and [ROADMAP.md](ROADMAP.md) for where the project is headed. Please
+report vulnerabilities privately per [SECURITY.md](SECURITY.md).
+
 ## License
 
 MIT — see [LICENSE](LICENSE).

package/SECURITY.md

@@ -12,7 +12,9 @@ describes the threat model and the controls that mitigate it.
 | Prompt-injected ChatGPT tries to read secrets/credentials | High | Secret vault (encrypted), redaction, sensitive-path blocklist |
 | Path traversal / symlink escape | High | `PathGuard` resolves realpaths and re-checks allowlist + blocklist |
 | Shell injection / command chaining | High | `CommandGuard` rejects pipes/redirection/substitution; allowlist prefix match; hard blocklist |
-| Public tunnel exposure | Medium | Mandatory auth token; dashboard warnings; tunnel is opt-out |
+| Public tunnel exposure | Medium | Mandatory auth token; rate-limited `/mcp`; dashboard warnings; tunnel is opt-out |
+| Malicious web page driving the local dashboard (CSRF / DNS-rebinding) | Medium | Dashboard `/api/*` requires a per-process token embedded only in the served HTML; non-local `Host` headers rejected |
+| Token leakage via `?key=` in tunnel logs | Medium | Bearer header recommended; `localant token rotate` re-issues without losing secrets |
 | Malicious third-party skill | Medium | Skills disabled by default; per-skill permission manifest; isolated subprocess execution; only declared secrets injected |
 | Secret leakage to logs/responses | Medium | Deep redaction of known secret values + token-shaped strings |
 
@@ -54,20 +56,73 @@ human approves it; once-approvals are consumed after a single use.
 
 ## Shell safety
 
-- Allowlist prefix matching; pipeline/redirection/chaining/substitution rejected.
-- Hard blocklist enforced even after approval.
-- No shell interpreter — validated commands are split to argv and executed
-  directly with a timeout and output cap.
+LocalAnt exposes two shell paths:
+
+- **`shell_run_allowed_command`** (allowlist) — allowlist prefix matching;
+  pipeline/redirection/chaining/substitution rejected; commands split to argv and
+  executed directly (no shell interpreter), with a timeout and output cap.
+- **`bash`** (arbitrary, risk 3) — runs through a real shell (`bash -c`) so
+  pipelines and `&&` work, but **only after**:
+  - **CommandGuard** rejects blocked tokens (`sudo`, `su`, `dd`, `mkfs`,
+    `fdisk`, `diskutil`, `shutdown`, `reboot`, …) across *every* pipeline
+    segment, and rejects `rm -rf` / `chmod 777`;
+  - **PathGuard** validates the `cwd`;
+  - the security **mode policy** gates it (see below).
+
+In **all** modes `CORE_BLOCKED_COMMAND_TOKENS` and `rm -rf` are rejected — even
+in `yolo`, and even after approval. Background processes (`shell_run_background`)
+go through the same guard.
+
+### Mode behaviour for `bash` (risk 3)
+
+| Mode | `bash` behaviour |
+|------|------------------|
+| `strict` | requires approval; only allowlisted commands run without it |
+| `open` | runs without approval but **always audited**; only risk-4 needs approval |
+| `yolo` | runs without approval; blocklist + core tokens still rejected; audited |
 
 ## Secret safety
 
-- Secrets stored in an AES-256-GCM encrypted vault keyed from the local token.
-- Listing returns **names only**; values are never displayed.
+- Secrets stored in an AES-256-GCM encrypted vault keyed from a **dedicated,
+  random vault key** held in `vault.key` (mode `0600`) — independent of the auth
+  token, so rotating the token never makes stored secrets undecryptable. Secrets
+  written by older versions (token-derived key) are transparently migrated.
+- Listing returns **names only**; values are never displayed. `secret_set` stores
+  a value but **no tool ever returns it**; `secret_remove` is risk 4.
 - Tool output and audit entries are deep-redacted for known secret values and
-  token-shaped strings.
+  token-shaped strings — including `bash` and coding-agent output.
 - Skills receive only the secret values they declare in their manifest, passed
   to an isolated subprocess — never the vault itself.
 
+## Dashboard safety
+
+The dashboard binds to `127.0.0.1` only, but localhost binding alone does not
+stop a malicious web page from issuing requests to it. Two additional controls
+close that gap:
+
+- **Per-process token**: every `/api/*` call must carry an `x-dashboard-token`
+  header. The token is embedded only in the dashboard HTML, which a cross-origin
+  page cannot read, and the custom header cannot be forged cross-origin without
+  a CORS preflight that is never granted — defeating CSRF.
+- **Host allowlisting**: requests whose `Host` header is not local
+  (`localhost`, `127.0.0.1`, `::1`) are rejected, defeating DNS-rebinding.
+
+## Browser safety
+
+- Browser automation uses an **isolated profile by default** — never your
+  day-to-day logged-in Chrome profile. Using a login-capable profile is an
+  explicit opt-in (`browser_use_profile`) and exposes your sessions to
+  automation; treat it as a strong-approval action.
+- `browser_evaluate` (arbitrary in-page JS) is risk 4.
+
+## Network safety
+
+- The public `/mcp` endpoint is rate-limited per client IP.
+- Rotate the auth token at any time with `localant token rotate`; stored secrets
+  are preserved. Prefer `Authorization: Bearer <token>` over `?key=<token>` where
+  your client supports custom headers, since query strings can appear in proxy
+  and tunnel access logs.
+
 ## Skill safety
 
 - Generated and git-installed skills are saved **disabled**.

package/examples/skills/article-publisher/README.md

@@ -0,0 +1,41 @@
+# Article Publisher (LocalAnt skill)
+
+Draft and publish articles to **Zenn** (GitHub repo method), **Qiita** (official API),
+and **note** / generic local drafts. This is the skill replacement for the former
+built-in `zenn_*` / `qiita_*` / `note_*` / `article_create` tools.
+
+## Tools
+
+| Tool | Notes |
+|------|-------|
+| `article_create` | Generic Markdown draft in the skill workspace. |
+| `zenn_create_article` | Draft (`published:false`) under `<repoPath>/articles`. |
+| `zenn_list_articles` | List article files in the repo. |
+| `zenn_publish_article` | Flip `published:true` (then commit & push to publish). |
+| `zenn_create_pr` | Commit changes on a new branch (`git` on PATH). |
+| `qiita_create_private_article` | Create a private Qiita article. |
+| `qiita_list_articles` | List your Qiita articles. |
+| `qiita_publish_article` | Make a Qiita article public. |
+| `note_create_draft` | Local note draft (note has no official write API). |
+
+## Setup
+
+1. **Qiita token** — store it as a secret named `QIITA_TOKEN` (dashboard → Secrets,
+   or `localant secrets set QIITA_TOKEN`). The skill reads it via `getSecret`; it is
+   never written by the skill. This replaces the old `qiita_configure_token` tool.
+2. **Zenn repo** — pass `repoPath` (your local Zenn content repo) on each Zenn call.
+   This replaces the old `zenn_configure_repo` tool.
+3. Enable the skill (skills are disabled by default), then call via `skill_run`:
+
+   ```
+   skill_run { name: "article-publisher", tool: "qiita_list_articles", input: {} }
+   ```
+
+## Differences from the old built-in tools
+
+- `qiita_configure_token` → use standard secret management (`QIITA_TOKEN`).
+- `zenn_configure_repo` → pass `repoPath` per call (stateless).
+- `note_configure` / `note_publish_article` were thin MCP-bridge shims and are **not**
+  ported — note has no official public write API; publish manually or via an MCP bridge.
+- Publish actions ran at risk 4 (double approval) as built-ins; as a skill they run
+  under `skill_run` (risk 3). Review before enabling.

package/examples/skills/article-publisher/package.json

@@ -0,0 +1,9 @@
+{
+  "name": "@localant-skill/article-publisher",
+  "version": "0.1.0",
+  "private": true,
+  "type": "module",
+  "dependencies": {
+    "@localant/skill-sdk": "workspace:*"
+  }
+}