openwriter 0.28.0 → 0.28.2

package/dist/server/pending-overlay.js

@@ -859,6 +859,52 @@ function sameContent(a, b) {
     const bClean = sanitizeNodeForBaseline(b);
     return JSON.stringify(aClean) === JSON.stringify(bClean);
 }
+/**
+ * Repair canonical rewrite nodes that still hold the rewrite's NEW content.
+ *
+ * `splitMergedDoc` / `stripPendingFromDoc` can only revert a rewrite via the
+ * node's own `pendingOriginalContent` attr. When a merged doc arrives from an
+ * untrusted source — a browser doc-update (`syncBrowserDocUpdate`) — whose
+ * rewrite node dropped or staled that attr, the revert silently fails and the
+ * rewrite TEXT lands in canonical. The next `applyOverlayPure` then compares
+ * canonical-as-rewrite to the (still-correct) overlay baseline and falsely
+ * flags `pendingStaleBaseline` (the amber dotted-underline indicator).
+ *
+ * The server's overlay entry retains the authoritative `originalBaseline`, so
+ * re-assert it here — but ONLY when the canonical node currently equals the
+ * entry's `newContent`. That condition means "the revert failed." If canonical
+ * holds anything else (a genuine out-of-band edit), it is left untouched so
+ * real stale-baseline drift is still surfaced for review.
+ *
+ * adr: adr/pending-overlay-model.md · adr: adr/tweet-paragraph-convention.md
+ */
+export function reconcileCanonicalToBaselines(canonical, entries) {
+    const byId = new Map();
+    for (const e of entries) {
+        if (e.status === 'rewrite' && e.originalBaseline?.content && e.newContent?.content) {
+            byId.set(e.nodeId, e);
+        }
+    }
+    if (byId.size === 0)
+        return;
+    const key = (content) => JSON.stringify(sanitizeNodeForBaseline({ content }));
+    function walk(nodes) {
+        if (!Array.isArray(nodes))
+            return;
+        for (const n of nodes) {
+            const e = n?.attrs?.id ? byId.get(n.attrs.id) : undefined;
+            if (e && key(n.content) === key(e.newContent.content)) {
+                // Canonical is holding the rewrite text — the split couldn't revert it.
+                // Restore the authoritative baseline.
+                n.content = JSON.parse(JSON.stringify(e.originalBaseline.content));
+            }
+            else if (n.content) {
+                walk(n.content);
+            }
+        }
+    }
+    walk(canonical?.content || []);
+}
 function sanitizeNodeForBaseline(node) {
     // Strip volatile fields (ids, pending attrs) for content comparison.
     const cloned = JSON.parse(JSON.stringify(node));

package/dist/server/state.js

@@ -9,14 +9,14 @@ import matter from 'gray-matter';
 import { tiptapToMarkdown, tiptapToMarkdownChecked, tiptapToBody, markdownToTiptap } from './markdown.js';
 import { applyTextEditsToNode } from './text-edit.js';
 import { getDataDir, TEMP_PREFIX, ensureDataDir, filePathForTitle, tempFilePath, generateNodeId, LEAF_BLOCK_TYPES, resolveDocPath, isExternalDoc, atomicWriteFileSync, canonicalizePath, canonicalizeIdentifier } from './helpers.js';
-import { snapshotIfNeeded, ensureDocId } from './versions.js';
+import { snapshotIfNeeded, ensureDocId, forceSnapshot } from './versions.js';
 import { syncReferencesFromProse, invalidateBacklinksCache, writeFrontmatter } from './backlinks.js';
 import { isAutoAcceptInheritedForDoc } from './workspaces.js';
 import { matchNodes } from './node-matcher.js';
 import { tiptapToBlocks, applyIdsToTiptap } from './node-blocks.js';
 import { anyLegacyRaw } from './node-fingerprint.js';
 import { markdownToNodes, resolvePreviousNodes, resolveGraveyard } from './markdown-parse.js';
-import { extractOverlay, applyOverlayPure, splitMergedDoc, saveOverlay, loadOverlay, loadDocFromDisk, deleteOverlay, repairOverlaysOnStartup, diagLog } from './pending-overlay.js';
+import { extractOverlay, applyOverlayPure, splitMergedDoc, reconcileCanonicalToBaselines, saveOverlay, loadOverlay, loadDocFromDisk, deleteOverlay, repairOverlaysOnStartup, diagLog } from './pending-overlay.js';
 import { loadPendingMetadata, savePendingMetadata } from './pending-metadata.js';
 import { harvestSentenceHashes, harvestCharCount, isEnrichmentStale } from './enrichment.js';
 import { clearActivityBuffer } from './activity-log.js';
@@ -145,6 +145,42 @@ function setPrimaryFromMerged(merged) {
     state.canonical = canonical;
     setOverlayFromEntries(overlayEntries);
 }
+/**
+ * Browser-write body-fidelity invariant. adr: adr/browser-write-fidelity.md
+ *
+ * A browser editor surface can mount empty, or parse the canonical body
+ * through a NARROWER schema (the X-article / tweet compose extensions),
+ * then autosave that lossy view back — collapsing a populated body to
+ * empty/near-empty on disk. This is the "autosave-clobber" class: silent
+ * data loss the user never authored.
+ *
+ * The invariant lives at the BROWSER-WRITE BOUNDARY — every function that
+ * replaces canonical from a browser-sent doc (`updateDocument`,
+ * `syncBrowserDocUpdate`, `saveDocToFile`). It deliberately does NOT live
+ * at the disk chokepoint (`writeToDisk`): restore_version, MCP edits, and
+ * agent `applyChanges` mutate canonical directly and are TRUSTED to shrink
+ * a doc intentionally. Recovery-restores GROW the doc (incoming > current)
+ * and so pass freely here too.
+ *
+ * A replacement that collapses a substantial body (>5 nodes) to under 30%
+ * of its node count is a view artifact, not an edit — refuse it.
+ */
+export function wouldCollapseBody(current, incoming) {
+    const currentNodes = current?.content?.length ?? 0;
+    const incomingNodes = incoming?.content?.length ?? 0;
+    return currentNodes > 5 && incomingNodes < currentNodes * 0.3;
+}
+/**
+ * Checkpoint-then-refuse helper for the active doc. Forces a version
+ * snapshot of the current ON-DISK body — still the good content, since the
+ * clobbering write is being refused — so it is recoverable under a labeled
+ * version even if no prior autosave snapshot happened to retain it.
+ */
+function checkpointActiveBody() {
+    const docId = getDocId();
+    if (docId && state.filePath)
+        forceSnapshot(docId, state.filePath);
+}
 /**
  * Sync routing for a stale-version browser doc-update. The browser's
  * submission was captured at server version `browserVersion`; the server
@@ -168,6 +204,15 @@ function setPrimaryFromMerged(merged) {
  * adr: adr/pending-overlay-model.md
  */
 export function syncBrowserDocUpdate(browserDoc, browserVersion) {
+    // Browser-write fidelity: a STALE-version browser doc-update is the same
+    // autosave-clobber class as the current-version path — and this path
+    // previously bypassed the guard, writing the empty surface straight to
+    // canonical. Refuse + checkpoint here too. adr: adr/browser-write-fidelity.md
+    if (wouldCollapseBody(state.document, browserDoc)) {
+        checkpointActiveBody();
+        console.error(`[State] REFUSED body-collapse in syncBrowserDocUpdate: ${browserDoc?.content?.length ?? 0} nodes would replace ${state.document?.content?.length ?? 0} nodes (checkpointed, write refused)`);
+        return { preservedServerEntries: 0 };
+    }
     const { canonical: browserCanonical, overlayEntries: browserOverlay } = splitMergedDoc(browserDoc);
     // Identify server overlay entries to preserve: those added after browser's baseline.
     const preserved = [];
@@ -188,7 +233,14 @@ export function syncBrowserDocUpdate(browserDoc, browserVersion) {
     }
     // Apply: browser's canonical view + merged overlay.
     state.canonical = browserCanonical;
-    setOverlayFromEntries(Array.from(merged.values()));
+    // The browser-derived canonical may still hold a rewrite's NEW text when the
+    // browser dropped that node's pendingOriginalContent (stripPendingFromDoc
+    // couldn't revert it). Re-assert the authoritative baseline from the merged
+    // overlay so the next applyOverlayPure doesn't falsely flag pendingStaleBaseline.
+    // adr: adr/pending-overlay-model.md
+    const mergedEntries = Array.from(merged.values());
+    reconcileCanonicalToBaselines(state.canonical, mergedEntries);
+    setOverlayFromEntries(mergedEntries);
     return { preservedServerEntries: preserved.length };
 }
 const listeners = new Set();
@@ -846,13 +898,14 @@ export function getStatus() {
 // SETTERS
 // ============================================================================
 export function updateDocument(doc) {
-    // Safety: reject dramatically smaller documents (same logic as destructive save check).
-    // Prevents stale browser tabs from overwriting the correct in-memory state with
-    // corrupted content (e.g. tweet compose view sending 4-node doc vs 40-node original).
-    const currentNodes = state.document?.content?.length ?? 0;
-    const incomingNodes = doc?.content?.length ?? 0;
-    if (currentNodes > 5 && incomingNodes < currentNodes * 0.3) {
-        console.error(`[State] BLOCKED destructive updateDocument: ${incomingNodes} nodes would replace ${currentNodes} nodes`);
+    // Browser-write fidelity: refuse a clobbering body-collapse. A compose
+    // surface that mounted empty (wrong view) or parsed the body through a
+    // narrower schema can otherwise overwrite a populated body with near-
+    // nothing. Checkpoint the good on-disk body first, then refuse.
+    // adr: adr/browser-write-fidelity.md
+    if (wouldCollapseBody(state.document, doc)) {
+        checkpointActiveBody();
+        console.error(`[State] REFUSED body-collapse in updateDocument: ${doc?.content?.length ?? 0} nodes would replace ${state.document?.content?.length ?? 0} nodes (checkpointed, write refused)`);
         return;
     }
     // Trust the browser-sent doc as authoritative. The WebSocket handler's
@@ -2706,6 +2759,17 @@ export function saveDocToFile(filename, doc) {
     try {
         const raw = readFileSync(targetPath, 'utf-8');
         const parsed = markdownToTiptap(raw);
+        // Browser-write fidelity: this routes a doc-update to a NON-active file
+        // (the server switched away mid-flight). Refuse a clobbering collapse
+        // against the target's own on-disk body; checkpoint it first.
+        // adr: adr/browser-write-fidelity.md
+        if (wouldCollapseBody(parsed.document, doc)) {
+            const refuseDocId = (parsed.metadata && typeof parsed.metadata.docId === 'string') ? parsed.metadata.docId : '';
+            if (refuseDocId)
+                forceSnapshot(refuseDocId, targetPath);
+            console.error(`[State] REFUSED body-collapse in saveDocToFile(${filename}): ${doc?.content?.length ?? 0} nodes would replace ${parsed.document?.content?.length ?? 0} nodes (checkpointed, write refused)`);
+            return;
+        }
         // Transfer pending attrs from on-disk version to the incoming doc
         if (hasPendingChanges(parsed.document)) {
             transferPendingAttrs(parsed.document, doc);

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "openwriter",
-  "version": "0.28.0",
+  "version": "0.28.2",
   "description": "The open-source writing surface for AI agents. Markdown-native editor with pending change review — your agent writes, you accept or reject.",
   "type": "module",
   "license": "MIT",