openwriter 0.36.3 → 0.37.1

package/dist/server/image-upload.js

@@ -7,9 +7,151 @@ import multer from 'multer';
 import { existsSync, mkdirSync } from 'fs';
 import { join, extname } from 'path';
 import { randomUUID } from 'crypto';
+import { isIP } from 'net';
+import { lookup } from 'dns/promises';
 import { getDataDir, ensureDataDir } from './helpers.js';
 import express from 'express';
 function getImagesDir() { return join(getDataDir(), '_images'); }
+// ── SSRF guard for /api/download-image (MCP-8) ──────────────────────────────
+// The endpoint server-side-fetches a caller-supplied URL. Without a guard an
+// attacker can point it at internal services, the cloud metadata endpoint
+// (169.254.169.254), or loopback — a classic SSRF. We allow only https, block
+// every private / loopback / link-local / reserved IP range (resolving DNS
+// first), follow redirects manually with re-validation at each hop, and cap
+// both response size and request time.
+const MAX_IMAGE_BYTES = 10 * 1024 * 1024; // 10MB, matches the upload limit
+const FETCH_TIMEOUT_MS = 15_000;
+const MAX_REDIRECTS = 3;
+function isBlockedIpv4(ip) {
+    const parts = ip.split('.').map(Number);
+    if (parts.length !== 4 || parts.some((n) => Number.isNaN(n) || n < 0 || n > 255))
+        return true;
+    const [a, b] = parts;
+    if (a === 0)
+        return true; // 0.0.0.0/8 "this host"
+    if (a === 10)
+        return true; // 10.0.0.0/8 private
+    if (a === 127)
+        return true; // 127.0.0.0/8 loopback
+    if (a === 169 && b === 254)
+        return true; // 169.254.0.0/16 link-local (incl. metadata 169.254.169.254)
+    if (a === 172 && b >= 16 && b <= 31)
+        return true; // 172.16.0.0/12 private
+    if (a === 192 && b === 168)
+        return true; // 192.168.0.0/16 private
+    if (a === 100 && b >= 64 && b <= 127)
+        return true; // 100.64.0.0/10 CGNAT
+    if (a >= 224)
+        return true; // 224.0.0.0/4 multicast + 240/4 reserved + 255 broadcast
+    return false;
+}
+function isBlockedIpv6(ip) {
+    const s = ip.toLowerCase().replace(/^\[|\]$/g, '');
+    // IPv4-mapped (::ffff:a.b.c.d) — classify on the embedded v4 address.
+    const mapped = s.match(/(?:^|:)((?:\d{1,3}\.){3}\d{1,3})$/);
+    if (mapped)
+        return isBlockedIpv4(mapped[1]);
+    if (s === '::1' || s === '::')
+        return true; // loopback / unspecified
+    if (s.startsWith('fe8') || s.startsWith('fe9') || s.startsWith('fea') || s.startsWith('feb'))
+        return true; // fe80::/10 link-local
+    if (s.startsWith('fc') || s.startsWith('fd'))
+        return true; // fc00::/7 unique-local
+    if (s.startsWith('ff'))
+        return true; // ff00::/8 multicast
+    return false;
+}
+function isBlockedAddress(ip) {
+    const fam = isIP(ip);
+    if (fam === 4)
+        return isBlockedIpv4(ip);
+    if (fam === 6)
+        return isBlockedIpv6(ip);
+    return true; // not a recognizable IP → refuse
+}
+/** Throw unless `rawUrl` is an https URL whose host resolves only to public addresses. */
+async function assertSafeImageUrl(rawUrl) {
+    let parsed;
+    try {
+        parsed = new URL(rawUrl);
+    }
+    catch {
+        throw new Error('blocked');
+    }
+    if (parsed.protocol !== 'https:')
+        throw new Error('blocked');
+    const host = parsed.hostname.replace(/^\[|\]$/g, '');
+    if (isIP(host)) {
+        if (isBlockedAddress(host))
+            throw new Error('blocked');
+        return;
+    }
+    let addrs;
+    try {
+        addrs = await lookup(host, { all: true });
+    }
+    catch {
+        throw new Error('blocked');
+    }
+    if (addrs.length === 0)
+        throw new Error('blocked');
+    for (const a of addrs) {
+        if (isBlockedAddress(a.address))
+            throw new Error('blocked');
+    }
+}
+/** Fetch an image with SSRF guards: https-only, public-IP-only, manual
+ *  redirect re-validation, size cap, and timeout. Returns the response for a
+ *  caller to read (the caller still enforces the byte cap while streaming). */
+async function safeImageFetch(initialUrl) {
+    let current = initialUrl;
+    for (let hop = 0; hop <= MAX_REDIRECTS; hop++) {
+        await assertSafeImageUrl(current);
+        const controller = new AbortController();
+        const timer = setTimeout(() => controller.abort(), FETCH_TIMEOUT_MS);
+        let response;
+        try {
+            response = await fetch(current, { redirect: 'manual', signal: controller.signal });
+        }
+        finally {
+            clearTimeout(timer);
+        }
+        if (response.status >= 300 && response.status < 400) {
+            const location = response.headers.get('location');
+            if (!location)
+                return response;
+            current = new URL(location, current).toString(); // re-validated at loop top
+            continue;
+        }
+        return response;
+    }
+    throw new Error('blocked');
+}
+/** Read a response body into a Buffer, aborting (returns null) once `max` bytes
+ *  are exceeded so a server that lies about content-length can't blow past the cap. */
+async function readCapped(response, max) {
+    if (!response.body) {
+        const buf = Buffer.from(await response.arrayBuffer());
+        return buf.length > max ? null : buf;
+    }
+    const reader = response.body.getReader();
+    const chunks = [];
+    let total = 0;
+    while (true) {
+        const { done, value } = await reader.read();
+        if (done)
+            break;
+        if (value) {
+            total += value.length;
+            if (total > max) {
+                await reader.cancel().catch(() => { });
+                return null;
+            }
+            chunks.push(value);
+        }
+    }
+    return Buffer.concat(chunks);
+}
 function ensureImagesDir() {
     ensureDataDir();
     const dir = getImagesDir();
@@ -61,8 +203,17 @@ export function createImageRouter() {
             res.status(400).json({ error: 'No URL provided' });
             return;
         }
+        let response;
+        try {
+            response = await safeImageFetch(url);
+        }
+        catch {
+            // SSRF guard rejected the URL (bad scheme, private/blocked host, too many
+            // redirects). Generic message — never echo the resolved host or reason.
+            res.status(400).json({ error: 'URL not allowed' });
+            return;
+        }
         try {
-            const response = await fetch(url);
             if (!response.ok) {
                 res.status(400).json({ error: 'Failed to fetch image' });
                 return;
@@ -72,14 +223,25 @@ export function createImageRouter() {
                 res.status(400).json({ error: 'URL is not an image' });
                 return;
             }
+            // Reject early if the server declares an over-limit size.
+            const declaredLen = Number(response.headers.get('content-length'));
+            if (Number.isFinite(declaredLen) && declaredLen > MAX_IMAGE_BYTES) {
+                res.status(400).json({ error: 'Image too large' });
+                return;
+            }
             const ext = contentType.includes('jpeg') || contentType.includes('jpg') ? '.jpg'
                 : contentType.includes('gif') ? '.gif'
                     : contentType.includes('webp') ? '.webp'
                         : '.png';
+            // Stream with a hard byte cap so a lying/streaming server can't exhaust disk.
+            const buffer = await readCapped(response, MAX_IMAGE_BYTES);
+            if (!buffer) {
+                res.status(400).json({ error: 'Image too large' });
+                return;
+            }
             ensureImagesDir();
             const filename = `${randomUUID().slice(0, 8)}${ext}`;
             const filePath = join(getImagesDir(), filename);
-            const buffer = Buffer.from(await response.arrayBuffer());
             const { writeFileSync } = await import('fs');
             writeFileSync(filePath, buffer);
             const src = `/_images/${filename}`;

package/dist/server/index.js

@@ -45,6 +45,109 @@ const __dirname = dirname(__filename);
 let runtimePort = 5050;
 export function getRuntimePort() { return runtimePort; }
 export function getBaseUrl() { return `http://localhost:${runtimePort}`; }
+// ---- Trust boundary (anti-DNS-rebinding + CSRF) — MCP-5 ----
+// The HTTP API binds to loopback and historically trusted "localhost = the
+// user." That is false: with no Host/Origin validation a remote website can
+// reach this API via DNS rebinding (its page rebinds a hostname to 127.0.0.1,
+// the browser keeps sending the attacker's Host/Origin) and drive every
+// mutating route — switch profiles, enable plugins, rewrite plugin config.
+// The middleware below is the single gate for ALL routes. adr: see MCP-5.
+const LOOPBACK_HOSTS = new Set(['localhost', '127.0.0.1', '::1']);
+/** Split a Host header into hostname + optional port, handling [::1]:port. */
+function splitHostHeader(hostHeader) {
+    if (hostHeader.startsWith('[')) {
+        const close = hostHeader.indexOf(']');
+        if (close === -1)
+            return { host: hostHeader };
+        const host = hostHeader.slice(1, close);
+        const rest = hostHeader.slice(close + 1);
+        return { host, port: rest.startsWith(':') ? rest.slice(1) : undefined };
+    }
+    const colon = hostHeader.lastIndexOf(':');
+    if (colon === -1)
+        return { host: hostHeader };
+    return { host: hostHeader.slice(0, colon), port: hostHeader.slice(colon + 1) };
+}
+/** True when the Host header names loopback on the port we are serving. */
+function isAllowedHost(hostHeader, port) {
+    if (!hostHeader)
+        return false;
+    const { host, port: p } = splitHostHeader(hostHeader.trim());
+    if (!LOOPBACK_HOSTS.has(host.toLowerCase()))
+        return false;
+    if (p !== undefined && p !== String(port))
+        return false;
+    return true;
+}
+/** True when an Origin/Referer URL is same-origin (loopback on our port). */
+function isAllowedOrigin(value, port) {
+    if (!value)
+        return false;
+    try {
+        const u = new URL(value);
+        if (!LOOPBACK_HOSTS.has(u.hostname.toLowerCase()))
+            return false;
+        if (u.port && u.port !== String(port))
+            return false;
+        return true;
+    }
+    catch {
+        return false;
+    }
+}
+const STATE_CHANGING = new Set(['POST', 'PUT', 'PATCH', 'DELETE']);
+/**
+ * Global security gate, applied before any route or body parsing.
+ *  (a) Host allowlist — the anti-DNS-rebinding control.
+ *  (b) Origin/Referer same-origin check on state-changing methods (CSRF).
+ *      Browsers always send Origin on cross-origin POST, so a rebound page is
+ *      rejected here too. A *missing* Origin is allowed only for state-changing
+ *      requests from non-browser local clients (the client-mode MCP-over-HTTP
+ *      proxy uses curl-style requests with no Origin); the Host gate still
+ *      bounds those to loopback.
+ *  (c) Restrictive security headers on every response.
+ */
+function securityGate(port) {
+    return (req, res, next) => {
+        res.setHeader('X-Content-Type-Options', 'nosniff');
+        res.setHeader('X-Frame-Options', 'DENY');
+        res.setHeader('Referrer-Policy', 'no-referrer');
+        res.setHeader('Content-Security-Policy', [
+            "default-src 'self'",
+            "script-src 'self' 'unsafe-inline' 'unsafe-eval'",
+            "style-src 'self' 'unsafe-inline'",
+            "img-src 'self' data: blob: https:",
+            "font-src 'self' data:",
+            "connect-src 'self' ws: wss:",
+            "frame-ancestors 'none'",
+            "base-uri 'self'",
+            "object-src 'none'",
+        ].join('; '));
+        if (!isAllowedHost(req.headers.host, port)) {
+            res.status(403).json({ error: 'Forbidden' });
+            return;
+        }
+        if (STATE_CHANGING.has(req.method)) {
+            const origin = req.headers.origin;
+            const referer = req.headers.referer;
+            if (origin) {
+                if (!isAllowedOrigin(origin, port)) {
+                    res.status(403).json({ error: 'Forbidden' });
+                    return;
+                }
+            }
+            else if (referer) {
+                if (!isAllowedOrigin(referer, port)) {
+                    res.status(403).json({ error: 'Forbidden' });
+                    return;
+                }
+            }
+            // No Origin and no Referer: non-browser local client; Host gate above
+            // already constrained it to loopback. Allow.
+        }
+        next();
+    };
+}
 export async function startHttpServer(options = {}) {
     const port = options.port || 5050;
     runtimePort = port;
@@ -55,6 +158,11 @@ export async function startHttpServer(options = {}) {
     initLogger();
     logger.info('state', 'server-boot', `OpenWriter starting on port ${port}`, { port });
     const app = express();
+    // Trust boundary FIRST — reject cross-host / cross-origin before body
+    // parsing or any route handler runs. Covers every route, including the
+    // unauth state-changers /api/profiles/switch, /api/plugins/enable,
+    // /api/plugins/config, and the universal /api/mcp-call dispatcher. MCP-5.
+    app.use(securityGate(port));
     app.use(express.json({ limit: '10mb' }));
     // API routes for direct HTTP access (fallback if WS not available)
     app.get('/api/status', (_req, res) => {
@@ -69,7 +177,13 @@ export async function startHttpServer(options = {}) {
         }));
         res.json({ tools });
     });
-    // MCP-over-HTTP: allows client-mode terminals to proxy tool calls
+    // MCP-over-HTTP: allows client-mode terminals to proxy tool calls.
+    // MCP-4: this dispatches ANY MCP tool with the user's platform credentials,
+    // so it MUST never be reachable cross-origin. That guarantee is provided by
+    // the global securityGate above (Host allowlist + Origin/Referer check on
+    // POST) — a DNS-rebound page cannot satisfy either. No tool is intentionally
+    // exposed beyond same-origin/local callers here; any future tool that must
+    // never be driven over HTTP should be denylisted at this entry point.
     app.post('/api/mcp-call', async (req, res) => {
         const { tool: toolName, arguments: args } = req.body;
         // Wrap the call in a request ID scope so every event logged during
@@ -480,6 +594,103 @@ export async function startHttpServer(options = {}) {
             res.status(500).json({ error: err.message });
         }
     });
+    // Author attribution (voice-shape heatmap data). Returns char-weighted
+    // composition + per-node origin (human|agent|mixed|unknown) for a doc.
+    // The heatmap colours the live editor by nodeOrigins; the header shows percent.
+    // adr: adr/document-history-attribution.md
+    app.get('/api/attribution/:docId', async (req, res) => {
+        try {
+            const { docId } = req.params;
+            const { readBlame, summarizeBlame } = await import('./attribution.js');
+            const { tiptapToBlocks } = await import('./node-blocks.js');
+            let doc = null;
+            if (getDocId() === docId) {
+                doc = getDocument();
+            }
+            else {
+                const { filenameByDocId } = await import('./documents.js');
+                const { loadDocFromDisk } = await import('./pending-overlay.js');
+                const fn = filenameByDocId(docId);
+                if (fn) {
+                    try {
+                        doc = loadDocFromDisk(fn).document;
+                    }
+                    catch {
+                        doc = null;
+                    }
+                }
+            }
+            const blame = readBlame(docId);
+            if (!doc) {
+                res.json({ tracked: blame !== null, percent: { human: 0, agent: 0, unknown: 0 }, chars: { human: 0, agent: 0, unknown: 0 }, nodeOrigins: {}, attributionSince: blame?.attributionSince ?? null });
+                return;
+            }
+            const summary = summarizeBlame(blame, tiptapToBlocks(doc));
+            res.json({ tracked: blame !== null, percent: summary.percent, chars: summary.chars, nodeOrigins: summary.nodes, attributionSince: blame?.attributionSince ?? null });
+        }
+        catch (err) {
+            res.status(500).json({ error: err.message });
+        }
+    });
+    // Version commits — the attributed git-history for a doc (newest first), each
+    // with a one-line changeset label. adr: adr/document-history-attribution.md
+    app.get('/api/commits/:docId', async (req, res) => {
+        try {
+            const { listCommits, summaryLine, commitSnapshotAvailable } = await import('./commits.js');
+            const commits = listCommits(req.params.docId)
+                .map((c) => ({ ...c, label: summaryLine(c.summary), restorable: commitSnapshotAvailable(req.params.docId, c.ts) }))
+                .reverse(); // newest first for the panel
+            res.json({ commits });
+        }
+        catch (err) {
+            res.status(500).json({ error: err.message });
+        }
+    });
+    // One commit's attributed change detail (the per-event diff data the panel
+    // renders when a commit row is expanded).
+    app.get('/api/commit-detail/:docId/:ts', async (req, res) => {
+        try {
+            const { getCommitDetail } = await import('./commits.js');
+            const detail = getCommitDetail(req.params.docId, Number(req.params.ts));
+            if (!detail) {
+                res.status(404).json({ error: 'commit not found' });
+                return;
+            }
+            res.json(detail);
+        }
+        catch (err) {
+            res.status(500).json({ error: err.message });
+        }
+    });
+    // Manual "Save version" — create a commit now with an optional note. The
+    // changeset is whatever attributed edits have accrued since the last commit.
+    app.post('/api/commit', async (req, res) => {
+        try {
+            const { docId, note } = req.body || {};
+            if (!docId || typeof docId !== 'string') {
+                res.status(400).json({ error: 'docId required' });
+                return;
+            }
+            // Flush the active doc so its latest edits are on disk before we snapshot.
+            if (getDocId() === docId) {
+                try {
+                    save();
+                }
+                catch { /* best-effort */ }
+            }
+            const { commitFromFile } = await import('./commits.js');
+            const { filenameByDocId } = await import('./documents.js');
+            const { resolveDocPath } = await import('./helpers.js');
+            const fn = filenameByDocId(docId);
+            const commit = fn
+                ? commitFromFile(docId, resolveDocPath(fn), { trigger: 'manual', actor: 'human', note: typeof note === 'string' ? note : undefined, nowTs: Date.now() })
+                : null;
+            res.json({ committed: commit !== null, commit });
+        }
+        catch (err) {
+            res.status(500).json({ error: err.message });
+        }
+    });
     // References: full rebuild across all docs (idempotent rescue path).
     // Walks every .md, extracts legacy prose `doc:` links from body, merges
     // their targets into `references:`, strips any legacy `backlinks:` field.

package/dist/server/mcp.js

@@ -12,6 +12,7 @@ import { z } from 'zod';
 import { getDataDir, ensureDataDir, resolveDocPath, generateNodeId, atomicWriteFileSync, readConfig } from './helpers.js';
 import { getDocument, getWordCount, getPendingChangeCount, getTitle, getStatus, getNodesByIds, findNodesByIds, getMetadata, setMetadata, mergeMetadataUpdates, applyChanges, applyTextEdits, updateDocument, save, markAllNodesAsPending, setAgentLock, setAgentLockActive, updatePendingCacheForActiveDoc, populateDocumentFile, applyChangesToFile, applyTextEditsToFile, getDocId, getFilePath, getIsTemp, extractText, countPending, addDocTag, removeDocTag, getCachedDocument, invalidateDocCache, isAutoAcceptActive, removePendingCacheEntry, getExternalMtimeDrift, reloadActiveDocFromDisk, getCanonical, cloneWithPendingReverted, bumpDocVersion, setSortProposalOnFile, clearSortRequestOnFile, } from './state.js';
 import { tiptapToBlocks } from './node-blocks.js';
+import { readBlame, summarizeBlame } from './attribution.js';
 import { outline, peek, searchInDoc, truncateRead } from './peek-outline.js';
 import { harvestSentenceHashes, harvestCharCount } from './enrichment.js';
 import { resolveTypeMeta } from './content-type-meta.js';
@@ -200,6 +201,13 @@ const READ_PAD_MAX_WORDS = 2000;
  *  learns the new behavior without repeating the explanation. Resets on
  *  server restart. */
 let firstTruncationShown = false;
+/** MCP-9: metadata keys an agent must NEVER set via set_metadata. `autoAccept`
+ *  governs the human accept/reject gate — letting the agent write it via
+ *  open-ended frontmatter would self-grant auto-accept and bypass human review.
+ *  These are operator-only (set through the UI toggle path). The metadata
+ *  surface is otherwise intentionally open-ended, so this is a denylist of the
+ *  finite, enumerable privileged keys rather than an allowlist of content keys. */
+const AGENT_FORBIDDEN_METADATA_KEYS = new Set(['autoAccept']);
 export const TOOL_REGISTRY = [
     {
         name: 'read_pad',
@@ -551,7 +559,7 @@ export const TOOL_REGISTRY = [
                         wsInfo = ` → workspace "${workspace}"${container ? ` / ${container}` : ''}`;
                     }
                     const newDocId = getDocId();
-                    save();
+                    save('agent');
                     broadcastDocumentsChanged();
                     broadcastWorkspacesChanged();
                     broadcastDocumentSwitched(getDocument(), getTitle(), getActiveFilename(), getMetadata());
@@ -692,7 +700,7 @@ export const TOOL_REGISTRY = [
                 }
                 updateDocument(doc);
                 updatePendingCacheForActiveDoc();
-                save();
+                save('agent');
                 // Broadcast sidebar updates first (deferred from create_document) so the doc
                 // entry and spinner removal arrive in the same render cycle
                 broadcastDocumentsChanged();
@@ -880,6 +888,31 @@ export const TOOL_REGISTRY = [
             return { content: [{ type: 'text', text: Object.keys(target.metadata).length > 0 ? JSON.stringify(target.metadata) : '{}' }] };
         },
     },
+    {
+        name: 'get_attribution',
+        description: 'Get human-vs-agent author attribution for a document. Returns the char-weighted composition (% human / % agent / % unknown) plus per-node coarse origin (human | agent | mixed | unknown). Attribution is captured automatically at save time and anchored to sentence content, so it survives edits, splits, and paste-back. "unknown" = content authored before attribution tracking began. Use to report how much of a doc is genuinely author-written vs agent-scaffolded.',
+        schema: {
+            docId: z.string().describe('Target document by docId (8-char hex from list_documents).'),
+        },
+        handler: async ({ docId }) => {
+            const target = resolveDocTarget(docId);
+            const blocks = tiptapToBlocks(target.document);
+            const blame = readBlame(docId);
+            const summary = summarizeBlame(blame, blocks);
+            const nodeCounts = { human: 0, agent: 0, mixed: 0, unknown: 0 };
+            for (const origin of Object.values(summary.nodes))
+                nodeCounts[origin] = (nodeCounts[origin] ?? 0) + 1;
+            return { content: [{ type: 'text', text: JSON.stringify({
+                            docId,
+                            percent: summary.percent,
+                            chars: summary.chars,
+                            nodeOrigins: summary.nodes,
+                            nodeCounts,
+                            tracked: blame !== null,
+                            attributionSince: blame?.attributionSince ?? null,
+                        }) }] };
+        },
+    },
     {
         name: 'set_metadata',
         description: 'Update frontmatter metadata on a document. Merges with existing metadata — only provided keys are changed. Use for summaries, character lists, tags, arc notes, or any organizational data. Saves to disk immediately. Lifecycle convention (v0.19.0): use `set_metadata({ status: "canonical" })` when a doc commits to the workspace spine (Beats locks, Research Note becomes load-bearing); use `set_metadata({ status: "draft" })` when a doc is superseded or demoted. Status is the agent\'s field — the enrichment minion never writes it.',
@@ -887,8 +920,23 @@ export const TOOL_REGISTRY = [
             docId: z.string().describe('Target document by docId (8-char hex from list_documents).'),
             metadata: z.record(z.any()).describe('Key-value pairs to merge into frontmatter. Set a key to null to remove it.'),
         },
-        handler: async ({ docId, metadata: updates }) => {
+        handler: async ({ docId, metadata: rawUpdates }) => {
             const target = resolveDocTarget(docId);
+            // MCP-9: strip control keys. `autoAccept` governs the human accept/reject
+            // gate — an agent that could set it via set_metadata would self-grant
+            // auto-accept and bypass human review entirely. The approval-mode flag is
+            // operator-only (UI toggle → setDocAutoAccept / setWorkspaceAutoAccept).
+            // Stripping covers both set AND remove: deleting an explicit
+            // `autoAccept: false` would re-enable workspace-inherited auto-accept.
+            const updates = {};
+            const blockedKeys = [];
+            for (const [key, value] of Object.entries(rawUpdates)) {
+                if (AGENT_FORBIDDEN_METADATA_KEYS.has(key)) {
+                    blockedKeys.push(key);
+                    continue;
+                }
+                updates[key] = value;
+            }
             const setKeys = [];
             const removed = [];
             for (const [key, value] of Object.entries(updates)) {
@@ -923,7 +971,7 @@ export const TOOL_REGISTRY = [
                 const meta = getMetadata();
                 for (const key of removed)
                     delete meta[key];
-                save();
+                save('agent');
                 broadcastMetadataChanged(getMetadata());
                 if (cleaned.title) {
                     // Reached only on temp-file creation titling — hot promote.
@@ -962,6 +1010,8 @@ export const TOOL_REGISTRY = [
                 parts.push(`set: ${keys.join(', ')}`);
             if (removed.length > 0)
                 parts.push(`removed: ${removed.join(', ')}`);
+            if (blockedKeys.length > 0)
+                parts.push(`ignored (operator-only): ${blockedKeys.join(', ')}`);
             return { content: [{ type: 'text', text: `Metadata updated (${parts.join('; ')})` }] };
         },
     },
@@ -1015,7 +1065,7 @@ export const TOOL_REGISTRY = [
                         for (const k of LEGACY_FIELDS_TO_RETIRE)
                             delete liveMeta[k];
                         bumpDocVersion();
-                        save();
+                        save('agent');
                         broadcastMetadataChanged(getMetadata());
                     }
                     else {
@@ -1647,7 +1697,7 @@ export const TOOL_REGISTRY = [
                         doc.content.push(pendingImage);
                     }
                     updateDocument(doc);
-                    save();
+                    save('agent');
                     setAgentLockActive();
                     broadcastDocumentSwitched(doc, getTitle(), getActiveFilename(), getMetadata());
                     return { content: [{ type: 'text', text: JSON.stringify({ success: true, src, lastNodeId: imgId }) }] };
@@ -1668,7 +1718,7 @@ export const TOOL_REGISTRY = [
                     articleContext.coverImage = src;
                     articleContext.coverImages = existing;
                     setMetadata({ articleContext });
-                    save();
+                    save('agent');
                     broadcastMetadataChanged(getMetadata());
                     return { content: [{ type: 'text', text: JSON.stringify({ success: true, src, coverSet: true }) }] };
                 }
@@ -1970,7 +2020,7 @@ export const TOOL_REGISTRY = [
                 // Active doc: mutate state.metadata and let save() persist the frontmatter.
                 // save()'s writeToDisk path invalidates the backlinks cache.
                 setMetadata({ references: newReferences });
-                save();
+                save('agent');
                 broadcastMetadataChanged(getMetadata());
             }
             else {

package/dist/server/plugin-manager.js

@@ -7,6 +7,23 @@ import { discoverPlugins, loadPluginModule } from './plugin-discovery.js';
 import { registerPluginTools, removePluginTools } from './mcp.js';
 import { readConfig, saveConfig, getDataDir } from './helpers.js';
 import { broadcastPluginsChanged } from './ws.js';
+import { isAllowedPublishApiUrl } from './connections.js';
+// MCP-2: plugin config holds raw secrets (publish ow_live_ key, X OAuth1
+// tokens, GitHub PAT, Gemini key). These must never cross the HTTP API. We
+// redact any config value whose KEY names a secret before it leaves the
+// server. Returned in place of the value is a sentinel that the settings UI
+// renders as "set"; updateConfig() treats an echoed sentinel as "unchanged"
+// so a naive save round-trip can never clobber the real secret with the mask.
+const SECRET_KEY_RE = /(key|secret|token|pat|password|auth|credential|bearer)/i;
+const REDACTED_SECRET = '__OW_SECRET_REDACTED__';
+/** Mask secret-valued config fields for safe transport over the API. */
+function redactConfig(config) {
+    const out = {};
+    for (const [k, v] of Object.entries(config)) {
+        out[k] = SECRET_KEY_RE.test(k) && v ? REDACTED_SECRET : v;
+    }
+    return out;
+}
 export class PluginManager {
     app;
     plugins = new Map();
@@ -101,7 +118,22 @@ export class PluginManager {
         const managed = this.plugins.get(name);
         if (!managed)
             return { success: false, error: `Plugin "${name}" not found` };
-        managed.config = { ...managed.config, ...values };
+        // Drop echoed redaction sentinels — the API never hands out real secrets
+        // (see redactConfig), so a value equal to the sentinel means "unchanged".
+        // Keeping the spread merge then preserves the stored secret. MCP-2.
+        const incoming = {};
+        for (const [k, v] of Object.entries(values)) {
+            if (v === REDACTED_SECRET)
+                continue;
+            incoming[k] = v;
+        }
+        // MCP-6: a hijacked publish `api-url` redirects the Bearer key off-host.
+        // Reject writes that point it anywhere but an allowed destination. The
+        // load-bearing pin lives in connections.ts; this rejects bad writes early.
+        if (typeof incoming['api-url'] === 'string' && incoming['api-url'] && !isAllowedPublishApiUrl(incoming['api-url'])) {
+            return { success: false, error: 'Invalid api-url: must point to an OpenWriter publish host' };
+        }
+        managed.config = { ...managed.config, ...incoming };
         this.savePluginState();
         return { success: true };
     }
@@ -113,7 +145,7 @@ export class PluginManager {
             description: m.discovered.description,
             enabled: m.enabled,
             configSchema: m.configSchema,
-            config: m.config,
+            config: redactConfig(m.config), // MCP-2: never leak raw secrets over the API
             source: m.discovered.source,
             displayName: m.discovered.displayName,
             category: m.discovered.category,