openwriter 0.37.0 → 0.38.0

package/dist/client/index.html

@@ -10,8 +10,8 @@
     <link rel="preconnect" href="https://fonts.googleapis.com" />
     <link rel="preconnect" href="https://fonts.gstatic.com" crossorigin />
     <link href="https://fonts.googleapis.com/css2?family=Charter:ital,wght@0,400;0,700;1,400&family=Crimson+Pro:ital,wght@0,300;0,400;0,600;0,700;1,400&family=DM+Sans:ital,wght@0,400;0,500;0,600;0,700;1,400&family=DM+Serif+Display&family=IBM+Plex+Mono:wght@400;500;600&family=IBM+Plex+Sans:wght@400;500;600&family=Inter:wght@400;500;600;700&family=Libre+Baskerville:ital,wght@0,400;0,700;1,400&family=Literata:ital,opsz,wght@0,7..72,400;0,7..72,600;0,7..72,700;1,7..72,400&family=Newsreader:ital,opsz,wght@0,6..72,400;0,6..72,600;1,6..72,400&family=Playfair+Display:wght@400;600;700;900&family=Source+Serif+4:ital,opsz,wght@0,8..60,400;0,8..60,600;0,8..60,700;1,8..60,400&family=Space+Grotesk:wght@400;500;600;700&family=Space+Mono:wght@400;700&display=swap" rel="stylesheet" />
-    <script type="module" crossorigin src="/assets/index-BBEdpqBq.js"></script>
-    <link rel="stylesheet" crossorigin href="/assets/index-Dz0iuWDM.css">
+    <script type="module" crossorigin src="/assets/index-C_Zb7mUx.js"></script>
+    <link rel="stylesheet" crossorigin href="/assets/index-2miZWC8D.css">
   </head>
   <body>
     <div id="root"></div>

package/dist/server/connections.js

@@ -4,13 +4,45 @@
  */
 import { readConfig, getActiveProfile } from './helpers.js';
 const DEFAULT_API_URL = 'https://publish.openwriter.io';
+// MCP-6: the platform Bearer key is attached to every request sent to
+// `api-url`. Because plugin config is writable (and was writable unauth before
+// the MCP-5 gate), a hijacked `api-url` could redirect the next authenticated
+// call to an attacker host and exfiltrate the key. We PIN the destination: the
+// Bearer key only ever ships to an OpenWriter-controlled host (or loopback for
+// local platform dev). Anything else falls back to the default host.
+const ALLOWED_PUBLISH_HOSTS = new Set(['publish.openwriter.io', 'openwriter.io']);
+/** True when `url` is a safe destination for the platform Bearer key. */
+export function isAllowedPublishApiUrl(url) {
+    let u;
+    try {
+        u = new URL(url);
+    }
+    catch {
+        return false;
+    }
+    const host = u.hostname.toLowerCase();
+    // Local platform development over loopback (either scheme).
+    if (host === 'localhost' || host === '127.0.0.1' || host === '::1')
+        return true;
+    // Production: HTTPS only, OpenWriter-controlled host (incl. subdomains).
+    if (u.protocol !== 'https:')
+        return false;
+    return ALLOWED_PUBLISH_HOSTS.has(host) || host.endsWith('.openwriter.io');
+}
 /** Get API key and URL from plugin config */
 function getPublishConfig() {
     const config = readConfig();
     const publishConfig = config.plugins?.['@openwriter/plugin-publish']?.config || {};
+    const rawUrl = publishConfig['api-url'] || DEFAULT_API_URL;
+    // Pin to an allowed destination — never let a redirected api-url carry the
+    // Bearer key off-host. MCP-6.
+    const apiUrl = isAllowedPublishApiUrl(rawUrl) ? rawUrl : DEFAULT_API_URL;
+    if (apiUrl !== rawUrl) {
+        console.warn('[connections] publish api-url not on allowlist — pinned to default host');
+    }
     return {
         apiKey: publishConfig['api-key'] || '',
-        apiUrl: publishConfig['api-url'] || DEFAULT_API_URL,
+        apiUrl,
     };
 }
 /** Authenticated fetch to the platform API */

package/dist/server/content-type-meta.js

@@ -15,6 +15,7 @@ export function resolveTypeMeta(type, url) {
         case 'linkedin': return { content_type: 'linkedin', linkedinContext: { active: true } };
         case 'newsletter': return { content_type: 'newsletter', newsletterContext: { active: true } };
         case 'blog': return { content_type: 'blog', blogContext: { active: true } };
+        case 'manuscript': return { content_type: 'manuscript', manuscriptContext: { active: true } };
         default: return undefined;
     }
 }

package/dist/server/helpers.js

@@ -128,9 +128,9 @@ export function canonicalizeIdentifier(id) {
  * Canonicalizes both sides of the comparison so that mixed separators,
  * drive-letter case, and symlink-resolved variants of the same file all
  * classify consistently. The pre-canonicalization version compared raw
- * strings via `startsWith`, which let `C:/Users/.../data-dir/foo.md`
+ * strings via `startsWith`, which let `C:/Users/me/data-dir/foo.md`
  * be classified as external on Windows because `getDataDir()` returns
- * `C:\Users\...\data-dir` (different separators).
+ * `C:\Users\me\data-dir` (different separators).
  *
  * adr: adr/path-canonicalization.md
  */

package/dist/server/image-upload.js

@@ -7,9 +7,151 @@ import multer from 'multer';
 import { existsSync, mkdirSync } from 'fs';
 import { join, extname } from 'path';
 import { randomUUID } from 'crypto';
+import { isIP } from 'net';
+import { lookup } from 'dns/promises';
 import { getDataDir, ensureDataDir } from './helpers.js';
 import express from 'express';
 function getImagesDir() { return join(getDataDir(), '_images'); }
+// ── SSRF guard for /api/download-image (MCP-8) ──────────────────────────────
+// The endpoint server-side-fetches a caller-supplied URL. Without a guard an
+// attacker can point it at internal services, the cloud metadata endpoint
+// (169.254.169.254), or loopback — a classic SSRF. We allow only https, block
+// every private / loopback / link-local / reserved IP range (resolving DNS
+// first), follow redirects manually with re-validation at each hop, and cap
+// both response size and request time.
+const MAX_IMAGE_BYTES = 10 * 1024 * 1024; // 10MB, matches the upload limit
+const FETCH_TIMEOUT_MS = 15_000;
+const MAX_REDIRECTS = 3;
+function isBlockedIpv4(ip) {
+    const parts = ip.split('.').map(Number);
+    if (parts.length !== 4 || parts.some((n) => Number.isNaN(n) || n < 0 || n > 255))
+        return true;
+    const [a, b] = parts;
+    if (a === 0)
+        return true; // 0.0.0.0/8 "this host"
+    if (a === 10)
+        return true; // 10.0.0.0/8 private
+    if (a === 127)
+        return true; // 127.0.0.0/8 loopback
+    if (a === 169 && b === 254)
+        return true; // 169.254.0.0/16 link-local (incl. metadata 169.254.169.254)
+    if (a === 172 && b >= 16 && b <= 31)
+        return true; // 172.16.0.0/12 private
+    if (a === 192 && b === 168)
+        return true; // 192.168.0.0/16 private
+    if (a === 100 && b >= 64 && b <= 127)
+        return true; // 100.64.0.0/10 CGNAT
+    if (a >= 224)
+        return true; // 224.0.0.0/4 multicast + 240/4 reserved + 255 broadcast
+    return false;
+}
+function isBlockedIpv6(ip) {
+    const s = ip.toLowerCase().replace(/^\[|\]$/g, '');
+    // IPv4-mapped (::ffff:a.b.c.d) — classify on the embedded v4 address.
+    const mapped = s.match(/(?:^|:)((?:\d{1,3}\.){3}\d{1,3})$/);
+    if (mapped)
+        return isBlockedIpv4(mapped[1]);
+    if (s === '::1' || s === '::')
+        return true; // loopback / unspecified
+    if (s.startsWith('fe8') || s.startsWith('fe9') || s.startsWith('fea') || s.startsWith('feb'))
+        return true; // fe80::/10 link-local
+    if (s.startsWith('fc') || s.startsWith('fd'))
+        return true; // fc00::/7 unique-local
+    if (s.startsWith('ff'))
+        return true; // ff00::/8 multicast
+    return false;
+}
+function isBlockedAddress(ip) {
+    const fam = isIP(ip);
+    if (fam === 4)
+        return isBlockedIpv4(ip);
+    if (fam === 6)
+        return isBlockedIpv6(ip);
+    return true; // not a recognizable IP → refuse
+}
+/** Throw unless `rawUrl` is an https URL whose host resolves only to public addresses. */
+async function assertSafeImageUrl(rawUrl) {
+    let parsed;
+    try {
+        parsed = new URL(rawUrl);
+    }
+    catch {
+        throw new Error('blocked');
+    }
+    if (parsed.protocol !== 'https:')
+        throw new Error('blocked');
+    const host = parsed.hostname.replace(/^\[|\]$/g, '');
+    if (isIP(host)) {
+        if (isBlockedAddress(host))
+            throw new Error('blocked');
+        return;
+    }
+    let addrs;
+    try {
+        addrs = await lookup(host, { all: true });
+    }
+    catch {
+        throw new Error('blocked');
+    }
+    if (addrs.length === 0)
+        throw new Error('blocked');
+    for (const a of addrs) {
+        if (isBlockedAddress(a.address))
+            throw new Error('blocked');
+    }
+}
+/** Fetch an image with SSRF guards: https-only, public-IP-only, manual
+ *  redirect re-validation, size cap, and timeout. Returns the response for a
+ *  caller to read (the caller still enforces the byte cap while streaming). */
+async function safeImageFetch(initialUrl) {
+    let current = initialUrl;
+    for (let hop = 0; hop <= MAX_REDIRECTS; hop++) {
+        await assertSafeImageUrl(current);
+        const controller = new AbortController();
+        const timer = setTimeout(() => controller.abort(), FETCH_TIMEOUT_MS);
+        let response;
+        try {
+            response = await fetch(current, { redirect: 'manual', signal: controller.signal });
+        }
+        finally {
+            clearTimeout(timer);
+        }
+        if (response.status >= 300 && response.status < 400) {
+            const location = response.headers.get('location');
+            if (!location)
+                return response;
+            current = new URL(location, current).toString(); // re-validated at loop top
+            continue;
+        }
+        return response;
+    }
+    throw new Error('blocked');
+}
+/** Read a response body into a Buffer, aborting (returns null) once `max` bytes
+ *  are exceeded so a server that lies about content-length can't blow past the cap. */
+async function readCapped(response, max) {
+    if (!response.body) {
+        const buf = Buffer.from(await response.arrayBuffer());
+        return buf.length > max ? null : buf;
+    }
+    const reader = response.body.getReader();
+    const chunks = [];
+    let total = 0;
+    while (true) {
+        const { done, value } = await reader.read();
+        if (done)
+            break;
+        if (value) {
+            total += value.length;
+            if (total > max) {
+                await reader.cancel().catch(() => { });
+                return null;
+            }
+            chunks.push(value);
+        }
+    }
+    return Buffer.concat(chunks);
+}
 function ensureImagesDir() {
     ensureDataDir();
     const dir = getImagesDir();
@@ -61,8 +203,17 @@ export function createImageRouter() {
             res.status(400).json({ error: 'No URL provided' });
             return;
         }
+        let response;
+        try {
+            response = await safeImageFetch(url);
+        }
+        catch {
+            // SSRF guard rejected the URL (bad scheme, private/blocked host, too many
+            // redirects). Generic message — never echo the resolved host or reason.
+            res.status(400).json({ error: 'URL not allowed' });
+            return;
+        }
         try {
-            const response = await fetch(url);
             if (!response.ok) {
                 res.status(400).json({ error: 'Failed to fetch image' });
                 return;
@@ -72,14 +223,25 @@ export function createImageRouter() {
                 res.status(400).json({ error: 'URL is not an image' });
                 return;
             }
+            // Reject early if the server declares an over-limit size.
+            const declaredLen = Number(response.headers.get('content-length'));
+            if (Number.isFinite(declaredLen) && declaredLen > MAX_IMAGE_BYTES) {
+                res.status(400).json({ error: 'Image too large' });
+                return;
+            }
             const ext = contentType.includes('jpeg') || contentType.includes('jpg') ? '.jpg'
                 : contentType.includes('gif') ? '.gif'
                     : contentType.includes('webp') ? '.webp'
                         : '.png';
+            // Stream with a hard byte cap so a lying/streaming server can't exhaust disk.
+            const buffer = await readCapped(response, MAX_IMAGE_BYTES);
+            if (!buffer) {
+                res.status(400).json({ error: 'Image too large' });
+                return;
+            }
             ensureImagesDir();
             const filename = `${randomUUID().slice(0, 8)}${ext}`;
             const filePath = join(getImagesDir(), filename);
-            const buffer = Buffer.from(await response.arrayBuffer());
             const { writeFileSync } = await import('fs');
             writeFileSync(filePath, buffer);
             const src = `/_images/${filename}`;

package/dist/server/index.js

@@ -27,6 +27,7 @@ import { removeDocFromAllWorkspaces } from './workspaces.js';
 import { resolveDocPath, getActiveProfile, setActiveProfile, listProfiles, createProfile, deleteProfile, listTrashedProfiles, restoreProfile, saveConfig, readConfig } from './helpers.js';
 import { createImageRouter } from './image-upload.js';
 import { createExportRouter } from './export-routes.js';
+import { createManuscriptRouter } from './manuscript-routes.js';
 import { createConnectionRouter } from './connection-routes.js';
 import { createSchedulerRouter } from './scheduler-routes.js';
 import { createBillingRouter } from './billing-routes.js';
@@ -45,6 +46,109 @@ const __dirname = dirname(__filename);
 let runtimePort = 5050;
 export function getRuntimePort() { return runtimePort; }
 export function getBaseUrl() { return `http://localhost:${runtimePort}`; }
+// ---- Trust boundary (anti-DNS-rebinding + CSRF) — MCP-5 ----
+// The HTTP API binds to loopback and historically trusted "localhost = the
+// user." That is false: with no Host/Origin validation a remote website can
+// reach this API via DNS rebinding (its page rebinds a hostname to 127.0.0.1,
+// the browser keeps sending the attacker's Host/Origin) and drive every
+// mutating route — switch profiles, enable plugins, rewrite plugin config.
+// The middleware below is the single gate for ALL routes. adr: see MCP-5.
+const LOOPBACK_HOSTS = new Set(['localhost', '127.0.0.1', '::1']);
+/** Split a Host header into hostname + optional port, handling [::1]:port. */
+function splitHostHeader(hostHeader) {
+    if (hostHeader.startsWith('[')) {
+        const close = hostHeader.indexOf(']');
+        if (close === -1)
+            return { host: hostHeader };
+        const host = hostHeader.slice(1, close);
+        const rest = hostHeader.slice(close + 1);
+        return { host, port: rest.startsWith(':') ? rest.slice(1) : undefined };
+    }
+    const colon = hostHeader.lastIndexOf(':');
+    if (colon === -1)
+        return { host: hostHeader };
+    return { host: hostHeader.slice(0, colon), port: hostHeader.slice(colon + 1) };
+}
+/** True when the Host header names loopback on the port we are serving. */
+function isAllowedHost(hostHeader, port) {
+    if (!hostHeader)
+        return false;
+    const { host, port: p } = splitHostHeader(hostHeader.trim());
+    if (!LOOPBACK_HOSTS.has(host.toLowerCase()))
+        return false;
+    if (p !== undefined && p !== String(port))
+        return false;
+    return true;
+}
+/** True when an Origin/Referer URL is same-origin (loopback on our port). */
+function isAllowedOrigin(value, port) {
+    if (!value)
+        return false;
+    try {
+        const u = new URL(value);
+        if (!LOOPBACK_HOSTS.has(u.hostname.toLowerCase()))
+            return false;
+        if (u.port && u.port !== String(port))
+            return false;
+        return true;
+    }
+    catch {
+        return false;
+    }
+}
+const STATE_CHANGING = new Set(['POST', 'PUT', 'PATCH', 'DELETE']);
+/**
+ * Global security gate, applied before any route or body parsing.
+ *  (a) Host allowlist — the anti-DNS-rebinding control.
+ *  (b) Origin/Referer same-origin check on state-changing methods (CSRF).
+ *      Browsers always send Origin on cross-origin POST, so a rebound page is
+ *      rejected here too. A *missing* Origin is allowed only for state-changing
+ *      requests from non-browser local clients (the client-mode MCP-over-HTTP
+ *      proxy uses curl-style requests with no Origin); the Host gate still
+ *      bounds those to loopback.
+ *  (c) Restrictive security headers on every response.
+ */
+function securityGate(port) {
+    return (req, res, next) => {
+        res.setHeader('X-Content-Type-Options', 'nosniff');
+        res.setHeader('X-Frame-Options', 'DENY');
+        res.setHeader('Referrer-Policy', 'no-referrer');
+        res.setHeader('Content-Security-Policy', [
+            "default-src 'self'",
+            "script-src 'self' 'unsafe-inline' 'unsafe-eval'",
+            "style-src 'self' 'unsafe-inline'",
+            "img-src 'self' data: blob: https:",
+            "font-src 'self' data:",
+            "connect-src 'self' ws: wss:",
+            "frame-ancestors 'none'",
+            "base-uri 'self'",
+            "object-src 'none'",
+        ].join('; '));
+        if (!isAllowedHost(req.headers.host, port)) {
+            res.status(403).json({ error: 'Forbidden' });
+            return;
+        }
+        if (STATE_CHANGING.has(req.method)) {
+            const origin = req.headers.origin;
+            const referer = req.headers.referer;
+            if (origin) {
+                if (!isAllowedOrigin(origin, port)) {
+                    res.status(403).json({ error: 'Forbidden' });
+                    return;
+                }
+            }
+            else if (referer) {
+                if (!isAllowedOrigin(referer, port)) {
+                    res.status(403).json({ error: 'Forbidden' });
+                    return;
+                }
+            }
+            // No Origin and no Referer: non-browser local client; Host gate above
+            // already constrained it to loopback. Allow.
+        }
+        next();
+    };
+}
 export async function startHttpServer(options = {}) {
     const port = options.port || 5050;
     runtimePort = port;
@@ -55,6 +159,11 @@ export async function startHttpServer(options = {}) {
     initLogger();
     logger.info('state', 'server-boot', `OpenWriter starting on port ${port}`, { port });
     const app = express();
+    // Trust boundary FIRST — reject cross-host / cross-origin before body
+    // parsing or any route handler runs. Covers every route, including the
+    // unauth state-changers /api/profiles/switch, /api/plugins/enable,
+    // /api/plugins/config, and the universal /api/mcp-call dispatcher. MCP-5.
+    app.use(securityGate(port));
     app.use(express.json({ limit: '10mb' }));
     // API routes for direct HTTP access (fallback if WS not available)
     app.get('/api/status', (_req, res) => {
@@ -69,7 +178,13 @@ export async function startHttpServer(options = {}) {
         }));
         res.json({ tools });
     });
-    // MCP-over-HTTP: allows client-mode terminals to proxy tool calls
+    // MCP-over-HTTP: allows client-mode terminals to proxy tool calls.
+    // MCP-4: this dispatches ANY MCP tool with the user's platform credentials,
+    // so it MUST never be reachable cross-origin. That guarantee is provided by
+    // the global securityGate above (Host allowlist + Origin/Referer check on
+    // POST) — a DNS-rebound page cannot satisfy either. No tool is intentionally
+    // exposed beyond same-origin/local callers here; any future tool that must
+    // never be driven over HTTP should be denylisted at this entry point.
     app.post('/api/mcp-call', async (req, res) => {
         const { tool: toolName, arguments: args } = req.body;
         // Wrap the call in a request ID scope so every event logged during
@@ -120,6 +235,8 @@ export async function startHttpServer(options = {}) {
     // if installed). SyncButton + SyncSetupModal hit /api/sync/* unchanged.
     // Mount export routes
     app.use(createExportRouter());
+    // Mount manuscript compile/render routes (book binding -> epub/docx/html/md)
+    app.use(createManuscriptRouter());
     // Mount connection CRUD + profile binding routes
     app.use(createConnectionRouter());
     // Mount scheduler proxy routes

package/dist/server/logger.js

@@ -5,7 +5,7 @@
  *   - One JSON-per-line file at `~/.openwriter/profiles/<profile>/events.log`.
  *     One file (not per-category) so grep/jq covers everything in one place.
  *   - Levels: error < warn < info < debug < trace. Default `error` — safe
- *     for public installs. Travis's machine overrides to `trace` via
+ *     for public installs. The operator's machine overrides to `trace` via
  *     `~/.openwriter/log-config.json`.
  *   - Document text is redacted unless `includeText: true` is set in the
  *     config file. Public users never have text content land in logs.
@@ -18,7 +18,7 @@
  *     restart. The current `diagnostic.log` proved this works.
  *
  * Public users see: errors only, no text, small file, share freely for
- * bug reports without privacy concern. Travis sees: everything, with text.
+ * bug reports without privacy concern. The operator sees: everything, with text.
  *
  * adr: adr/logging-system.md
  */

package/dist/server/manuscript/assemble.js

@@ -0,0 +1,128 @@
+/** Book heading level for a manifest heading. The manifest owns the book's whole
+ *  heading hierarchy: `## chapter` → book h1, `### section` → h2, `#### ` → h3,
+ *  etc. (level − 1, clamped ≥1). `## = chapter` keeps the existing convention, so
+ *  any current `##`-only manifest renders byte-identically; deeper levels are
+ *  purely additive. A `#` and a `##` both map to h1 (clamp). */
+function bookLevel(manifestLevel) {
+    return Math.max(1, manifestLevel - 1);
+}
+export function assemble(manifest, bodyMap) {
+    const warnings = [];
+    // Chapters-only navigation: TOC + tick-rail list book-h1 headings (manifest
+    // level ≤ 2), in document order, so they align with md.ts's `#ch-N` anchors.
+    // Sub-section headers still render in the book (and the EPUB's own nav), just
+    // not in the chapter contents list.
+    const tocEntries = manifest.sections
+        .filter((s) => s.heading && bookLevel(s.level) === 1)
+        .map((s) => s.heading);
+    let ordinal = 0; // per-doc footnote namespace counter
+    const out = [];
+    for (const section of manifest.sections) {
+        // Emit EVERY manifest heading at its mapped book level — including a
+        // structural divider with no beats under it (a "Part" line, a section title
+        // between beats). The book's heading structure is whatever the manifest says.
+        if (section.heading) {
+            const lvl = bookLevel(section.level);
+            out.push(`${'#'.repeat(lvl)} ${section.heading}`, '');
+        }
+        for (const item of section.items) {
+            if (item.kind === 'toc') {
+                const toc = renderToc(tocEntries);
+                if (toc)
+                    out.push(toc, '');
+                continue;
+            }
+            const resolved = item.docId ? bodyMap.get(item.docId) : undefined;
+            if (!resolved) {
+                warnings.push(`Unresolved docId ${item.docId} (${item.text ?? ''}) — not in workspace?`);
+                out.push(`> **[unresolved: ${item.text ?? item.docId}]**`, '');
+                continue;
+            }
+            ordinal += 1;
+            let body = resolved.body.trim();
+            body = namespaceFootnotes(body, ordinal);
+            // Nest a beat's own headings just below its enclosing manifest heading:
+            // under a book-h{N} section, the beat's internal h1 becomes h{N+1}.
+            // Pre-heading / front-matter beats (no enclosing heading) keep their structure.
+            if (section.heading)
+                body = demoteHeadings(body, bookLevel(section.level));
+            out.push(body, '');
+        }
+    }
+    const markdown = out.join('\n').replace(/\n{3,}/g, '\n\n').trim() + '\n';
+    return { markdown, warnings };
+}
+function renderToc(entries) {
+    if (entries.length === 0)
+        return '';
+    // Link each entry to its chapter anchor (#ch-N). md.ts stamps the matching id
+    // on the Nth h1, in the same order chapters are emitted here, so they align.
+    return ['## Contents', '', ...entries.map((e, i) => `- [${e}](#ch-${i + 1})`)].join('\n');
+}
+/**
+ * Make a doc's footnote labels globally unique by namespacing them with an
+ * ordinal. Handles both references `[^x]` and definitions `[^x]:`, numeric or
+ * mnemonic. Only labels that are actually DEFINED in this doc are remapped, so
+ * stray `[^...]`-looking text isn't touched. Fenced code blocks are skipped.
+ */
+function namespaceFootnotes(body, ordinal) {
+    const defRe = /^\s*\[\^([^\]]+)\]:/;
+    const labels = new Set();
+    forEachLineOutsideFence(body, (line) => {
+        const m = line.match(defRe);
+        if (m)
+            labels.add(m[1]);
+    });
+    if (labels.size === 0)
+        return body;
+    return mapLinesOutsideFence(body, (line) => line.replace(/\[\^([^\]]+)\]/g, (full, label) => labels.has(label) ? `[^fn${ordinal}-${label}]` : full));
+}
+/** Shift ATX heading levels down by `by`, clamped at h6, skipping code fences. */
+function demoteHeadings(body, by) {
+    if (by <= 0)
+        return body;
+    return mapLinesOutsideFence(body, (line) => {
+        const h = line.match(/^(#{1,6})(\s+)(.*)$/);
+        if (!h)
+            return line;
+        const newLevel = Math.min(6, h[1].length + by);
+        return '#'.repeat(newLevel) + h[2] + h[3];
+    });
+}
+// ── fenced-code-aware line helpers ──────────────────────────────────────────
+function isFenceLine(line) {
+    const m = line.match(/^\s*(```+|~~~+)/);
+    return m ? m[1][0] : null;
+}
+function forEachLineOutsideFence(body, fn) {
+    let fence = null;
+    for (const line of body.split('\n')) {
+        const f = isFenceLine(line);
+        if (f) {
+            if (fence === null)
+                fence = f;
+            else if (fence === f)
+                fence = null;
+            continue;
+        }
+        if (fence === null)
+            fn(line);
+    }
+}
+function mapLinesOutsideFence(body, fn) {
+    let fence = null;
+    const lines = body.split('\n');
+    for (let i = 0; i < lines.length; i++) {
+        const f = isFenceLine(lines[i]);
+        if (f) {
+            if (fence === null)
+                fence = f;
+            else if (fence === f)
+                fence = null;
+            continue;
+        }
+        if (fence === null)
+            lines[i] = fn(lines[i]);
+    }
+    return lines.join('\n');
+}

package/dist/server/manuscript/index.js

@@ -0,0 +1,35 @@
+/**
+ * Manuscript compiler — orchestrator.
+ *
+ * compileManuscript(manifestBody) → one assembled master markdown document +
+ * any warnings (unresolved pointers, unrecognized manifest lines). Rendering to
+ * EPUB / DOCX / PDF / HTML is a separate adapter layer (later phase); every
+ * render target consumes this single master markdown, so preview and export are
+ * the same pipeline differing only in the final step.
+ *
+ * adr: adr/manuscript-engine.md
+ */
+import { parseManifest } from './parse.js';
+import { resolveManifestDocs } from './resolve.js';
+import { assemble } from './assemble.js';
+export function compileManuscript(manifestBody, meta = {}) {
+    const manifest = parseManifest(manifestBody);
+    const { bodyMap, warnings: resolveWarnings } = resolveManifestDocs(manifest);
+    const { markdown, warnings: assembleWarnings } = assemble(manifest, bodyMap);
+    return {
+        markdown,
+        // Caller meta (from the doc's frontmatter / manuscriptContext) wins; the body
+        // no longer carries a meta block (round-trip-fragile).
+        meta: { ...manifest.meta, ...meta },
+        warnings: [...manifest.warnings, ...resolveWarnings, ...assembleWarnings],
+    };
+}
+export { parseManifest } from './parse.js';
+export { assemble } from './assemble.js';
+// Render adapters — every target consumes the one master markdown compileManuscript
+// produces, so preview (html) and export (epub/docx) are the same pipeline.
+export { bookCss } from './render/css.js';
+export { renderBodyHtml } from './render/md.js';
+export { renderBookHtml } from './render/html.js';
+export { renderEpub } from './render/epub.js';
+export { renderDocx } from './render/docx.js';