openwriter 0.37.0 → 0.38.0

package/dist/server/mcp.js

@@ -9,7 +9,9 @@ import { randomUUID } from 'crypto';
 import { McpServer } from '@modelcontextprotocol/sdk/server/mcp.js';
 import { StdioServerTransport } from '@modelcontextprotocol/sdk/server/stdio.js';
 import { z } from 'zod';
-import { getDataDir, ensureDataDir, resolveDocPath, generateNodeId, atomicWriteFileSync, readConfig } from './helpers.js';
+import { getDataDir, ensureDataDir, resolveDocPath, generateNodeId, atomicWriteFileSync, readConfig, ROOT_DIR } from './helpers.js';
+import { compileManuscript, renderBookHtml, renderEpub, renderDocx } from './manuscript/index.js';
+import { loadManifest, safeName } from './manuscript/load.js';
 import { getDocument, getWordCount, getPendingChangeCount, getTitle, getStatus, getNodesByIds, findNodesByIds, getMetadata, setMetadata, mergeMetadataUpdates, applyChanges, applyTextEdits, updateDocument, save, markAllNodesAsPending, setAgentLock, setAgentLockActive, updatePendingCacheForActiveDoc, populateDocumentFile, applyChangesToFile, applyTextEditsToFile, getDocId, getFilePath, getIsTemp, extractText, countPending, addDocTag, removeDocTag, getCachedDocument, invalidateDocCache, isAutoAcceptActive, removePendingCacheEntry, getExternalMtimeDrift, reloadActiveDocFromDisk, getCanonical, cloneWithPendingReverted, bumpDocVersion, setSortProposalOnFile, clearSortRequestOnFile, } from './state.js';
 import { tiptapToBlocks } from './node-blocks.js';
 import { readBlame, summarizeBlame } from './attribution.js';
@@ -201,6 +203,13 @@ const READ_PAD_MAX_WORDS = 2000;
  *  learns the new behavior without repeating the explanation. Resets on
  *  server restart. */
 let firstTruncationShown = false;
+/** MCP-9: metadata keys an agent must NEVER set via set_metadata. `autoAccept`
+ *  governs the human accept/reject gate — letting the agent write it via
+ *  open-ended frontmatter would self-grant auto-accept and bypass human review.
+ *  These are operator-only (set through the UI toggle path). The metadata
+ *  surface is otherwise intentionally open-ended, so this is a denylist of the
+ *  finite, enumerable privileged keys rather than an allowlist of content keys. */
+const AGENT_FORBIDDEN_METADATA_KEYS = new Set(['autoAccept']);
 export const TOOL_REGISTRY = [
     {
         name: 'read_pad',
@@ -482,7 +491,7 @@ export const TOOL_REGISTRY = [
             workspace: z.string().optional().describe('Workspace title to add this doc to. Creates the workspace if it doesn\'t exist.'),
             container: z.string().optional().describe('Container name within the workspace (e.g. "Chapters", "Notes", "References"). Creates the container if it doesn\'t exist. Requires workspace.'),
             empty: z.boolean().optional().describe('ONLY for content_type template docs (tweets, articles) that start blank. Skips the spinner and switches immediately. Do NOT set this for content documents — use the two-step flow (create_document → populate_document) instead.'),
-            content_type: z.enum(['document', 'tweet', 'reply', 'quote', 'article', 'linkedin', 'newsletter', 'blog']).describe('Required. Use "document" for plain documents. Tweet/reply/quote/article/linkedin/newsletter/blog set type-specific metadata automatically.'),
+            content_type: z.enum(['document', 'tweet', 'reply', 'quote', 'article', 'linkedin', 'newsletter', 'blog', 'manuscript']).describe('Required. Use "document" for plain documents. Tweet/reply/quote/article/linkedin/newsletter/blog set type-specific metadata automatically. "manuscript" = a binding doc whose body is an ordered list of [text](doc:ID) pointers under ## chapter headings; populate it with the manifest, then it compiles to EPUB/DOCX via the manuscript routes.'),
             url: z.string().optional().describe('Tweet URL — REQUIRED for content_type "reply" or "quote" (e.g. "https://x.com/user/status/123"). Sets tweetContext.url automatically. Ignored for other content types.'),
             afterId: z.string().optional().describe('Place the new doc immediately after this docId (8-char hex) or containerId inside its parent. Omit to append to the bottom of the parent (the default — matches ascending-order convention: newest at bottom). Requires workspace.'),
             status: z.enum(['canonical', 'draft']).optional().describe('Agent-owned lifecycle. "canonical" = committed to spine / load-bearing for the workspace (use for Beats docs that have locked, Research Notes, Master References). "draft" = working / not load-bearing yet / scratch (DUMP docs, first-pass beats). Defaults to "draft" when omitted. Change later via set_metadata({ status: ... }) on lifecycle transitions. v0.19.0.'),
@@ -721,7 +730,7 @@ export const TOOL_REGISTRY = [
         schema: {
             writes: z.array(z.object({
                 title: z.string().describe('Title for the document.'),
-                content_type: z.enum(['document', 'tweet', 'reply', 'quote', 'article', 'linkedin', 'newsletter', 'blog']).describe('Content type. Use "document" for plain docs.'),
+                content_type: z.enum(['document', 'tweet', 'reply', 'quote', 'article', 'linkedin', 'newsletter', 'blog', 'manuscript']).describe('Content type. Use "document" for plain docs. "manuscript" = a binding doc of ordered doc: pointers.'),
                 workspace: z.string().optional().describe('Workspace title to add this doc to. Creates the workspace if it does not exist.'),
                 container: z.string().optional().describe('Container name within the workspace (e.g. "Chapters"). Requires workspace.'),
                 url: z.string().optional().describe('Tweet URL — REQUIRED for content_type "reply" or "quote".'),
@@ -870,6 +879,78 @@ export const TOOL_REGISTRY = [
             return { content: [{ type: 'text', text: `Restored "${result.title}" [${docId}] from archive` }] };
         },
     },
+    {
+        name: 'compile_manuscript',
+        description: 'Compile a manuscript doc (content_type "manuscript") into the assembled master book and report its structure + any problems — WITHOUT writing a file. Resolves every `doc:` pointer in the manifest, concatenates the canonical (accepted) bodies in manifest order under their chapter headings, namespaces footnotes, then returns: title, per-chapter word counts, chapter count, total word count, and warnings. Warnings flag unresolved pointers — a beat that points at a missing/renamed/archived doc — so this is the build-time feedback loop: run it to confirm the binding resolves and see how each chapter is sizing up. Pass includeMarkdown:true to also return the full assembled markdown (large for a real book). Target the manifest by docId (8-char hex).',
+        schema: {
+            docId: z.string().describe('The manuscript doc (the manifest) by docId (8-char hex from list_documents).'),
+            includeMarkdown: z.boolean().optional().describe('Also return the full assembled master markdown. Off by default — for a long book this is very large.'),
+        },
+        handler: async ({ docId, includeMarkdown }) => {
+            const ms = loadManifest(docId);
+            if (!ms)
+                return { content: [{ type: 'text', text: `No manuscript doc found for docId ${docId}. Is it content_type "manuscript"?` }] };
+            const { markdown, meta, warnings } = compileManuscript(ms.body, ms.meta);
+            const wc = (s) => { const t = s.trim(); return t ? t.split(/\s+/).length : 0; };
+            const chapters = [];
+            let cur = null;
+            for (const line of markdown.split('\n')) {
+                const h = line.match(/^# (.+)/);
+                if (h) {
+                    cur = { title: h[1].trim(), words: 0 };
+                    chapters.push(cur);
+                }
+                else if (cur)
+                    cur.words += wc(line);
+            }
+            const summary = {
+                title: meta.title,
+                chapterCount: chapters.length,
+                totalWords: wc(markdown),
+                chapters,
+                warnings,
+            };
+            if (includeMarkdown)
+                summary.markdown = markdown;
+            return { content: [{ type: 'text', text: JSON.stringify(summary, null, 2) }] };
+        },
+    },
+    {
+        name: 'export_manuscript',
+        description: 'Compile a manuscript doc and WRITE the rendered book to a file: epub (KDP-ready ebook), docx (Word), html (single styled file), or md (the raw assembled master markdown). Same compile + render path as the in-app preview, so the file matches what you see there. Writes to ~/.openwriter/exports/<title>.<ext> by default (or an explicit outputPath) and returns the absolute path plus any compile warnings. EPUB/HTML ship print-light (e-readers handle their own dark mode). Target the manifest by docId (8-char hex).',
+        schema: {
+            docId: z.string().describe('The manuscript doc (the manifest) by docId (8-char hex from list_documents).'),
+            format: z.enum(['epub', 'docx', 'html', 'md']).describe('Output format. epub = KDP-ready ebook; docx = Word; html = single styled file; md = raw assembled master markdown.'),
+            outputPath: z.string().optional().describe('Absolute file path to write. Defaults to ~/.openwriter/exports/<title>.<ext>.'),
+        },
+        handler: async ({ docId, format, outputPath }) => {
+            const ms = loadManifest(docId);
+            if (!ms)
+                return { content: [{ type: 'text', text: `No manuscript doc found for docId ${docId}. Is it content_type "manuscript"?` }] };
+            const result = compileManuscript(ms.body, ms.meta);
+            const dir = join(ROOT_DIR, 'exports');
+            mkdirSync(dir, { recursive: true });
+            const outPath = outputPath || join(dir, `${safeName(result.meta.title || '')}.${format}`);
+            switch (format) {
+                case 'epub':
+                    writeFileSync(outPath, await renderEpub(result.markdown, result.meta));
+                    break;
+                case 'docx':
+                    writeFileSync(outPath, await renderDocx(result.markdown, result.meta));
+                    break;
+                case 'html':
+                    writeFileSync(outPath, renderBookHtml(result.markdown, result.meta), 'utf-8');
+                    break;
+                case 'md':
+                    writeFileSync(outPath, result.markdown, 'utf-8');
+                    break;
+            }
+            const warn = result.warnings.length
+                ? ` — ${result.warnings.length} warning(s): ${result.warnings.slice(0, 3).join('; ')}${result.warnings.length > 3 ? ' …' : ''}`
+                : '';
+            return { content: [{ type: 'text', text: `Exported "${result.meta.title}" (${format}) → ${outPath}${warn}` }] };
+        },
+    },
     {
         name: 'get_metadata',
         description: 'Get the JSON frontmatter metadata for a document. Returns all key-value pairs stored in frontmatter (title, summary, characters, tags, etc.). Useful for understanding document context without reading full content.',
@@ -913,8 +994,23 @@ export const TOOL_REGISTRY = [
             docId: z.string().describe('Target document by docId (8-char hex from list_documents).'),
             metadata: z.record(z.any()).describe('Key-value pairs to merge into frontmatter. Set a key to null to remove it.'),
         },
-        handler: async ({ docId, metadata: updates }) => {
+        handler: async ({ docId, metadata: rawUpdates }) => {
             const target = resolveDocTarget(docId);
+            // MCP-9: strip control keys. `autoAccept` governs the human accept/reject
+            // gate — an agent that could set it via set_metadata would self-grant
+            // auto-accept and bypass human review entirely. The approval-mode flag is
+            // operator-only (UI toggle → setDocAutoAccept / setWorkspaceAutoAccept).
+            // Stripping covers both set AND remove: deleting an explicit
+            // `autoAccept: false` would re-enable workspace-inherited auto-accept.
+            const updates = {};
+            const blockedKeys = [];
+            for (const [key, value] of Object.entries(rawUpdates)) {
+                if (AGENT_FORBIDDEN_METADATA_KEYS.has(key)) {
+                    blockedKeys.push(key);
+                    continue;
+                }
+                updates[key] = value;
+            }
             const setKeys = [];
             const removed = [];
             for (const [key, value] of Object.entries(updates)) {
@@ -988,6 +1084,8 @@ export const TOOL_REGISTRY = [
                 parts.push(`set: ${keys.join(', ')}`);
             if (removed.length > 0)
                 parts.push(`removed: ${removed.join(', ')}`);
+            if (blockedKeys.length > 0)
+                parts.push(`ignored (operator-only): ${blockedKeys.join(', ')}`);
             return { content: [{ type: 'text', text: `Metadata updated (${parts.join('; ')})` }] };
         },
     },
@@ -1334,7 +1432,7 @@ export const TOOL_REGISTRY = [
                 settings: z.record(z.string()).optional().describe('Setting name → description (merged)'),
                 rules: z.array(z.string()).optional().describe('Writing rules for this workspace (replaces)'),
                 logline: z.string().nullable().optional().describe('One-sentence "what this workspace is for". Set null to clear.'),
-                domain: z.string().nullable().optional().describe('Subject area (e.g. "Male ethology"). Set null to clear.'),
+                domain: z.string().nullable().optional().describe('Subject area (e.g. "Marine biology"). Set null to clear.'),
                 schema: z.string().nullable().optional().describe('Workspace kind: book / concept-library / inbox / social / reference. Set null to clear.'),
                 vocab: z.array(z.string()).nullable().optional().describe('Closed list of valid domain names — Haiku classifies docs INTO these. Set null to clear (opens vocab to free-form).'),
                 relatedWorkspaces: z.array(z.string()).nullable().optional().describe('Sibling workspace filenames. Set null to clear.'),

package/dist/server/plugin-manager.js

@@ -7,6 +7,23 @@ import { discoverPlugins, loadPluginModule } from './plugin-discovery.js';
 import { registerPluginTools, removePluginTools } from './mcp.js';
 import { readConfig, saveConfig, getDataDir } from './helpers.js';
 import { broadcastPluginsChanged } from './ws.js';
+import { isAllowedPublishApiUrl } from './connections.js';
+// MCP-2: plugin config holds raw secrets (publish ow_live_ key, X OAuth1
+// tokens, GitHub PAT, Gemini key). These must never cross the HTTP API. We
+// redact any config value whose KEY names a secret before it leaves the
+// server. Returned in place of the value is a sentinel that the settings UI
+// renders as "set"; updateConfig() treats an echoed sentinel as "unchanged"
+// so a naive save round-trip can never clobber the real secret with the mask.
+const SECRET_KEY_RE = /(key|secret|token|pat|password|auth|credential|bearer)/i;
+const REDACTED_SECRET = '__OW_SECRET_REDACTED__';
+/** Mask secret-valued config fields for safe transport over the API. */
+function redactConfig(config) {
+    const out = {};
+    for (const [k, v] of Object.entries(config)) {
+        out[k] = SECRET_KEY_RE.test(k) && v ? REDACTED_SECRET : v;
+    }
+    return out;
+}
 export class PluginManager {
     app;
     plugins = new Map();
@@ -101,7 +118,22 @@ export class PluginManager {
         const managed = this.plugins.get(name);
         if (!managed)
             return { success: false, error: `Plugin "${name}" not found` };
-        managed.config = { ...managed.config, ...values };
+        // Drop echoed redaction sentinels — the API never hands out real secrets
+        // (see redactConfig), so a value equal to the sentinel means "unchanged".
+        // Keeping the spread merge then preserves the stored secret. MCP-2.
+        const incoming = {};
+        for (const [k, v] of Object.entries(values)) {
+            if (v === REDACTED_SECRET)
+                continue;
+            incoming[k] = v;
+        }
+        // MCP-6: a hijacked publish `api-url` redirects the Bearer key off-host.
+        // Reject writes that point it anywhere but an allowed destination. The
+        // load-bearing pin lives in connections.ts; this rejects bad writes early.
+        if (typeof incoming['api-url'] === 'string' && incoming['api-url'] && !isAllowedPublishApiUrl(incoming['api-url'])) {
+            return { success: false, error: 'Invalid api-url: must point to an OpenWriter publish host' };
+        }
+        managed.config = { ...managed.config, ...incoming };
         this.savePluginState();
         return { success: true };
     }
@@ -113,7 +145,7 @@ export class PluginManager {
             description: m.discovered.description,
             enabled: m.enabled,
             configSchema: m.configSchema,
-            config: m.config,
+            config: redactConfig(m.config), // MCP-2: never leak raw secrets over the API
             source: m.discovered.source,
             displayName: m.discovered.displayName,
             category: m.discovered.category,

package/dist/server/state.js

@@ -831,7 +831,7 @@ export function mergeMetadataUpdates(existing, updates) {
             return null;
     }
     // Deep-merge known context objects
-    const CONTEXT_KEYS = ['blogContext', 'newsletterContext', 'articleContext', 'tweetContext', 'linkedinContext'];
+    const CONTEXT_KEYS = ['blogContext', 'newsletterContext', 'articleContext', 'tweetContext', 'linkedinContext', 'manuscriptContext'];
     for (const key of CONTEXT_KEYS) {
         if (updates[key] && typeof updates[key] === 'object' && existing?.[key] && typeof existing[key] === 'object') {
             updates[key] = { ...existing[key], ...updates[key] };

package/dist/server/workspaces.js

@@ -4,7 +4,7 @@
  * Manifests live in ~/.openwriter/_workspaces/*.json.
  */
 import { existsSync, readFileSync, writeFileSync, readdirSync } from 'fs';
-import { join } from 'path';
+import { join, resolve, isAbsolute, sep } from 'path';
 import { randomUUID } from 'crypto';
 import matter from 'gray-matter';
 import trash from 'trash';
@@ -17,8 +17,44 @@ import { addDocToContainer, addContainer as addContainerToTree, removeNode, move
 // ============================================================================
 // INTERNAL HELPERS
 // ============================================================================
+/**
+ * Resolve a workspace manifest filename to an absolute path that is GUARANTEED
+ * to live inside the active profile's `_workspaces/` directory.
+ *
+ * The `filename` originates from MCP tool args (`wsFile`, `filename`), so it is
+ * untrusted. Without this guard a value like `../../OtherProfile/_workspaces/x.json`
+ * or an absolute path would escape the active profile and read/write/delete
+ * another profile's manifests (and, via the doc files they reference, another
+ * profile's documents). Profile scoping in OpenWriter is enforced by anchoring
+ * every manifest path under `getWorkspacesDir()` (which encodes the active
+ * profile) — so containment IS profile scoping. Escaping containment is the
+ * only way to cross profiles, and this resolver makes that impossible.
+ *
+ * Rules: no separators, no `..`, not absolute, no null byte, must end in
+ * `.json`, never the reserved `_order.json`. Then a `path.resolve` +
+ * prefix-containment assert is the authoritative backstop.
+ *
+ * adr: (MCP-7 — workspace path traversal + profile scoping)
+ */
 function workspacePath(filename) {
-    return join(getWorkspacesDir(), filename);
+    if (!filename || typeof filename !== 'string') {
+        throw new Error('Invalid workspace identifier');
+    }
+    if (filename.includes('\0') ||
+        filename.includes('/') ||
+        filename.includes('\\') ||
+        filename.includes('..') ||
+        isAbsolute(filename) ||
+        !filename.endsWith('.json') ||
+        filename === '_order.json') {
+        throw new Error('Invalid workspace identifier');
+    }
+    const baseDir = resolve(getWorkspacesDir());
+    const resolved = resolve(baseDir, filename);
+    if (resolved !== baseDir && !resolved.startsWith(baseDir + sep)) {
+        throw new Error('Invalid workspace identifier');
+    }
+    return resolved;
 }
 /**
  * Migrate workspace-level tags into document frontmatter.

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "openwriter",
-  "version": "0.37.0",
+  "version": "0.38.0",
   "description": "The open-source writing surface for AI agents. Markdown-native editor with pending change review — your agent writes, you accept or reject.",
   "type": "module",
   "license": "MIT",
@@ -63,6 +63,7 @@
     "@xdevplatform/xdk": "^0.4.0",
     "express": "^4.21.0",
     "gray-matter": "^4.0.3",
+    "jszip": "^3.10.1",
     "lowlight": "^3.3.0",
     "markdown-it": "^14.1.1",
     "markdown-it-footnote": "^4.0.0",