feat(annotate): support HTML files and URL annotation (#545)

* fix(annotate): sanitize dangerous link protocols in markdown renderer

Block javascript:, data:, and vbscript: URLs in InlineMarkdown link
rendering. Links with dangerous protocols render as plain text instead
of clickable anchors. Uses a blocklist approach so existing links with
custom protocols (obsidian://, vscode://, Windows C:\ paths) continue
to work.

For provenance purposes, this commit was AI assisted.

* feat(annotate): add HTML-to-markdown and URL-to-markdown utilities

- html-to-markdown.ts: Turndown wrapper with GFM table rule, strips
  script/style/noscript tags
- url-to-markdown.ts: Jina Reader (free, returns markdown) with
  fetch+Turndown fallback. Warns on Jina failure, auto-skips Jina for
  local/private URLs (localhost, 192.168.*, 10.*, etc.)
- config.ts: add jina setting and resolveUseJina() with priority chain
  --no-jina flag > PLANNOTATOR_JINA env > config.json > default true

For provenance purposes, this commit was AI assisted.

* feat(annotate): support HTML files and URLs in annotate command

Extend the annotate subcommand to accept .html/.htm local files
(converted via Turndown) and https:// URLs (fetched via Jina Reader
with fetch+Turndown fallback). URL content is fetched terminal-side
before opening the browser.

Add --no-jina global flag to disable Jina Reader per-invocation.
Add 10MB file size guard for local HTML files.

For provenance purposes, this commit was AI assisted.

* feat(annotate): HTML files in folder browser and on-demand conversion

- Widen file browser glob to include .html/.htm alongside markdown
- handleDoc converts HTML files via Turndown on demand when selected
- hasMarkdownFiles accepts optional extensions param for folder validation
- Add sourceInfo field to annotate server API response
- Add _site/, public/, out/, .docusaurus/, .jekyll-cache/,
  storybook-static/ to FILE_BROWSER_EXCLUDED

For provenance purposes, this commit was AI assisted.

* feat(annotate): source attribution badge for HTML/URL annotations

Show a subtle badge in DocBadges displaying the URL hostname or HTML
filename for converted content. Thread sourceInfo from API response
through App → Viewer → DocBadges.

Also update Pi extension to accept HTML-only folders in annotate mode.

For provenance purposes, this commit was AI assisted.

* test: update CLI help text assertion for HTML/URL annotate support

For provenance purposes, this commit was AI assisted.

* fix(annotate): address PR review findings

Security:
- Add project-root containment check for HTML files in /api/doc handler
  using exported isWithinProjectRoot() from resolve-file.ts
- Blocks path traversal via absolute paths or ../ escapes

isLocalUrl fixes:
- Add bracketed IPv6 loopback [::1] detection
- Replace hostname.startsWith('10.') with proper IPv4 regex to avoid
  matching public hostnames like 10.example.com

Revert Pi extension change:
- Pi server doesn't implement HTML file browsing or conversion yet
- Keep Pi folder validation markdown-only until both implementations
  are updated per CLAUDE.md guidelines

Cleanup:
- Remove dead el.children || el.childNodes fallback in table rule
- Extract hostnameOrFallback() helper to @plannotator/shared/project
  replacing duplicated try/catch IIFEs in DocBadges and index.ts

For provenance purposes, this commit was AI assisted.

* feat(annotate): Pi extension HTML annotation parity

Bring the Pi extension to full parity with the Bun server for HTML
annotation support:

- Vendor html-to-markdown and url-to-markdown via vendor.sh
- walkMarkdownFiles now scans .html/.htm alongside markdown
- handleDocRequest converts HTML files on-demand via Turndown with
  isWithinProjectRoot containment check
- serverAnnotate includes sourceInfo in /api/plan response
- index.ts supports URL detection (Jina Reader + fallback), HTML file
  detection with Turndown conversion, folder HTML validation, and 10MB
  file size guard
- openMarkdownAnnotation accepts and threads sourceInfo
- Add turndown as a Pi extension dependency

For provenance purposes, this commit was AI assisted.

* fix(pi): Obsidian vault walks stay markdown-only, add try/catch for HTML

- Add extensions param to walkMarkdownFiles (default: HTML-inclusive)
- Obsidian callers pass /\.mdx?$/i to match Bun server behavior
- Add try/catch around HTML file reads in handleDocRequest

For provenance purposes, this commit was AI assisted.

* fix(annotate): address second review — base-block traversal, metadata IP, dead code

Security:
- Add isWithinProjectRoot check to the base-relative block for HTML
  files in both Bun and Pi /api/doc handlers. Previously HTML files
  served via the base query param bypassed the containment guard.
- Add 169.254.0.0/16 (link-local / cloud metadata) to isLocalUrl
  private IP ranges

Cleanup:
- Remove dead hostname === "[::1]" check (WHATWG URL parser strips
  brackets; hostname === "::1" already handles it)
- Remove dead parent?.childNodes fallback in table cell() function

For provenance purposes, this commit was AI assisted.

* refactor(annotate): replace custom table rules with turndown-plugin-gfm

Drop ~60 lines of hand-rolled GFM table conversion that had a bug
(tables without explicit <thead> produced invalid GFM). Use the
official turndown-plugin-gfm plugin (24KB) which correctly handles
all table patterns plus adds strikethrough and task list support.

For provenance purposes, this commit was AI assisted.

* fix(annotate): handle all CommonMark backslash escapes in InlineMarkdown

Expand the backslash escape regex to cover all CommonMark-defined
escapable characters (. ) - # > + | { } &), not just the subset
the parser uses for formatting. Fixes literal backslashes appearing
in rendered output for Turndown-escaped content like "1\." → "1.".

For provenance purposes, this commit was AI assisted.

* fix(annotate): prevent SSRF via redirect to private/local URLs

Replace redirect: "follow" with redirect: "manual" in fetchViaTurndown
and validate each redirect hop against isLocalUrl. Blocks attacks where
an external URL redirects to cloud metadata endpoints (169.254.169.254)
or other private IPs. Limits redirect chain to 10 hops.

For provenance purposes, this commit was AI assisted.

* chore: update lockfile for turndown-plugin-gfm in Pi extension

bun install needed to resolve turndown-plugin-gfm in the Pi extension
workspace after adding it to apps/pi-extension/package.json.

For provenance purposes, this commit was AI assisted.

* fix(annotate): switch to @joplin/turndown-plugin-gfm, fix TS errors

Replace unmaintained turndown-plugin-gfm (2017, v1.0.2) with the
actively maintained Joplin fork (2025, v1.0.64, 16KB).

Fix TypeScript errors that broke CI:
- Add @ts-expect-error for untyped @joplin/turndown-plugin-gfm import
- Restructure fetchViaTurndown redirect loop to avoid uninitialized
  variable — first fetch before loop, loop only for redirects

For provenance purposes, this commit was AI assisted.

* fix(annotate): use proper declarations.d.ts instead of ts-expect-error

Add declarations.d.ts for @joplin/turndown-plugin-gfm with typed
function signatures, remove the ts-expect-error suppression.

For provenance purposes, this commit was AI assisted.

* fix: explicitly include declarations.d.ts in shared tsconfig

CI's tsc wasn't finding the ambient module declaration with implicit
include. Add explicit include to ensure declarations.d.ts is always
picked up regardless of environment.

For provenance purposes, this commit was AI assisted.

* fix: use ts-expect-error for @joplin/turndown-plugin-gfm types

CI's tsc does not pick up ambient declarations.d.ts files despite
local tsc finding them — likely a module resolution discrepancy
between environments. Revert to @ts-expect-error which passes in
both CI and local typecheck.

For provenance purposes, this commit was AI assisted.

* fix(annotate): body size limit for URL fetches, redirect error, file: protocol

- Add 10MB body size limit to both Jina and fetch+Turndown URL paths,
  matching the local HTML file guard. Streams response body and aborts
  if limit exceeded.
- Distinguish "Too many redirects" from a genuine 3xx response after
  redirect loop exhaustion.
- Add file: to the dangerous protocol blocklist in sanitizeLinkUrl.

For provenance purposes, this commit was AI assisted.

* fix(annotate): HTML folder outside cwd, HTML linked doc navigation

- Remove containment check from base-relative block for HTML files in
  both Bun and Pi /api/doc handlers. Matches markdown behavior so HTML
  files in annotated folders outside cwd are served correctly.
  Standalone block (no base) retains its cwd check as fallback.
- Widen isLocalMd → isLocalDoc to treat .html/.htm links as linked
  documents. Clicking [Next](next.html) in a converted page now opens
  it via /api/doc with Turndown conversion instead of a new browser tab.

For provenance purposes, this commit was AI assisted.

* fix(annotate): full loopback range, drain redirect bodies, document env vars

- Expand loopback check from just 127.0.0.1 to the full 127.0.0.0/8
  range so all loopback addresses skip Jina Reader
- Cancel redirect response body before re-fetching to avoid leaking
  TCP connections back to the pool
- Document PLANNOTATOR_JINA and JINA_API_KEY in CLAUDE.md env var table

For provenance purposes, this commit was AI assisted.

* fix(annotate): IPv6 loopback, readBodyWithLimit fallback, env var docs, comments

- Add [::1] back to isLocalUrl — WHATWG URL hostname getter preserves
  brackets for IPv6 (verified: Bun and Node both return "[::1]").
  Add comment explaining the empirical verification so future reviewers
  don't re-flag.
- Fix readBodyWithLimit null-body fallback to still enforce the 10MB
  limit via text length check instead of silently falling through.
- Document PLANNOTATOR_JINA and JINA_API_KEY in AGENTS.md env var table
  (CLAUDE.md is a symlink to AGENTS.md).
- Add comments to base-relative blocks in both Bun and Pi handleDoc
  explaining the intentional lack of containment check (matches
  pre-existing markdown behavior, base is set server-side).

For provenance purposes, this commit was AI assisted.

* fix(annotate): block IPv4-mapped IPv6 and private IPv6 ranges in isLocalUrl

Add PRIVATE_IPV6 regex matching bracketed IPv6 private/reserved ranges:
- ::ffff: (IPv4-mapped — embeds private IPv4 as hex, e.g. [::ffff:c0a8:1])
- fe80: (link-local)
- fc00::/7 (unique-local, covers fc00:: through fdff::)

Closes the redirect-SSRF bypass where a public URL redirects to a
private address expressed as IPv4-mapped IPv6, e.g.
http://[::ffff:169.254.169.254]/latest/meta-data/

For provenance purposes, this commit was AI assisted.

* fix(annotate): document IPv6 hostname verification, sourceInfo type, annotate flow

- Expand isLocalUrl comment with full empirical verification table
  showing actual hostname getter output for every IPv6 format in both
  Bun and Node — prevents false-positive review findings about brackets
- Add sourceInfo to /api/plan response type in App.tsx for type safety
- Update CLAUDE.md annotate flow diagram to reflect HTML/URL/folder
  input types

For provenance purposes, this commit was AI assisted.

* fix(annotate): escape \(, cancel response bodies on error, doc sourceInfo

- Add ( to backslash escape regex alongside existing ) — Turndown
  emits \( in link-adjacent contexts
- Cancel response body before throwing on !res.ok in both fetchViaJina
  and fetchViaTurndown error paths (redirect loop already did this)
- Document sourceInfo field in AGENTS.md annotate server API table

For provenance purposes, this commit was AI assisted.

* fix(annotate): skip base injection for URL annotations, body cleanup

- Skip dirname(filePath) base injection when filePath is a URL in both
  Bun and Pi annotate servers. dirname on a URL string produces a
  nonsensical filesystem path, causing linked doc clicks to 404.
  URL annotations now let links open normally instead.
- Cancel response body before throwing on content-type mismatch and
  content-length overflow in fetchViaTurndown/readBodyWithLimit.
- Fix double parseInt in readBodyWithLimit content-length check.
- Correct AGENTS.md flow diagram: OpenCode not yet implemented for
  HTML/URL annotation.

For provenance purposes, this commit was AI assisted.

* feat(annotate): OpenCode HTML file and URL annotation support

Add URL detection (Jina Reader + fallback), HTML file detection with
Turndown conversion, 10MB file size guard, and sourceInfo threading
to OpenCode's handleAnnotateCommand. Uses the same shared utilities
as the Bun CLI and Pi extension.

OpenCode uses the Bun server directly (startAnnotateServer from
@plannotator/server/annotate), so no server-side changes needed —
only the command handler routing was missing.

Note: folder annotation mode is not added (OpenCode didn't have it
before this PR for markdown either — separate scope).

For provenance purposes, this commit was AI assisted.

* chore(annotate): update slash command description, align fetch log messages

- OpenCode plannotator-annotate.md description now mentions HTML/URL
- Align fetch progress messages across all three clients: all now show
  "(via Jina Reader)" or "(via fetch+Turndown)" consistently

For provenance purposes, this commit was AI assisted.

* fix(annotate): skip conversion for .md URLs, wikilink HTML targets, cleanup

- URLs ending in .md/.mdx are fetched raw — no Jina, no Turndown.
  Content is already markdown. Removes text/plain from fetchViaTurndown
  content-type whitelist since .md URLs are now short-circuited.
- Wikilink regex widened to preserve .html/.htm targets instead of
  appending .md (e.g. [[page.html]] no longer becomes page.html.md)
- Remove redundant existsSync before statSync in OpenCode handler

For provenance purposes, this commit was AI assisted.

* test(annotate): add htmlToMarkdown conversion tests

Tests cover the core conversion utility that all three clients depend on:
- Basic HTML → markdown (headings, paragraphs, links, code blocks)
- Tables with and without <thead> (the GFM plugin bug that was caught)
- Script/style/noscript stripping
- Strikethrough (GFM)
- Empty HTML handling
- Dangerous links preserved (sanitization is in the renderer, not here)

For provenance purposes, this commit was AI assisted.

* fix(annotate): check content-type before treating .md URLs as raw markdown

URLs ending in .md/.mdx (e.g. GitHub's viewer page for README.md)
may return HTML instead of raw markdown. fetchRawText now checks the
response content-type — if the server returns HTML, returns null so
the caller falls through to Jina/Turndown for proper conversion.

For provenance purposes, this commit was AI assisted.

* fix(annotate): add SSRF redirect protection to fetchRawText

fetchRawText (for .md/.mdx URLs) was using default redirect: "follow"
with no isLocalUrl validation on redirect hops — a .md URL redirecting
to 169.254.169.254 would be followed and credentials returned as
"markdown". Now uses redirect: "manual" with per-hop isLocalUrl checks,
matching fetchViaTurndown's SSRF protection.

For provenance purposes, this commit was AI assisted.

Author: backnotprop

AGENTS.md

@@ -104,6 +104,8 @@ claude --plugin-dir ./apps/hook
 | `PLANNOTATOR_SHARE` | Set to `disabled` to turn off URL sharing entirely. Default: enabled. |
 | `PLANNOTATOR_SHARE_URL` | Custom base URL for share links (self-hosted portal). Default: `https://share.plannotator.ai`. |
 | `PLANNOTATOR_PASTE_URL` | Base URL of the paste service API for short URL sharing. Default: `https://plannotator-paste.plannotator.workers.dev`. |
+| `PLANNOTATOR_JINA` | Set to `0` / `false` to disable Jina Reader for URL annotation, or `1` / `true` to enable. Default: enabled. Can also be set via `~/.plannotator/config.json` (`{ "jina": false }`) or per-invocation via `--no-jina`. |
+| `JINA_API_KEY` | Optional Jina Reader API key for higher rate limits (500 RPM vs 20 RPM unauthenticated). Free keys include 10M tokens. |
 | `PLANNOTATOR_VERIFY_ATTESTATION` | **Read by the install scripts only**, not by the runtime binary. Set to `1` / `true` to have `scripts/install.sh` / `install.ps1` / `install.cmd` run `gh attestation verify` on every install. Off by default. Can also be set persistently via `~/.plannotator/config.json` (`{ "verifyAttestation": true }`) or per-invocation via `--verify-attestation`. Requires `gh` installed and authenticated. |
 
 **Legacy:** `SSH_TTY` and `SSH_CONNECTION` are still detected when `PLANNOTATOR_REMOTE` is unset. Set `PLANNOTATOR_REMOTE=1` / `true` to force remote mode or `0` / `false` to force local mode.
@@ -152,16 +154,20 @@ Approve → "LGTM" sent to agent session
 ## Annotate Flow
 
 ```
-User runs /plannotator-annotate <file.md> command
+User runs /plannotator-annotate <file.md | file.html | https://... | folder/>
         ↓
 Claude Code: plannotator annotate subcommand runs
-OpenCode: event handler intercepts command
+OpenCode/Pi: event handler intercepts command
         ↓
-Markdown file read from disk
+Input type detected:
+  .md/.mdx   → file read from disk
+  .html/.htm → file read, converted to markdown via Turndown
+  https://   → fetched via Jina Reader (default) or fetch+Turndown (--no-jina)
+  folder/    → file browser opened, files converted on demand
         ↓
 Annotate server starts (reuses plan editor HTML with mode:"annotate")
         ↓
-User annotates markdown, provides feedback
+User annotates content, provides feedback
         ↓
 Send Annotations → feedback sent to agent session
 ```
@@ -247,7 +253,7 @@ During normal plan review, an Archive sidebar tab provides the same browsing via
 
 | Endpoint              | Method | Purpose                                    |
 | --------------------- | ------ | ------------------------------------------ |
-| `/api/plan`           | GET    | Returns `{ plan, origin, mode: "annotate", filePath }` |
+| `/api/plan`           | GET    | Returns `{ plan, origin, mode: "annotate", filePath, sourceInfo? }` |
 | `/api/feedback`       | POST   | Submit annotations (body: feedback, annotations) |
 | `/api/image`          | GET    | Serve image by path query param            |
 | `/api/upload`         | POST   | Upload image, returns `{ path, originalName }` |

apps/hook/server/cli.test.ts

@@ -19,7 +19,7 @@ describe("CLI top-level help", () => {
     expect(output).toContain("plannotator --help");
     expect(output).toContain("plannotator [--browser <name>]");
     expect(output).toContain("plannotator review [PR_URL]");
-    expect(output).toContain("plannotator annotate <file.md | folder/>");
+    expect(output).toContain("plannotator annotate <file.md | file.html | https://... | folder/>");
     expect(output).toContain("running 'plannotator' without arguments is for hook integration");
   });
 });

apps/hook/server/cli.ts

@@ -15,7 +15,7 @@ export function formatTopLevelHelp(): string {
     "  plannotator --help",
     "  plannotator [--browser <name>]",
     "  plannotator review [PR_URL]",
-    "  plannotator annotate <file.md | folder/>",
+    "  plannotator annotate <file.md | file.html | https://... | folder/>  [--no-jina]",
     "  plannotator last",
     "  plannotator archive",
     "  plannotator sessions",
@@ -33,7 +33,7 @@ export function formatInteractiveNoArgClarification(): string {
     "",
     "For interactive use, try:",
     "  plannotator review",
-    "  plannotator annotate <file.md>",
+    "  plannotator annotate <file.md | file.html | https://...>",
     "  plannotator last",
     "  plannotator archive",
     "  plannotator sessions",

apps/hook/server/index.ts

@@ -64,17 +64,20 @@ import {
   handleAnnotateServerReady,
 } from "@plannotator/server/annotate";
 import { type DiffType, getVcsContext, runVcsDiff, gitRuntime } from "@plannotator/server/vcs";
-import { loadConfig, resolveDefaultDiffType } from "@plannotator/shared/config";
+import { loadConfig, resolveDefaultDiffType, resolveUseJina } from "@plannotator/shared/config";
+import { htmlToMarkdown } from "@plannotator/shared/html-to-markdown";
+import { urlToMarkdown } from "@plannotator/shared/url-to-markdown";
 import { fetchRef, createWorktree, removeWorktree, ensureObjectAvailable } from "@plannotator/shared/worktree";
 import { parsePRUrl, checkPRAuth, fetchPR, getCliName, getCliInstallUrl, getMRLabel, getMRNumberLabel, getDisplayRepo } from "@plannotator/server/pr";
 import { writeRemoteShareLink } from "@plannotator/server/share-url";
 import { resolveMarkdownFile, hasMarkdownFiles } from "@plannotator/shared/resolve-file";
 import { FILE_BROWSER_EXCLUDED } from "@plannotator/shared/reference-common";
-import { statSync, rmSync, realpathSync } from "fs";
+import { statSync, rmSync, realpathSync, existsSync } from "fs";
 import { parseRemoteUrl } from "@plannotator/shared/repo";
 import { registerSession, unregisterSession, listSessions } from "@plannotator/server/sessions";
 import { openBrowser } from "@plannotator/server/browser";
 import { detectProjectName } from "@plannotator/server/project";
+import { hostnameOrFallback } from "@plannotator/shared/project";
 import { planDenyFeedback } from "@plannotator/shared/feedback-templates";
 import { readImprovementHook } from "@plannotator/shared/improvement-hooks";
 import type { Origin } from "@plannotator/shared/agents";
@@ -109,6 +112,11 @@ if (browserIdx !== -1 && args[browserIdx + 1]) {
   args.splice(browserIdx, 2);
 }
 
+// Global flag: --no-jina (disables Jina Reader for URL annotation)
+const noJinaIdx = args.indexOf("--no-jina");
+const cliNoJina = noJinaIdx !== -1;
+if (cliNoJina) args.splice(noJinaIdx, 1);
+
 if (isTopLevelHelpInvocation(args)) {
   console.log(formatTopLevelHelp());
   process.exit(0);
@@ -451,7 +459,7 @@ if (args[0] === "sessions") {
 
   let filePath = args[1];
   if (!filePath) {
-    console.error("Usage: plannotator annotate <file.md | folder/>");
+    console.error("Usage: plannotator annotate <file.md | file.html | https://... | folder/>  [--no-jina]");
     process.exit(1);
   }
 
@@ -468,50 +476,87 @@ if (args[0] === "sessions") {
     console.error(`[DEBUG] File path arg: ${filePath}`);
   }
 
-  // Check if the argument is a directory (folder annotation mode)
-  const resolvedArg = path.resolve(projectRoot, filePath);
-  let isFolder = false;
-  try {
-    isFolder = statSync(resolvedArg).isDirectory();
-  } catch {
-    // Not a directory, fall through to file resolution
-  }
-
   let markdown: string;
   let absolutePath: string;
   let folderPath: string | undefined;
   let annotateMode: "annotate" | "annotate-folder" = "annotate";
+  let sourceInfo: string | undefined;
 
-  if (isFolder) {
-    // Folder annotation mode
-    if (!hasMarkdownFiles(resolvedArg, FILE_BROWSER_EXCLUDED)) {
-      console.error(`No markdown files found in ${resolvedArg}`);
-      process.exit(1);
-    }
-    folderPath = resolvedArg;
-    absolutePath = resolvedArg;
-    markdown = "";
-    annotateMode = "annotate-folder";
-    console.error(`Folder: ${resolvedArg}`);
-  } else {
-    // Single file annotation mode
-    const resolved = resolveMarkdownFile(filePath, projectRoot);
+  // --- URL annotation ---
+  const isUrl = /^https?:\/\//i.test(filePath);
 
-    if (resolved.kind === "ambiguous") {
-      console.error(`Ambiguous filename "${resolved.input}" — found ${resolved.matches.length} matches:`);
-      for (const match of resolved.matches) {
-        console.error(`  ${match}`);
+  if (isUrl) {
+    const useJina = resolveUseJina(cliNoJina, loadConfig());
+    console.error(`Fetching: ${filePath}${useJina ? " (via Jina Reader)" : " (via fetch+Turndown)"}`);
+    try {
+      const result = await urlToMarkdown(filePath, { useJina });
+      markdown = result.markdown;
+      if (process.env.PLANNOTATOR_DEBUG) {
+        console.error(`[DEBUG] Fetched via ${result.source} (${markdown.length} chars)`);
       }
+    } catch (err) {
+      console.error(`Failed to fetch URL: ${err instanceof Error ? err.message : String(err)}`);
       process.exit(1);
     }
-    if (resolved.kind === "not_found") {
-      console.error(`File not found: ${resolved.input}`);
-      process.exit(1);
+    absolutePath = filePath; // Use URL as the "path" for display
+    sourceInfo = filePath;   // Full URL for source attribution
+  } else {
+    // Check if the argument is a directory (folder annotation mode)
+    const resolvedArg = path.resolve(projectRoot, filePath);
+    let isFolder = false;
+    try {
+      isFolder = statSync(resolvedArg).isDirectory();
+    } catch {
+      // Not a directory, fall through to file resolution
     }
 
-    absolutePath = resolved.path;
-    markdown = await Bun.file(absolutePath).text();
-    console.error(`Resolved: ${absolutePath}`);
+    if (isFolder) {
+      // Folder annotation mode (markdown + HTML files)
+      if (!hasMarkdownFiles(resolvedArg, FILE_BROWSER_EXCLUDED, /\.(mdx?|html?)$/i)) {
+        console.error(`No markdown or HTML files found in ${resolvedArg}`);
+        process.exit(1);
+      }
+      folderPath = resolvedArg;
+      absolutePath = resolvedArg;
+      markdown = "";
+      annotateMode = "annotate-folder";
+      console.error(`Folder: ${resolvedArg}`);
+    } else if (/\.html?$/i.test(resolvedArg)) {
+      // HTML file annotation mode — convert to markdown via Turndown
+      if (!existsSync(resolvedArg)) {
+        console.error(`File not found: ${filePath}`);
+        process.exit(1);
+      }
+      const htmlFile = Bun.file(resolvedArg);
+      if (htmlFile.size > 10 * 1024 * 1024) {
+        console.error(`File too large (${Math.round(htmlFile.size / 1024 / 1024)}MB, max 10MB): ${resolvedArg}`);
+        process.exit(1);
+      }
+      const html = await htmlFile.text();
+      markdown = htmlToMarkdown(html);
+      absolutePath = resolvedArg;
+      sourceInfo = path.basename(resolvedArg);
+      console.error(`Converted: ${absolutePath}`);
+    } else {
+      // Single markdown file annotation mode
+      const resolved = resolveMarkdownFile(filePath, projectRoot);
+
+      if (resolved.kind === "ambiguous") {
+        console.error(`Ambiguous filename "${resolved.input}" — found ${resolved.matches.length} matches:`);
+        for (const match of resolved.matches) {
+          console.error(`  ${match}`);
+        }
+        process.exit(1);
+      }
+      if (resolved.kind === "not_found") {
+        console.error(`File not found: ${resolved.input}`);
+        process.exit(1);
+      }
+
+      absolutePath = resolved.path;
+      markdown = await Bun.file(absolutePath).text();
+      console.error(`Resolved: ${absolutePath}`);
+    }
   }
 
   const annotateProject = (await detectProjectName()) ?? "_unknown";
@@ -523,6 +568,7 @@ if (args[0] === "sessions") {
     origin: detectedOrigin,
     mode: annotateMode,
     folderPath,
+    sourceInfo,
     sharingEnabled,
     shareBaseUrl,
     pasteApiUrl,
@@ -543,7 +589,9 @@ if (args[0] === "sessions") {
     mode: "annotate",
     project: annotateProject,
     startedAt: new Date().toISOString(),
-    label: folderPath ? `annotate-${path.basename(folderPath)}` : `annotate-${path.basename(absolutePath)}`,
+    label: folderPath
+      ? `annotate-${path.basename(folderPath)}`
+      : `annotate-${isUrl ? hostnameOrFallback(absolutePath) : path.basename(absolutePath)}`,
   });
 
   // Wait for user feedback

apps/opencode-plugin/commands.ts

@@ -20,8 +20,12 @@ import {
 } from "@plannotator/server/annotate";
 import { getGitContext, runGitDiffWithContext } from "@plannotator/server/git";
 import { parsePRUrl, checkPRAuth, fetchPR, getCliName, getMRLabel, getMRNumberLabel, getDisplayRepo } from "@plannotator/server/pr";
-import { loadConfig, resolveDefaultDiffType } from "@plannotator/shared/config";
+import { loadConfig, resolveDefaultDiffType, resolveUseJina } from "@plannotator/shared/config";
 import { resolveMarkdownFile } from "@plannotator/shared/resolve-file";
+import { htmlToMarkdown } from "@plannotator/shared/html-to-markdown";
+import { urlToMarkdown } from "@plannotator/shared/url-to-markdown";
+import { statSync } from "fs";
+import path from "path";
 
 /** Shared dependencies injected by the plugin */
 export interface CommandDeps {
@@ -149,35 +153,79 @@ export async function handleAnnotateCommand(
   const filePath = event.properties?.arguments || event.arguments || "";
 
   if (!filePath) {
-    client.app.log({ level: "error", message: "Usage: /plannotator-annotate <file.md>" });
+    client.app.log({ level: "error", message: "Usage: /plannotator-annotate <file.md | file.html | https://...>" });
     return;
   }
 
-  client.app.log({ level: "info", message: `Opening annotation UI for ${filePath}...` });
+  let markdown: string;
+  let absolutePath: string;
+  let sourceInfo: string | undefined;
 
-  const projectRoot = process.cwd();
-  const resolved = await resolveMarkdownFile(filePath, projectRoot);
+  // --- URL annotation ---
+  const isUrl = /^https?:\/\//i.test(filePath);
 
-  if (resolved.kind === "ambiguous") {
-    client.app.log({
-      level: "error",
-      message: `Ambiguous filename "${resolved.input}" — found ${resolved.matches.length} matches:\n${resolved.matches.map((m) => `  ${m}`).join("\n")}`,
-    });
-    return;
-  }
-  if (resolved.kind === "not_found") {
-    client.app.log({ level: "error", message: `File not found: ${resolved.input}` });
-    return;
-  }
+  if (isUrl) {
+    const useJina = resolveUseJina(false, loadConfig());
+    client.app.log({ level: "info", message: `Fetching: ${filePath}${useJina ? " (via Jina Reader)" : " (via fetch+Turndown)"}...` });
+    try {
+      const result = await urlToMarkdown(filePath, { useJina });
+      markdown = result.markdown;
+    } catch (err) {
+      client.app.log({ level: "error", message: `Failed to fetch URL: ${err instanceof Error ? err.message : String(err)}` });
+      return;
+    }
+    absolutePath = filePath;
+    sourceInfo = filePath;
+  } else {
+    const projectRoot = process.cwd();
+    const resolvedArg = path.resolve(projectRoot, filePath);
 
-  const absolutePath = resolved.path;
-  client.app.log({ level: "info", message: `Resolved: ${absolutePath}` });
-  const markdown = await Bun.file(absolutePath).text();
+    if (/\.html?$/i.test(resolvedArg)) {
+      // HTML file annotation — convert to markdown via Turndown
+      let fileSize: number;
+      try {
+        fileSize = statSync(resolvedArg).size;
+      } catch {
+        client.app.log({ level: "error", message: `File not found: ${filePath}` });
+        return;
+      }
+      if (fileSize > 10 * 1024 * 1024) {
+        client.app.log({ level: "error", message: `File too large (${Math.round(fileSize / 1024 / 1024)}MB, max 10MB)` });
+        return;
+      }
+      const html = await Bun.file(resolvedArg).text();
+      markdown = htmlToMarkdown(html);
+      absolutePath = resolvedArg;
+      sourceInfo = path.basename(resolvedArg);
+      client.app.log({ level: "info", message: `Converted: ${absolutePath}` });
+    } else {
+      // Markdown file annotation
+      client.app.log({ level: "info", message: `Opening annotation UI for ${filePath}...` });
+      const resolved = await resolveMarkdownFile(filePath, projectRoot);
+
+      if (resolved.kind === "ambiguous") {
+        client.app.log({
+          level: "error",
+          message: `Ambiguous filename "${resolved.input}" — found ${resolved.matches.length} matches:\n${resolved.matches.map((m) => `  ${m}`).join("\n")}`,
+        });
+        return;
+      }
+      if (resolved.kind === "not_found") {
+        client.app.log({ level: "error", message: `File not found: ${resolved.input}` });
+        return;
+      }
+
+      absolutePath = resolved.path;
+      client.app.log({ level: "info", message: `Resolved: ${absolutePath}` });
+      markdown = await Bun.file(absolutePath).text();
+    }
+  }
 
   const server = await startAnnotateServer({
     markdown,
     filePath: absolutePath,
     origin: "opencode",
+    sourceInfo,
     sharingEnabled: await getSharingEnabled(),
     shareBaseUrl: getShareBaseUrl(),
     htmlContent,

apps/opencode-plugin/commands/plannotator-annotate.md

@@ -1,5 +1,5 @@
 ---
-description: Open interactive annotation UI for a markdown file
+description: Open interactive annotation UI for a markdown file, HTML file, or URL
 ---
 
 The Plannotator Annotate UI has been triggered. Opening the annotation UI...