Google Docs import
Import a Google Doc as a draft blog post or info page — converted to safe engine markdown (never raw HTML), so shared docs can't carry stored XSS.
docsImport turns a Google Doc into a draft blog Post or /info Page, via the Google Workspace connector (Docs API v1).
Enable it
docsImport in /admin/features (runtime)./admin/docs-import, paste a Doc ID/URL, pick post or page, and import.Safe by construction — no stored XSS
The converter emits Cartwright engine markdown (## headings, > quotes, **bold**, - bullets) — never HTML. Imported content is stored in body with bodyFormat="text" and rendered through the existing safe renderContentBlocks() path (React text nodes, no dangerouslySetInnerHTML).
Because body is rendered as text, a shared Doc containing <script>, <img onerror> or a javascript: link cannot become stored XSS — those appear as literal escaped text. Raw-HTML rendering remains only for the trusted admin vibeHtml field, which import never writes. Malicious/unsafe link URLs are dropped during conversion (the visible text is kept).
Tool & defaults
The AI/MCP surface gains docs.import (pages:write scope). Imported posts/pages land as drafts for review before publishing.
| Flag | docsImport |
| Tier | runtime |
| Default | off |
| Needs | Workspace connector + Docs scope |
Existing posts/pages (no bodyFormat) render exactly as before — the new column is additive and defaults to text.
Google Drive media & backup
Import images from a Drive folder into the media library, and push DB/media backups to Drive — reusing the existing media pipeline and backup dump.
Contact-form attachments
Let visitors attach an image to the contact form — image-only, size-capped, magic-byte-validated, stored in Vercel Blob and shown in the admin inbox.