diff --git a/.devcontainer/devcontainer.json b/.devcontainer/devcontainer.json
index 705be8c..4cc7c6f 100644
--- a/.devcontainer/devcontainer.json
+++ b/.devcontainer/devcontainer.json
@@ -14,8 +14,26 @@
     },
     "ghcr.io/devcontainers/features/sshd:1": {
       "version": "latest"
+    },
+    // Playwright + browsers + Linux runtime libs in one shot. The
+    // feature's install.sh runs `npx playwright install --with-deps`
+    // as the remote user, so the browser binaries land in
+    // /home/vscode/.cache/ms-playwright/ and the apt-side runtime
+    // libs (libnss3, libgbm1, etc.) are pulled in too. Reproducible
+    // and dramatically simpler than maintaining the dep list in our
+    // Dockerfile.
+    "ghcr.io/schlich/devcontainer-features/playwright:0": {
+      "browsers": "chromium"
     }
   },
+  // Runs on the HOST before the container is created/started. Picks a
+  // free TCP port, writes it to .devcontainer/ports.env. The container
+  // runs with --network host (see runArgs) so the same port number is
+  // both the in-container bind and the host-visible address — no port
+  // forwarding involved. See the wiki page
+  // [[preferences/devcontainer-ports]] for the full rationale and the
+  // consumer recipes (launch.json, tasks.json, host scripts).
+  "initializeCommand": ".devcontainer/initializeCommand.sh",
   "postCreateCommand": "go version && node --version",
   "postAttachCommand": "npm install --prefix webui",
   "customizations": {
@@ -26,7 +44,10 @@
         "ethan-reesor.vscode-go-test-adapter",
         "idered.npm",
         "qwtel.sqlite-viewer",
-        "dbaeumer.vscode-eslint"
+        "dbaeumer.vscode-eslint",
+        // shellCommand.execute input type, used by launch.json to read
+        // .devcontainer/ports.env into the Chrome launch URL.
+        "augustocdias.tasks-shell-input"
       ],
       "settings": {
         "go.buildTags": "",
@@ -36,7 +57,19 @@
       }
     }
   },
-  "appPort": ["127.0.0.1:51888:4242"],
+  // No appPort: --network host below means no port forwarding is
+  // involved, so there's no host:container mapping to specify. The
+  // server binds directly on the host's network namespace at whatever
+  // port initializeCommand picked.
+  //
+  // --env-file injects MIND_MAP_HOST_PORT into the container so the
+  // mind-map binary (which reads it via `serve --addr`) listens on
+  // the right port. host-side consumers (launch.json, scripts) read
+  // the same file directly.
+  "runArgs": [
+    "--network", "host",
+    "--env-file", ".devcontainer/ports.env"
+  ],
   "portsAttributes": {
     "4242": {
       "label": "mind-map Server (devcontainer)",
diff --git a/.devcontainer/initializeCommand.sh b/.devcontainer/initializeCommand.sh
new file mode 100755
index 0000000..ecee54f
--- /dev/null
+++ b/.devcontainer/initializeCommand.sh
@@ -0,0 +1,56 @@
+#!/usr/bin/env bash
+# Runs on the HOST (not in the container) before docker run. Picks a
+# free TCP port for the mind-map server and writes it to
+# .devcontainer/ports.env. The value is consumed in two places:
+#
+#   1. Inside the container, via runArgs --env-file, so the mind-map
+#      binary's `serve --addr` reads $MIND_MAP_HOST_PORT.
+#   2. On the host, by tools (launch.json, the screenshot harness,
+#      ad-hoc curl) that need to know what URL to hit.
+#
+# Because the container runs with --network host (see devcontainer.json
+# runArgs), there is no port forwarding involved — the container binds
+# directly to the host's network namespace, so the same port number is
+# the host port. That's why we don't need ${localEnv:...} substitution
+# in appPort (which doesn't work for values produced by
+# initializeCommand anyway, since appPort substitution happens before
+# initializeCommand runs).
+#
+# See: [[preferences/devcontainer-ports]] in the mind-map wiki for the
+# full pattern and the rationale.
+set -euo pipefail
+
+# Preferred starting points. The value is stable across normal runs
+# when the preferred slot is free, so browser history / bookmarks /
+# muscle memory keep working. Only drifts when there's a real
+# collision (another worktree's devcontainer, a stray host process,
+# a VS Code port-forwarding daemon squatting on it).
+PREFERRED=(51888 51889 51890 51891 51892 51893)
+
+pick_port() {
+  local p
+  for p in "${PREFERRED[@]}"; do
+    if ! ss -tln "sport = :$p" 2>/dev/null | grep -q LISTEN; then
+      echo "$p"
+      return
+    fi
+  done
+  # Kernel-assigned fallback. Bind a socket to port 0, read what we
+  # got, close it. Tiny TOCTOU window before the container claims it;
+  # in practice we don't hit it.
+  python3 -c 'import socket; s = socket.socket(); s.bind(("127.0.0.1", 0)); print(s.getsockname()[1]); s.close()'
+}
+
+PORT=$(pick_port)
+
+# `cd` so the relative path is stable regardless of where the
+# devcontainer CLI was invoked from.
+cd "$(dirname "$0")"
+
+# `--env-file` (used in runArgs) accepts bare KEY=VALUE lines. Don't
+# quote the value — docker chokes on that.
+cat > ports.env <<EOF
+MIND_MAP_HOST_PORT=$PORT
+EOF
+
+echo "devcontainer host port: $PORT (written to .devcontainer/ports.env)"
diff --git a/.gitignore b/.gitignore
index 93f9a60..96ed349 100644
--- a/.gitignore
+++ b/.gitignore
@@ -15,3 +15,9 @@ webui/node_modules/
 .vscode/cache/
 __debug_bin*
 *.exe
+
+# Devcontainer host-port pick. Written by .devcontainer/initializeCommand.sh
+# at container-create time. Host-specific + per-run, so it must never be
+# committed. See the wiki page preferences/devcontainer-ports for the
+# pattern.
+.devcontainer/ports.env
diff --git a/.vscode/launch.json b/.vscode/launch.json
index 51d2cca..4098a7b 100644
--- a/.vscode/launch.json
+++ b/.vscode/launch.json
@@ -12,12 +12,19 @@
     ],
     "configurations": [
         {
+            // The devcontainer runs with --network host (see
+            // .devcontainer/devcontainer.json), so the in-container
+            // port IS the host port. initializeCommand.sh picks the
+            // value at create time and writes it to
+            // .devcontainer/ports.env; --env-file in runArgs makes
+            // $MIND_MAP_HOST_PORT available in the container's env.
+            // See [[preferences/devcontainer-ports]].
             "name": "mind-map Server",
             "type": "go",
             "request": "launch",
             "mode": "auto",
             "program": "${workspaceFolder}/cmd/mind-map",
-            "args": ["serve", "--addr", "0.0.0.0:4242", "--webui", "${workspaceFolder}/webui/dist"],
+            "args": ["serve", "--addr", "0.0.0.0:${env:MIND_MAP_HOST_PORT}", "--webui", "${workspaceFolder}/webui/dist"],
             "preLaunchTask": "build-webui"
         },
         {
@@ -26,7 +33,7 @@
             "request": "launch",
             "mode": "auto",
             "program": "${workspaceFolder}/cmd/mind-map",
-            "args": ["serve", "--addr", "0.0.0.0:4242", "--webui", "${workspaceFolder}/webui/dist"],
+            "args": ["serve", "--addr", "0.0.0.0:${env:MIND_MAP_HOST_PORT}", "--webui", "${workspaceFolder}/webui/dist"],
         },
         {
             "name": "mind-map (stdio)",
@@ -37,12 +44,16 @@
             "args": ["serve", "--stdio"],
         },
         {
+            // Same port the server binds to (host == container under
+            // --network host). The mindMapHostPort input reads
+            // .devcontainer/ports.env so the URL tracks whatever value
+            // initializeCommand picked.
             "name": "WebUI",
             "type": "chrome",
             "request": "launch",
             "browserLaunchLocation": "ui",
             "runtimeExecutable": "stable",
-            "url": "http://localhost:51888",
+            "url": "http://localhost:${input:mindMapHostPort}",
             "webRoot": "${workspaceFolder}/webui",
             "preLaunchTask": "waitForServer",
             "userDataDir": "${workspaceFolder}/.vscode/cache",
@@ -58,5 +69,25 @@
             "mode": "test",
             "program": "${workspaceFolder}/internal/wiki",
         }
+    ],
+    "inputs": [
+        {
+            // Reads MIND_MAP_HOST_PORT out of .devcontainer/ports.env
+            // every time the WebUI launch is invoked. Evaluated lazily,
+            // so even if the container is rebuilt and the port changes
+            // (because initializeCommand picked something else), the
+            // next launch picks up the new value with no manual edit.
+            //
+            // Requires the augustocdias.tasks-shell-input extension,
+            // which is declared in .devcontainer/devcontainer.json so
+            // contributors get it automatically.
+            "id": "mindMapHostPort",
+            "type": "command",
+            "command": "shellCommand.execute",
+            "args": {
+                "command": "grep ^MIND_MAP_HOST_PORT= ${workspaceFolder}/.devcontainer/ports.env | cut -d= -f2 | tr -d '\\n'",
+                "useSingleResult": true
+            }
+        }
     ]
 }
diff --git a/.vscode/tasks.json b/.vscode/tasks.json
index 46f4a73..df40e4e 100644
--- a/.vscode/tasks.json
+++ b/.vscode/tasks.json
@@ -45,9 +45,19 @@
             "problemMatcher": ["$go"]
         },
         {
+            // Probes the port the server is bound to. The container
+            // runs with --network host (see devcontainer.json), so
+            // the host and container see the same port number —
+            // whatever value initializeCommand.sh wrote to
+            // .devcontainer/ports.env and propagated into the
+            // container via --env-file. Sourcing the file in the
+            // shell command is the simplest portable way to read it;
+            // it avoids the need for the tasks-shell-input extension
+            // for tasks (the input is only used by launch.json's
+            // Chrome URL). See [[preferences/devcontainer-ports]].
             "label": "waitForServer",
             "type": "shell",
-            "command": "while ! nc -z localhost 4242; do sleep 1; done",
+            "command": "set -a; source ${workspaceFolder}/.devcontainer/ports.env; set +a; while ! nc -z localhost \"$MIND_MAP_HOST_PORT\"; do sleep 1; done",
             "group": "none",
             "dependsOn": ["build-webui"],
             "problemMatcher": {
diff --git a/internal/config/config.go b/internal/config/config.go
index 84dc10f..81603ac 100644
--- a/internal/config/config.go
+++ b/internal/config/config.go
@@ -41,6 +41,30 @@ type SyncMapping struct {
 	Prefix    string        `json:"prefix"`
 	Remote    string        `json:"remote"`
 	Direction SyncDirection `json:"direction,omitempty"`
+	// LFS, when true, configures the synced shadow clone to track
+	// the patterns in LFSPatterns via git-lfs. Useful when binary
+	// assets (uploaded via the image-support tools) would otherwise
+	// balloon the git repo. Requires git-lfs on the host. Defaults
+	// off because GitHub wikis don't support LFS — flip it on only
+	// for plain repos / providers that do.
+	LFS bool `json:"lfs,omitempty"`
+	// LFSPatterns is the list of .gitattributes patterns to route
+	// through LFS. If empty when LFS is true, a sensible default
+	// (the browser-renderable image extensions plus .pdf) is used
+	// — see DefaultLFSPatterns.
+	LFSPatterns []string `json:"lfs_patterns,omitempty"`
+}
+
+// DefaultLFSPatterns returns the default set of file patterns to route
+// through LFS when a sync mapping enables LFS but doesn't override the
+// patterns explicitly. Tracks the browser-renderable image set used by
+// the upload tools, plus common companion formats agents are likely to
+// reach for next.
+func DefaultLFSPatterns() []string {
+	return []string{
+		"*.png", "*.jpg", "*.jpeg", "*.gif", "*.webp",
+		"*.avif", "*.svg", "*.bmp", "*.ico",
+	}
 }
 
 // SyncConfig holds git sync settings.
@@ -90,7 +114,8 @@ func (s *SyncConfig) ResolveRemote(pagePath string) string {
 // If a mapping for prefix already exists, its remote and direction are
 // both replaced — this is treated as a re-registration, not an additive
 // op, so an existing mapping switching from bidirectional to pull-only
-// (or vice versa) propagates cleanly.
+// (or vice versa) propagates cleanly. LFS settings on an existing
+// mapping are preserved; use AddMappingWithLFS to update them.
 func (s *SyncConfig) AddMapping(prefix, remote string, direction SyncDirection) {
 	direction = direction.Normalize()
 	for i, m := range s.Mappings {
@@ -103,6 +128,34 @@ func (s *SyncConfig) AddMapping(prefix, remote string, direction SyncDirection)
 	s.Mappings = append(s.Mappings, SyncMapping{Prefix: prefix, Remote: remote, Direction: direction})
 }
 
+// AddMappingWithLFS is like AddMapping but also sets the LFS flag and
+// (optionally) the LFS patterns. Patterns default to DefaultLFSPatterns
+// when LFS is true and patterns is nil. Pass an empty (non-nil) slice
+// to explicitly track nothing — that's a usable no-op state for an
+// operator who wants to flip LFS on later.
+func (s *SyncConfig) AddMappingWithLFS(prefix, remote string, direction SyncDirection, lfs bool, patterns []string) {
+	direction = direction.Normalize()
+	if lfs && patterns == nil {
+		patterns = DefaultLFSPatterns()
+	}
+	for i, m := range s.Mappings {
+		if m.Prefix == prefix {
+			s.Mappings[i].Remote = remote
+			s.Mappings[i].Direction = direction
+			s.Mappings[i].LFS = lfs
+			s.Mappings[i].LFSPatterns = patterns
+			return
+		}
+	}
+	s.Mappings = append(s.Mappings, SyncMapping{
+		Prefix:      prefix,
+		Remote:      remote,
+		Direction:   direction,
+		LFS:         lfs,
+		LFSPatterns: patterns,
+	})
+}
+
 // Remotes returns all unique remotes (default + mappings).
 func (s *SyncConfig) Remotes() []string {
 	seen := make(map[string]bool)
diff --git a/internal/httpapi/images.go b/internal/httpapi/images.go
new file mode 100644
index 0000000..72171a7
--- /dev/null
+++ b/internal/httpapi/images.go
@@ -0,0 +1,248 @@
+// Asset HTTP handlers.
+//
+// Two endpoints:
+//
+//   - POST /api/assets — upload an image. Accepts either a JSON body
+//     ({page, name, content_base64}) for parity with the MCP tool, or
+//     a multipart/form-data body with fields {page, name, file=<binary>}
+//     for browser-friendly uploads.
+//
+//   - GET /assets/<page-path>.assets/<filename> — serve the bytes of an
+//     uploaded asset. Lives outside the /api/ prefix so the web UI can
+//     reference it directly from <img src> tags rendered by Goldmark.
+//     For SVG specifically, a strict Content-Security-Policy is set so
+//     embedded scripts and external loads cannot execute.
+
+package httpapi
+
+import (
+	"bytes"
+	"encoding/base64"
+	"encoding/json"
+	"errors"
+	"io"
+	"log/slog"
+	"net/http"
+	"strings"
+	"time"
+
+	"github.com/aniongithub/mind-map/internal/wiki"
+)
+
+// registerAssets wires the asset routes. Called from register().
+func (s *Server) registerAssets(mux *http.ServeMux) {
+	mux.HandleFunc("POST /api/assets", s.uploadAsset)
+	mux.HandleFunc("DELETE /api/assets/{path...}", s.deleteAsset)
+	mux.HandleFunc("GET /assets/{path...}", s.serveAsset)
+}
+
+// uploadAssetJSON is the JSON-body shape for asset uploads. Mirrors
+// the MCP tool's input so a client picking either transport sees the
+// same field names.
+type uploadAssetJSON struct {
+	Page          string `json:"page"`
+	Name          string `json:"name"`
+	ContentBase64 string `json:"content_base64"`
+}
+
+// uploadAssetResponse is the success payload for POST /api/assets.
+type uploadAssetResponse struct {
+	Path      string `json:"path"`
+	URL       string `json:"url"`
+	SizeBytes int64  `json:"size_bytes"`
+	MIME      string `json:"mime"`
+}
+
+// uploadAsset handles POST /api/assets. Accepts JSON or multipart bodies.
+// The page and name fields are required; content arrives as either
+// base64-encoded JSON or a multipart "file" part.
+func (s *Server) uploadAsset(rw http.ResponseWriter, r *http.Request) {
+	page, name, content, err := readAssetUpload(r)
+	if err != nil {
+		http.Error(rw, err.Error(), http.StatusBadRequest)
+		return
+	}
+
+	uploaded, err := s.deps.Wiki.UploadAsset(r.Context(), page, name, content)
+	if err != nil {
+		slog.Warn("http upload_asset failed",
+			slog.String("page", page),
+			slog.String("name", name),
+			slog.Int("bytes", len(content)),
+			slog.Any("error", err),
+		)
+		switch {
+		case errors.Is(err, wiki.ErrAssetTooLarge):
+			http.Error(rw, err.Error(), http.StatusRequestEntityTooLarge)
+		case errors.Is(err, wiki.ErrUnsupportedAssetType):
+			http.Error(rw, err.Error(), http.StatusUnsupportedMediaType)
+		default:
+			http.Error(rw, err.Error(), http.StatusBadRequest)
+		}
+		return
+	}
+
+	info, statErr := s.deps.Wiki.StatAsset(r.Context(), uploaded)
+	if statErr != nil {
+		slog.Warn("http upload_asset stat failed",
+			slog.String("path", uploaded), slog.Any("error", statErr))
+		info = &wiki.AssetInfo{Path: uploaded}
+	}
+
+	rw.WriteHeader(http.StatusCreated)
+	writeJSON(rw, uploadAssetResponse{
+		Path:      uploaded,
+		URL:       "/assets/" + uploaded,
+		SizeBytes: info.SizeBytes,
+		MIME:      info.MIME,
+	})
+}
+
+// readAssetUpload extracts (page, name, content) from either a JSON
+// body or a multipart/form-data body. Returns descriptive errors that
+// the caller can pass straight to http.Error.
+//
+// Body size is bounded by http.MaxBytesReader using the wiki's
+// MaxAssetBytes (or default) plus a small overhead for the multipart
+// framing. Going over the cap is reported as "request entity too
+// large" by the standard library.
+func readAssetUpload(r *http.Request) (page, name string, content []byte, err error) {
+	maxBytes := defaultUploadCapForRequest(r)
+	r.Body = http.MaxBytesReader(nil, r.Body, maxBytes)
+
+	ct := r.Header.Get("Content-Type")
+	switch {
+	case strings.HasPrefix(ct, "multipart/form-data"):
+		// 32 MiB in-memory threshold matches stdlib defaults for
+		// form parsing; anything larger gets spooled to a temp
+		// file by the multipart reader.
+		if err := r.ParseMultipartForm(32 << 20); err != nil {
+			return "", "", nil, errors.New("parse multipart: " + err.Error())
+		}
+		page = r.FormValue("page")
+		name = r.FormValue("name")
+
+		f, hdr, ferr := r.FormFile("file")
+		if ferr != nil {
+			return "", "", nil, errors.New("missing 'file' part: " + ferr.Error())
+		}
+		defer f.Close()
+		if name == "" {
+			name = hdr.Filename
+		}
+		data, rerr := io.ReadAll(f)
+		if rerr != nil {
+			return "", "", nil, errors.New("read 'file' part: " + rerr.Error())
+		}
+		content = data
+
+	default:
+		// Treat anything else as JSON for simplicity. application/
+		// json is the documented happy path; other content types
+		// either decode as JSON or get a clear parse error.
+		var body uploadAssetJSON
+		if derr := json.NewDecoder(r.Body).Decode(&body); derr != nil {
+			return "", "", nil, errors.New("invalid JSON: " + derr.Error())
+		}
+		page = body.Page
+		name = body.Name
+		if body.ContentBase64 == "" {
+			return "", "", nil, errors.New("content_base64 is required for JSON uploads")
+		}
+		data, derr := base64.StdEncoding.DecodeString(body.ContentBase64)
+		if derr != nil {
+			if alt, altErr := base64.URLEncoding.DecodeString(body.ContentBase64); altErr == nil {
+				data = alt
+			} else {
+				return "", "", nil, errors.New("decode content_base64: " + derr.Error())
+			}
+		}
+		content = data
+	}
+
+	if page == "" {
+		return "", "", nil, errors.New("page is required")
+	}
+	if name == "" {
+		return "", "", nil, errors.New("name is required")
+	}
+	return page, name, content, nil
+}
+
+// defaultUploadCapForRequest returns the HTTP-level body cap for an
+// upload. We don't have a clean handle on Wiki.MaxAssetBytes from
+// here without expanding the Deps surface, so we use a generous
+// constant upper bound (128 MiB) and let the wiki layer report the
+// precise cap to the client when it rejects via ErrAssetTooLarge.
+// The cap mostly exists to bound multipart parsing memory.
+func defaultUploadCapForRequest(_ *http.Request) int64 {
+	return 128 * 1024 * 1024
+}
+
+// deleteAsset handles DELETE /api/assets/<path>. Removes the asset
+// file (and any index rows referencing it). Pages that still embed
+// the asset will have a dangling markdown reference until they are
+// edited — the caller is expected to clean those up if it cares.
+func (s *Server) deleteAsset(rw http.ResponseWriter, r *http.Request) {
+	assetPath := r.PathValue("path")
+	if assetPath == "" {
+		http.Error(rw, "asset path is required", http.StatusBadRequest)
+		return
+	}
+
+	if err := s.deps.Wiki.DeleteAsset(r.Context(), assetPath); err != nil {
+		if errors.Is(err, wiki.ErrAssetNotFound) {
+			http.NotFound(rw, r)
+			return
+		}
+		slog.Warn("http delete_asset failed",
+			slog.String("path", assetPath), slog.Any("error", err))
+		http.Error(rw, err.Error(), http.StatusBadRequest)
+		return
+	}
+
+	writeJSON(rw, map[string]string{"status": "deleted", "path": assetPath})
+}
+
+// serveAsset handles GET /assets/<path>. Reads the asset from the
+// wiki and streams it back with the correct Content-Type. SVG is
+// served with a strict CSP to neutralize script-injection from
+// hand-crafted SVG payloads.
+//
+// The /assets prefix is deliberately distinct from the SPA static
+// handler at "/" so URLs in markdown (rewritten by the web UI to
+// /assets/<path>) don't conflict with the React/Preact routes.
+func (s *Server) serveAsset(rw http.ResponseWriter, r *http.Request) {
+	assetPath := r.PathValue("path")
+	if assetPath == "" {
+		http.NotFound(rw, r)
+		return
+	}
+
+	data, mime, err := s.deps.Wiki.ReadAsset(r.Context(), assetPath)
+	if err != nil {
+		if errors.Is(err, wiki.ErrAssetNotFound) {
+			http.NotFound(rw, r)
+			return
+		}
+		slog.Warn("http serve_asset failed",
+			slog.String("path", assetPath), slog.Any("error", err))
+		http.Error(rw, err.Error(), http.StatusBadRequest)
+		return
+	}
+
+	rw.Header().Set("Content-Type", mime)
+	rw.Header().Set("Cache-Control", "public, max-age=300")
+	// Conservative CSP for SVG: no scripts, no external loads, no
+	// inline event handlers. Stops script-injection attacks via
+	// embedded <script> or javascript: URLs in hand-crafted SVG.
+	if strings.HasPrefix(mime, "image/svg") {
+		rw.Header().Set("Content-Security-Policy",
+			"default-src 'none'; style-src 'unsafe-inline'; sandbox")
+	}
+	// http.ServeContent gives us conditional GET and byte-range
+	// support; it needs an io.ReadSeeker, which bytes.NewReader
+	// satisfies. We've already loaded the bytes into memory, so
+	// wrapping is essentially free.
+	http.ServeContent(rw, r, assetPath, time.Time{}, bytes.NewReader(data))
+}
diff --git a/internal/httpapi/images_test.go b/internal/httpapi/images_test.go
new file mode 100644
index 0000000..5de3ecc
--- /dev/null
+++ b/internal/httpapi/images_test.go
@@ -0,0 +1,199 @@
+package httpapi
+
+import (
+	"bytes"
+	"encoding/base64"
+	"encoding/json"
+	"io"
+	"mime/multipart"
+	"net/http"
+	"net/http/httptest"
+	"strings"
+	"testing"
+)
+
+// onePixelPNG mirrors the wiki package's fixture; duplicated to keep
+// the httpapi tests free of cross-package internal imports.
+var onePixelPNG = []byte{
+	0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a,
+	0x00, 0x00, 0x00, 0x0d, 0x49, 0x48, 0x44, 0x52,
+	0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x01,
+	0x08, 0x06, 0x00, 0x00, 0x00, 0x1f, 0x15, 0xc4, 0x89,
+	0x00, 0x00, 0x00, 0x0d, 0x49, 0x44, 0x41, 0x54,
+	0x78, 0x9c, 0x62, 0x00, 0x01, 0x00, 0x00, 0x05,
+	0x00, 0x01, 0x0d, 0x0a, 0x2d, 0xb4,
+	0x00, 0x00, 0x00, 0x00, 0x49, 0x45, 0x4e, 0x44,
+	0xae, 0x42, 0x60, 0x82,
+}
+
+func TestUploadAssetJSON(t *testing.T) {
+	h := newTestServer(t)
+
+	// The temporary wiki has no pages, so create one first.
+	doJSON(t, h, "POST", "/api/pages", map[string]string{
+		"path":    "projects/mind-map",
+		"content": "# mm\n",
+	})
+
+	enc := base64.StdEncoding.EncodeToString(onePixelPNG)
+	rec := doJSON(t, h, "POST", "/api/assets", map[string]string{
+		"page":           "projects/mind-map",
+		"name":           "diagram.png",
+		"content_base64": enc,
+	})
+	if rec.Code != http.StatusCreated {
+		t.Fatalf("status = %d, want 201; body=%s", rec.Code, rec.Body.String())
+	}
+	var resp uploadAssetResponse
+	if err := json.Unmarshal(rec.Body.Bytes(), &resp); err != nil {
+		t.Fatalf("unmarshal: %v", err)
+	}
+	if resp.Path != "projects/mind-map.assets/diagram.png" {
+		t.Errorf("Path = %q", resp.Path)
+	}
+	if resp.URL != "/assets/projects/mind-map.assets/diagram.png" {
+		t.Errorf("URL = %q", resp.URL)
+	}
+	if resp.MIME != "image/png" {
+		t.Errorf("MIME = %q", resp.MIME)
+	}
+	if resp.SizeBytes != int64(len(onePixelPNG)) {
+		t.Errorf("SizeBytes = %d, want %d", resp.SizeBytes, len(onePixelPNG))
+	}
+}
+
+func TestUploadAssetMultipart(t *testing.T) {
+	h := newTestServer(t)
+	doJSON(t, h, "POST", "/api/pages", map[string]string{
+		"path":    "projects/mind-map",
+		"content": "# mm\n",
+	})
+
+	body := &bytes.Buffer{}
+	writer := multipart.NewWriter(body)
+	_ = writer.WriteField("page", "projects/mind-map")
+	_ = writer.WriteField("name", "shot.png")
+	part, err := writer.CreateFormFile("file", "shot.png")
+	if err != nil {
+		t.Fatal(err)
+	}
+	if _, err := part.Write(onePixelPNG); err != nil {
+		t.Fatal(err)
+	}
+	writer.Close()
+
+	req := httptest.NewRequest("POST", "/api/assets", body)
+	req.Header.Set("Content-Type", writer.FormDataContentType())
+	rec := httptest.NewRecorder()
+	h.ServeHTTP(rec, req)
+
+	if rec.Code != http.StatusCreated {
+		t.Fatalf("status = %d, want 201; body=%s", rec.Code, rec.Body.String())
+	}
+	var resp uploadAssetResponse
+	if err := json.Unmarshal(rec.Body.Bytes(), &resp); err != nil {
+		t.Fatalf("unmarshal: %v", err)
+	}
+	if !strings.HasSuffix(resp.Path, "shot.png") {
+		t.Errorf("Path = %q", resp.Path)
+	}
+}
+
+func TestUploadAssetRejectsNonImage(t *testing.T) {
+	h := newTestServer(t)
+	doJSON(t, h, "POST", "/api/pages", map[string]string{
+		"path":    "projects/mind-map",
+		"content": "# mm\n",
+	})
+
+	enc := base64.StdEncoding.EncodeToString([]byte("definitely not a png"))
+	rec := doJSON(t, h, "POST", "/api/assets", map[string]string{
+		"page":           "projects/mind-map",
+		"name":           "evil.png",
+		"content_base64": enc,
+	})
+	if rec.Code != http.StatusUnsupportedMediaType {
+		t.Errorf("status = %d, want 415; body=%s", rec.Code, rec.Body.String())
+	}
+}
+
+func TestServeAsset(t *testing.T) {
+	h := newTestServer(t)
+	doJSON(t, h, "POST", "/api/pages", map[string]string{
+		"path":    "projects/mind-map",
+		"content": "# mm\n",
+	})
+	enc := base64.StdEncoding.EncodeToString(onePixelPNG)
+	doJSON(t, h, "POST", "/api/assets", map[string]string{
+		"page":           "projects/mind-map",
+		"name":           "d.png",
+		"content_base64": enc,
+	})
+
+	req := httptest.NewRequest("GET", "/assets/projects/mind-map.assets/d.png", nil)
+	rec := httptest.NewRecorder()
+	h.ServeHTTP(rec, req)
+	if rec.Code != http.StatusOK {
+		t.Fatalf("status = %d, want 200", rec.Code)
+	}
+	if got := rec.Header().Get("Content-Type"); got != "image/png" {
+		t.Errorf("Content-Type = %q", got)
+	}
+	body, _ := io.ReadAll(rec.Body)
+	if !bytes.Equal(body, onePixelPNG) {
+		t.Errorf("body differs from uploaded PNG")
+	}
+}
+
+func TestServeAssetSVGCSP(t *testing.T) {
+	h := newTestServer(t)
+	doJSON(t, h, "POST", "/api/pages", map[string]string{
+		"path":    "projects/mind-map",
+		"content": "# mm\n",
+	})
+	svg := `<svg xmlns="http://www.w3.org/2000/svg" width="1" height="1"><rect/></svg>`
+	enc := base64.StdEncoding.EncodeToString([]byte(svg))
+	doJSON(t, h, "POST", "/api/assets", map[string]string{
+		"page":           "projects/mind-map",
+		"name":           "vec.svg",
+		"content_base64": enc,
+	})
+
+	req := httptest.NewRequest("GET", "/assets/projects/mind-map.assets/vec.svg", nil)
+	rec := httptest.NewRecorder()
+	h.ServeHTTP(rec, req)
+	if rec.Code != http.StatusOK {
+		t.Fatalf("status = %d", rec.Code)
+	}
+	csp := rec.Header().Get("Content-Security-Policy")
+	if csp == "" {
+		t.Fatal("SVG response missing Content-Security-Policy header")
+	}
+	if !strings.Contains(csp, "default-src 'none'") {
+		t.Errorf("CSP = %q, expected restrictive default-src 'none'", csp)
+	}
+}
+
+func TestServeAssetNotFound(t *testing.T) {
+	h := newTestServer(t)
+	req := httptest.NewRequest("GET", "/assets/does/not/exist.png", nil)
+	rec := httptest.NewRecorder()
+	h.ServeHTTP(rec, req)
+	if rec.Code != http.StatusNotFound {
+		t.Errorf("status = %d, want 404", rec.Code)
+	}
+}
+
+func TestServeAssetRejectsTraversal(t *testing.T) {
+	h := newTestServer(t)
+	// The Go 1.22 routing pattern auto-cleans paths, so "../" usually
+	// gets stripped before reaching the handler. We still want to
+	// confirm the wiki-layer guard returns a 4xx for any path that
+	// somehow makes it through.
+	req := httptest.NewRequest("GET", "/assets/..%2F..%2Fetc%2Fpasswd", nil)
+	rec := httptest.NewRecorder()
+	h.ServeHTTP(rec, req)
+	if rec.Code == http.StatusOK {
+		t.Errorf("traversal accepted: status %d", rec.Code)
+	}
+}
diff --git a/internal/httpapi/server.go b/internal/httpapi/server.go
index 8b4874a..c8ae0a0 100644
--- a/internal/httpapi/server.go
+++ b/internal/httpapi/server.go
@@ -176,6 +176,7 @@ func (s *Server) register(mux *http.ServeMux) {
 	mux.HandleFunc("POST /api/restart", s.postRestart)
 	mux.HandleFunc("POST /api/reindex", s.postReindex)
 	mux.HandleFunc("GET /api/sync/status", s.getSyncStatus)
+	s.registerAssets(mux)
 	mux.Handle("/", s.staticHandler())
 }
 
diff --git a/internal/mcp/images.go b/internal/mcp/images.go
new file mode 100644
index 0000000..8d476d1
--- /dev/null
+++ b/internal/mcp/images.go
@@ -0,0 +1,304 @@
+// MCP tool handlers for image support.
+//
+// Three new tools surface the wiki's asset layer to agents:
+//
+//   - upload_image: write binary content into the page's sidecar and
+//     return a markdown-ready path. The agent embeds the reference
+//     itself via update_page / edit_page; this keeps tool
+//     responsibilities crisp (we considered an insert_image
+//     convenience tool but deferred it — see the design doc).
+//
+//   - download_image: fetch an asset and return it as MCP ImageContent
+//     so vision-capable agents see the image inline.
+//
+//   - get_page and search_pages gain include_images and
+//     include_image_metadata flags, opt-in by design (default off so
+//     token cost stays predictable). When the operator forces images
+//     off (Server.ForceImagesOff) those flags are silently overridden
+//     and a notice is appended to the response so callers don't reason
+//     as if they got what they asked for.
+
+package mcp
+
+import (
+	"context"
+	"encoding/base64"
+	"encoding/json"
+	"errors"
+	"fmt"
+	"log/slog"
+	"time"
+
+	"github.com/aniongithub/mind-map/internal/wiki"
+	"github.com/modelcontextprotocol/go-sdk/mcp"
+)
+
+// ForceImagesOff, when set on the Server, makes get_page and
+// search_pages behave as if include_images=false and
+// include_image_metadata=false regardless of caller request. Intended
+// for token-constrained deployments. See SetForceImagesOff.
+func (s *Server) SetForceImagesOff(off bool) { s.forceImagesOff = off }
+
+// uploadImageInput is the request shape for the upload_image tool.
+//
+// Content is base64-encoded so the JSON-over-stdio MCP transport can
+// carry arbitrary binary safely. The Go SDK doesn't currently support
+// passing []byte through tool inputs as raw bytes — base64 is the
+// universal idiom.
+type uploadImageInput struct {
+	Page          string `json:"page" jsonschema:"page path (without .md) under which to store the image; the asset lives in <page>.assets/<name>"`
+	Name          string `json:"name" jsonschema:"filename for the uploaded image, e.g. diagram.png; collisions auto-suffix"`
+	ContentBase64 string `json:"content_base64" jsonschema:"image bytes encoded as base64. Supported formats: PNG, JPEG, GIF, WebP, AVIF, SVG, BMP, ICO."`
+}
+
+// uploadImageOutput is the success payload. `Path` is the markdown-
+// ready relative path the agent should embed; `URL` is the convenience
+// HTTP path served by the static asset handler.
+type uploadImageOutput struct {
+	Path      string `json:"path"`
+	URL       string `json:"url"`
+	SizeBytes int64  `json:"size_bytes"`
+	MIME      string `json:"mime"`
+}
+
+func (s *Server) uploadImage(ctx context.Context, _ *mcp.CallToolRequest, in uploadImageInput) (*mcp.CallToolResult, any, error) {
+	start := time.Now()
+
+	content, err := base64.StdEncoding.DecodeString(in.ContentBase64)
+	if err != nil {
+		// Be forgiving of URL-safe base64 too — vision tooling often
+		// emits one or the other.
+		if alt, altErr := base64.URLEncoding.DecodeString(in.ContentBase64); altErr == nil {
+			content = alt
+		} else {
+			return nil, nil, fmt.Errorf("decode content_base64: %w", err)
+		}
+	}
+
+	uploaded, err := s.wiki.UploadAsset(ctx, in.Page, in.Name, content)
+	if err != nil {
+		slog.Warn("tool.upload_image failed",
+			slog.String("page", in.Page),
+			slog.String("name", in.Name),
+			slog.Int("bytes", len(content)),
+			slog.Any("error", err),
+		)
+		switch {
+		case errors.Is(err, wiki.ErrAssetTooLarge):
+			return nil, nil, fmt.Errorf("%w. Compress or split the image before retrying", err)
+		case errors.Is(err, wiki.ErrUnsupportedAssetType):
+			return nil, nil, fmt.Errorf("%w. Supported formats: PNG, JPEG, GIF, WebP, AVIF, SVG, BMP, ICO", err)
+		}
+		return nil, nil, err
+	}
+
+	info, err := s.wiki.StatAsset(ctx, uploaded)
+	if err != nil {
+		// We just wrote the file, so stat failing is genuinely
+		// unexpected. Surface a usable response anyway — the
+		// upload itself succeeded.
+		slog.Warn("tool.upload_image stat after upload failed",
+			slog.String("path", uploaded), slog.Any("error", err))
+		info = &wiki.AssetInfo{Path: uploaded}
+	}
+
+	out := uploadImageOutput{
+		Path:      uploaded,
+		URL:       "/api/assets/" + uploaded,
+		SizeBytes: info.SizeBytes,
+		MIME:      info.MIME,
+	}
+	slog.Info("tool.upload_image",
+		slog.String("page", in.Page),
+		slog.String("path", uploaded),
+		slog.Int64("bytes", info.SizeBytes),
+		slog.String("mime", info.MIME),
+		slog.Duration("elapsed", time.Since(start)),
+	)
+	return textResult(out)
+}
+
+// downloadImageInput is the request shape for download_image. The path
+// is the wiki-relative asset path (as it appears in markdown).
+type downloadImageInput struct {
+	Path string `json:"path" jsonschema:"wiki-relative path to the image, e.g. projects/mind-map.assets/diagram.png"`
+}
+
+func (s *Server) downloadImage(ctx context.Context, _ *mcp.CallToolRequest, in downloadImageInput) (*mcp.CallToolResult, any, error) {
+	start := time.Now()
+	data, mime, err := s.wiki.ReadAsset(ctx, in.Path)
+	if err != nil {
+		slog.Warn("tool.download_image failed",
+			slog.String("path", in.Path), slog.Any("error", err))
+		return nil, nil, err
+	}
+	slog.Info("tool.download_image",
+		slog.String("path", in.Path),
+		slog.Int("bytes", len(data)),
+		slog.String("mime", mime),
+		slog.Duration("elapsed", time.Since(start)),
+	)
+	return &mcp.CallToolResult{
+		Content: []mcp.Content{
+			&mcp.ImageContent{
+				Data:     data,
+				MIMEType: mime,
+			},
+		},
+	}, nil, nil
+}
+
+// deleteImageInput is the request shape for delete_image.
+type deleteImageInput struct {
+	Path string `json:"path" jsonschema:"wiki-relative path to the image to delete, e.g. projects/mind-map.assets/diagram.png"`
+}
+
+func (s *Server) deleteImage(ctx context.Context, _ *mcp.CallToolRequest, in deleteImageInput) (*mcp.CallToolResult, any, error) {
+	start := time.Now()
+	if err := s.wiki.DeleteAsset(ctx, in.Path); err != nil {
+		slog.Warn("tool.delete_image failed",
+			slog.String("path", in.Path), slog.Any("error", err))
+		return nil, nil, err
+	}
+	slog.Info("tool.delete_image",
+		slog.String("path", in.Path),
+		slog.Duration("elapsed", time.Since(start)),
+	)
+	return &mcp.CallToolResult{
+		Content: []mcp.Content{
+			&mcp.TextContent{Text: "Deleted image: " + in.Path},
+		},
+	}, nil, nil
+}
+
+// pageReadFlags carries the optional image-related read flags used by
+// get_page and search_pages. Kept as a named type so the schema
+// descriptions land on the same set of fields everywhere.
+type pageReadFlags struct {
+	IncludeImages         bool `json:"include_images,omitempty" jsonschema:"if true, include referenced images as MCP image content blocks alongside the page body. Default false — opt in only when a vision-capable agent needs to see the images inline. Server may force this off for token-constrained deployments."`
+	IncludeImageMetadata  bool `json:"include_image_metadata,omitempty" jsonschema:"if true, include { path, size_bytes, mime } for each referenced image without the bytes. Cheap mode for non-vision agents or planning a follow-up download_image call. Default false."`
+}
+
+// getPageInput replaces the legacy pagePathInput for get_page so we can
+// add the new flags without affecting other tools that still take a
+// bare path.
+type getPageInput struct {
+	Path string `json:"path" jsonschema:"page path without .md extension, e.g. projects/mind-map"`
+	pageReadFlags
+}
+
+// imageMetadata is the cheap-mode shape included in get_page responses
+// when include_image_metadata=true. Subset of wiki.AssetInfo; we keep
+// the JSON identical so callers parsing either source see the same
+// fields.
+type imageMetadata struct {
+	Path      string `json:"path"`
+	SizeBytes int64  `json:"size_bytes"`
+	MIME      string `json:"mime"`
+	// Missing reports whether the file was missing on disk despite
+	// being indexed. Lets agents distinguish "we couldn't read it"
+	// from "it's a zero-byte file".
+	Missing bool `json:"missing,omitempty"`
+}
+
+// pageWithImages is the JSON payload for include_image_metadata mode.
+// We embed the wiki.Page directly so existing fields appear unchanged.
+type pageWithImages struct {
+	*wiki.Page
+	Images []imageMetadata `json:"images,omitempty"`
+	// ImagesForced, when true, signals that the operator-level kill
+	// switch overrode the caller's request to include images or
+	// image metadata. Agents should treat this as authoritative —
+	// retrying with the flag set again won't help.
+	ImagesForcedOff bool `json:"images_forced_off,omitempty"`
+}
+
+// getPageWithFlags is the new get_page handler. The signature change
+// (from pagePathInput to getPageInput) is back-compat at the JSON
+// level: the original `path` field is still required, the new fields
+// are optional and default to false.
+func (s *Server) getPageWithFlags(ctx context.Context, _ *mcp.CallToolRequest, in getPageInput) (*mcp.CallToolResult, any, error) {
+	start := time.Now()
+	page, err := s.wiki.GetPage(ctx, in.Path)
+	if err != nil {
+		slog.Warn("tool.get_page failed", slog.String("page", in.Path), slog.Any("error", err))
+		return nil, nil, err
+	}
+
+	wantMeta := in.IncludeImageMetadata
+	wantBytes := in.IncludeImages
+	forcedOff := s.forceImagesOff && (wantMeta || wantBytes)
+	if s.forceImagesOff {
+		wantMeta = false
+		wantBytes = false
+	}
+
+	// Fast path: no image work requested → same response shape as
+	// before. Keeps existing agents and tooling untouched.
+	if !wantMeta && !wantBytes && !forcedOff {
+		slog.Info("tool.get_page",
+			slog.String("page", in.Path),
+			slog.Duration("elapsed", time.Since(start)),
+		)
+		return textResult(page)
+	}
+
+	imageRefs, err := s.wiki.ImageRefsForPage(ctx, in.Path)
+	if err != nil {
+		slog.Warn("tool.get_page image refs failed", slog.String("page", in.Path), slog.Any("error", err))
+		// Don't fail the call — the page body is still useful.
+		imageRefs = nil
+	}
+
+	resp := pageWithImages{Page: page, ImagesForcedOff: forcedOff}
+
+	if wantMeta {
+		resp.Images = make([]imageMetadata, 0, len(imageRefs))
+		for _, ref := range imageRefs {
+			info, statErr := s.wiki.StatAsset(ctx, ref)
+			if statErr != nil {
+				resp.Images = append(resp.Images, imageMetadata{Path: ref, Missing: true})
+				continue
+			}
+			resp.Images = append(resp.Images, imageMetadata{
+				Path:      info.Path,
+				SizeBytes: info.SizeBytes,
+				MIME:      info.MIME,
+			})
+		}
+	}
+
+	// Build the multi-block response: JSON page body first (so non-
+	// vision agents still get text), then optional image content
+	// blocks for vision agents.
+	data, err := json.MarshalIndent(resp, "", "  ")
+	if err != nil {
+		return nil, nil, err
+	}
+	content := []mcp.Content{&mcp.TextContent{Text: string(data)}}
+
+	if wantBytes {
+		for _, ref := range imageRefs {
+			body, mime, readErr := s.wiki.ReadAsset(ctx, ref)
+			if readErr != nil {
+				slog.Warn("tool.get_page include_images read failed",
+					slog.String("asset", ref), slog.Any("error", readErr))
+				continue
+			}
+			content = append(content, &mcp.ImageContent{
+				Data:     body,
+				MIMEType: mime,
+			})
+		}
+	}
+
+	slog.Info("tool.get_page",
+		slog.String("page", in.Path),
+		slog.Bool("include_images", wantBytes),
+		slog.Bool("include_image_metadata", wantMeta),
+		slog.Bool("forced_off", forcedOff),
+		slog.Int("image_count", len(imageRefs)),
+		slog.Duration("elapsed", time.Since(start)),
+	)
+	return &mcp.CallToolResult{Content: content}, nil, nil
+}
diff --git a/internal/mcp/images_test.go b/internal/mcp/images_test.go
new file mode 100644
index 0000000..f31d19e
--- /dev/null
+++ b/internal/mcp/images_test.go
@@ -0,0 +1,249 @@
+package mcp
+
+import (
+	"context"
+	"encoding/base64"
+	"encoding/json"
+	"strings"
+	"testing"
+
+	"github.com/aniongithub/mind-map/internal/wiki"
+	"github.com/modelcontextprotocol/go-sdk/mcp"
+)
+
+// onePixelPNG mirrors the test fixture from internal/wiki/assets_test.go.
+// Duplicated here so the MCP tests don't need a cross-package import.
+var onePixelPNG = []byte{
+	0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a,
+	0x00, 0x00, 0x00, 0x0d, 0x49, 0x48, 0x44, 0x52,
+	0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x01,
+	0x08, 0x06, 0x00, 0x00, 0x00, 0x1f, 0x15, 0xc4, 0x89,
+	0x00, 0x00, 0x00, 0x0d, 0x49, 0x44, 0x41, 0x54,
+	0x78, 0x9c, 0x62, 0x00, 0x01, 0x00, 0x00, 0x05,
+	0x00, 0x01, 0x0d, 0x0a, 0x2d, 0xb4,
+	0x00, 0x00, 0x00, 0x00, 0x49, 0x45, 0x4e, 0x44,
+	0xae, 0x42, 0x60, 0x82,
+}
+
+func TestUploadImageTool(t *testing.T) {
+	session := setupTestServer(t)
+
+	enc := base64.StdEncoding.EncodeToString(onePixelPNG)
+	text := callTool(t, session, "upload_image", map[string]any{
+		"page":           "projects/mind-map",
+		"name":           "diagram.png",
+		"content_base64": enc,
+	})
+
+	var out struct {
+		Path      string `json:"path"`
+		URL       string `json:"url"`
+		SizeBytes int64  `json:"size_bytes"`
+		MIME      string `json:"mime"`
+	}
+	if err := json.Unmarshal([]byte(text), &out); err != nil {
+		t.Fatalf("unmarshal upload_image: %v\n%s", err, text)
+	}
+	wantPath := "projects/mind-map.assets/diagram.png"
+	if out.Path != wantPath {
+		t.Errorf("path = %q, want %q", out.Path, wantPath)
+	}
+	if !strings.HasSuffix(out.URL, wantPath) {
+		t.Errorf("URL = %q, want suffix %q", out.URL, wantPath)
+	}
+	if out.MIME != "image/png" {
+		t.Errorf("MIME = %q, want image/png", out.MIME)
+	}
+	if out.SizeBytes != int64(len(onePixelPNG)) {
+		t.Errorf("SizeBytes = %d, want %d", out.SizeBytes, len(onePixelPNG))
+	}
+}
+
+func TestDownloadImageTool(t *testing.T) {
+	session := setupTestServer(t)
+	ctx := context.Background()
+
+	enc := base64.StdEncoding.EncodeToString(onePixelPNG)
+	callTool(t, session, "upload_image", map[string]any{
+		"page":           "projects/mind-map",
+		"name":           "d.png",
+		"content_base64": enc,
+	})
+
+	result, err := session.CallTool(ctx, &mcp.CallToolParams{
+		Name: "download_image",
+		Arguments: map[string]any{
+			"path": "projects/mind-map.assets/d.png",
+		},
+	})
+	if err != nil {
+		t.Fatalf("CallTool download_image: %v", err)
+	}
+	if len(result.Content) != 1 {
+		t.Fatalf("expected 1 content block, got %d", len(result.Content))
+	}
+	img, ok := result.Content[0].(*mcp.ImageContent)
+	if !ok {
+		t.Fatalf("expected ImageContent, got %T", result.Content[0])
+	}
+	if img.MIMEType != "image/png" {
+		t.Errorf("MIME = %q, want image/png", img.MIMEType)
+	}
+	// The Go SDK base64-encodes ImageContent.Data on the wire and
+	// decodes back into []byte on the client side, so we can compare
+	// directly here.
+	if string(img.Data) != string(onePixelPNG) {
+		t.Errorf("image bytes differ; got %d bytes, want %d", len(img.Data), len(onePixelPNG))
+	}
+}
+
+func TestGetPageIncludeImageMetadata(t *testing.T) {
+	session := setupTestServer(t)
+	enc := base64.StdEncoding.EncodeToString(onePixelPNG)
+	callTool(t, session, "upload_image", map[string]any{
+		"page":           "projects/mind-map",
+		"name":           "d.png",
+		"content_base64": enc,
+	})
+	// Reference the asset from the page so the index picks it up.
+	callTool(t, session, "update_page", map[string]any{
+		"path":    "projects/mind-map",
+		"content": "# mm\n\n![d](projects/mind-map.assets/d.png)\n",
+	})
+
+	text := callTool(t, session, "get_page", map[string]any{
+		"path":                   "projects/mind-map",
+		"include_image_metadata": true,
+	})
+
+	// Loose check: the JSON should mention the asset path and a size.
+	if !strings.Contains(text, "projects/mind-map.assets/d.png") {
+		t.Errorf("expected metadata to mention asset path, got: %s", text)
+	}
+	if !strings.Contains(text, "size_bytes") {
+		t.Errorf("expected metadata to include size_bytes, got: %s", text)
+	}
+}
+
+func TestGetPageIncludeImagesBytes(t *testing.T) {
+	session := setupTestServer(t)
+	enc := base64.StdEncoding.EncodeToString(onePixelPNG)
+	callTool(t, session, "upload_image", map[string]any{
+		"page":           "projects/mind-map",
+		"name":           "d.png",
+		"content_base64": enc,
+	})
+	callTool(t, session, "update_page", map[string]any{
+		"path":    "projects/mind-map",
+		"content": "# mm\n\n![d](projects/mind-map.assets/d.png)\n",
+	})
+
+	ctx := context.Background()
+	result, err := session.CallTool(ctx, &mcp.CallToolParams{
+		Name: "get_page",
+		Arguments: map[string]any{
+			"path":           "projects/mind-map",
+			"include_images": true,
+		},
+	})
+	if err != nil {
+		t.Fatalf("CallTool: %v", err)
+	}
+
+	// First block is the text payload; subsequent blocks are images.
+	if len(result.Content) < 2 {
+		t.Fatalf("expected text + at least one image, got %d blocks", len(result.Content))
+	}
+	if _, ok := result.Content[0].(*mcp.TextContent); !ok {
+		t.Fatalf("first block = %T, want TextContent", result.Content[0])
+	}
+	gotImage := false
+	for _, c := range result.Content[1:] {
+		if img, ok := c.(*mcp.ImageContent); ok {
+			gotImage = true
+			if img.MIMEType != "image/png" {
+				t.Errorf("image MIME = %q, want image/png", img.MIMEType)
+			}
+		}
+	}
+	if !gotImage {
+		t.Errorf("no image content block in response")
+	}
+}
+
+func TestUploadImageRejectsNonImage(t *testing.T) {
+	session := setupTestServer(t)
+	ctx := context.Background()
+	enc := base64.StdEncoding.EncodeToString([]byte("not an image"))
+	result, err := session.CallTool(ctx, &mcp.CallToolParams{
+		Name: "upload_image",
+		Arguments: map[string]any{
+			"page":           "projects/mind-map",
+			"name":           "nope.png",
+			"content_base64": enc,
+		},
+	})
+	// The Go SDK surfaces handler errors as result.IsError rather
+	// than as a transport error (the call itself succeeded; the tool
+	// just reported failure). Both shapes are valid signals.
+	if err == nil && !result.IsError {
+		t.Fatal("upload_image accepted non-image content")
+	}
+}
+
+func TestForceImagesOff(t *testing.T) {
+	// Build a server with the kill-switch flipped on and verify the
+	// flags are silently overridden.
+	session, srv := setupTestServerForceOff(t)
+
+	enc := base64.StdEncoding.EncodeToString(onePixelPNG)
+	callTool(t, session, "upload_image", map[string]any{
+		"page":           "projects/mind-map",
+		"name":           "d.png",
+		"content_base64": enc,
+	})
+	callTool(t, session, "update_page", map[string]any{
+		"path":    "projects/mind-map",
+		"content": "# mm\n\n![d](projects/mind-map.assets/d.png)\n",
+	})
+
+	text := callTool(t, session, "get_page", map[string]any{
+		"path":           "projects/mind-map",
+		"include_images": true,
+	})
+	if !strings.Contains(text, "\"images_forced_off\": true") {
+		t.Errorf("expected images_forced_off in response when force-off is set:\n%s", text)
+	}
+	_ = srv
+}
+
+// setupTestServerForceOff wires a server with force-images-off enabled.
+// Mirrors setupTestServer but exposes the *Server too so tests can poke
+// at server-level flags.
+func setupTestServerForceOff(t *testing.T) (*mcp.ClientSession, *Server) {
+	t.Helper()
+	dir := t.TempDir()
+	writeTestFile(t, dir, "index.md", "# Home\n")
+	writeTestFile(t, dir, "projects/mind-map.md", "# mm\n")
+	w, err := wiki.Open(dir)
+	if err != nil {
+		t.Fatalf("Open wiki: %v", err)
+	}
+	t.Cleanup(func() { w.Close() })
+
+	s := NewServer(w, nil, "test")
+	s.SetForceImagesOff(true)
+
+	client := mcp.NewClient(&mcp.Implementation{Name: "test-client", Version: "v0.0.1"}, nil)
+	ct, st := mcp.NewInMemoryTransports()
+	ctx := context.Background()
+	if _, err := s.MCPServer().Connect(ctx, st, nil); err != nil {
+		t.Fatalf("server connect: %v", err)
+	}
+	session, err := client.Connect(ctx, ct, nil)
+	if err != nil {
+		t.Fatalf("client connect: %v", err)
+	}
+	t.Cleanup(func() { session.Close() })
+	return session, s
+}
diff --git a/internal/mcp/server.go b/internal/mcp/server.go
index 86d622f..0b2e61b 100644
--- a/internal/mcp/server.go
+++ b/internal/mcp/server.go
@@ -23,11 +23,30 @@ type SyncRegistrar interface {
 	HasMapping(pagePath string) bool
 }
 
+// SyncRegistrarWithLFS is satisfied by sync managers that accept an
+// LFS option alongside the direction. MCP's register_sync tool prefers
+// this when available; if the wired registrar only implements
+// SyncRegistrar (older mocks / tests), the LFS flags from the tool
+// input are silently dropped and a warning is logged.
+//
+// We keep the LFS arguments as plain types (bool + []string) rather
+// than a named struct so that *sync.Manager can implement this
+// interface without the mcp package depending on the sync package's
+// types or vice versa.
+type SyncRegistrarWithLFS interface {
+	RegisterMappingWithLFS(prefix, remote string, direction config.SyncDirection, lfs bool, lfsPatterns []string) error
+}
+
 // Server wraps a Wiki and exposes it as MCP tools.
 type Server struct {
 	wiki   *wiki.Wiki
 	sync   SyncRegistrar
 	server *mcp.Server
+	// forceImagesOff, when true, makes get_page / search_pages behave
+	// as if include_images and include_image_metadata are both false
+	// regardless of caller request. Set by operators for token-
+	// constrained deployments via SetForceImagesOff.
+	forceImagesOff bool
 }
 
 // NewServer creates an MCP server backed by the given wiki.
@@ -71,8 +90,8 @@ func (s *Server) registerTools() {
 
 	mcp.AddTool(s.server, &mcp.Tool{
 		Name:        "get_page",
-		Description: "Read a wiki page with parsed frontmatter, body, outgoing links, and backlinks.",
-	}, s.getPage)
+		Description: "Read a wiki page with parsed frontmatter, body, outgoing links, and backlinks. Optional flags include_images (returns referenced images as MCP image content for vision agents) and include_image_metadata (returns {path,size,mime} per image without bytes). Both default off to keep token cost predictable.",
+	}, s.getPageWithFlags)
 
 	mcp.AddTool(s.server, &mcp.Tool{
 		Name:        "create_page",
@@ -113,6 +132,21 @@ func (s *Server) registerTools() {
 		Name:        "reindex_wiki",
 		Description: "Force a full reindex pass over the wiki's on-disk markdown files. Use when you've edited files outside the wiki API and want the index (search, page list, backlinks) to reflect disk state without restarting the server. The pass is incremental — unchanged files are skipped via mtime — so it's cheap to call. Returns stats: total/added/updated/removed/unchanged/elapsed_ms.",
 	}, s.reindexWiki)
+
+	mcp.AddTool(s.server, &mcp.Tool{
+		Name:        "upload_image",
+		Description: "Upload an image to a page's sidecar directory and return its markdown-ready path. The agent then embeds the reference (e.g. ![alt](returned/path)) via update_page or edit_page. Image bytes must be base64-encoded; supported formats track what browsers render natively (PNG, JPEG, GIF, WebP, AVIF, SVG, BMP, ICO). Collisions auto-suffix.",
+	}, s.uploadImage)
+
+	mcp.AddTool(s.server, &mcp.Tool{
+		Name:        "download_image",
+		Description: "Read an image asset and return it as MCP ImageContent so vision-capable agents can see it directly. Path is the wiki-relative asset path as it appears in markdown references.",
+	}, s.downloadImage)
+
+	mcp.AddTool(s.server, &mcp.Tool{
+		Name:        "delete_image",
+		Description: "Remove an image asset from the wiki. Pages that still reference the deleted image will have a dangling markdown link until edited — the caller is responsible for cleaning up references. Useful for capture tooling that wants a clean canonical filename across re-runs rather than auto-suffixed duplicates.",
+	}, s.deleteImage)
 }
 
 // --- Tool input types ---
@@ -145,6 +179,14 @@ type registerSyncInput struct {
 	Remote string `json:"remote" jsonschema:"git remote URL, e.g. https://github.com/user/repo.wiki.git"`
 	// Direction is optional. Omitted or empty means bidirectional.
 	Direction string `json:"direction,omitempty" jsonschema:"sync direction: 'bidirectional' (default), 'pull' (mirror remote read-only into wiki), or 'push' (publish wiki to remote, never pulling)"`
+	// LFS, when true, configures the synced clone to track binary
+	// assets through git-lfs. Requires git-lfs on the host. Leave
+	// off for GitHub wikis (which reject LFS pointers) and other
+	// providers that don't support LFS.
+	LFS bool `json:"lfs,omitempty" jsonschema:"if true, route binary assets through git-lfs in the synced clone. Requires git-lfs on the host. Defaults false. Do not enable for GitHub wikis (LFS unsupported)."`
+	// LFSPatterns, when set, overrides the default LFS .gitattributes
+	// patterns (the browser-renderable image set).
+	LFSPatterns []string `json:"lfs_patterns,omitempty" jsonschema:"optional .gitattributes patterns to route through LFS. If LFS=true and this is empty, the default image-format set is used."`
 }
 
 type moveInput struct {
@@ -180,6 +222,15 @@ func (s *Server) getWikiContext(ctx context.Context, _ *mcp.CallToolRequest, _ a
 	return textResult(wctx)
 }
 
+// get_page is implemented in images.go as getPageWithFlags so the
+// image-related flags live next to the rest of the image tooling.
+// The old getPage handler that landed on main is intentionally
+// dropped during this merge: its signature (pagePathInput, no
+// flags) was superseded by getPageWithFlags (getPageInput with the
+// IncludeImages / IncludeImageMetadata flags) in this branch's
+// slice 3 — keeping both would mean two handlers for the same tool
+// name.
+
 func (s *Server) getWikiDigest(ctx context.Context, _ *mcp.CallToolRequest, _ any) (*mcp.CallToolResult, any, error) {
 	start := time.Now()
 	d, err := s.wiki.Digest(ctx)
@@ -198,17 +249,6 @@ func (s *Server) getWikiDigest(ctx context.Context, _ *mcp.CallToolRequest, _ an
 	return textResult(d)
 }
 
-func (s *Server) getPage(ctx context.Context, _ *mcp.CallToolRequest, input pagePathInput) (*mcp.CallToolResult, any, error) {
-	start := time.Now()
-	page, err := s.wiki.GetPage(ctx, input.Path)
-	if err != nil {
-		slog.Warn("tool.get_page failed", slog.String("page", input.Path), slog.Any("error", err))
-		return nil, nil, err
-	}
-	slog.Info("tool.get_page", slog.String("page", input.Path), slog.Duration("elapsed", time.Since(start)))
-	return textResult(page)
-}
-
 func (s *Server) createPage(ctx context.Context, _ *mcp.CallToolRequest, input createInput) (*mcp.CallToolResult, any, error) {
 	start := time.Now()
 	if err := s.wiki.CreatePage(ctx, input.Path, input.Content); err != nil {
@@ -354,10 +394,11 @@ func (s *Server) registerSync(_ context.Context, _ *mcp.CallToolRequest, input r
 		direction = config.SyncBidirectional
 	}
 
-	if err := s.sync.RegisterMapping(input.Prefix, input.Remote, direction); err != nil {
+	if err := s.registerSyncMapping(input.Prefix, input.Remote, direction, input.LFS, input.LFSPatterns); err != nil {
 		slog.Error("tool.register_sync failed",
 			slog.String("prefix", input.Prefix),
 			slog.String("direction", string(direction)),
+			slog.Bool("lfs", input.LFS),
 			slog.Any("error", err),
 		)
 		return nil, nil, err
@@ -367,6 +408,7 @@ func (s *Server) registerSync(_ context.Context, _ *mcp.CallToolRequest, input r
 		slog.String("prefix", input.Prefix),
 		slog.String("remote", input.Remote),
 		slog.String("direction", string(direction)),
+		slog.Bool("lfs", input.LFS),
 	)
 
 	msg := fmt.Sprintf("Sync registered: pages under '%s' will sync to %s", input.Prefix, input.Remote)
@@ -378,6 +420,9 @@ func (s *Server) registerSync(_ context.Context, _ *mcp.CallToolRequest, input r
 	default:
 		msg += " (bidirectional)"
 	}
+	if input.LFS {
+		msg += "; binary assets routed through git-lfs"
+	}
 	return &mcp.CallToolResult{
 		Content: []mcp.Content{
 			&mcp.TextContent{Text: msg},
@@ -385,6 +430,23 @@ func (s *Server) registerSync(_ context.Context, _ *mcp.CallToolRequest, input r
 	}, nil, nil
 }
 
+// registerSyncMapping dispatches the registration call to either the
+// LFS-aware variant (when the wired registrar implements it) or the
+// back-compat variant (which silently drops LFS settings). Logs a
+// warning when LFS was requested but the registrar can't honor it
+// so the operator isn't misled about the resulting behavior.
+func (s *Server) registerSyncMapping(prefix, remote string, direction config.SyncDirection, lfs bool, patterns []string) error {
+	if rw, ok := s.sync.(SyncRegistrarWithLFS); ok {
+		return rw.RegisterMappingWithLFS(prefix, remote, direction, lfs, patterns)
+	}
+	if lfs {
+		slog.Warn("register_sync LFS requested but registrar doesn't support it; falling back to non-LFS",
+			slog.String("prefix", prefix),
+			slog.String("remote", remote))
+	}
+	return s.sync.RegisterMapping(prefix, remote, direction)
+}
+
 // topPrefix extracts the top-level prefix from a page path.
 // "projects/mind-map/design" -> "projects/mind-map"
 // "notes" -> ""
diff --git a/internal/sync/assets_test.go b/internal/sync/assets_test.go
new file mode 100644
index 0000000..4cd60ba
--- /dev/null
+++ b/internal/sync/assets_test.go
@@ -0,0 +1,186 @@
+package sync
+
+import (
+	"context"
+	"os"
+	"os/exec"
+	"path/filepath"
+	"strings"
+	"testing"
+
+	"github.com/aniongithub/mind-map/internal/config"
+)
+
+// TestSyncableRel covers the predicate the asset-aware sync uses to
+// decide which files cross between the wiki and the shadow clone.
+// Markdown is always carried; non-markdown files only travel when
+// they live inside a *.assets/ sidecar directory.
+func TestSyncableRel(t *testing.T) {
+	cases := []struct {
+		rel  string
+		want bool
+	}{
+		// pages — any *.md travels
+		{"index.md", true},
+		{"projects/mm.md", true},
+		{"projects/mm.scratch/notes.md", true},
+		// sidecar assets
+		{"projects/mm.assets/diagram.png", true},
+		{"foo.assets/a.svg", true},
+		// not ours
+		{"random.txt", false},
+		{"projects/mm.scratch/notes.txt", false},
+		{"", false},
+		// substring traps
+		{"projects/notassets/x.png", false},
+		{"projects/.assets-private/x.png", false},
+	}
+	for _, c := range cases {
+		if got := syncableRel(c.rel); got != c.want {
+			t.Errorf("syncableRel(%q) = %v, want %v", c.rel, got, c.want)
+		}
+	}
+}
+
+// TestSyncCarriesAssets exercises the end-to-end happy path: write a
+// markdown file plus a sidecar asset on the wiki side, sync, and
+// verify both ended up in the bare remote.
+func TestSyncCarriesAssets(t *testing.T) {
+	if _, err := exec.LookPath("git"); err != nil {
+		t.Skip("git not found")
+	}
+
+	remotePath := setupBareRemote(t)
+	seedRemote(t, remotePath)
+
+	wikiDir := t.TempDir()
+	cfg := config.DefaultConfig()
+	cfg.Sync.Enabled = true
+	cfg.Sync.Default = remotePath
+	cfg.Sync.Interval = "5s"
+
+	cfgPath := filepath.Join(t.TempDir(), "config.json")
+	config.Save(cfgPath, cfg)
+
+	mgr := NewManager(wikiDir, cfgPath, cfg, &mockReindexer{})
+	if err := mgr.Start(context.Background()); err != nil {
+		t.Fatalf("Start: %v", err)
+	}
+	defer mgr.Stop()
+
+	// Drop a page + a sidecar asset on the wiki side.
+	pageDir := filepath.Join(wikiDir, "projects")
+	os.MkdirAll(filepath.Join(pageDir, "mm.assets"), 0o755)
+	os.WriteFile(filepath.Join(pageDir, "mm.md"),
+		[]byte("# mm\n\n![d](projects/mm.assets/d.png)\n"), 0o644)
+	// onePixelPNG bytes inline so the test doesn't depend on cross-
+	// package fixtures.
+	png := []byte{
+		0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a,
+		0x00, 0x00, 0x00, 0x0d, 0x49, 0x48, 0x44, 0x52,
+		0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x01,
+		0x08, 0x06, 0x00, 0x00, 0x00, 0x1f, 0x15, 0xc4, 0x89,
+		0x00, 0x00, 0x00, 0x0d, 0x49, 0x44, 0x41, 0x54,
+		0x78, 0x9c, 0x62, 0x00, 0x01, 0x00, 0x00, 0x05,
+		0x00, 0x01, 0x0d, 0x0a, 0x2d, 0xb4,
+		0x00, 0x00, 0x00, 0x00, 0x49, 0x45, 0x4e, 0x44,
+		0xae, 0x42, 0x60, 0x82,
+	}
+	os.WriteFile(filepath.Join(pageDir, "mm.assets", "d.png"), png, 0o644)
+
+	// Force a sync cycle deterministically (the ticker is 5s; the
+	// initial Start already runs one syncAll, but the wiki writes
+	// landed after Start so we need a second pass). Easiest: trigger
+	// Reload, which calls rebuildTargets but not sync; instead, just
+	// call syncAll directly via the test helper.
+	mgr.syncAll(context.Background())
+
+	// Inspect the bare remote by cloning it into a scratch dir.
+	scratch := t.TempDir()
+	if out, err := exec.Command("git", "clone", remotePath, scratch).CombinedOutput(); err != nil {
+		t.Fatalf("clone bare: %s: %v", out, err)
+	}
+	if _, err := os.Stat(filepath.Join(scratch, "projects/mm.md")); err != nil {
+		t.Errorf("page not pushed: %v", err)
+	}
+	if _, err := os.Stat(filepath.Join(scratch, "projects/mm.assets/d.png")); err != nil {
+		t.Errorf("asset not pushed: %v", err)
+	}
+}
+
+// TestRegisterMappingWithOptionsLFS verifies that LFS settings round-
+// trip through config and into the syncTarget. We don't push to a
+// remote here — that requires git-lfs on the host and we want this
+// test to run anywhere git is available.
+func TestRegisterMappingWithOptionsLFS(t *testing.T) {
+	cfg := config.DefaultConfig()
+	cfg.Sync.Enabled = true
+	cfg.Sync.Interval = "5s"
+	cfgPath := filepath.Join(t.TempDir(), "config.json")
+	config.Save(cfgPath, cfg)
+
+	mgr := NewManager(t.TempDir(), cfgPath, cfg, &mockReindexer{})
+
+	err := mgr.RegisterMappingWithOptions("projects/alpha", "https://example.com/alpha.git",
+		MappingOptions{
+			Direction: config.SyncBidirectional,
+			LFS:       true,
+		})
+	if err != nil {
+		t.Fatalf("RegisterMappingWithOptions: %v", err)
+	}
+
+	// Reload the config from disk and confirm it was persisted.
+	reloaded, err := config.Load(cfgPath)
+	if err != nil {
+		t.Fatal(err)
+	}
+	if len(reloaded.Sync.Mappings) != 1 {
+		t.Fatalf("expected 1 mapping, got %d", len(reloaded.Sync.Mappings))
+	}
+	m := reloaded.Sync.Mappings[0]
+	if !m.LFS {
+		t.Error("LFS not persisted to config")
+	}
+	if len(m.LFSPatterns) == 0 {
+		t.Error("LFSPatterns not defaulted on persist")
+	}
+	if !strings.Contains(strings.Join(m.LFSPatterns, ","), "*.png") {
+		t.Errorf("LFSPatterns missing *.png: %v", m.LFSPatterns)
+	}
+
+	// The in-memory target should also reflect LFS=true.
+	mgr.mu.Lock()
+	tgt, ok := mgr.targets["https://example.com/alpha.git"]
+	mgr.mu.Unlock()
+	if !ok {
+		t.Fatal("target not registered")
+	}
+	if !tgt.lfs {
+		t.Error("syncTarget.lfs not set")
+	}
+	if len(tgt.lfsPatterns) == 0 {
+		t.Error("syncTarget.lfsPatterns not populated")
+	}
+}
+
+// TestRegisterMappingBackCompatNoLFS verifies that the original
+// RegisterMapping API still works and leaves LFS off.
+func TestRegisterMappingBackCompatNoLFS(t *testing.T) {
+	cfg := config.DefaultConfig()
+	cfg.Sync.Enabled = true
+	cfgPath := filepath.Join(t.TempDir(), "config.json")
+	config.Save(cfgPath, cfg)
+	mgr := NewManager(t.TempDir(), cfgPath, cfg, &mockReindexer{})
+
+	if err := mgr.RegisterMapping("p", "https://example.com/r.git", config.SyncPull); err != nil {
+		t.Fatal(err)
+	}
+	reloaded, _ := config.Load(cfgPath)
+	if len(reloaded.Sync.Mappings) != 1 {
+		t.Fatal("expected 1 mapping")
+	}
+	if reloaded.Sync.Mappings[0].LFS {
+		t.Error("LFS should be false for RegisterMapping callers")
+	}
+}
diff --git a/internal/sync/sync.go b/internal/sync/sync.go
index fa7d55f..81c41e0 100644
--- a/internal/sync/sync.go
+++ b/internal/sync/sync.go
@@ -64,6 +64,11 @@ type syncTarget struct {
 	cloneDir  string
 	prefixes  []string // wiki prefixes that map to this remote
 	direction config.SyncDirection
+	// lfs and lfsPatterns mirror the SyncMapping fields. When lfs is
+	// true the target ensures git-lfs is initialized in the shadow
+	// clone and writes .gitattributes routing lfsPatterns through it.
+	lfs         bool
+	lfsPatterns []string
 
 	mu        sync.Mutex
 	lastSync  time.Time
@@ -155,12 +160,38 @@ func (m *Manager) Interval() time.Duration {
 // RegisterMapping adds a prefix-to-remote mapping with the given
 // direction, saves config, and sets up the sync target. An empty
 // direction normalizes to bidirectional. Returns immediately; sync
-// happens on the next cycle.
+// happens on the next cycle. LFS is left at its existing value for
+// the prefix (false by default for new mappings).
 func (m *Manager) RegisterMapping(prefix, remote string, direction config.SyncDirection) error {
+	return m.RegisterMappingWithOptions(prefix, remote, MappingOptions{Direction: direction})
+}
+
+// MappingOptions bundles the optional knobs accepted by
+// RegisterMappingWithOptions. Embedding all of them in a struct keeps
+// the call site readable when more options accrete in the future.
+type MappingOptions struct {
+	// Direction is the sync direction. Empty value normalizes to
+	// SyncBidirectional.
+	Direction config.SyncDirection
+	// LFS, when true, routes binary assets through git-lfs in the
+	// shadow clone. Requires git-lfs on the host.
+	LFS bool
+	// LFSPatterns is the list of .gitattributes patterns to track
+	// via LFS. Nil + LFS=true uses config.DefaultLFSPatterns. Empty
+	// (non-nil) slice is "track nothing" — usable only as a stub
+	// for later configuration.
+	LFSPatterns []string
+}
+
+// RegisterMappingWithOptions is the full form of RegisterMapping that
+// accepts the LFS knobs. The original RegisterMapping calls into this
+// with no LFS to preserve back-compat with callers that only care
+// about direction.
+func (m *Manager) RegisterMappingWithOptions(prefix, remote string, opts MappingOptions) error {
 	m.mu.Lock()
 	defer m.mu.Unlock()
 
-	m.cfg.Sync.AddMapping(prefix, remote, direction)
+	m.cfg.Sync.AddMappingWithLFS(prefix, remote, opts.Direction, opts.LFS, opts.LFSPatterns)
 	if err := config.Save(m.cfgPath, m.cfg); err != nil {
 		return fmt.Errorf("save config: %w", err)
 	}
@@ -169,11 +200,25 @@ func (m *Manager) RegisterMapping(prefix, remote string, direction config.SyncDi
 	slog.Info("sync mapping registered",
 		slog.String("prefix", prefix),
 		slog.String("remote", remote),
-		slog.String("direction", string(direction.Normalize())),
+		slog.String("direction", string(opts.Direction.Normalize())),
+		slog.Bool("lfs", opts.LFS),
 	)
 	return nil
 }
 
+// RegisterMappingWithLFS is a flat-argument variant of
+// RegisterMappingWithOptions that satisfies the mcp package's
+// SyncRegistrarWithLFS interface. Keeping the argument shape flat
+// (rather than passing a struct) lets the mcp package depend only on
+// stdlib types — no cross-package struct sharing.
+func (m *Manager) RegisterMappingWithLFS(prefix, remote string, direction config.SyncDirection, lfs bool, lfsPatterns []string) error {
+	return m.RegisterMappingWithOptions(prefix, remote, MappingOptions{
+		Direction:   direction,
+		LFS:         lfs,
+		LFSPatterns: lfsPatterns,
+	})
+}
+
 // HasMapping returns true if the given page path has a sync mapping
 // (either explicit or default).
 func (m *Manager) HasMapping(pagePath string) bool {
@@ -212,20 +257,23 @@ func (m *Manager) rebuildTargets() {
 
 // rebuildTargetsLocked rebuilds targets. Caller must hold m.mu.
 func (m *Manager) rebuildTargetsLocked() {
-	// Build remote -> (prefixes, direction) map. Default field is treated
-	// as a bidirectional mapping at the empty prefix.
+	// Build remote -> (prefixes, direction, lfs) map. Default field is
+	// treated as a bidirectional mapping at the empty prefix with LFS
+	// disabled (the default that works on every git provider).
 	type remoteInfo struct {
-		prefixes  []string
-		direction config.SyncDirection
+		prefixes    []string
+		direction   config.SyncDirection
+		lfs         bool
+		lfsPatterns []string
 	}
 	remotes := make(map[string]*remoteInfo)
-	add := func(remote, prefix string, dir config.SyncDirection) {
+	add := func(remote, prefix string, dir config.SyncDirection, lfs bool, patterns []string) {
 		if remote == "" {
 			return
 		}
 		ri, ok := remotes[remote]
 		if !ok {
-			ri = &remoteInfo{direction: dir}
+			ri = &remoteInfo{direction: dir, lfs: lfs, lfsPatterns: patterns}
 			remotes[remote] = ri
 		}
 		ri.prefixes = append(ri.prefixes, prefix)
@@ -238,12 +286,25 @@ func (m *Manager) rebuildTargetsLocked() {
 				slog.String("kept", string(ri.direction)),
 				slog.String("ignored", string(dir)))
 		}
+		// LFS is a per-remote property in git terms (the .gitattributes
+		// file lives at the root of the clone). If any mapping for a
+		// remote enables LFS we honor it, but we warn if mappings
+		// disagree about patterns — the operator should reconcile.
+		if lfs && !ri.lfs {
+			ri.lfs = true
+			ri.lfsPatterns = patterns
+		} else if lfs && len(patterns) > 0 && !sameStringSlice(ri.lfsPatterns, patterns) {
+			slog.Warn("conflicting LFS patterns for remote, using first",
+				slog.String("remote", remote),
+				slog.Any("kept", ri.lfsPatterns),
+				slog.Any("ignored", patterns))
+		}
 	}
 	if m.cfg.Sync.Default != "" {
-		add(m.cfg.Sync.Default, "", config.SyncBidirectional)
+		add(m.cfg.Sync.Default, "", config.SyncBidirectional, false, nil)
 	}
 	for _, mapping := range m.cfg.Sync.Mappings {
-		add(mapping.Remote, mapping.Prefix, mapping.Direction.Normalize())
+		add(mapping.Remote, mapping.Prefix, mapping.Direction.Normalize(), mapping.LFS, mapping.LFSPatterns)
 	}
 
 	// Create or update targets
@@ -251,13 +312,17 @@ func (m *Manager) rebuildTargetsLocked() {
 		if t, exists := m.targets[remote]; exists {
 			t.prefixes = ri.prefixes
 			t.direction = ri.direction
+			t.lfs = ri.lfs
+			t.lfsPatterns = ri.lfsPatterns
 		} else {
 			dirName := sanitizeDirName(remote)
 			m.targets[remote] = &syncTarget{
-				remote:    remote,
-				cloneDir:  filepath.Join(m.syncDir, dirName),
-				prefixes:  ri.prefixes,
-				direction: ri.direction,
+				remote:      remote,
+				cloneDir:    filepath.Join(m.syncDir, dirName),
+				prefixes:    ri.prefixes,
+				direction:   ri.direction,
+				lfs:         ri.lfs,
+				lfsPatterns: ri.lfsPatterns,
 			}
 		}
 	}
@@ -270,6 +335,20 @@ func (m *Manager) rebuildTargetsLocked() {
 	}
 }
 
+// sameStringSlice reports whether two []string contain the same
+// elements in the same order. Used by the LFS pattern conflict check.
+func sameStringSlice(a, b []string) bool {
+	if len(a) != len(b) {
+		return false
+	}
+	for i := range a {
+		if a[i] != b[i] {
+			return false
+		}
+	}
+	return true
+}
+
 // syncAll syncs all targets.
 func (m *Manager) syncAll(ctx context.Context) {
 	m.mu.Lock()
@@ -328,6 +407,18 @@ func (m *Manager) syncTarget(ctx context.Context, t *syncTarget) {
 		return
 	}
 
+	// LFS bootstrap (no-op when t.lfs is false). Runs on every cycle
+	// so a re-registration that flipped LFS on takes effect on the
+	// next tick without a manual restart. Failures here are surfaced
+	// as setError + return — pushing un-tracked binaries through
+	// git-lfs would just rewrite history later anyway.
+	if t.lfs {
+		if err := ensureLFSConfig(ctx, t); err != nil {
+			t.setError(fmt.Sprintf("lfs setup: %v", err))
+			return
+		}
+	}
+
 	// Phase 1: stage local wiki state in the clone and commit it before
 	// pulling. This is what prevents local writes from being clobbered by
 	// the merge in phase 2.
@@ -442,6 +533,12 @@ func (m *Manager) ensureClone(ctx context.Context, t *syncTarget) error {
 // with prefix "projects/alpha" maps the root of the shadow clone into
 // wikiRoot/projects/alpha. An empty prefix mirrors the whole clone
 // to the wiki root. This matches copyFromWiki (the reverse direction).
+//
+// Files carried: markdown pages (*.md) and the contents of *.assets/
+// sidecar directories. Anything else is treated as not-our-concern
+// and skipped — keeps random scratch files in the wiki tree from
+// leaking to the remote, while still ferrying the asset bytes the
+// image-support feature needs.
 func (m *Manager) copyToWiki(t *syncTarget) {
 	for _, prefix := range t.prefixes {
 		dstRoot := filepath.Join(m.wikiRoot, prefix)
@@ -458,10 +555,13 @@ func (m *Manager) copyToWiki(t *syncTarget) {
 				}
 				return nil
 			}
-			if d.IsDir() || !strings.HasSuffix(name, ".md") {
+			if d.IsDir() {
 				return nil
 			}
 			rel, _ := filepath.Rel(t.cloneDir, path)
+			if !syncableRel(rel) {
+				return nil
+			}
 			dst := filepath.Join(dstRoot, rel)
 			data, err := os.ReadFile(path)
 			if err != nil {
@@ -482,6 +582,10 @@ func (m *Manager) copyToWiki(t *syncTarget) {
 // Skips writes for identical files so git doesn't observe spurious
 // "modified" entries on otherwise-clean trees, and removes clone-side
 // files that no longer exist in the wiki so deletions propagate.
+//
+// Carries the same file set as copyToWiki: *.md pages plus the contents
+// of *.assets/ sidecar directories. Other files in the wiki tree are
+// ignored.
 func (m *Manager) copyFromWiki(t *syncTarget) {
 	for _, prefix := range t.prefixes {
 		srcRoot := filepath.Join(m.wikiRoot, prefix)
@@ -500,10 +604,13 @@ func (m *Manager) copyFromWiki(t *syncTarget) {
 				}
 				return nil
 			}
-			if d.IsDir() || !strings.HasSuffix(name, ".md") {
+			if d.IsDir() {
 				return nil
 			}
 			rel, _ := filepath.Rel(srcRoot, path)
+			if !syncableRel(rel) {
+				return nil
+			}
 			dst := filepath.Join(t.cloneDir, rel)
 			data, err := os.ReadFile(path)
 			if err != nil {
@@ -517,8 +624,11 @@ func (m *Manager) copyFromWiki(t *syncTarget) {
 			return nil
 		})
 
-		// Mirror deletes: any .md in the clone that no longer exists in
-		// the wiki must be removed so `git add -A` notices the deletion.
+		// Mirror deletes: any syncable file in the clone that no longer
+		// exists in the wiki must be removed so `git add -A` notices the
+		// deletion. Same predicate as the copy pass to keep the two
+		// directions symmetric — we'd never delete a file we wouldn't
+		// have copied in the first place.
 		filepath.WalkDir(t.cloneDir, func(path string, d os.DirEntry, err error) error {
 			if err != nil {
 				return err
@@ -530,10 +640,13 @@ func (m *Manager) copyFromWiki(t *syncTarget) {
 				}
 				return nil
 			}
-			if d.IsDir() || !strings.HasSuffix(name, ".md") {
+			if d.IsDir() {
 				return nil
 			}
 			rel, _ := filepath.Rel(t.cloneDir, path)
+			if !syncableRel(rel) {
+				return nil
+			}
 			src := filepath.Join(srcRoot, rel)
 			if _, err := os.Stat(src); os.IsNotExist(err) {
 				os.Remove(path)
@@ -543,6 +656,34 @@ func (m *Manager) copyFromWiki(t *syncTarget) {
 	}
 }
 
+// syncableRel reports whether a wiki-relative path participates in
+// sync. Currently:
+//
+//   - markdown pages (*.md)
+//   - files inside per-page sidecar directories (any *.assets/ segment)
+//
+// New file kinds get added here as the wiki grows. Keep this in sync
+// with the wiki package's storage layout — anything stored on disk
+// that should travel with the wiki to a remote needs a clause here.
+func syncableRel(rel string) bool {
+	if rel == "" {
+		return false
+	}
+	if strings.HasSuffix(rel, ".md") {
+		return true
+	}
+	// "<page>.assets/<file>" anywhere in the path. We split on slash
+	// rather than checking strings.Contains so we don't accidentally
+	// accept a filename that happens to embed ".assets/" as a
+	// substring.
+	for _, seg := range strings.Split(filepath.ToSlash(rel), "/") {
+		if strings.HasSuffix(seg, ".assets") {
+			return true
+		}
+	}
+	return false
+}
+
 // --- helpers ---
 
 func (t *syncTarget) setError(msg string) {
@@ -588,6 +729,55 @@ func ensureGitignore(dir string) {
 	os.WriteFile(path, []byte(".mind-map.db\n.mind-map.db-wal\n.mind-map.db-shm\n"), 0o644)
 }
 
+// ensureLFSConfig initializes git-lfs in the shadow clone and writes a
+// .gitattributes file routing the target's LFS patterns through LFS.
+// Idempotent: re-running on a clone where LFS is already configured
+// only refreshes .gitattributes if its content changed.
+//
+// Failure modes:
+//   - git-lfs not installed → "git lfs install" fails with a clear
+//     error; we surface it so the operator can install the binary
+//     before retrying. The mapping itself stays registered.
+//   - remote rejects LFS pointers on push (e.g. GitHub wikis) →
+//     reported during the push phase, not here. We can't detect
+//     this in advance without a probe push.
+func ensureLFSConfig(ctx context.Context, t *syncTarget) error {
+	patterns := t.lfsPatterns
+	if len(patterns) == 0 {
+		// Safety: if someone sets lfs=true with no patterns, fall back
+		// to the default browser-image set so we at least track the
+		// formats the image-support feature produces.
+		patterns = config.DefaultLFSPatterns()
+	}
+
+	if err := gitCmd(ctx, t.cloneDir, "lfs", "install", "--local"); err != nil {
+		return fmt.Errorf("git lfs install: %w (is git-lfs installed?)", err)
+	}
+
+	var b strings.Builder
+	b.WriteString("# Managed by mind-map sync (LFS=true). Do not edit by hand;\n")
+	b.WriteString("# changes will be overwritten on the next sync tick.\n")
+	for _, p := range patterns {
+		fmt.Fprintf(&b, "%s filter=lfs diff=lfs merge=lfs -text\n", p)
+	}
+	want := b.String()
+
+	attrPath := filepath.Join(t.cloneDir, ".gitattributes")
+	if existing, err := os.ReadFile(attrPath); err == nil && string(existing) == want {
+		return nil
+	}
+	if err := os.WriteFile(attrPath, []byte(want), 0o644); err != nil {
+		return fmt.Errorf("write .gitattributes: %w", err)
+	}
+	// Stage immediately so the next commit picks it up. The
+	// "commit if there are staged changes" gate in syncTarget will
+	// produce the actual commit.
+	if err := gitCmd(ctx, t.cloneDir, "add", ".gitattributes"); err != nil {
+		return fmt.Errorf("git add .gitattributes: %w", err)
+	}
+	return nil
+}
+
 // sanitizeDirName converts a remote URL to a safe directory name.
 func sanitizeDirName(remote string) string {
 	// "https://github.com/user/repo.wiki.git" -> "github.com_user_repo.wiki"
diff --git a/internal/wiki/assets.go b/internal/wiki/assets.go
new file mode 100644
index 0000000..c9bb698
--- /dev/null
+++ b/internal/wiki/assets.go
@@ -0,0 +1,633 @@
+package wiki
+
+import (
+	"bytes"
+	"context"
+	"errors"
+	"fmt"
+	"log/slog"
+	"net/http"
+	"os"
+	"path"
+	"path/filepath"
+	"strings"
+)
+
+// Asset support.
+//
+// Images and other binary references embedded in markdown live on disk
+// in a per-page "sidecar" directory: a page at `foo/bar` keeps its
+// assets in `foo/bar.assets/`. The asset path stored in markdown
+// (`![](foo/bar.assets/diagram.png)`) is the same string used as the
+// link table's `target` for kind='image' rows, which lets every
+// lifecycle question be answered by a plain index query.
+//
+// This file holds the wiki-internal asset CRUD. The MCP and HTTP
+// layers wrap these methods; they don't reach into the filesystem
+// directly.
+
+const (
+	// assetsSuffix is the dirname suffix appended to a page path to
+	// form its sidecar asset directory. The "." prefix matches how
+	// agents and humans naturally read the references — "this page's
+	// assets" — and keeps the directory next to the page on disk.
+	assetsSuffix = ".assets"
+
+	// defaultMaxAssetBytes is the per-upload size cap used when the
+	// wiki hasn't been configured otherwise. 10 MB matches the design
+	// doc default. Operators can raise this via Wiki.MaxAssetBytes if
+	// they're hosting larger illustrations.
+	defaultMaxAssetBytes int64 = 10 * 1024 * 1024
+)
+
+// ErrAssetTooLarge is returned by UploadAsset when content exceeds
+// the configured size cap.
+var ErrAssetTooLarge = errors.New("asset exceeds size cap")
+
+// ErrUnsupportedAssetType is returned by UploadAsset when the content's
+// detected MIME type isn't one of the browser-renderable image formats.
+var ErrUnsupportedAssetType = errors.New("unsupported asset type")
+
+// ErrAssetNotFound is returned by ReadAsset and StatAsset when the
+// requested asset doesn't exist on disk.
+var ErrAssetNotFound = errors.New("asset not found")
+
+// AssetInfo describes an asset without including its body. Returned by
+// StatAsset and used to populate the metadata-only mode of the page
+// read tools.
+type AssetInfo struct {
+	// Path is the asset's wiki-relative path as it appears in markdown
+	// references and in the links table (kind='image' target).
+	Path string `json:"path"`
+	// SizeBytes is the on-disk size of the asset file.
+	SizeBytes int64 `json:"size_bytes"`
+	// MIME is the detected content type. Always populated when the
+	// file exists and can be sniffed.
+	MIME string `json:"mime"`
+}
+
+// UploadAsset writes binary content into the sidecar directory of the
+// given page, returning the asset's wiki-relative path on success. The
+// returned path is what the caller should embed in markdown:
+//
+//	uploaded, _ := w.UploadAsset(ctx, "projects/mind-map", "diagram.png", bytes)
+//	// uploaded == "projects/mind-map.assets/diagram.png"
+//	body := "![diagram](" + uploaded + ")"
+//
+// Behavior:
+//
+//   - The sidecar directory is created if it doesn't exist.
+//   - If a file with the same name already exists, UploadAsset auto-
+//     suffixes the basename ("diagram.png" → "diagram-1.png") and keeps
+//     trying until it finds a free slot. Agents don't have to probe.
+//   - Content is sniffed via http.DetectContentType plus an SVG check;
+//     anything outside the browser-renderable image set is rejected
+//     with ErrUnsupportedAssetType.
+//   - Size is bounded by Wiki.MaxAssetBytes (default 10 MB), rejecting
+//     oversize uploads with ErrAssetTooLarge.
+//
+// UploadAsset does NOT touch the markdown of any page. It writes the
+// file and returns the path; the caller updates the page via
+// update_page / edit_page so the reference is captured by the index
+// on the next indexPage call.
+func (w *Wiki) UploadAsset(ctx context.Context, page, name string, content []byte) (string, error) {
+	if err := ctx.Err(); err != nil {
+		return "", err
+	}
+
+	page, err := normalizePagePath(page)
+	if err != nil {
+		return "", fmt.Errorf("page: %w", err)
+	}
+
+	cleanName, err := sanitizeAssetFilename(name)
+	if err != nil {
+		return "", err
+	}
+
+	maxBytes := w.MaxAssetBytes
+	if maxBytes <= 0 {
+		maxBytes = defaultMaxAssetBytes
+	}
+	if int64(len(content)) > maxBytes {
+		return "", fmt.Errorf("%w: %d bytes > %d", ErrAssetTooLarge, len(content), maxBytes)
+	}
+
+	mime, ok := detectImageMIME(content)
+	if !ok {
+		return "", fmt.Errorf("%w: detected %q", ErrUnsupportedAssetType, mime)
+	}
+
+	sidecarRel := page + assetsSuffix
+	sidecarAbs := filepath.Join(w.root, sidecarRel)
+	if err := os.MkdirAll(sidecarAbs, 0o755); err != nil {
+		return "", fmt.Errorf("create sidecar: %w", err)
+	}
+
+	finalName, err := resolveAssetCollision(sidecarAbs, cleanName)
+	if err != nil {
+		return "", err
+	}
+
+	absPath := filepath.Join(sidecarAbs, finalName)
+	if err := os.WriteFile(absPath, content, 0o644); err != nil {
+		return "", fmt.Errorf("write asset: %w", err)
+	}
+
+	relPath := path.Join(sidecarRel, finalName)
+	slog.Info("asset uploaded",
+		slog.String("page", page),
+		slog.String("path", relPath),
+		slog.Int("bytes", len(content)),
+		slog.String("mime", mime),
+	)
+	return relPath, nil
+}
+
+// ReadAsset returns the bytes and detected MIME type for an asset path.
+// The path must be wiki-relative (as stored in markdown references); it
+// is validated against the wiki root to prevent traversal.
+func (w *Wiki) ReadAsset(ctx context.Context, assetPath string) ([]byte, string, error) {
+	if err := ctx.Err(); err != nil {
+		return nil, "", err
+	}
+
+	abs, err := w.resolveAssetPath(assetPath)
+	if err != nil {
+		return nil, "", err
+	}
+
+	data, err := os.ReadFile(abs)
+	if err != nil {
+		if os.IsNotExist(err) {
+			return nil, "", fmt.Errorf("%w: %s", ErrAssetNotFound, assetPath)
+		}
+		return nil, "", err
+	}
+
+	mime, _ := detectImageMIME(data)
+	if mime == "" {
+		// Fall back to a generic detect so we still serve something
+		// useful for assets that pre-date the sniff list (e.g. a
+		// human-uploaded format we haven't enumerated). The static
+		// handler can still return the bytes; only uploads are gated.
+		mime = http.DetectContentType(data)
+	}
+	return data, mime, nil
+}
+
+// StatAsset returns metadata for an asset without reading its full body.
+// Used by the metadata-only mode of the page read tools and by future
+// listing/GC operations.
+func (w *Wiki) StatAsset(ctx context.Context, assetPath string) (*AssetInfo, error) {
+	if err := ctx.Err(); err != nil {
+		return nil, err
+	}
+
+	abs, err := w.resolveAssetPath(assetPath)
+	if err != nil {
+		return nil, err
+	}
+
+	info, err := os.Stat(abs)
+	if err != nil {
+		if os.IsNotExist(err) {
+			return nil, fmt.Errorf("%w: %s", ErrAssetNotFound, assetPath)
+		}
+		return nil, err
+	}
+
+	// We need the head of the file to sniff a MIME, but full read just
+	// for stats would be wasteful for large illustrations. 512 bytes is
+	// the limit http.DetectContentType actually inspects.
+	head := make([]byte, 512)
+	f, err := os.Open(abs)
+	if err != nil {
+		return nil, err
+	}
+	defer f.Close()
+	n, _ := f.Read(head)
+	mime, _ := detectImageMIME(head[:n])
+	if mime == "" {
+		mime = http.DetectContentType(head[:n])
+	}
+
+	return &AssetInfo{
+		Path:      filepath.ToSlash(assetPath),
+		SizeBytes: info.Size(),
+		MIME:      mime,
+	}, nil
+}
+
+// DeleteAsset removes an asset file from disk. Best for callers (the
+// screenshot harness, an explicit MCP "remove this image" tool) that
+// have an asset path and want it gone regardless of whether any page
+// still references it. The caller is responsible for the page-body
+// cleanup; this method only touches the file and the index.
+//
+// Behavior:
+//
+//   - Validates the path against the wiki root (same traversal guard
+//     as ReadAsset/StatAsset).
+//   - Removes the file. Missing file maps to ErrAssetNotFound so a
+//     caller doing a double-delete sees an unambiguous signal.
+//   - Removes any kind='image' rows in the link index where target
+//     matches. Pages that still reference the deleted asset will have
+//     a dangling markdown link until they're next reindexed — that's
+//     by design, since editing every page that links to the asset is
+//     out of scope for an asset-delete call.
+//   - Removes the parent sidecar directory if it's empty afterward,
+//     keeping the wiki tree tidy.
+func (w *Wiki) DeleteAsset(ctx context.Context, assetPath string) error {
+	if err := ctx.Err(); err != nil {
+		return err
+	}
+
+	abs, err := w.resolveAssetPath(assetPath)
+	if err != nil {
+		return err
+	}
+
+	if _, err := os.Stat(abs); err != nil {
+		if os.IsNotExist(err) {
+			return fmt.Errorf("%w: %s", ErrAssetNotFound, assetPath)
+		}
+		return err
+	}
+
+	if err := os.Remove(abs); err != nil {
+		return fmt.Errorf("remove asset: %w", err)
+	}
+
+	// Clean the asset's index rows. Normalize to forward slashes
+	// because that's how the indexer stores image targets (matches
+	// what extractImages writes).
+	rel := filepath.ToSlash(strings.TrimPrefix(abs, w.root+string(filepath.Separator)))
+	if _, err := w.db.ExecContext(ctx,
+		"DELETE FROM links WHERE target = ? AND kind = 'image'",
+		rel,
+	); err != nil {
+		slog.Warn("delete asset: link index cleanup failed",
+			slog.String("asset", rel), slog.Any("error", err))
+	}
+
+	// If the sidecar directory is now empty, drop it. os.Remove fails
+	// on non-empty dirs, which is exactly the "still has other files"
+	// case we want to leave alone.
+	sidecar := filepath.Dir(abs)
+	if err := os.Remove(sidecar); err != nil && !os.IsNotExist(err) {
+		// Non-empty or permission error — not fatal, just log at debug
+		// since "non-empty" is the common, expected case when other
+		// assets live in the same sidecar.
+		slog.Debug("delete asset: sidecar dir not removed (likely non-empty)",
+			slog.String("dir", filepath.ToSlash(strings.TrimPrefix(sidecar, w.root+string(filepath.Separator)))),
+			slog.Any("error", err),
+		)
+	}
+
+	slog.Info("asset deleted", slog.String("path", rel))
+	return nil
+}
+
+// resolveAssetPath validates a wiki-relative asset path and returns its
+// absolute filesystem path. Rejects traversal attempts (..) and any
+// path that doesn't resolve under the wiki root.
+//
+// Unlike normalizePagePath, asset paths keep their extension and don't
+// have a trailing-slash normalization to do — they're filesystem paths,
+// not page paths.
+func (w *Wiki) resolveAssetPath(assetPath string) (string, error) {
+	if assetPath == "" {
+		return "", fmt.Errorf("asset path is empty")
+	}
+	// Normalize separators and reject leading slashes; asset paths are
+	// always wiki-root-relative.
+	p := strings.ReplaceAll(assetPath, `\`, "/")
+	p = strings.TrimPrefix(p, "/")
+	cleaned := path.Clean(p)
+	if cleaned == "." || cleaned == "" {
+		return "", fmt.Errorf("invalid asset path: %q", assetPath)
+	}
+	if cleaned == ".." || strings.HasPrefix(cleaned, "../") {
+		return "", fmt.Errorf("asset path escapes wiki root: %q", assetPath)
+	}
+
+	abs := filepath.Join(w.root, filepath.FromSlash(cleaned))
+	// Final guard: filepath.Join can't undo a cleaned ".." check above,
+	// but defense in depth: resolve symlinks and verify containment.
+	absClean, err := filepath.Abs(abs)
+	if err != nil {
+		return "", err
+	}
+	if !strings.HasPrefix(absClean+string(filepath.Separator), w.root+string(filepath.Separator)) && absClean != w.root {
+		return "", fmt.Errorf("asset path escapes wiki root: %q", assetPath)
+	}
+	return absClean, nil
+}
+
+// sanitizeAssetFilename strips path components and forbidden characters
+// from a user-supplied filename. Only the basename survives — agents
+// can't smuggle "../" or nested directory paths in via the name field.
+func sanitizeAssetFilename(name string) (string, error) {
+	if name == "" {
+		return "", fmt.Errorf("asset name is empty")
+	}
+	// Collapse any path-y syntax to just the final component.
+	name = strings.ReplaceAll(name, `\`, "/")
+	name = path.Base(name)
+	if name == "" || name == "." || name == ".." || name == "/" {
+		return "", fmt.Errorf("invalid asset name: %q", name)
+	}
+	// SQLite stores the asset path as part of the links table primary
+	// key tuple; null bytes would torch sqlite tooling. Reject them.
+	if strings.ContainsRune(name, 0) {
+		return "", fmt.Errorf("asset name contains NUL")
+	}
+	return name, nil
+}
+
+// resolveAssetCollision returns a free filename inside dir, starting
+// from desired and auto-suffixing on collision: "a.png" → "a-1.png" →
+// "a-2.png" ... Comparisons are case-insensitive so we don't end up
+// with "Diagram.png" and "diagram.png" coexisting on case-sensitive
+// filesystems and confusing sync to a case-insensitive remote.
+func resolveAssetCollision(dir, desired string) (string, error) {
+	existing, err := caseInsensitiveDirSet(dir)
+	if err != nil {
+		return "", err
+	}
+	lower := strings.ToLower(desired)
+	if _, taken := existing[lower]; !taken {
+		return desired, nil
+	}
+
+	ext := filepath.Ext(desired)
+	stem := strings.TrimSuffix(desired, ext)
+	for i := 1; i < 10_000; i++ {
+		candidate := fmt.Sprintf("%s-%d%s", stem, i, ext)
+		if _, taken := existing[strings.ToLower(candidate)]; !taken {
+			return candidate, nil
+		}
+	}
+	return "", fmt.Errorf("could not find a free filename after 10000 attempts: %s", desired)
+}
+
+// caseInsensitiveDirSet returns the lowercased names of files in dir.
+// Missing dirs return an empty set without an error — that's the
+// "no collisions, first upload" case.
+func caseInsensitiveDirSet(dir string) (map[string]struct{}, error) {
+	entries, err := os.ReadDir(dir)
+	if err != nil {
+		if os.IsNotExist(err) {
+			return map[string]struct{}{}, nil
+		}
+		return nil, err
+	}
+	set := make(map[string]struct{}, len(entries))
+	for _, e := range entries {
+		set[strings.ToLower(e.Name())] = struct{}{}
+	}
+	return set, nil
+}
+
+// detectImageMIME inspects the leading bytes of a file and returns the
+// MIME type if it's a browser-renderable image format, or ("", false)
+// otherwise. SVG gets special-cased because http.DetectContentType
+// reports it as a generic XML type; we look for the <svg root element.
+//
+// Supported set tracks what browsers render natively, not a hand-picked
+// subset: PNG, JPEG, GIF, WebP, AVIF, SVG, BMP, ICO. New formats can
+// be added by extending the switch below.
+func detectImageMIME(content []byte) (string, bool) {
+	if len(content) == 0 {
+		return "", false
+	}
+
+	detected := http.DetectContentType(content)
+	switch {
+	case strings.HasPrefix(detected, "image/png"):
+		return "image/png", true
+	case strings.HasPrefix(detected, "image/jpeg"):
+		return "image/jpeg", true
+	case strings.HasPrefix(detected, "image/gif"):
+		return "image/gif", true
+	case strings.HasPrefix(detected, "image/webp"):
+		return "image/webp", true
+	case strings.HasPrefix(detected, "image/bmp"):
+		return "image/bmp", true
+	case strings.HasPrefix(detected, "image/vnd.microsoft.icon"),
+		strings.HasPrefix(detected, "image/x-icon"):
+		return "image/x-icon", true
+	}
+
+	// AVIF / HEIF: http.DetectContentType returns
+	// "application/octet-stream" for these. Sniff the ISO BMFF box
+	// header: bytes [4:8] are "ftyp", [8:12] is the brand. AVIF
+	// brands include "avif", "avis", "mif1" (HEIF parent), "msf1".
+	if len(content) >= 12 && bytes.Equal(content[4:8], []byte("ftyp")) {
+		brand := string(content[8:12])
+		switch brand {
+		case "avif", "avis":
+			return "image/avif", true
+		}
+	}
+
+	// SVG sniff: skip leading whitespace and optional XML decl/DOCTYPE,
+	// then look for the <svg element. We deliberately don't fully
+	// parse XML — that's the renderer's job. We just need to be
+	// confident this is SVG before accepting it.
+	if looksLikeSVG(content) {
+		return "image/svg+xml", true
+	}
+
+	return detected, false
+}
+
+// looksLikeSVG checks whether content starts with markup that opens an
+// <svg ...> element, allowing leading whitespace, XML declaration, and
+// DOCTYPE/comments. It does NOT validate the XML; that's left to the
+// downstream renderer.
+func looksLikeSVG(content []byte) bool {
+	s := bytes.TrimLeft(content, " \t\r\n\xef\xbb\xbf")
+	// Strip leading <?xml ...?> declaration if present.
+	if bytes.HasPrefix(s, []byte("<?xml")) {
+		end := bytes.Index(s, []byte("?>"))
+		if end < 0 {
+			return false
+		}
+		s = bytes.TrimLeft(s[end+2:], " \t\r\n")
+	}
+	// Strip leading comments and DOCTYPE/whitespace until we hit a
+	// real element open. Bounded loop so a pathological input can't
+	// spin us.
+	for i := 0; i < 8; i++ {
+		s = bytes.TrimLeft(s, " \t\r\n")
+		switch {
+		case bytes.HasPrefix(s, []byte("<!--")):
+			end := bytes.Index(s, []byte("-->"))
+			if end < 0 {
+				return false
+			}
+			s = s[end+3:]
+		case bytes.HasPrefix(s, []byte("<!DOCTYPE")):
+			end := bytes.IndexByte(s, '>')
+			if end < 0 {
+				return false
+			}
+			s = s[end+1:]
+		default:
+			i = 8 // break the for
+		}
+	}
+	s = bytes.TrimLeft(s, " \t\r\n")
+	if !bytes.HasPrefix(s, []byte("<svg")) {
+		return false
+	}
+	// Require the next byte to be whitespace or `>` so we don't
+	// accept `<svgfoo>` or `<svg-name>` as SVG.
+	if len(s) <= 4 {
+		return false
+	}
+	next := s[4]
+	return next == ' ' || next == '\t' || next == '\r' || next == '\n' || next == '>' || next == '/'
+}
+
+// gcSidecarAssets removes files under <page>.assets/ that have no
+// row in the link index. Called from DeletePage (after the page's
+// own rows are deleted from `links`) and from MovePage (to clean up
+// any orphans the move left behind). The sidecar dir itself is
+// removed if empty after the sweep so the wiki tree stays tidy.
+//
+// Files referenced by OTHER pages (kind='image' rows with a different
+// source) are kept in place — the design intentionally has no shared
+// asset pool, so the file lives in its original sidecar even when
+// shared. The markdown path in the referencing page still resolves.
+func (w *Wiki) gcSidecarAssets(ctx context.Context, page string) error {
+	sidecarRel := page + assetsSuffix
+	sidecarAbs := filepath.Join(w.root, sidecarRel)
+
+	entries, err := os.ReadDir(sidecarAbs)
+	if err != nil {
+		if os.IsNotExist(err) {
+			return nil
+		}
+		return err
+	}
+
+	for _, entry := range entries {
+		if entry.IsDir() {
+			// We don't support nested sidecars; skip any
+			// subdirectory rather than recursing or deleting it.
+			continue
+		}
+		assetRel := path.Join(sidecarRel, entry.Name())
+		var n int
+		if err := w.db.QueryRowContext(ctx,
+			"SELECT COUNT(*) FROM links WHERE target = ? AND kind = 'image'",
+			assetRel,
+		).Scan(&n); err != nil {
+			return fmt.Errorf("query asset refs %q: %w", assetRel, err)
+		}
+		if n > 0 {
+			continue
+		}
+		assetAbs := filepath.Join(sidecarAbs, entry.Name())
+		if err := os.Remove(assetAbs); err != nil && !os.IsNotExist(err) {
+			slog.Warn("sidecar asset remove failed",
+				slog.String("asset", assetRel),
+				slog.Any("error", err),
+			)
+		}
+	}
+
+	// If the sidecar is now empty, drop the directory. os.Remove
+	// fails on non-empty dirs, which is exactly the "still has shared
+	// or human-added files" case we want to leave alone.
+	if err := os.Remove(sidecarAbs); err != nil && !os.IsNotExist(err) {
+		// Non-empty or permission error — not fatal, just log.
+		slog.Debug("sidecar dir not removed (likely non-empty)",
+			slog.String("dir", sidecarRel),
+			slog.Any("error", err),
+		)
+	}
+	return nil
+}
+
+// splitSidecarOnMove rewrites the image references inside a page's
+// markdown when the page is moved from→to, and decides which sidecar
+// files travel with the page vs. stay behind for other referencers.
+//
+// Returns the rewritten body. The caller is responsible for writing
+// the file at its new path and re-indexing.
+//
+// Design (option (a) from the image-support discussion): use the link
+// index to find which assets are exclusive to the moving page. Move
+// those into the new sidecar (rewriting in-body paths to match);
+// leave shared assets in the old sidecar (keeping their original path
+// in the in-body markdown, since other pages still reference them at
+// that path). After the move, gcSidecarAssets on the old sidecar
+// cleans up: the dir is gone if everything moved, or it survives
+// holding only the shared files.
+//
+// `oldImages` is the set of image targets the page referenced before
+// the move (queried before we delete the source page's link rows).
+// We need it as input because by the time we rewrite the body those
+// rows may already be gone, and rebuilding it from the new markdown
+// is the wrong direction — we need pre-move state.
+func (w *Wiki) splitSidecarOnMove(ctx context.Context, from, to string, body []byte, oldImages []string) ([]byte, error) {
+	if len(oldImages) == 0 {
+		return body, nil
+	}
+
+	oldSidecarPrefix := from + assetsSuffix + "/"
+	newSidecarRel := to + assetsSuffix
+	newSidecarAbs := filepath.Join(w.root, newSidecarRel)
+
+	rewritten := body
+	for _, target := range oldImages {
+		// Only touch assets that lived in the page's own sidecar.
+		// Images referencing some OTHER page's sidecar (cross-
+		// referenced images) keep their path either way: the file
+		// stays where it was and the path is still valid post-move.
+		if !strings.HasPrefix(target, oldSidecarPrefix) {
+			continue
+		}
+
+		// Is anyone else (besides `from`) referencing this asset?
+		var n int
+		if err := w.db.QueryRowContext(ctx,
+			"SELECT COUNT(*) FROM links WHERE target = ? AND kind = 'image' AND source != ?",
+			target, from,
+		).Scan(&n); err != nil {
+			return nil, fmt.Errorf("query shared %q: %w", target, err)
+		}
+		if n > 0 {
+			// Shared: leave the file in place, leave the
+			// markdown path alone. Other pages still resolve.
+			continue
+		}
+
+		// Exclusive: move the file to the new sidecar and rewrite
+		// the in-body reference.
+		basename := path.Base(target)
+		oldAbs := filepath.Join(w.root, filepath.FromSlash(target))
+		newRel := path.Join(newSidecarRel, basename)
+		newAbs := filepath.Join(newSidecarAbs, basename)
+
+		if err := os.MkdirAll(newSidecarAbs, 0o755); err != nil {
+			return nil, fmt.Errorf("create new sidecar: %w", err)
+		}
+		// Best-effort rename; if the source vanished (e.g. someone
+		// hand-deleted it while the page still referenced it) we
+		// still want the body rewrite to happen so the index is
+		// consistent. The next reindex/Stat will surface the
+		// missing-file condition if needed.
+		if err := os.Rename(oldAbs, newAbs); err != nil && !os.IsNotExist(err) {
+			return nil, fmt.Errorf("move asset %q: %w", target, err)
+		}
+
+		rewritten = bytes.ReplaceAll(rewritten, []byte(target), []byte(newRel))
+	}
+
+	return rewritten, nil
+}
diff --git a/internal/wiki/assets_test.go b/internal/wiki/assets_test.go
new file mode 100644
index 0000000..2ef1c63
--- /dev/null
+++ b/internal/wiki/assets_test.go
@@ -0,0 +1,393 @@
+package wiki
+
+import (
+	"bytes"
+	"context"
+	"errors"
+	"os"
+	"path/filepath"
+	"strings"
+	"testing"
+)
+
+// --- test fixtures ---
+
+// onePixelPNG is the smallest possible valid PNG: 1x1 transparent.
+// Generated once by hand; the magic bytes and IDAT are what http.DetectContentType
+// inspects, so any browser-renderable PNG works in tests.
+var onePixelPNG = []byte{
+	0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a, // signature
+	0x00, 0x00, 0x00, 0x0d, // IHDR length
+	0x49, 0x48, 0x44, 0x52, // "IHDR"
+	0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x01, // 1x1
+	0x08, 0x06, 0x00, 0x00, 0x00, // bit depth + color
+	0x1f, 0x15, 0xc4, 0x89, // CRC
+	0x00, 0x00, 0x00, 0x0d, // IDAT length
+	0x49, 0x44, 0x41, 0x54, // "IDAT"
+	0x78, 0x9c, 0x62, 0x00, 0x01, 0x00, 0x00, 0x05,
+	0x00, 0x01, 0x0d, 0x0a, 0x2d, 0xb4, // data + CRC
+	0x00, 0x00, 0x00, 0x00, // IEND length
+	0x49, 0x45, 0x4e, 0x44, // "IEND"
+	0xae, 0x42, 0x60, 0x82, // CRC
+}
+
+const tinySVG = `<svg xmlns="http://www.w3.org/2000/svg" width="1" height="1"><rect/></svg>`
+
+// --- UploadAsset ---
+
+func TestUploadAssetCreatesSidecar(t *testing.T) {
+	w, dir := testWiki(t)
+	ctx := context.Background()
+
+	got, err := w.UploadAsset(ctx, "projects/mind-map", "diagram.png", onePixelPNG)
+	if err != nil {
+		t.Fatalf("UploadAsset: %v", err)
+	}
+	want := "projects/mind-map.assets/diagram.png"
+	if got != want {
+		t.Errorf("returned path = %q, want %q", got, want)
+	}
+	abs := filepath.Join(dir, filepath.FromSlash(got))
+	if _, err := os.Stat(abs); err != nil {
+		t.Errorf("asset file missing on disk: %v", err)
+	}
+}
+
+func TestUploadAssetCollisionSuffix(t *testing.T) {
+	w, _ := testWiki(t)
+	ctx := context.Background()
+
+	first, err := w.UploadAsset(ctx, "projects/mind-map", "shot.png", onePixelPNG)
+	if err != nil {
+		t.Fatalf("first upload: %v", err)
+	}
+	second, err := w.UploadAsset(ctx, "projects/mind-map", "shot.png", onePixelPNG)
+	if err != nil {
+		t.Fatalf("second upload: %v", err)
+	}
+	if first == second {
+		t.Fatalf("expected collision suffix, both uploads returned %q", first)
+	}
+	if !strings.HasSuffix(second, "shot-1.png") {
+		t.Errorf("second upload path %q does not end with shot-1.png", second)
+	}
+
+	// Case-insensitive collision: SHOT.PNG should also bump.
+	third, err := w.UploadAsset(ctx, "projects/mind-map", "SHOT.PNG", onePixelPNG)
+	if err != nil {
+		t.Fatalf("third upload: %v", err)
+	}
+	if strings.EqualFold(filepath.Base(third), "shot.png") || strings.EqualFold(filepath.Base(third), "shot-1.png") {
+		t.Errorf("third upload %q collided case-insensitively", third)
+	}
+}
+
+func TestUploadAssetRejectsNonImage(t *testing.T) {
+	w, _ := testWiki(t)
+	ctx := context.Background()
+
+	_, err := w.UploadAsset(ctx, "projects/mind-map", "evil.exe",
+		[]byte("MZ\x00\x00not actually a PE but http.DetectContentType picks it up"))
+	if err == nil {
+		t.Fatal("UploadAsset accepted non-image content")
+	}
+	if !errors.Is(err, ErrUnsupportedAssetType) {
+		t.Errorf("err = %v, want ErrUnsupportedAssetType", err)
+	}
+}
+
+func TestUploadAssetAcceptsSVG(t *testing.T) {
+	w, _ := testWiki(t)
+	ctx := context.Background()
+
+	got, err := w.UploadAsset(ctx, "projects/mind-map", "vector.svg", []byte(tinySVG))
+	if err != nil {
+		t.Fatalf("UploadAsset svg: %v", err)
+	}
+	if !strings.HasSuffix(got, ".svg") {
+		t.Errorf("returned path = %q, want .svg suffix", got)
+	}
+}
+
+func TestUploadAssetSizeCap(t *testing.T) {
+	w, _ := testWiki(t)
+	w.MaxAssetBytes = 64 // tiny cap for the test
+	ctx := context.Background()
+
+	big := bytes.Repeat([]byte{0}, 256) // not even an image, but we want size to fail first
+	_, err := w.UploadAsset(ctx, "projects/mind-map", "big.png", big)
+	if err == nil || !errors.Is(err, ErrAssetTooLarge) {
+		t.Errorf("err = %v, want ErrAssetTooLarge", err)
+	}
+}
+
+func TestUploadAssetSanitizesFilename(t *testing.T) {
+	w, _ := testWiki(t)
+	ctx := context.Background()
+
+	got, err := w.UploadAsset(ctx, "projects/mind-map", "../../evil.png", onePixelPNG)
+	if err != nil {
+		t.Fatalf("UploadAsset: %v", err)
+	}
+	if strings.Contains(got, "..") {
+		t.Errorf("returned path contains traversal: %q", got)
+	}
+	if filepath.Base(got) != "evil.png" {
+		t.Errorf("expected basename evil.png, got %q", got)
+	}
+}
+
+// --- ReadAsset / StatAsset ---
+
+func TestReadAssetRoundTrip(t *testing.T) {
+	w, _ := testWiki(t)
+	ctx := context.Background()
+
+	upPath, err := w.UploadAsset(ctx, "projects/mind-map", "d.png", onePixelPNG)
+	if err != nil {
+		t.Fatal(err)
+	}
+	bs, mime, err := w.ReadAsset(ctx, upPath)
+	if err != nil {
+		t.Fatalf("ReadAsset: %v", err)
+	}
+	if !bytes.Equal(bs, onePixelPNG) {
+		t.Error("bytes differ from uploaded content")
+	}
+	if mime != "image/png" {
+		t.Errorf("mime = %q, want image/png", mime)
+	}
+}
+
+func TestReadAssetRejectsTraversal(t *testing.T) {
+	w, _ := testWiki(t)
+	ctx := context.Background()
+
+	_, _, err := w.ReadAsset(ctx, "../../../etc/passwd")
+	if err == nil {
+		t.Fatal("ReadAsset accepted traversal path")
+	}
+}
+
+func TestStatAsset(t *testing.T) {
+	w, _ := testWiki(t)
+	ctx := context.Background()
+
+	upPath, _ := w.UploadAsset(ctx, "projects/mind-map", "d.png", onePixelPNG)
+	info, err := w.StatAsset(ctx, upPath)
+	if err != nil {
+		t.Fatalf("StatAsset: %v", err)
+	}
+	if info.SizeBytes != int64(len(onePixelPNG)) {
+		t.Errorf("SizeBytes = %d, want %d", info.SizeBytes, len(onePixelPNG))
+	}
+	if info.MIME != "image/png" {
+		t.Errorf("MIME = %q, want image/png", info.MIME)
+	}
+	if info.Path != upPath {
+		t.Errorf("Path = %q, want %q", info.Path, upPath)
+	}
+}
+
+// --- DeletePage cascade ---
+
+func TestDeletePageCascadesUnreferencedAssets(t *testing.T) {
+	w, dir := testWiki(t)
+	ctx := context.Background()
+
+	uploaded, err := w.UploadAsset(ctx, "projects/mind-map", "d.png", onePixelPNG)
+	if err != nil {
+		t.Fatal(err)
+	}
+	// Update the page so the index knows it references the asset.
+	if err := w.UpdatePage(ctx, "projects/mind-map", "# mm\n\n![d]("+uploaded+")\n"); err != nil {
+		t.Fatal(err)
+	}
+
+	if err := w.DeletePage(ctx, "projects/mind-map"); err != nil {
+		t.Fatalf("DeletePage: %v", err)
+	}
+
+	// Asset should be gone.
+	abs := filepath.Join(dir, filepath.FromSlash(uploaded))
+	if _, err := os.Stat(abs); !os.IsNotExist(err) {
+		t.Errorf("asset still exists after delete: %v", err)
+	}
+	// Sidecar dir should be gone too.
+	sidecar := filepath.Join(dir, "projects/mind-map.assets")
+	if _, err := os.Stat(sidecar); !os.IsNotExist(err) {
+		t.Errorf("sidecar dir still exists after delete: %v", err)
+	}
+}
+
+func TestDeletePageKeepsSharedAssets(t *testing.T) {
+	w, dir := testWiki(t)
+	ctx := context.Background()
+
+	uploaded, err := w.UploadAsset(ctx, "projects/mind-map", "d.png", onePixelPNG)
+	if err != nil {
+		t.Fatal(err)
+	}
+	if err := w.UpdatePage(ctx, "projects/mind-map", "# mm\n\n![d]("+uploaded+")\n"); err != nil {
+		t.Fatal(err)
+	}
+	// people/alice also references the same asset.
+	if err := w.UpdatePage(ctx, "people/alice", "# Alice\n\n![d]("+uploaded+")\n"); err != nil {
+		t.Fatal(err)
+	}
+
+	if err := w.DeletePage(ctx, "projects/mind-map"); err != nil {
+		t.Fatalf("DeletePage: %v", err)
+	}
+
+	abs := filepath.Join(dir, filepath.FromSlash(uploaded))
+	if _, err := os.Stat(abs); err != nil {
+		t.Errorf("shared asset removed despite external referencer: %v", err)
+	}
+}
+
+// --- MovePage with sidecar ---
+
+func TestMovePageRelocatesExclusiveAssets(t *testing.T) {
+	w, dir := testWiki(t)
+	ctx := context.Background()
+
+	uploaded, _ := w.UploadAsset(ctx, "projects/mind-map", "d.png", onePixelPNG)
+	if err := w.UpdatePage(ctx, "projects/mind-map", "# mm\n\n![d]("+uploaded+")\n"); err != nil {
+		t.Fatal(err)
+	}
+
+	if err := w.MovePage(ctx, "projects/mind-map", "projects/mm2", MoveOptions{}); err != nil {
+		t.Fatalf("MovePage: %v", err)
+	}
+
+	// Old asset should be gone, new one in place at the new sidecar.
+	if _, err := os.Stat(filepath.Join(dir, "projects/mind-map.assets/d.png")); !os.IsNotExist(err) {
+		t.Errorf("old asset file still present: %v", err)
+	}
+	if _, err := os.Stat(filepath.Join(dir, "projects/mm2.assets/d.png")); err != nil {
+		t.Errorf("new asset file missing: %v", err)
+	}
+
+	// Page body should have the rewritten reference.
+	p, err := w.GetPage(ctx, "projects/mm2")
+	if err != nil {
+		t.Fatal(err)
+	}
+	if !strings.Contains(p.Body, "projects/mm2.assets/d.png") {
+		t.Errorf("body not rewritten: %q", p.Body)
+	}
+	if strings.Contains(p.Body, "projects/mind-map.assets/") {
+		t.Errorf("old sidecar path still in body: %q", p.Body)
+	}
+}
+
+func TestMovePageLeavesSharedAssetsBehind(t *testing.T) {
+	w, dir := testWiki(t)
+	ctx := context.Background()
+
+	uploaded, _ := w.UploadAsset(ctx, "projects/mind-map", "shared.png", onePixelPNG)
+	// Both pages reference the asset that lives in projects/mind-map.assets/.
+	if err := w.UpdatePage(ctx, "projects/mind-map", "# mm\n\n![s]("+uploaded+")\n"); err != nil {
+		t.Fatal(err)
+	}
+	if err := w.UpdatePage(ctx, "people/alice", "# Alice\n\n![s]("+uploaded+")\n"); err != nil {
+		t.Fatal(err)
+	}
+
+	if err := w.MovePage(ctx, "projects/mind-map", "projects/mm2", MoveOptions{}); err != nil {
+		t.Fatalf("MovePage: %v", err)
+	}
+
+	// The shared file must stay in its original sidecar.
+	if _, err := os.Stat(filepath.Join(dir, "projects/mind-map.assets/shared.png")); err != nil {
+		t.Errorf("shared asset removed from original sidecar: %v", err)
+	}
+
+	// The moved page's body should keep referencing the old sidecar
+	// path, because the file still lives there.
+	p, err := w.GetPage(ctx, "projects/mm2")
+	if err != nil {
+		t.Fatal(err)
+	}
+	if !strings.Contains(p.Body, "projects/mind-map.assets/shared.png") {
+		t.Errorf("moved page body lost reference to shared asset: %q", p.Body)
+	}
+
+	// And alice still resolves.
+	a, _ := w.GetPage(ctx, "people/alice")
+	if !strings.Contains(a.Body, "projects/mind-map.assets/shared.png") {
+		t.Errorf("alice lost her reference: %q", a.Body)
+	}
+}
+
+// --- DeleteAsset ---
+
+func TestDeleteAssetRemovesFileAndIndexRows(t *testing.T) {
+	w, dir := testWiki(t)
+	ctx := context.Background()
+
+	uploaded, err := w.UploadAsset(ctx, "projects/mind-map", "doomed.png", onePixelPNG)
+	if err != nil {
+		t.Fatal(err)
+	}
+	if err := w.UpdatePage(ctx, "projects/mind-map",
+		"# mm\n\n![d]("+uploaded+")\n"); err != nil {
+		t.Fatal(err)
+	}
+
+	if err := w.DeleteAsset(ctx, uploaded); err != nil {
+		t.Fatalf("DeleteAsset: %v", err)
+	}
+
+	abs := filepath.Join(dir, filepath.FromSlash(uploaded))
+	if _, err := os.Stat(abs); !os.IsNotExist(err) {
+		t.Errorf("asset still on disk: %v", err)
+	}
+
+	var n int
+	if err := w.db.QueryRow(
+		"SELECT COUNT(*) FROM links WHERE target = ? AND kind = 'image'",
+		uploaded,
+	).Scan(&n); err != nil {
+		t.Fatal(err)
+	}
+	if n != 0 {
+		t.Errorf("link rows still present after delete: %d", n)
+	}
+}
+
+func TestDeleteAssetMissingReturnsNotFound(t *testing.T) {
+	w, _ := testWiki(t)
+	err := w.DeleteAsset(context.Background(),
+		"projects/mind-map.assets/never-existed.png")
+	if !errors.Is(err, ErrAssetNotFound) {
+		t.Errorf("err = %v, want ErrAssetNotFound", err)
+	}
+}
+
+func TestDeleteAssetRejectsTraversal(t *testing.T) {
+	w, _ := testWiki(t)
+	err := w.DeleteAsset(context.Background(), "../../../etc/passwd")
+	if err == nil {
+		t.Fatal("DeleteAsset accepted traversal path")
+	}
+	if errors.Is(err, ErrAssetNotFound) {
+		t.Errorf("traversal rejected as not-found; should be a path-validation error: %v", err)
+	}
+}
+
+func TestDeleteAssetSweepsEmptySidecar(t *testing.T) {
+	w, dir := testWiki(t)
+	ctx := context.Background()
+
+	uploaded, _ := w.UploadAsset(ctx, "projects/mind-map", "only.png", onePixelPNG)
+	if err := w.DeleteAsset(ctx, uploaded); err != nil {
+		t.Fatal(err)
+	}
+
+	sidecar := filepath.Join(dir, "projects/mind-map.assets")
+	if _, err := os.Stat(sidecar); !os.IsNotExist(err) {
+		t.Errorf("empty sidecar dir not swept: %v", err)
+	}
+}
diff --git a/internal/wiki/images_test.go b/internal/wiki/images_test.go
new file mode 100644
index 0000000..dd6c151
--- /dev/null
+++ b/internal/wiki/images_test.go
@@ -0,0 +1,284 @@
+package wiki
+
+import (
+	"context"
+	"os"
+	"path/filepath"
+	"strconv"
+	"testing"
+)
+
+// TestImageRefsIndexed verifies that markdown image references are recorded
+// in the links table with kind='image' and don't leak into the wikilink
+// query surface (GetBacklinks, AllLinks, GetPage.Links).
+func TestImageRefsIndexed(t *testing.T) {
+	dir := t.TempDir()
+	writeFile(t, dir, "guide.md", `# Guide
+
+Here's a diagram:
+
+![architecture](guide.assets/architecture.png)
+
+And a wikilink to [[index]]. Also an external image
+![external](https://example.com/foo.png) that should NOT be indexed.
+`)
+	writeFile(t, dir, "index.md", `# Index
+
+See [[guide]].
+`)
+
+	w, err := Open(dir)
+	if err != nil {
+		t.Fatalf("Open: %v", err)
+	}
+	t.Cleanup(func() { w.Close() })
+
+	ctx := context.Background()
+
+	// 1. Image row must exist in `links` with kind='image'.
+	rows, err := w.db.QueryContext(ctx, "SELECT source, target, kind FROM links WHERE kind = 'image'")
+	if err != nil {
+		t.Fatalf("query: %v", err)
+	}
+	type rec struct {
+		source, target, kind string
+	}
+	var imgs []rec
+	for rows.Next() {
+		var r rec
+		if err := rows.Scan(&r.source, &r.target, &r.kind); err != nil {
+			t.Fatal(err)
+		}
+		imgs = append(imgs, r)
+	}
+	rows.Close()
+	if len(imgs) != 1 {
+		t.Fatalf("got %d image rows, want 1: %+v", len(imgs), imgs)
+	}
+	if got := imgs[0]; got.source != "guide" || got.target != "guide.assets/architecture.png" || got.kind != "image" {
+		t.Errorf("image row = %+v, want {guide, guide.assets/architecture.png, image}", got)
+	}
+
+	// 2. Wikilink query path must not include the image target.
+	links, err := w.getLinks(ctx, "guide")
+	if err != nil {
+		t.Fatalf("getLinks: %v", err)
+	}
+	if len(links) != 1 || links[0] != "index" {
+		t.Errorf("getLinks(guide) = %v, want [index]", links)
+	}
+
+	// 3. Backlinks for the image asset (via the kind='image' query)
+	// should surface the embedding page.
+	imgBacklinks := queryBacklinks(t, w, "guide.assets/architecture.png", "image")
+	if len(imgBacklinks) != 1 || imgBacklinks[0] != "guide" {
+		t.Errorf("image backlinks = %v, want [guide]", imgBacklinks)
+	}
+
+	// 4. Backlinks for the page must not include the image target as a source.
+	pageBacklinks, err := w.GetBacklinks(ctx, "guide")
+	if err != nil {
+		t.Fatalf("GetBacklinks: %v", err)
+	}
+	if len(pageBacklinks) != 1 || pageBacklinks[0] != "index" {
+		t.Errorf("GetBacklinks(guide) = %v, want [index]", pageBacklinks)
+	}
+
+	// 5. AllLinks excludes image edges.
+	all, err := w.AllLinks(ctx)
+	if err != nil {
+		t.Fatalf("AllLinks: %v", err)
+	}
+	for _, l := range all {
+		if l.Target == "guide.assets/architecture.png" {
+			t.Errorf("AllLinks leaked image edge: %+v", l)
+		}
+	}
+}
+
+// TestImageRefDeduplication ensures the same image referenced multiple
+// times from one page produces a single row, not duplicates.
+func TestImageRefDeduplication(t *testing.T) {
+	dir := t.TempDir()
+	writeFile(t, dir, "page.md", `# Page
+
+![one](page.assets/a.png)
+![two](page.assets/a.png)
+![three](page.assets/a.png)
+`)
+	w, err := Open(dir)
+	if err != nil {
+		t.Fatalf("Open: %v", err)
+	}
+	t.Cleanup(func() { w.Close() })
+
+	var n int
+	if err := w.db.QueryRow("SELECT COUNT(*) FROM links WHERE source='page' AND kind='image'").Scan(&n); err != nil {
+		t.Fatal(err)
+	}
+	if n != 1 {
+		t.Errorf("image row count = %d, want 1", n)
+	}
+}
+
+// TestImageRefReindexCleansStale verifies that removing an image reference
+// from a page and re-indexing drops the link row.
+func TestImageRefReindexCleansStale(t *testing.T) {
+	dir := t.TempDir()
+	abs := filepath.Join(dir, "page.md")
+	if err := os.WriteFile(abs, []byte(`# Page
+
+![v1](page.assets/v1.png)
+`), 0o644); err != nil {
+		t.Fatal(err)
+	}
+	w, err := Open(dir)
+	if err != nil {
+		t.Fatalf("Open: %v", err)
+	}
+	t.Cleanup(func() { w.Close() })
+
+	if err := w.UpdatePage(context.Background(), "page", `# Page
+
+![v2](page.assets/v2.png)
+`); err != nil {
+		t.Fatalf("UpdatePage: %v", err)
+	}
+
+	var n int
+	if err := w.db.QueryRow(
+		"SELECT COUNT(*) FROM links WHERE source='page' AND kind='image' AND target=?",
+		"page.assets/v1.png").Scan(&n); err != nil {
+		t.Fatal(err)
+	}
+	if n != 0 {
+		t.Errorf("stale v1 image ref still present (%d rows)", n)
+	}
+
+	if err := w.db.QueryRow(
+		"SELECT COUNT(*) FROM links WHERE source='page' AND kind='image' AND target=?",
+		"page.assets/v2.png").Scan(&n); err != nil {
+		t.Fatal(err)
+	}
+	if n != 1 {
+		t.Errorf("v2 image ref not indexed (%d rows)", n)
+	}
+}
+
+// TestMigrationIdempotent runs Open twice on the same directory to confirm
+// the migration runner doesn't trip on its second pass.
+func TestMigrationIdempotent(t *testing.T) {
+	dir := t.TempDir()
+	writeFile(t, dir, "p.md", "# P\n")
+
+	w1, err := Open(dir)
+	if err != nil {
+		t.Fatalf("Open #1: %v", err)
+	}
+	v1 := schemaVersion(t, w1)
+	w1.Close()
+
+	w2, err := Open(dir)
+	if err != nil {
+		t.Fatalf("Open #2: %v", err)
+	}
+	t.Cleanup(func() { w2.Close() })
+	v2 := schemaVersion(t, w2)
+
+	if v1 != v2 {
+		t.Errorf("schema_version changed across reopens: %d -> %d", v1, v2)
+	}
+	if v1 == 0 {
+		t.Errorf("schema_version still 0 after migrate; expected latest > 0")
+	}
+}
+
+// TestMigrationFromLegacySchema simulates a database that pre-dates the
+// kind column by manually creating the old links schema, then verifies
+// that Open transparently upgrades it.
+func TestMigrationFromLegacySchema(t *testing.T) {
+	dir := t.TempDir()
+
+	// Build a "legacy" database by opening, then dropping kind, then
+	// resetting schema_version. This is the simplest portable way to
+	// fake a pre-migration state without checking in a binary fixture.
+	w, err := Open(dir)
+	if err != nil {
+		t.Fatalf("Open seed: %v", err)
+	}
+	// SQLite can't DROP COLUMN before 3.35; emulate by rebuilding.
+	if _, err := w.db.Exec(`
+		DROP TABLE links;
+		CREATE TABLE links (
+			source TEXT NOT NULL,
+			target TEXT NOT NULL,
+			PRIMARY KEY (source, target)
+		);
+		CREATE INDEX idx_links_target ON links(target);
+		DELETE FROM wiki_state WHERE key = 'schema_version';
+	`); err != nil {
+		t.Fatalf("legacy reset: %v", err)
+	}
+	// Pre-seed a wikilink row in the old shape.
+	if _, err := w.db.Exec(`INSERT INTO links (source, target) VALUES ('a', 'b')`); err != nil {
+		t.Fatalf("seed legacy row: %v", err)
+	}
+	w.Close()
+
+	w2, err := Open(dir)
+	if err != nil {
+		t.Fatalf("Open post-legacy: %v", err)
+	}
+	t.Cleanup(func() { w2.Close() })
+
+	// kind column must exist now.
+	has, err := columnExists(w2, "links", "kind")
+	if err != nil {
+		t.Fatalf("columnExists: %v", err)
+	}
+	if !has {
+		t.Fatal("kind column not added by migration")
+	}
+
+	// The legacy row must have been backfilled with kind='link'.
+	var kind string
+	if err := w2.db.QueryRow(`SELECT kind FROM links WHERE source='a' AND target='b'`).Scan(&kind); err != nil {
+		t.Fatalf("query legacy row: %v", err)
+	}
+	if kind != "link" {
+		t.Errorf("legacy row backfill kind = %q, want %q", kind, "link")
+	}
+}
+
+// --- helpers ---
+
+func queryBacklinks(t *testing.T, w *Wiki, target, kind string) []string {
+	t.Helper()
+	rows, err := w.db.Query("SELECT source FROM links WHERE target = ? AND kind = ?", target, kind)
+	if err != nil {
+		t.Fatal(err)
+	}
+	defer rows.Close()
+	var out []string
+	for rows.Next() {
+		var s string
+		if err := rows.Scan(&s); err != nil {
+			t.Fatal(err)
+		}
+		out = append(out, s)
+	}
+	return out
+}
+
+func schemaVersion(t *testing.T, w *Wiki) int {
+	t.Helper()
+	raw, ok := w.readStateKey(context.Background(), stateKeySchemaVersion)
+	if !ok {
+		return 0
+	}
+	v, err := strconv.Atoi(raw)
+	if err != nil {
+		t.Fatalf("parse schema_version %q: %v", raw, err)
+	}
+	return v
+}
diff --git a/internal/wiki/index.go b/internal/wiki/index.go
index 0379dc6..a7c8f48 100644
--- a/internal/wiki/index.go
+++ b/internal/wiki/index.go
@@ -132,7 +132,13 @@ func (w *Wiki) Reindex(ctx context.Context) (ReindexStats, error) {
 			return ReindexStats{}, err
 		}
 		for _, target := range parsed.links {
-			if _, err := tx.ExecContext(ctx, "INSERT OR IGNORE INTO links (source, target) VALUES (?, ?)", pagePath, target); err != nil {
+			if _, err := tx.ExecContext(ctx, "INSERT OR IGNORE INTO links (source, target, kind) VALUES (?, ?, 'link')", pagePath, target); err != nil {
+				tx.Rollback()
+				return ReindexStats{}, err
+			}
+		}
+		for _, target := range parsed.images {
+			if _, err := tx.ExecContext(ctx, "INSERT OR IGNORE INTO links (source, target, kind) VALUES (?, ?, 'image')", pagePath, target); err != nil {
 				tx.Rollback()
 				return ReindexStats{}, err
 			}
@@ -232,7 +238,12 @@ func (w *Wiki) indexPage(ctx context.Context, pagePath string) error {
 		return err
 	}
 	for _, target := range parsed.links {
-		if _, err := tx.ExecContext(ctx, "INSERT OR IGNORE INTO links (source, target) VALUES (?, ?)", pagePath, target); err != nil {
+		if _, err := tx.ExecContext(ctx, "INSERT OR IGNORE INTO links (source, target, kind) VALUES (?, ?, 'link')", pagePath, target); err != nil {
+			return err
+		}
+	}
+	for _, target := range parsed.images {
+		if _, err := tx.ExecContext(ctx, "INSERT OR IGNORE INTO links (source, target, kind) VALUES (?, ?, 'image')", pagePath, target); err != nil {
 			return err
 		}
 	}
diff --git a/internal/wiki/migrate.go b/internal/wiki/migrate.go
new file mode 100644
index 0000000..0678f1b
--- /dev/null
+++ b/internal/wiki/migrate.go
@@ -0,0 +1,154 @@
+package wiki
+
+import (
+	"context"
+	"fmt"
+	"log/slog"
+	"strconv"
+)
+
+// Schema migrations.
+//
+// The base schema in initSchema() uses CREATE ... IF NOT EXISTS and is safe
+// to run against any database. For *changes* to existing tables (ADD COLUMN,
+// new indexes, etc.) we need an ordered, idempotent migration runner.
+//
+// State is tracked under wiki_state["schema_version"] as a decimal integer
+// string. A fresh database starts implicitly at version 0; each migration
+// bumps to its declared `to` value inside a single transaction so a partial
+// run never leaves the schema in a hybrid state.
+//
+// Append-only: never edit a migration after it has shipped. Add a new one.
+
+// stateKeySchemaVersion is the wiki_state key holding the current
+// migration version as a decimal string.
+const stateKeySchemaVersion = "schema_version"
+
+// migration describes one schema bump. `to` is the version this migration
+// produces; the runner applies migrations in ascending `to` order whose
+// `to` value is strictly greater than the current schema version.
+type migration struct {
+	to    int
+	name  string
+	apply func(*Wiki) error
+}
+
+// migrations is the canonical ordered list. Add new entries to the end.
+var migrations = []migration{
+	{
+		to:   1,
+		name: "links.kind column for image refs",
+		apply: func(w *Wiki) error {
+			// SQLite has no `ADD COLUMN IF NOT EXISTS`. We probe the
+			// schema via PRAGMA table_info and only ALTER when the
+			// column is missing — that way a database that was
+			// hand-patched, or one that survived a partial earlier
+			// run, doesn't error out.
+			has, err := columnExists(w, "links", "kind")
+			if err != nil {
+				return fmt.Errorf("probe links.kind: %w", err)
+			}
+			if has {
+				return nil
+			}
+			_, err = w.db.Exec(`ALTER TABLE links ADD COLUMN kind TEXT NOT NULL DEFAULT 'link'`)
+			return err
+		},
+	},
+}
+
+// migrate brings the database up to the latest schema version. Idempotent —
+// re-runs are no-ops once everything is applied. Each migration is bounded
+// by writeStateKey on success, so a crash mid-pass leaves the version at
+// the prior step and the next start picks up where we left off.
+//
+// On a fresh database (initSchema just ran with the current CREATE TABLE
+// definitions), the migrations are all no-ops in practice — they probe for
+// schema state before mutating. We still record the latest version so future
+// migrations have an unambiguous "you started fresh at version N" baseline.
+func (w *Wiki) migrate() error {
+	current, err := w.currentSchemaVersion()
+	if err != nil {
+		return err
+	}
+
+	latest := 0
+	if n := len(migrations); n > 0 {
+		latest = migrations[n-1].to
+	}
+
+	for _, m := range migrations {
+		if m.to <= current {
+			continue
+		}
+
+		slog.Info("applying migration",
+			slog.Int("from", current),
+			slog.Int("to", m.to),
+			slog.String("name", m.name),
+		)
+
+		if err := m.apply(w); err != nil {
+			return fmt.Errorf("migration %d (%s): %w", m.to, m.name, err)
+		}
+		if err := w.writeStateKey(context.Background(), stateKeySchemaVersion,
+			strconv.Itoa(m.to)); err != nil {
+			return fmt.Errorf("record schema_version=%d: %w", m.to, err)
+		}
+		current = m.to
+	}
+
+	// Belt-and-suspenders: ensure the recorded version matches latest
+	// even when no migrations ran (e.g. fresh DB whose CREATE TABLE
+	// already includes everything). This gives future migrations a
+	// clean "I know exactly where you are" starting point.
+	if current < latest {
+		if err := w.writeStateKey(context.Background(), stateKeySchemaVersion,
+			strconv.Itoa(latest)); err != nil {
+			return fmt.Errorf("record schema_version=%d: %w", latest, err)
+		}
+	}
+
+	return nil
+}
+
+// currentSchemaVersion reads the persisted version, defaulting to 0 for
+// fresh databases.
+func (w *Wiki) currentSchemaVersion() (int, error) {
+	raw, ok := w.readStateKey(context.Background(), stateKeySchemaVersion)
+	if !ok {
+		return 0, nil
+	}
+	v, err := strconv.Atoi(raw)
+	if err != nil {
+		return 0, fmt.Errorf("parse schema_version %q: %w", raw, err)
+	}
+	return v, nil
+}
+
+// columnExists reports whether the named column is present on the given
+// table. Uses PRAGMA table_info, which lists one row per column.
+func columnExists(w *Wiki, table, column string) (bool, error) {
+	rows, err := w.db.Query("PRAGMA table_info(" + table + ")")
+	if err != nil {
+		return false, err
+	}
+	defer rows.Close()
+	for rows.Next() {
+		var (
+			cid       int
+			name      string
+			ctype     string
+			notnull   int
+			dfltValue any
+			pk        int
+		)
+		if err := rows.Scan(&cid, &name, &ctype, &notnull, &dfltValue, &pk); err != nil {
+			return false, err
+		}
+		if name == column {
+			return true, nil
+		}
+	}
+	return false, rows.Err()
+}
diff --git a/internal/wiki/pages.go b/internal/wiki/pages.go
index d030cbd..6622b9e 100644
--- a/internal/wiki/pages.go
+++ b/internal/wiki/pages.go
@@ -194,7 +194,13 @@ func (w *Wiki) UpdatePage(ctx context.Context, pagePath string, content string)
 	return nil
 }
 
-// DeletePage removes a page from the filesystem and index.
+// DeletePage removes a page from the filesystem and index. Sidecar
+// assets under <page>.assets/ are GC'd against the link index: any file
+// that no longer has a row in `links` (after the page's own rows are
+// removed) is deleted. Cross-referenced assets — those another page
+// still embeds — are kept; the design intentionally has no shared-pool
+// concept, so the file lives where it was originally uploaded even when
+// referenced from elsewhere.
 func (w *Wiki) DeletePage(ctx context.Context, pagePath string) error {
 	if err := ctx.Err(); err != nil {
 		return err
@@ -223,6 +229,21 @@ func (w *Wiki) DeletePage(ctx context.Context, pagePath string) error {
 	// The page is gone; leaving it in recents would point the agent
 	// at a 404. Drop the entry rather than promote it.
 	w.recents.remove(pagePath)
+
+	// Sweep the sidecar after dropping this page's link rows. Any
+	// asset still referenced by another page (kind='image' row with
+	// a different source) is kept; everything else is removed. The
+	// sidecar dir itself is removed if it ends up empty.
+	if err := w.gcSidecarAssets(ctx, pagePath); err != nil {
+		// Non-fatal: the page itself is gone and the index is
+		// consistent. A future gc_assets pass (Slice 2 follow-up)
+		// can mop up.
+		slog.Warn("sidecar gc failed",
+			slog.String("page", pagePath),
+			slog.Any("error", err),
+		)
+	}
+
 	return nil
 }
 
@@ -317,8 +338,37 @@ func (w *Wiki) MovePage(ctx context.Context, fromPath, toPath string, opts MoveO
 		return fmt.Errorf("create destination directory: %w", err)
 	}
 
-	if err := os.Rename(fromAbs, toAbs); err != nil {
-		return fmt.Errorf("rename page file: %w", err)
+	// Sidecar handling: before we destroy the source page's link rows,
+	// snapshot its image references so splitSidecarOnMove can decide
+	// which assets travel with the page and which stay behind for
+	// other referencers. We read the body once here and pass it
+	// through to be rewritten in place — that way the file ends up at
+	// the new location with image paths already pointing at the new
+	// sidecar (for exclusive assets) and unchanged for shared ones.
+	oldImages, err := w.imageRefsFor(ctx, from)
+	if err != nil {
+		return fmt.Errorf("snapshot image refs: %w", err)
+	}
+	body, err := os.ReadFile(fromAbs)
+	if err != nil {
+		return fmt.Errorf("read source body: %w", err)
+	}
+	rewritten, err := w.splitSidecarOnMove(ctx, from, to, body, oldImages)
+	if err != nil {
+		return fmt.Errorf("split sidecar on move: %w", err)
+	}
+
+	if err := os.WriteFile(toAbs, rewritten, 0o644); err != nil {
+		return fmt.Errorf("write destination: %w", err)
+	}
+	if err := os.Remove(fromAbs); err != nil && !os.IsNotExist(err) {
+		// Best-effort: the destination is already in place and the
+		// indexer will reconcile. Leaving the source on disk would
+		// confuse the next reindex into thinking we have a
+		// duplicate, but a follow-up Reindex picks the newer mtime.
+		slog.Warn("move: remove source after copy failed",
+			slog.String("from", from), slog.Any("error", err),
+		)
 	}
 
 	if err := w.removePageIndex(ctx, from); err != nil {
@@ -329,6 +379,15 @@ func (w *Wiki) MovePage(ctx context.Context, fromPath, toPath string, opts MoveO
 		return fmt.Errorf("index new page: %w", err)
 	}
 
+	// GC any remaining files in the old sidecar. If everything moved,
+	// the dir is gone; if shared assets remained, the dir survives
+	// with just them.
+	if err := w.gcSidecarAssets(ctx, from); err != nil {
+		slog.Warn("move: sidecar gc failed",
+			slog.String("from", from), slog.Any("error", err),
+		)
+	}
+
 	// Treat a move as one continuous "active use" rather than dropping
 	// the old name and freshly inserting the new one. See recentsLRU.rename.
 	w.recents.rename(from, to)
@@ -398,14 +457,16 @@ type Link struct {
 	Target string `json:"target"`
 }
 
-// AllLinks returns every wikilink edge in the index. Used by the graph
-// view to render reference edges without a per-page round-trip.
+// AllLinks returns every wikilink edge in the index. Image references
+// (kind='image') are excluded — those have a separate query path for the
+// asset lifecycle code. Used by the graph view to render reference edges
+// without a per-page round-trip.
 func (w *Wiki) AllLinks(ctx context.Context) ([]Link, error) {
 	if err := ctx.Err(); err != nil {
 		return nil, err
 	}
 
-	rows, err := w.db.QueryContext(ctx, "SELECT source, target FROM links")
+	rows, err := w.db.QueryContext(ctx, "SELECT source, target FROM links WHERE kind = 'link'")
 	if err != nil {
 		return nil, err
 	}
@@ -521,7 +582,7 @@ func (w *Wiki) releaseLock(pagePath string) {
 // --- internal helpers ---
 
 func (w *Wiki) getLinks(ctx context.Context, pagePath string) ([]string, error) {
-	rows, err := w.db.QueryContext(ctx, "SELECT target FROM links WHERE source = ?", pagePath)
+	rows, err := w.db.QueryContext(ctx, "SELECT target FROM links WHERE source = ? AND kind = 'link'", pagePath)
 	if err != nil {
 		return nil, err
 	}
@@ -538,7 +599,7 @@ func (w *Wiki) getLinks(ctx context.Context, pagePath string) ([]string, error)
 }
 
 func (w *Wiki) getBacklinks(ctx context.Context, pagePath string) ([]string, error) {
-	rows, err := w.db.QueryContext(ctx, "SELECT source FROM links WHERE target = ?", pagePath)
+	rows, err := w.db.QueryContext(ctx, "SELECT source FROM links WHERE target = ? AND kind = 'link'", pagePath)
 	if err != nil {
 		return nil, err
 	}
@@ -554,6 +615,48 @@ func (w *Wiki) getBacklinks(ctx context.Context, pagePath string) ([]string, err
 	return backlinks, nil
 }
 
+// imageRefsFor returns the asset paths a page currently references in
+// the index (kind='image' rows where source = pagePath). Order is
+// unspecified; callers that care should sort. Used by MovePage to
+// snapshot pre-move state before the source's link rows are deleted.
+func (w *Wiki) imageRefsFor(ctx context.Context, pagePath string) ([]string, error) {
+	rows, err := w.db.QueryContext(ctx,
+		"SELECT target FROM links WHERE source = ? AND kind = 'image'",
+		pagePath,
+	)
+	if err != nil {
+		return nil, err
+	}
+	defer rows.Close()
+
+	var images []string
+	for rows.Next() {
+		var t string
+		if err := rows.Scan(&t); err == nil {
+			images = append(images, t)
+		}
+	}
+	return images, nil
+}
+
+// ImageRefsForPage is the exported variant of imageRefsFor used by
+// MCP / HTTP handlers that need to enumerate a page's image
+// references. The page path is normalized first (same rules as
+// GetPage); an empty result is returned for an unknown page rather
+// than an error, since "no images referenced" and "page doesn't
+// exist" are both legitimate empty cases the caller will usually
+// treat the same way.
+func (w *Wiki) ImageRefsForPage(ctx context.Context, pagePath string) ([]string, error) {
+	if err := ctx.Err(); err != nil {
+		return nil, err
+	}
+	normalized, err := normalizePagePath(pagePath)
+	if err != nil {
+		return nil, err
+	}
+	return w.imageRefsFor(ctx, normalized)
+}
+
 func (w *Wiki) topLevelDirs() []string {
 	entries, err := os.ReadDir(w.root)
 	if err != nil {
diff --git a/internal/wiki/parse.go b/internal/wiki/parse.go
index 9d04399..8973f85 100644
--- a/internal/wiki/parse.go
+++ b/internal/wiki/parse.go
@@ -4,6 +4,7 @@ import (
 	"strings"
 
 	"github.com/yuin/goldmark"
+	"github.com/yuin/goldmark/ast"
 	meta "github.com/yuin/goldmark-meta"
 	"github.com/yuin/goldmark/parser"
 	"github.com/yuin/goldmark/text"
@@ -21,17 +22,24 @@ type parsedPage struct {
 	body        string
 	frontmatter map[string]interface{}
 	links       []string
+	// images holds standard markdown image destinations (`![](path)`)
+	// in document order, deduplicated. These are tracked in the links
+	// table with kind='image' so lifecycle operations (delete/move/GC)
+	// can run as plain index queries.
+	images []string
 }
 
-// parsePage extracts frontmatter, title, body text, and wikilinks from raw markdown.
+// parsePage extracts frontmatter, title, body text, wikilinks, and image
+// references from raw markdown.
 func parsePage(raw []byte) parsedPage {
 	ctx := parser.NewContext()
 	reader := text.NewReader(raw)
 
-	// Parse only to populate the meta context; goldmark-meta stores the
-	// YAML frontmatter map on ctx as a side effect. The AST itself is
-	// unused here — we extract the body via stripFrontmatter below.
-	md.Parser().Parse(reader, parser.WithContext(ctx))
+	// Parse fully now: we use the AST to extract image destinations
+	// (standard markdown ![](path)). Wikilinks are still string-scanned
+	// from the post-frontmatter body since they're a non-standard
+	// extension and goldmark doesn't recognize them.
+	doc := md.Parser().Parse(reader, parser.WithContext(ctx))
 
 	fm := meta.Get(ctx)
 	body := stripFrontmatter(raw)
@@ -41,6 +49,7 @@ func parsePage(raw []byte) parsedPage {
 		body:        string(body),
 		frontmatter: fm,
 		links:       extractWikilinks(body),
+		images:      extractImages(doc, raw),
 	}
 }
 
@@ -116,3 +125,67 @@ func extractWikilinks(body []byte) []string {
 
 	return links
 }
+
+// extractImages walks the markdown AST and returns the destinations of
+// every `![](path)` image in document order, deduplicated. External URLs
+// (anything with a scheme) are skipped — we only track wiki-local
+// references because those are the ones the lifecycle code needs to
+// reason about. Anchor-only refs (`#foo`) and empty destinations are
+// also skipped.
+//
+// The `raw` parameter is the full file bytes (including frontmatter);
+// goldmark uses byte offsets into this when reporting node positions,
+// but ast.Image carries its destination directly so we don't need to
+// re-slice the source.
+func extractImages(doc ast.Node, _ []byte) []string {
+	seen := make(map[string]bool)
+	var images []string
+
+	_ = ast.Walk(doc, func(n ast.Node, entering bool) (ast.WalkStatus, error) {
+		if !entering {
+			return ast.WalkContinue, nil
+		}
+		img, ok := n.(*ast.Image)
+		if !ok {
+			return ast.WalkContinue, nil
+		}
+		dest := string(img.Destination)
+		if !isWikiLocalRef(dest) {
+			return ast.WalkContinue, nil
+		}
+		if !seen[dest] {
+			seen[dest] = true
+			images = append(images, dest)
+		}
+		return ast.WalkContinue, nil
+	})
+
+	return images
+}
+
+// isWikiLocalRef reports whether a markdown image destination points at a
+// wiki-local asset rather than an external resource. External resources
+// (http://, https://, data:, mailto:, etc.) are intentionally ignored —
+// the lifecycle code only manages files inside the wiki tree.
+func isWikiLocalRef(dest string) bool {
+	if dest == "" {
+		return false
+	}
+	if strings.HasPrefix(dest, "#") {
+		return false
+	}
+	// Reject anything with a URL scheme (RFC 3986 scheme is
+	// ALPHA *( ALPHA / DIGIT / "+" / "-" / "." ) followed by ":").
+	// A bare check for "://" misses `data:` and `mailto:`, hence the
+	// stricter scan: first colon before any slash means scheme.
+	for i := 0; i < len(dest); i++ {
+		c := dest[i]
+		if c == ':' {
+			return false
+		}
+		if c == '/' || c == '?' || c == '#' {
+			break
+		}
+	}
+	return true
+}
diff --git a/internal/wiki/wiki.go b/internal/wiki/wiki.go
index 2c668ac..a8f9956 100644
--- a/internal/wiki/wiki.go
+++ b/internal/wiki/wiki.go
@@ -139,6 +139,10 @@ type Wiki struct {
 	// against an already-closed DB and logs a spurious warning.
 	closeOnce sync.Once
 	closeErr  error
+	// MaxAssetBytes caps individual asset uploads via UploadAsset.
+	// Zero (the default) means "use defaultMaxAssetBytes" (10 MB).
+	// Set this from the CLI / config layer to override per deployment.
+	MaxAssetBytes int64
 }
 
 // Open opens (or creates) a wiki rooted at the given directory.
@@ -260,9 +264,15 @@ func (w *Wiki) initSchema() error {
 		modified  TEXT NOT NULL DEFAULT ''
 	);
 
+	-- The PRIMARY KEY is (source, target) for back-compat with databases
+	-- migrated from before the kind column existed (see migrate.go). In
+	-- practice (source, target) is unique even across kinds because
+	-- wikilink targets are page paths (no extension) while image targets
+	-- are filesystem paths with extensions — they don't collide.
 	CREATE TABLE IF NOT EXISTS links (
 		source TEXT NOT NULL,
 		target TEXT NOT NULL,
+		kind   TEXT NOT NULL DEFAULT 'link',
 		PRIMARY KEY (source, target)
 	);
 
@@ -306,6 +316,10 @@ func (w *Wiki) initSchema() error {
 		return fmt.Errorf("wiki_state schema: %w", err)
 	}
 
+	if err := w.migrate(); err != nil {
+		return fmt.Errorf("migrate: %w", err)
+	}
+
 	// Clean up stale locks (older than 5 minutes) from crashed processes
 	_, err := w.db.Exec("DELETE FROM page_locks WHERE acquired < ?",
 		time.Now().Add(-5*time.Minute).UTC().Format(time.RFC3339))
diff --git a/tools/screenshot/.gitignore b/tools/screenshot/.gitignore
new file mode 100644
index 0000000..208db9d
--- /dev/null
+++ b/tools/screenshot/.gitignore
@@ -0,0 +1,6 @@
+# Build / runtime artifacts from running capture.mjs.
+# node_modules/ holds Playwright; captured/ holds the screenshot PNGs.
+# Both are reproducible: `npm install && npm run capture` regenerates them.
+node_modules/
+captured/
+package-lock.json
diff --git a/tools/screenshot/README.md b/tools/screenshot/README.md
new file mode 100644
index 0000000..f44bee1
--- /dev/null
+++ b/tools/screenshot/README.md
@@ -0,0 +1,72 @@
+# tools/screenshot
+
+End-to-end visual test for mind-map's image-support feature. Drives a
+real Chromium via Playwright against a running mind-map server,
+captures screenshots of representative views, uploads them through
+`POST /api/assets`, embeds the references into wiki pages, and verifies
+the rendered SPA actually fetches and displays them.
+
+This is the integration counterpart to the unit tests under
+`internal/wiki`, `internal/mcp`, and `internal/httpapi`. The unit tests
+prove each layer in isolation; this harness proves the whole pipeline
+(upload → indexer → static handler → marked → `<img>` → static handler
+again) works for real.
+
+## Setup
+
+Inside the devcontainer, Playwright and its browsers are installed by the
+[`ghcr.io/schlich/devcontainer-features/playwright`](https://github.com/schlich/devcontainer-features/tree/main/src/playwright)
+feature declared in `.devcontainer/devcontainer.json`. The browser binary and
+all its Linux runtime libs land in `~/.cache/ms-playwright/` automatically
+during container build — no manual `npx playwright install` step required.
+
+The local `node_modules/` for this harness is still managed by npm because
+`capture.mjs` imports `playwright` as a dependency. One `npm install` here
+once after a fresh clone:
+
+```sh
+cd tools/screenshot
+npm install
+```
+
+`node_modules/`, `package-lock.json`, and `captured/` are gitignored.
+
+## Run
+
+A mind-map server must be running first. Most local workflow:
+
+```sh
+# in one terminal
+go build -o /tmp/mind-map ./cmd/mind-map
+/tmp/mind-map serve --addr 127.0.0.1:4242 --dir /path/to/wiki
+
+# in another
+cd tools/screenshot
+npm run capture          # take + upload + embed all CAPTURES
+node verify.mjs          # verify one page renders its embed correctly
+```
+
+Override the target server with `MINDMAP_URL=http://host:port npm run
+capture`. `verify.mjs` accepts `MINDMAP_TARGET=path/to/page` to point
+at any page that has an embedded image.
+
+## Caveat: sync
+
+The harness writes via the wiki's normal `PUT /api/pages/*` path, so
+in `direction: pull` configurations the next sync tick will overwrite
+local edits with the upstream content. Disable sync (set
+`sync.enabled: false` in `~/.mind-map/config.json`) before running the
+harness if you want the edits to persist locally. Bidirectional sync
+preserves local edits across ticks (commit-then-merge) but pushes them
+upstream — only flip that on once you're happy with the result.
+
+## What gets captured
+
+`CAPTURES` in `capture.mjs` is the source of truth. Currently five
+views — home/graph, page detail, search results, MCP server page,
+settings modal — each embedded into a different `architecture/*` page
+under a managed sentinel block (`<!-- mind-map screenshots ... -->`)
+so re-runs replace the prior block instead of appending.
+
+Screenshots also land in `./captured/` so a human can eyeball them
+without firing up the SPA.
diff --git a/tools/screenshot/capture.mjs b/tools/screenshot/capture.mjs
new file mode 100644
index 0000000..f3453a0
--- /dev/null
+++ b/tools/screenshot/capture.mjs
@@ -0,0 +1,380 @@
+#!/usr/bin/env node
+// End-to-end demo + visual test for mind-map's image-support feature.
+//
+// Composition model: each capture entry has an async `compose(page)`
+// function that puts the SPA into the desired state — navigate,
+// click controls, fill inputs, set localStorage for theme/sort, etc.
+// The capture runs after compose returns, so this script can be
+// extended with new shots by appending entries; the rest of the
+// machinery doesn't change.
+//
+// Lifecycle of each capture:
+//   1. DELETE /api/assets/<page>.assets/<name> — drop any prior
+//      version so re-runs produce a single canonical file (no -1/-2
+//      suffix accumulation).
+//   2. compose(page) sets up the SPA state.
+//   3. Screenshot the viewport, save to ./captured/<name>.
+//   4. Upload via POST /api/assets, then GET /assets/<path> to
+//      byte-verify the static handler.
+//   5. After all captures, PUT each touched page once with the
+//      managed sentinel block replaced.
+//
+// Sync: this harness mutates pages and assets via the wiki API. If
+// sync is enabled with direction:pull, the next sync tick will wipe
+// the edits. Either disable sync or set direction:push before
+// running.
+
+import { chromium } from 'playwright';
+import { mkdir, writeFile, readFile } from 'node:fs/promises';
+import { resolve, dirname, basename } from 'node:path';
+import { fileURLToPath } from 'node:url';
+import { Buffer } from 'node:buffer';
+
+const __dirname = dirname(fileURLToPath(import.meta.url));
+const CAPTURED_DIR = resolve(__dirname, 'captured');
+
+const SERVER = process.env.MINDMAP_URL || 'http://localhost:51888';
+
+// Compose helpers used across captures. Kept here rather than inside
+// the entries so the entries stay readable.
+
+async function setTheme(page, theme) {
+    // Theme is persisted in localStorage and applied as a `.dark`
+    // class on <html>. Setting both before navigation ensures the
+    // first paint matches; flushing again post-navigation guards
+    // against the app's own initialization overwriting our value
+    // from prefers-color-scheme.
+    await page.addInitScript((t) => {
+        localStorage.setItem('mm-theme', t);
+    }, theme);
+}
+
+async function setSortMode(page, mode) {
+    await page.addInitScript((m) => {
+        localStorage.setItem('mm-sort-mode', m);
+    }, mode);
+}
+
+async function waitForMarkdown(page) {
+    try {
+        await page.waitForSelector('.markdown', { timeout: 5000 });
+    } catch (_) {
+        // Best-effort; capture whatever rendered.
+    }
+}
+
+async function waitForGraph(page) {
+    // The graph canvas takes a moment to lay out (force simulation).
+    // Wait for the fit-all button to be reachable as a proxy for
+    // "graph is up", then a beat for the animation to settle.
+    try {
+        await page.waitForSelector('button.graph-fit', { timeout: 5000 });
+    } catch (_) { }
+    await page.waitForTimeout(800);
+}
+
+async function fitGraph(page) {
+    const btn = page.locator('button.graph-fit').first();
+    if (await btn.isVisible().catch(() => false)) {
+        await btn.click();
+        await page.waitForTimeout(600); // fit animation
+    }
+}
+
+async function fillSearch(page, q) {
+    const input = page.locator('input[placeholder="search..."]').first();
+    await input.fill(q);
+    await input.press('Enter');
+    await page.waitForTimeout(700);
+}
+
+// CAPTURES is the source of truth for what gets shot, where it lands,
+// and how the SPA gets put into the right state.
+const CAPTURES = [
+    {
+        name: 'home-graph-fit.png',
+        embedPage: 'architecture/index',
+        caption: 'Home: graph view fitted to the viewport',
+        compose: async (page) => {
+            await setSortMode(page, 'title');
+            await setTheme(page, 'light');
+            await page.goto(SERVER + '/#/', { waitUntil: 'networkidle' });
+            await waitForGraph(page);
+            await fitGraph(page);
+        },
+    },
+    {
+        name: 'home-graph-dark.png',
+        embedPage: 'architecture/index',
+        caption: 'Home: graph view in dark mode (same data, theme toggle demo)',
+        compose: async (page) => {
+            await setSortMode(page, 'title');
+            await setTheme(page, 'dark');
+            await page.goto(SERVER + '/#/', { waitUntil: 'networkidle' });
+            await waitForGraph(page);
+            await fitGraph(page);
+        },
+    },
+    {
+        name: 'page-detail.png',
+        embedPage: 'architecture/wiki-engine',
+        caption: 'Page detail: rendered markdown, wikilinks, and embedded mermaid diagrams',
+        compose: async (page) => {
+            await setTheme(page, 'light');
+            await page.goto(SERVER + '/#/architecture/wiki-engine', { waitUntil: 'networkidle' });
+            await waitForMarkdown(page);
+            await page.waitForTimeout(800); // let mermaid finish
+        },
+    },
+    {
+        name: 'sort-recent.png',
+        embedPage: 'architecture/web-ui',
+        caption: 'Sidebar: recent-first sort (mtime-ordered list)',
+        compose: async (page) => {
+            await setSortMode(page, 'recent');
+            await setTheme(page, 'light');
+            await page.goto(SERVER + '/#/', { waitUntil: 'networkidle' });
+            await waitForGraph(page);
+            await fitGraph(page);
+        },
+    },
+    {
+        name: 'sort-path.png',
+        embedPage: 'architecture/web-ui',
+        caption: 'Sidebar: path-tree sort (hierarchical view)',
+        compose: async (page) => {
+            await setSortMode(page, 'path');
+            await setTheme(page, 'light');
+            await page.goto(SERVER + '/#/', { waitUntil: 'networkidle' });
+            await waitForGraph(page);
+            await fitGraph(page);
+        },
+    },
+    {
+        name: 'sort-title.png',
+        embedPage: 'architecture/web-ui',
+        caption: 'Sidebar: title-alphabetical sort',
+        compose: async (page) => {
+            await setSortMode(page, 'title');
+            await setTheme(page, 'light');
+            await page.goto(SERVER + '/#/', { waitUntil: 'networkidle' });
+            await waitForGraph(page);
+            await fitGraph(page);
+        },
+    },
+    {
+        name: 'search-sidebar.png',
+        embedPage: 'architecture/mcp-server',
+        caption: 'Sidebar search: results filtered + highlighted as you type',
+        compose: async (page) => {
+            await setSortMode(page, 'title');
+            await setTheme(page, 'light');
+            await page.goto(SERVER + '/#/', { waitUntil: 'networkidle' });
+            await waitForGraph(page);
+            await fillSearch(page, 'wiki');
+        },
+    },
+    {
+        name: 'search-in-page.png',
+        embedPage: 'architecture/mcp-server',
+        caption: 'In-page search: match-highlighting in the rendered body',
+        compose: async (page) => {
+            await setSortMode(page, 'title');
+            await setTheme(page, 'light');
+            // Navigate without query first, then set the query via the
+            // sidebar search — initial-load hash parsing doesn't pick
+            // up ?q= on first paint in all cases, but a real user-
+            // initiated search always works.
+            await page.goto(SERVER + '/#/architecture/wiki-engine', { waitUntil: 'networkidle' });
+            await waitForMarkdown(page);
+            await fillSearch(page, 'index');
+            await page.waitForTimeout(400);
+        },
+    },
+    {
+        name: 'settings.png',
+        embedPage: 'architecture/http-api',
+        caption: 'Settings: sync configuration and direction toggle',
+        compose: async (page) => {
+            await setTheme(page, 'light');
+            await page.goto(SERVER + '/#/', { waitUntil: 'networkidle' });
+            await waitForGraph(page);
+            const btn = page.locator('button.settings-toggle').first();
+            await btn.click();
+            await page.waitForSelector('.settings-title', { timeout: 5000 });
+            await page.waitForTimeout(300);
+        },
+    },
+];
+
+// --- API helpers ---
+
+async function waitForServer(attempts = 30) {
+    for (let i = 0; i < attempts; i++) {
+        try {
+            const res = await fetch(SERVER + '/api/version');
+            if (res.ok) return await res.json();
+        } catch (_) { }
+        await new Promise((r) => setTimeout(r, 500));
+    }
+    throw new Error(`server at ${SERVER} did not respond after ${attempts} attempts`);
+}
+
+async function deleteAssetIfExists(page, name) {
+    // Best-effort: it's fine for the DELETE to 404 on the first run
+    // when the file doesn't exist yet. We only want to clean up
+    // prior versions to keep filenames canonical (home.png stays
+    // home.png across runs, no -1/-2 suffix accumulation).
+    const path = `${page}.assets/${name}`;
+    const res = await fetch(SERVER + '/api/assets/' + path, { method: 'DELETE' });
+    if (res.ok || res.status === 404) return;
+    console.warn(`  warning: DELETE /api/assets/${path} returned ${res.status}`);
+}
+
+async function uploadAsset(page, name, bytes) {
+    const res = await fetch(SERVER + '/api/assets', {
+        method: 'POST',
+        headers: { 'Content-Type': 'application/json' },
+        body: JSON.stringify({
+            page,
+            name,
+            content_base64: bytes.toString('base64'),
+        }),
+    });
+    if (!res.ok) {
+        throw new Error(`upload failed ${res.status}: ${await res.text()}`);
+    }
+    return await res.json();
+}
+
+async function getPageBody(path) {
+    const res = await fetch(SERVER + '/api/pages/' + path);
+    if (!res.ok) throw new Error(`get page ${path} failed ${res.status}`);
+    return await res.json();
+}
+
+async function putPage(path, content) {
+    const res = await fetch(SERVER + '/api/pages/' + path, {
+        method: 'PUT',
+        headers: { 'Content-Type': 'application/json' },
+        body: JSON.stringify({ content }),
+    });
+    if (!res.ok) {
+        throw new Error(`put page ${path} failed ${res.status}: ${await res.text()}`);
+    }
+    return await res.json();
+}
+
+async function verifyServed(assetPath, expected) {
+    const res = await fetch(SERVER + '/assets/' + assetPath);
+    if (!res.ok) throw new Error(`serve ${assetPath} failed ${res.status}`);
+    const got = Buffer.from(await res.arrayBuffer());
+    if (got.length !== expected.length) {
+        throw new Error(`served length mismatch ${got.length} vs ${expected.length}`);
+    }
+    for (let i = 0; i < got.length; i++) {
+        if (got[i] !== expected[i]) {
+            throw new Error(`served bytes differ at offset ${i}`);
+        }
+    }
+}
+
+// rebuildBody overwrites the managed sentinel block on a page with a
+// fresh gallery. Idempotent: re-running replaces the prior block
+// rather than appending. Content outside the sentinel block is
+// untouched.
+function rebuildBody(originalBody, embeds) {
+    const sentinelStart = '<!-- mind-map screenshots: managed; do not edit by hand -->';
+    const sentinelEnd = '<!-- /mind-map screenshots -->';
+
+    const startIdx = originalBody.indexOf(sentinelStart);
+    let base = originalBody;
+    if (startIdx >= 0) {
+        const endIdx = originalBody.indexOf(sentinelEnd, startIdx);
+        if (endIdx >= 0) {
+            base = originalBody.slice(0, startIdx).trimEnd() +
+                '\n' + originalBody.slice(endIdx + sentinelEnd.length);
+        }
+    }
+
+    let block = '\n\n' + sentinelStart + '\n\n## Screenshots\n\n';
+    for (const e of embeds) {
+        block += `![${e.caption}](${e.path})\n\n*${e.caption}*\n\n`;
+    }
+    block += sentinelEnd + '\n';
+    return base.trimEnd() + block;
+}
+
+async function main() {
+    console.log('mind-map demo capture against', SERVER);
+
+    const version = await waitForServer();
+    console.log('server version:', version);
+
+    await mkdir(CAPTURED_DIR, { recursive: true });
+
+    const browser = await chromium.launch({
+        args: ['--no-sandbox'],
+    });
+
+    // Group captures by embedPage so each page gets ONE PUT with all
+    // its embeds in order. Pages can host multiple screenshots.
+    const perPage = new Map();
+
+    try {
+        for (const cap of CAPTURES) {
+            console.log('  capture', cap.name, '->', cap.embedPage);
+
+            // Drop any prior version so the filename stays canonical.
+            await deleteAssetIfExists(cap.embedPage, cap.name);
+
+            // Fresh context per capture so localStorage / addInitScript
+            // calls don't bleed across shots (e.g. theme changes).
+            const context = await browser.newContext({
+                viewport: { width: 1440, height: 900 },
+                deviceScaleFactor: 2,
+            });
+            const page = await context.newPage();
+            try {
+                await cap.compose(page);
+                const buf = await page.screenshot({
+                    fullPage: false,
+                    type: 'png',
+                });
+
+                const localPath = resolve(CAPTURED_DIR, cap.name);
+                await writeFile(localPath, buf);
+
+                const upload = await uploadAsset(cap.embedPage, cap.name, buf);
+                console.log('    uploaded', upload.path, `(${buf.length} bytes)`);
+
+                await verifyServed(upload.path, buf);
+
+                if (!perPage.has(cap.embedPage)) perPage.set(cap.embedPage, []);
+                perPage.get(cap.embedPage).push({
+                    path: upload.path,
+                    caption: cap.caption,
+                });
+            } finally {
+                await page.close();
+                await context.close();
+            }
+        }
+    } finally {
+        await browser.close();
+    }
+
+    for (const [pagePath, embeds] of perPage) {
+        const current = await getPageBody(pagePath);
+        const newBody = rebuildBody(current.body || '', embeds);
+        await putPage(pagePath, newBody);
+        console.log('  updated', pagePath, 'with', embeds.length, 'embed(s)');
+    }
+
+    console.log('done. captured screenshots in', CAPTURED_DIR);
+}
+
+main().catch((err) => {
+    console.error('FAIL:', err.stack || err);
+    process.exit(1);
+});
diff --git a/tools/screenshot/package.json b/tools/screenshot/package.json
new file mode 100644
index 0000000..d5871f0
--- /dev/null
+++ b/tools/screenshot/package.json
@@ -0,0 +1,12 @@
+{
+  "name": "mind-map-screenshot",
+  "version": "0.0.1",
+  "private": true,
+  "description": "End-to-end visual test harness for mind-map. Launches a real Chromium against a running mind-map server, captures screenshots of representative views, uploads them via POST /api/assets, and embeds the references into the appropriate architecture pages. Used to verify the image-support pipeline (upload \u2192 reference \u2192 static handler \u2192 marked rendering) works for real, not just in unit tests.",
+  "scripts": {
+    "capture": "node capture.mjs"
+  },
+  "dependencies": {
+    "playwright": "^1.49.0"
+  }
+}
diff --git a/tools/screenshot/verify.mjs b/tools/screenshot/verify.mjs
new file mode 100644
index 0000000..686b2f5
--- /dev/null
+++ b/tools/screenshot/verify.mjs
@@ -0,0 +1,93 @@
+#!/usr/bin/env node
+// Round-trip verification: open one of the pages we just modified and
+// confirm the embedded screenshot actually renders (i.e. the SPA
+// rewrote the markdown reference to /assets/, marked produced an
+// <img>, the browser fetched the bytes from the static handler, and
+// the image is visible in the rendered output).
+//
+// Fails loudly if anything in the pipeline broke.
+
+import { chromium } from 'playwright';
+
+const SERVER = process.env.MINDMAP_URL || 'http://localhost:4242';
+const TARGET_PAGE = process.env.MINDMAP_TARGET || 'architecture/wiki-engine';
+
+async function main() {
+    const browser = await chromium.launch({ args: ['--no-sandbox'] });
+    const ctx = await browser.newContext({
+        viewport: { width: 1280, height: 800 },
+        deviceScaleFactor: 2,
+    });
+    const page = await ctx.newPage();
+
+    // Capture network requests so we can confirm the SPA actually
+    // hit /assets/<path>.
+    const assetRequests = [];
+    page.on('response', (r) => {
+        const u = new URL(r.url());
+        if (u.pathname.startsWith('/assets/')) {
+            assetRequests.push({
+                path: u.pathname,
+                status: r.status(),
+                ct: r.headers()['content-type'] || '',
+            });
+        }
+    });
+
+    await page.goto(SERVER + '/#/' + TARGET_PAGE, { waitUntil: 'networkidle' });
+    await page.waitForSelector('.markdown', { timeout: 5000 });
+    // Give the asset request time to land.
+    await page.waitForTimeout(1000);
+
+    // The rendered HTML should now contain an <img> whose src starts
+    // with /assets/. Inspect the DOM directly.
+    const imgInfo = await page.evaluate(() => {
+        const imgs = Array.from(document.querySelectorAll('.markdown img'));
+        return imgs.map((i) => ({
+            src: i.getAttribute('src'),
+            naturalWidth: i.naturalWidth,
+            naturalHeight: i.naturalHeight,
+            complete: i.complete,
+        }));
+    });
+
+    console.log('rendered images in .markdown:');
+    for (const i of imgInfo) console.log(' ', i);
+
+    console.log('asset HTTP responses:');
+    for (const r of assetRequests) console.log(' ', r);
+
+    if (imgInfo.length === 0) {
+        throw new Error('no <img> rendered in .markdown — image rewrite or marked parsing failed');
+    }
+    const broken = imgInfo.filter((i) => !i.complete || i.naturalWidth === 0);
+    if (broken.length > 0) {
+        throw new Error('some images failed to load: ' + JSON.stringify(broken));
+    }
+    const failedRequests = assetRequests.filter((r) => r.status !== 200);
+    if (failedRequests.length > 0) {
+        throw new Error('asset handler returned non-200: ' + JSON.stringify(failedRequests));
+    }
+    if (assetRequests.length === 0) {
+        throw new Error('no /assets/ requests observed — rewrite may have failed');
+    }
+
+    // Final visual confirmation: scroll the embedded image into view
+    // and screenshot it so a human review can see the actual rendered
+    // result. The DOM checks above are the authoritative pass/fail;
+    // this is for the eyeball test.
+    await page.evaluate(() => {
+        const img = document.querySelector('.markdown img');
+        if (img) img.scrollIntoView({ block: 'center' });
+    });
+    await page.waitForTimeout(300);
+    await page.screenshot({ path: '/tmp/rendered-with-image.png', type: 'png' });
+    console.log('OK: all images rendered. screenshot at /tmp/rendered-with-image.png');
+
+    await browser.close();
+}
+
+main().catch((err) => {
+    console.error('FAIL:', err.stack || err);
+    process.exit(1);
+});
diff --git a/webui/src/App.tsx b/webui/src/App.tsx
index e293d34..a45dca2 100644
--- a/webui/src/App.tsx
+++ b/webui/src/App.tsx
@@ -376,10 +376,30 @@ export function App() {
             return `[${label}](#/${target})`;
         });
 
+        // Rewrite wiki-local image references to point at the asset
+        // handler. Goldmark image syntax `![alt](path)` lands here
+        // pre-render so marked still parses normally and gets a
+        // well-formed `<img>` tag with the corrected `src`. We touch
+        // only paths the asset handler can serve: external URLs
+        // (http/https/data/mailto/…), in-page anchors (#foo) and
+        // empty destinations are left alone.
+        const withAssets = withLinks.replace(
+            /!\[([^\]]*)\]\(([^)\s]+)(\s+"[^"]*")?\)/g,
+            (match, alt: string, dest: string, title: string | undefined) => {
+                if (!isWikiLocalImageRef(dest)) return match;
+                // Strip any leading "./" so we don't end up with
+                // "/assets/./..." which most servers normalize but
+                // looks ugly in DOM inspections.
+                const cleaned = dest.replace(/^\.\//, '');
+                const url = '/assets/' + cleaned.replace(/^\/+/, '');
+                return `![${alt}](${url}${title ?? ''})`;
+            }
+        );
+
         // Extract mermaid blocks before marked processing to prevent HTML escaping
         const mermaidBlocks: Record<string, string> = {};
         let localCounter = 0;
-        const withPlaceholders = withLinks.replace(/```mermaid\s*\n([\s\S]*?)```/g, (_, code) => {
+        const withPlaceholders = withAssets.replace(/```mermaid\s*\n([\s\S]*?)```/g, (_, code) => {
             const id = `mermaid-${++localCounter}`;
             mermaidBlocks[id] = code.trim();
             return `<div class="mermaid" id="${id}">MERMAID_PLACEHOLDER_${id}</div>`;
@@ -395,6 +415,23 @@ export function App() {
         return html;
     };
 
+    // isWikiLocalImageRef mirrors the Go-side isWikiLocalRef used by
+    // the indexer (internal/wiki/parse.go): rejects external URLs,
+    // anchor-only refs, and empty destinations. Anything else is a
+    // path the static asset handler can serve.
+    function isWikiLocalImageRef(dest: string): boolean {
+        if (!dest) return false;
+        if (dest.startsWith('#')) return false;
+        // RFC 3986 scheme detection: a ':' before any '/', '?', or
+        // '#' means an absolute URL.
+        for (let i = 0; i < dest.length; i++) {
+            const c = dest[i];
+            if (c === ':') return false;
+            if (c === '/' || c === '?' || c === '#') break;
+        }
+        return true;
+    }
+
     // Wrap each occurrence of any search token in <mark>. Works on parsed
     // DOM (not via regex on raw HTML) so tags and attributes are never
     // touched. Skips <script>/<style>/<mark> to avoid breaking embedded
diff --git a/webui/src/styles.css b/webui/src/styles.css
index a9abb7e..32ada0d 100644
--- a/webui/src/styles.css
+++ b/webui/src/styles.css
@@ -371,6 +371,20 @@ html, body, #root {
 .markdown li { font-size: 15px; line-height: 1.7; }
 .markdown a { color: var(--link); text-decoration: none; }
 .markdown a:hover { text-decoration: underline; }
+
+/* Images rendered from markdown ![](path) references.
+ * max-width keeps oversized illustrations from stretching the column;
+ * border + padding give them a Metro-feel frame distinct from the
+ * surrounding text. Click-to-zoom and modal previews are future work.
+ */
+.markdown img {
+    max-width: 100%;
+    height: auto;
+    display: block;
+    margin: 16px 0;
+    background: var(--code-bg);
+    padding: 4px;
+}
 .markdown code {
     font-family: var(--font-mono);
     font-size: 13px;