diff --git a/CHANGELOG.md b/CHANGELOG.md
index b3118d2..23998d1 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -6,6 +6,13 @@ All notable changes to git-cms are documented in this file.
 
 ### Added
 
+- **Version History Browser (CE3):** Browse prior versions of an article, preview old content, and restore a selected version as a new draft commit
+  - `CmsService.getArticleHistory()` — walk parent chain to list version summaries (SHA, title, status, author, date)
+  - `CmsService.readVersion()` — read full content of a specific commit by SHA
+  - `CmsService.restoreVersion()` — restore historical content as a new draft with ancestry validation and provenance trailers (`restoredFromSha`, `restoredAt`)
+  - `GET /api/cms/history`, `GET /api/cms/show-version`, `POST /api/cms/restore` server endpoints
+  - Admin UI: collapsible history panel with lazy-fetch, version preview, and restore button
+
 - **Content Identity Policy (M1.1):** Canonical slug validation with NFKC normalization, reserved word rejection, and `CmsValidationError` contract (`ContentIdentityPolicy.js`)
 - **State Machine (M1.2):** Explicit draft/published/unpublished/reverted states with enforced transition rules (`ContentStatePolicy.js`)
 - **Admin UI overhaul:** Split/edit/preview markdown editor (via `marked`), autosave, toast notifications, skeleton loading, drag-and-drop file uploads, metadata trailer editor, keyboard shortcuts (`Cmd+S`, `Esc`), dark mode token system
@@ -40,6 +47,9 @@ All notable changes to git-cms are documented in this file.
 - **(P2) SRI hashes:** Add `integrity` + `crossorigin` to marked and DOMPurify CDN script tags
 - **(P2) Null guards:** `revertArticle` and `unpublishArticle` throw `no_draft` when draft ref is missing; `_resolveArticleState` throws `article_not_found` when both draft and published refs are missing
 - **(P2) uploadAsset DI guard:** Throw `unsupported_in_di_mode` when `cas`/`vault` are null
+- **(P1) Path traversal in upload handler:** Sanitize user-controlled `filename` to `path.basename()` preventing writes outside tmpDir
+- **(P1) readVersion lineage scoping:** `readVersion` now validates SHA ancestry (prevents cross-article content leakage)
+- **(P1) readVersion published fallback:** `readVersion` checks both draft and published refs (consistent with `getArticleHistory`)
 - **(P2) Trailer key casing:** Use camelCase `updatedAt` in `unpublishArticle` and `revertArticle` (was lowercase `updatedat` which broke `renderBadges` lookups); destructure out decoded lowercase key before spreading to avoid `TrailerInvalidError`
 - **(P2) XSS in `escAttr`:** Escape single quotes (`'` → `'`) to prevent injection into single-quoted attributes
 - **(P2) Supply-chain hardening:** Vendor Open Props CSS files locally (`public/css/`) instead of `@import` from unpkg, eliminating CDN dependency and SRI gap
@@ -53,5 +63,14 @@ All notable changes to git-cms are documented in this file.
 - DI-mode `_updateRef` now performs manual CAS check against `oldSha`
 - Server tests assert setup call status codes to surface silent failures
 - Vitest exclude glob `test/git-e2e*` → `test/git-e2e**` to cover future subdirectories
+- Admin UI: reset history panel state (versions list, preview, selection) when creating a new article to prevent stale data
+- Defensive `|| {}` guard on `decoded.trailers` destructuring in `unpublishArticle` and `revertArticle` (prevents TypeError if trailers is undefined)
+- `readVersion` now returns `trailers: decoded.trailers || {}` ensuring callers always receive an object
+- Upload handler: moved tmpDir cleanup to `finally` block preventing temp directory leaks on failure
+- **(P1) sendError info leak:** 500 responses now return generic 'Internal server error' instead of raw `err.message` (prevents leaking file paths, git subprocess details, or internal state)
+- **(P2) readBody O(n²):** `readBody` now accumulates chunks in an array and uses `Buffer.concat` instead of repeated string concatenation
+- Admin UI: `loadArticle` unconditionally resets `historyVersions` and `selectedVersion` to prevent stale history state when switching articles with the panel closed
+- Admin UI: `selectVersion` guards against out-of-order async responses (prevents stale preview flash from rapid clicks)
+- **(P2) walkLimit divergence:** Extracted `HISTORY_WALK_LIMIT` as a shared exported constant used by both `_validateAncestry` and the server's history limit clamp
 
 [Unreleased]: https://github.com/flyingrobots/git-cms/compare/main...git-stunts
diff --git a/package.json b/package.json
index e3d02f5..c65371d 100644
--- a/package.json
+++ b/package.json
@@ -1,6 +1,6 @@
 {
   "name": "git-cms",
-  "version": "1.0.0",
+  "version": "1.0.2",
   "description": "A serverless, database-free CMS built on Git plumbing.",
   "type": "module",
   "bin": {
diff --git a/public/index.html b/public/index.html
index 6cd5884..b4371da 100644
--- a/public/index.html
+++ b/public/index.html
@@ -359,6 +359,50 @@
       margin-top: var(--size-2);
     }
 
+    /* ── History Section ── */
+    #historySection .history-list {
+      max-height: 240px;
+      overflow-y: auto;
+      margin-top: var(--size-2);
+      display: flex;
+      flex-direction: column;
+      gap: 2px;
+    }
+    .history-item {
+      display: flex;
+      align-items: center;
+      gap: var(--size-3);
+      padding: var(--size-2) var(--size-3);
+      border-radius: var(--radius-2);
+      cursor: pointer;
+      transition: background 0.15s;
+      font-size: var(--font-size-0);
+    }
+    .history-item:hover { background: var(--surface-3); }
+    .history-item.active { background: var(--brand); color: white; }
+    .history-item .hist-sha { font-family: var(--font-mono); font-size: var(--font-size-00); opacity: 0.7; }
+    .history-item .hist-title { flex: 1; font-weight: 500; overflow: hidden; text-overflow: ellipsis; white-space: nowrap; }
+    .history-item .hist-date { font-size: var(--font-size-00); opacity: 0.7; white-space: nowrap; }
+    .history-item .hist-status { font-size: var(--font-size-00); opacity: 0.7; }
+
+    #historyPreview {
+      margin-top: var(--size-3);
+      border: 1px solid var(--surface-3);
+      border-radius: var(--radius-2);
+      padding: var(--size-3);
+      display: none;
+    }
+    #historyPreview .preview-content {
+      max-height: 300px;
+      overflow-y: auto;
+      line-height: 1.7;
+    }
+    #historyPreview .preview-actions {
+      margin-top: var(--size-3);
+      display: flex;
+      gap: var(--size-2);
+    }
+
     /* ── Status Bar ── */
     .status-bar {
       font-size: var(--font-size-0);
@@ -457,6 +501,17 @@ <h1>Git CMS</h1>
       <button class="btn add-trailer-btn" onclick="UI.addTrailerRow()">+ Add Field</button>
     </details>
 
+    <details id="historySection">
+      <summary>Version History</summary>
+      <div id="historyList" class="history-list"></div>
+      <div id="historyPreview">
+        <div id="historyPreviewContent" class="preview-content"></div>
+        <div class="preview-actions">
+          <button class="btn btn-primary" id="restoreBtn" onclick="UI.restoreVersion()" disabled>Restore This Version</button>
+        </div>
+      </div>
+    </details>
+
     <div class="asset-section" id="dropZone">
       Drop files here or
       <label class="btn" style="margin-left:var(--size-2)">
@@ -490,6 +545,8 @@ <h1>Git CMS</h1>
       autosaveTimer: null,
       editorMode: 'split',
       trailers: {},
+      historyVersions: [],
+      selectedVersion: null,
     };
 
     /* ── API Layer ── */
@@ -537,6 +594,30 @@ <h1>Git CMS</h1>
         if (!res.ok) throw new Error(`Upload failed: ${res.status}`);
         return res.json();
       },
+
+      async history(slug, limit = 50) {
+        const res = await fetch(`${API_BASE}/history?slug=${encodeURIComponent(slug)}&limit=${limit}`);
+        if (!res.ok) throw new Error(`History failed: ${res.status}`);
+        return res.json();
+      },
+
+      async showVersion(slug, sha) {
+        const res = await fetch(`${API_BASE}/show-version?slug=${encodeURIComponent(slug)}&sha=${encodeURIComponent(sha)}`);
+        if (!res.ok) throw new Error(`Show version failed: ${res.status}`);
+        return res.json();
+      },
+
+      async restore({ slug, sha }) {
+        const res = await fetch(`${API_BASE}/restore`, {
+          method: 'POST',
+          headers: { 'Content-Type': 'application/json' },
+          body: JSON.stringify({ slug, sha }),
+        });
+        let data;
+        try { data = await res.json(); } catch { data = {}; }
+        if (!res.ok) throw Object.assign(new Error(data.error || `Restore failed: ${res.status}`), { code: data.code });
+        return data;
+      },
     };
 
     /* ── Toast ── */
@@ -638,6 +719,17 @@ <h1>Git CMS</h1>
           updatePreview();
           this.highlightActive(slug);
 
+          // Reset history state and DOM to prevent stale data from previous article
+          state.historyVersions = [];
+          state.selectedVersion = null;
+          document.getElementById('historyList').innerHTML = '';
+          document.getElementById('historyPreview').style.display = 'none';
+
+          // Refresh history if panel is already open
+          if (document.getElementById('historySection').open) {
+            this.fetchHistory();
+          }
+
           statusEl.textContent = `Loaded ${slug} (${data.sha.slice(0, 7)})`;
         } catch (err) {
           toast(`Failed to load ${slug}`, 'error');
@@ -656,6 +748,13 @@ <h1>Git CMS</h1>
         state.dirty = false;
         state.trailers = {};
 
+        // Reset history panel to prevent stale data
+        document.getElementById('historySection').open = false;
+        document.getElementById('historyList').innerHTML = '';
+        document.getElementById('historyPreview').style.display = 'none';
+        state.historyVersions = [];
+        state.selectedVersion = null;
+
         document.getElementById('slugInput').value = '';
         document.getElementById('slugInput').disabled = false;
         document.getElementById('titleInput').value = '';
@@ -903,6 +1002,101 @@ <h1>Git CMS</h1>
         this.hideEditor();
       },
 
+      /* Version History */
+      async fetchHistory() {
+        if (!state.currentSlug) return;
+        const listEl = document.getElementById('historyList');
+        listEl.innerHTML = '<div class="skeleton" style="height:1.8em"></div>';
+        document.getElementById('historyPreview').style.display = 'none';
+        state.selectedVersion = null;
+
+        try {
+          const versions = await api.history(state.currentSlug);
+          state.historyVersions = versions;
+          listEl.innerHTML = '';
+
+          versions.forEach((v, idx) => {
+            const div = document.createElement('div');
+            div.className = 'history-item';
+            div.dataset.idx = idx;
+
+            const shaSpan = document.createElement('span');
+            shaSpan.className = 'hist-sha';
+            shaSpan.textContent = v.sha.slice(0, 7);
+
+            const titleSpan = document.createElement('span');
+            titleSpan.className = 'hist-title';
+            titleSpan.textContent = v.title;
+
+            const statusSpan = document.createElement('span');
+            statusSpan.className = 'hist-status';
+            statusSpan.textContent = v.status;
+
+            const dateSpan = document.createElement('span');
+            dateSpan.className = 'hist-date';
+            dateSpan.textContent = relTime(v.date);
+
+            div.append(shaSpan, titleSpan, statusSpan, dateSpan);
+            div.onclick = () => this.selectVersion(v.sha, idx);
+            listEl.appendChild(div);
+          });
+        } catch (err) {
+          toast('Failed to load history', 'error');
+          listEl.innerHTML = '';
+        }
+      },
+
+      async selectVersion(sha, idx) {
+        state.selectedVersion = { sha, idx };
+        document.querySelectorAll('.history-item').forEach((el, i) => {
+          el.classList.toggle('active', i === idx);
+        });
+
+        const previewEl = document.getElementById('historyPreview');
+        const contentEl = document.getElementById('historyPreviewContent');
+        const restoreBtn = document.getElementById('restoreBtn');
+
+        previewEl.style.display = 'block';
+        contentEl.innerHTML = '<div class="skeleton" style="height:4em"></div>';
+
+        try {
+          const data = await api.showVersion(state.currentSlug, sha);
+          if (state.selectedVersion?.sha !== sha) return;
+          contentEl.innerHTML = DOMPurify.sanitize(marked.parse(data.body || ''));
+          // Disable restore for current version (idx 0)
+          restoreBtn.disabled = idx === 0;
+        } catch (err) {
+          if (state.selectedVersion?.sha !== sha) return;
+          contentEl.textContent = 'Failed to load version content';
+          restoreBtn.disabled = true;
+        }
+      },
+
+      async restoreVersion() {
+        if (!state.selectedVersion || !state.currentSlug || state.saving) return;
+        const { sha } = state.selectedVersion;
+        if (!confirm(`Restore version ${sha.slice(0, 7)}? This creates a new draft with the old content.`)) return;
+
+        // Prevent autosave from racing the restore and suppress
+        // the redundant "unsaved changes" prompt in loadArticle.
+        this.clearAutosave();
+        state.dirty = false;
+
+        try {
+          await api.restore({ slug: state.currentSlug, sha });
+          toast('Version restored', 'success');
+          // Close history section and reload article
+          document.getElementById('historySection').open = false;
+          await this.loadArticle(state.currentSlug);
+        } catch (err) {
+          if (err.code === 'invalid_state_transition') {
+            toast('Cannot restore: unpublish the article first', 'error');
+          } else {
+            toast('Restore failed: ' + err.message, 'error');
+          }
+        }
+      },
+
       escAttr(s) {
         return String(s).replace(/&/g, '&amp;').replace(/"/g, '&quot;').replace(/</g, '&lt;').replace(/'/g, '&#39;');
       },
@@ -967,6 +1161,11 @@ <h1>Git CMS</h1>
       this.value = '';
     });
 
+    // History section toggle — lazy-fetch on expand
+    document.getElementById('historySection').addEventListener('toggle', (e) => {
+      if (e.target.open) UI.fetchHistory();
+    });
+
     /* ── Init ── */
     UI.fetchList();
   </script>
diff --git a/src/lib/CmsService.js b/src/lib/CmsService.js
index c275c62..26d1c38 100644
--- a/src/lib/CmsService.js
+++ b/src/lib/CmsService.js
@@ -23,6 +23,9 @@ import {
  * @property {import('@git-stunts/git-warp').GraphPersistencePort} [graph] - Optional injected graph adapter (skips git subprocess setup).
  */
 
+/** Maximum depth for ancestry walks (history listing, validation). */
+export const HISTORY_WALK_LIMIT = 200;
+
 /**
  * CmsService is the core domain orchestrator for Git CMS.
  */
@@ -250,7 +253,7 @@ export default class CmsService {
     // Read current draft content and re-commit with status: unpublished
     const message = await this.graph.showNode(draftSha);
     const decoded = this.codec.decode(message);
-    const { updatedat: _, ...restTrailers } = decoded.trailers;
+    const { updatedat: _, ...restTrailers } = decoded.trailers || {};
     const newMessage = this.codec.encode({
       title: decoded.title,
       body: decoded.body,
@@ -299,7 +302,7 @@ export default class CmsService {
     const parentCommitSha = info.parents[0];
     const parentMessage = await this.graph.showNode(parentCommitSha);
     const parentDecoded = this.codec.decode(parentMessage);
-    const { updatedat: _u, ...restParentTrailers } = parentDecoded.trailers;
+    const { updatedat: _u, ...restParentTrailers } = parentDecoded.trailers || {};
 
     const newMessage = this.codec.encode({
       title: parentDecoded.title,
@@ -317,6 +320,154 @@ export default class CmsService {
     return { ref: draftRef, sha: newSha, prev: draftSha };
   }
 
+  /**
+   * Validates that a target SHA exists in an article's ancestry chain.
+   * @private
+   */
+  async _validateAncestry(tipSha, targetSha, slug) {
+    let walk = tipSha;
+    let steps = 0;
+    const walkLimit = HISTORY_WALK_LIMIT;
+    while (walk && steps < walkLimit) {
+      if (walk === targetSha) return;
+      const info = await this.graph.getNodeInfo(walk);
+      walk = info.parents?.[0] || null;
+      steps++;
+    }
+    if (steps >= walkLimit) {
+      throw new CmsValidationError(
+        `History walk limit (${walkLimit}) exceeded for article "${slug}"; SHA "${targetSha}" may exist beyond the search window`,
+        { code: 'history_walk_limit_exceeded', field: 'sha' }
+      );
+    }
+    throw new CmsValidationError(
+      `SHA "${targetSha}" is not in the history of article "${slug}"`,
+      { code: 'invalid_version_for_article', field: 'sha' }
+    );
+  }
+
+  /**
+   * Returns version history for an article by walking the parent chain.
+   * @param {{ slug: string, limit?: number }} options
+   * @returns {Promise<Array<{ sha: string, title: string, status: string, author: string, date: string }>>}
+   */
+  async getArticleHistory({ slug, limit = 50 }) {
+    const effectiveLimit = Math.max(1, Math.min(limit, HISTORY_WALK_LIMIT));
+    const canonicalSlug = canonicalizeSlug(slug);
+    const draftRef = this._refFor(canonicalSlug, 'articles');
+    const pubRef = this._refFor(canonicalSlug, 'published');
+    const sha = await this.graph.readRef(draftRef) || await this.graph.readRef(pubRef);
+
+    if (!sha) {
+      throw new CmsValidationError(
+        `Article not found: "${canonicalSlug}"`,
+        { code: 'article_not_found', field: 'slug' }
+      );
+    }
+
+    const versions = [];
+    let current = sha;
+
+    while (current && versions.length < effectiveLimit) {
+      const [info, message] = await Promise.all([
+        this.graph.getNodeInfo(current),
+        this.graph.showNode(current),
+      ]);
+      const decoded = this.codec.decode(message);
+
+      versions.push({
+        sha: current,
+        title: decoded.title,
+        status: decoded.trailers?.status || 'draft',
+        author: info.author,
+        date: info.date,
+      });
+
+      current = info.parents?.[0] || null;
+    }
+
+    return versions;
+  }
+
+  /**
+   * Reads full content of a specific commit by SHA.
+   * @param {{ slug: string, sha: string }} options
+   * @returns {Promise<{ sha: string, title: string, body: string, trailers: object }>}
+   */
+  async readVersion({ slug, sha }) {
+    const canonicalSlug = canonicalizeSlug(slug);
+    const draftRef = this._refFor(canonicalSlug, 'articles');
+    const pubRef = this._refFor(canonicalSlug, 'published');
+    const tipSha = await this.graph.readRef(draftRef) || await this.graph.readRef(pubRef);
+
+    if (!tipSha) {
+      throw new CmsValidationError(
+        `Article not found: "${canonicalSlug}"`,
+        { code: 'article_not_found', field: 'slug' }
+      );
+    }
+
+    // Ancestry validation: verify SHA belongs to this article's lineage
+    await this._validateAncestry(tipSha, sha, canonicalSlug);
+
+    const message = await this.graph.showNode(sha);
+    const decoded = this.codec.decode(message);
+    return { sha, title: decoded.title, body: decoded.body, trailers: decoded.trailers || {} };
+  }
+
+  /**
+   * Restores content from a historical SHA as a new draft commit.
+   * @param {{ slug: string, sha: string }} options
+   * @returns {Promise<{ ref: string, sha: string, prev: string }>}
+   */
+  async restoreVersion({ slug, sha }) {
+    const canonicalSlug = canonicalizeSlug(slug);
+    const draftRef = this._refFor(canonicalSlug, 'articles');
+
+    const { effectiveState, draftSha } = await this._resolveArticleState(canonicalSlug);
+    validateTransition(effectiveState, STATES.DRAFT);
+
+    if (!draftSha) {
+      throw new CmsValidationError(
+        `Cannot restore "${canonicalSlug}": no draft ref exists`,
+        { code: 'no_draft', field: 'slug' }
+      );
+    }
+
+    // Ancestry validation: walk parent chain to verify target SHA belongs to this article
+    await this._validateAncestry(draftSha, sha, canonicalSlug);
+
+    // Read target SHA content
+    const targetMessage = await this.graph.showNode(sha);
+    const decoded = this.codec.decode(targetMessage);
+    // trailer-codec normalizes keys to lowercase on decode; destructure the
+    // lowercase forms so the subsequent camelCase writes create fresh keys.
+    const trailers = decoded.trailers || {};
+    const { updatedat: _, restoredfromsha: _r, restoredat: _ra, ...restTrailers } = trailers;
+
+    const now = new Date().toISOString();
+    const newMessage = this.codec.encode({
+      title: decoded.title,
+      body: decoded.body,
+      trailers: {
+        ...restTrailers,
+        status: STATES.DRAFT,
+        updatedAt: now,
+        restoredFromSha: sha,
+        restoredAt: now,
+      },
+    });
+
+    const newSha = await this.graph.commitNode({
+      message: newMessage,
+      parents: [draftSha],
+      sign: process.env.CMS_SIGN === '1',
+    });
+
+    await this._updateRef({ ref: draftRef, newSha, oldSha: draftSha });
+    return { ref: draftRef, sha: newSha, prev: draftSha };
+  }
+
   /**
    * Uploads an asset and returns its manifest and CAS info.
    */
diff --git a/src/server/index.js b/src/server/index.js
index 5c70c44..b2378f4 100644
--- a/src/server/index.js
+++ b/src/server/index.js
@@ -3,7 +3,7 @@ import url from 'node:url';
 import fs from 'node:fs';
 import path from 'node:path';
 import os from 'node:os';
-import CmsService from '../lib/CmsService.js';
+import CmsService, { HISTORY_WALK_LIMIT } from '../lib/CmsService.js';
 import {
   CmsValidationError,
   canonicalizeKind,
@@ -84,7 +84,28 @@ function sendError(res, err) {
       field: err.field,
     });
   }
-  return send(res, 500, { error: err.message });
+  return send(res, 500, { error: 'Internal server error' });
+}
+
+const MAX_BODY_BYTES = 1_048_576; // 1 MB
+const SHA_RE = /^[0-9a-f]{40}$/;
+
+function readBody(req, limit = MAX_BODY_BYTES) {
+  return new Promise((resolve, reject) => {
+    const chunks = [];
+    let bytes = 0;
+    req.on('data', (chunk) => {
+      bytes += chunk.length;
+      if (bytes > limit) {
+        req.destroy();
+        reject(new CmsValidationError('Request body too large', { code: 'body_too_large' }));
+        return;
+      }
+      chunks.push(chunk);
+    });
+    req.on('end', () => resolve(Buffer.concat(chunks).toString('utf8')));
+    req.on('error', reject);
+  });
 }
 
 function logError(err) {
@@ -127,109 +148,148 @@ async function handler(req, res) {
 
       // POST /api/cms/snapshot
       if (req.method === 'POST' && pathname === '/api/cms/snapshot') {
-        let body = '';
-        req.on('data', (c) => (body += c));
-        req.on('end', async () => {
-          try {
-            const { slug: rawSlug, title, body: content, trailers } = JSON.parse(body || '{}');
-            if (!rawSlug || !title) return send(res, 400, { error: 'slug and title required' });
-            const slug = canonicalizeSlug(rawSlug);
-            const result = await cms.saveSnapshot({ slug, title, body: content, trailers });
-            return send(res, 200, result);
-          } catch (err) {
-            logError(err);
-            return sendError(res, err);
-          }
-        });
-        return;
+        try {
+          const body = await readBody(req);
+          const { slug: rawSlug, title, body: content, trailers } = JSON.parse(body || '{}');
+          if (!rawSlug || !title) return send(res, 400, { error: 'slug and title required' });
+          const slug = canonicalizeSlug(rawSlug);
+          const result = await cms.saveSnapshot({ slug, title, body: content, trailers });
+          return send(res, 200, result);
+        } catch (err) {
+          logError(err);
+          return sendError(res, err);
+        }
       }
 
       // POST /api/cms/publish
       if (req.method === 'POST' && pathname === '/api/cms/publish') {
-        let body = '';
-        req.on('data', (c) => (body += c));
-        req.on('end', async () => {
-          try {
-            const { slug: rawSlug, sha } = JSON.parse(body || '{}');
-            if (!rawSlug) return send(res, 400, { error: 'slug required' });
-            const slug = canonicalizeSlug(rawSlug);
-            const result = await cms.publishArticle({ slug, sha });
-            return send(res, 200, result);
-          } catch (err) {
-            logError(err);
-            return sendError(res, err);
-          }
-        });
-        return;
+        try {
+          const body = await readBody(req);
+          const { slug: rawSlug, sha } = JSON.parse(body || '{}');
+          if (!rawSlug) return send(res, 400, { error: 'slug required' });
+          const slug = canonicalizeSlug(rawSlug);
+          const result = await cms.publishArticle({ slug, sha });
+          return send(res, 200, result);
+        } catch (err) {
+          logError(err);
+          return sendError(res, err);
+        }
       }
 
       // POST /api/cms/unpublish
       if (req.method === 'POST' && pathname === '/api/cms/unpublish') {
-        let body = '';
-        req.on('data', (c) => (body += c));
-        req.on('end', async () => {
-          try {
-            const { slug: rawSlug } = JSON.parse(body || '{}');
-            if (!rawSlug) return send(res, 400, { error: 'slug required' });
-            const slug = canonicalizeSlug(rawSlug);
-            const result = await cms.unpublishArticle({ slug });
-            return send(res, 200, result);
-          } catch (err) {
-            logError(err);
-            return sendError(res, err);
-          }
-        });
-        return;
+        try {
+          const body = await readBody(req);
+          const { slug: rawSlug } = JSON.parse(body || '{}');
+          if (!rawSlug) return send(res, 400, { error: 'slug required' });
+          const slug = canonicalizeSlug(rawSlug);
+          const result = await cms.unpublishArticle({ slug });
+          return send(res, 200, result);
+        } catch (err) {
+          logError(err);
+          return sendError(res, err);
+        }
       }
 
       // POST /api/cms/revert
       if (req.method === 'POST' && pathname === '/api/cms/revert') {
-        let body = '';
-        req.on('data', (c) => (body += c));
-        req.on('end', async () => {
-          try {
-            const { slug: rawSlug } = JSON.parse(body || '{}');
-            if (!rawSlug) return send(res, 400, { error: 'slug required' });
-            const slug = canonicalizeSlug(rawSlug);
-            const result = await cms.revertArticle({ slug });
-            return send(res, 200, result);
-          } catch (err) {
-            logError(err);
-            return sendError(res, err);
+        try {
+          const body = await readBody(req);
+          const { slug: rawSlug } = JSON.parse(body || '{}');
+          if (!rawSlug) return send(res, 400, { error: 'slug required' });
+          const slug = canonicalizeSlug(rawSlug);
+          const result = await cms.revertArticle({ slug });
+          return send(res, 200, result);
+        } catch (err) {
+          logError(err);
+          return sendError(res, err);
+        }
+      }
+
+      // GET /api/cms/history?slug=xxx&limit=50
+      if (req.method === 'GET' && pathname === '/api/cms/history') {
+        try {
+          const { slug: rawSlug, limit: rawLimit } = query;
+          if (!rawSlug) return send(res, 400, { error: 'slug required' });
+          const slug = canonicalizeSlug(rawSlug);
+          const parsed = parseInt(rawLimit, 10);
+          const limit = Math.max(1, Math.min(HISTORY_WALK_LIMIT, Number.isNaN(parsed) ? 50 : parsed));
+          return send(res, 200, await cms.getArticleHistory({ slug, limit }));
+        } catch (err) {
+          logError(err);
+          return sendError(res, err);
+        }
+      }
+
+      // GET /api/cms/show-version?slug=xxx&sha=yyy
+      if (req.method === 'GET' && pathname === '/api/cms/show-version') {
+        try {
+          const { slug: rawSlug, sha } = query;
+          if (!rawSlug || !sha) return send(res, 400, { error: 'slug and sha required' });
+          if (!SHA_RE.test(sha)) return send(res, 400, { error: 'sha must be a 40-character hex string' });
+          const slug = canonicalizeSlug(rawSlug);
+          const result = await cms.readVersion({ slug, sha });
+          // Cap response body at 1MB (byte-accurate truncation)
+          if (result.body && Buffer.byteLength(result.body, 'utf8') > MAX_BODY_BYTES) {
+            result.body = Buffer.from(result.body, 'utf8').subarray(0, MAX_BODY_BYTES).toString('utf8');
+            result.trailers = { ...result.trailers, truncated: 'true' };
           }
-        });
-        return;
+          return send(res, 200, result);
+        } catch (err) {
+          logError(err);
+          return sendError(res, err);
+        }
+      }
+
+      // POST /api/cms/restore
+      if (req.method === 'POST' && pathname === '/api/cms/restore') {
+        try {
+          const body = await readBody(req);
+          const { slug: rawSlug, sha } = JSON.parse(body || '{}');
+          if (!rawSlug || !sha) return send(res, 400, { error: 'slug and sha required' });
+          if (!SHA_RE.test(sha)) return send(res, 400, { error: 'sha must be a 40-character hex string' });
+          const slug = canonicalizeSlug(rawSlug);
+          const result = await cms.restoreVersion({ slug, sha });
+          return send(res, 200, result);
+        } catch (err) {
+          logError(err);
+          return sendError(res, err);
+        }
       }
 
       // POST /api/cms/upload
       if (req.method === 'POST' && pathname === '/api/cms/upload') {
-        let body = '';
-        req.on('data', (c) => (body += c));
-        req.on('end', async () => {
-          try {
-            const { slug: rawSlug, filename, data } = JSON.parse(body || '{}');
-            if (!rawSlug || !filename || !data) return send(res, 400, { error: 'slug, filename, data required' });
-            const slug = canonicalizeSlug(rawSlug);
-            
-            const tmpDir = fs.mkdtempSync(path.join(os.tmpdir(), 'cms-upload-'));
-            const filePath = path.join(tmpDir, filename);
-            fs.writeFileSync(filePath, Buffer.from(data, 'base64'));
-            
-            const result = await cms.uploadAsset({ slug, filePath, filename });
-            const firstChunk = result.manifest?.chunks?.[0];
-            if (!firstChunk?.digest) {
-              throw new Error('Upload manifest contains no chunks');
-            }
-            const assetUrl = `/blog/${ENV}/assets/${slug}/${firstChunk.digest}`;
-            
-            fs.rmSync(tmpDir, { recursive: true, force: true });
-            return send(res, 200, { ...result, assetUrl });
-          } catch (err) {
-            logError(err);
-            return sendError(res, err);
+        let tmpDir;
+        try {
+          const body = await readBody(req, 10 * MAX_BODY_BYTES); // 10 MB for uploads
+          const { slug: rawSlug, filename, data } = JSON.parse(body || '{}');
+          if (!rawSlug || !filename || !data) return send(res, 400, { error: 'slug, filename, data required' });
+          const slug = canonicalizeSlug(rawSlug);
+          const safeFilename = path.basename(filename);
+          if (!safeFilename || safeFilename === '.' || safeFilename === '..') {
+            return send(res, 400, { error: 'Invalid filename' });
           }
-        });
-        return;
+
+          tmpDir = fs.mkdtempSync(path.join(os.tmpdir(), 'cms-upload-'));
+          const filePath = path.join(tmpDir, safeFilename);
+          fs.writeFileSync(filePath, Buffer.from(data, 'base64'));
+
+          const result = await cms.uploadAsset({ slug, filePath, filename });
+          const firstChunk = result.manifest?.chunks?.[0];
+          if (!firstChunk?.digest) {
+            throw new Error('Upload manifest contains no chunks');
+          }
+          const assetUrl = `/blog/${ENV}/assets/${slug}/${firstChunk.digest}`;
+
+          return send(res, 200, { ...result, assetUrl });
+        } catch (err) {
+          logError(err);
+          return sendError(res, err);
+        } finally {
+          if (tmpDir) {
+            try { fs.rmSync(tmpDir, { recursive: true, force: true }); } catch {}
+          }
+        }
       }
 
       return send(res, 404, { error: 'API endpoint not found' });
diff --git a/test/git.test.js b/test/git.test.js
index 6924e64..bf59b54 100644
--- a/test/git.test.js
+++ b/test/git.test.js
@@ -274,3 +274,169 @@ describe('State Machine', () => {
     );
   });
 });
+
+describe('Version History', () => {
+  let cms;
+
+  beforeEach(() => {
+    cms = createTestCms();
+  });
+
+  it('getArticleHistory returns versions newest-first', async () => {
+    await cms.saveSnapshot({ slug: 'hist-order', title: 'v1', body: 'b1' });
+    await cms.saveSnapshot({ slug: 'hist-order', title: 'v2', body: 'b2' });
+    await cms.saveSnapshot({ slug: 'hist-order', title: 'v3', body: 'b3' });
+
+    const history = await cms.getArticleHistory({ slug: 'hist-order' });
+    expect(history).toHaveLength(3);
+    expect(history[0].title).toBe('v3');
+    expect(history[1].title).toBe('v2');
+    expect(history[2].title).toBe('v1');
+  });
+
+  it('getArticleHistory includes correct status per version', async () => {
+    await cms.saveSnapshot({ slug: 'hist-status', title: 'v1', body: 'b1' });
+    await cms.saveSnapshot({ slug: 'hist-status', title: 'v2', body: 'b2' });
+    await cms.revertArticle({ slug: 'hist-status' });
+
+    const history = await cms.getArticleHistory({ slug: 'hist-status' });
+    expect(history[0].status).toBe('reverted');
+    expect(history[1].status).toBe('draft');
+    expect(history[2].status).toBe('draft');
+  });
+
+  it('getArticleHistory respects limit', async () => {
+    await cms.saveSnapshot({ slug: 'hist-limit', title: 'v1', body: 'b1' });
+    await cms.saveSnapshot({ slug: 'hist-limit', title: 'v2', body: 'b2' });
+    await cms.saveSnapshot({ slug: 'hist-limit', title: 'v3', body: 'b3' });
+
+    const history = await cms.getArticleHistory({ slug: 'hist-limit', limit: 2 });
+    expect(history).toHaveLength(2);
+    expect(history[0].title).toBe('v3');
+    expect(history[1].title).toBe('v2');
+  });
+
+  it('getArticleHistory throws for nonexistent article', async () => {
+    await expect(cms.getArticleHistory({ slug: 'no-such-article' })).rejects.toMatchObject({
+      name: 'CmsValidationError',
+      code: 'article_not_found',
+    });
+  });
+
+  it('getArticleHistory returns single entry for 1-version article', async () => {
+    await cms.saveSnapshot({ slug: 'hist-single', title: 'only', body: 'one' });
+
+    const history = await cms.getArticleHistory({ slug: 'hist-single' });
+    expect(history).toHaveLength(1);
+    expect(history[0].title).toBe('only');
+  });
+
+  it('readVersion returns full content for a specific SHA', async () => {
+    const v1 = await cms.saveSnapshot({ slug: 'rv-test', title: 'First', body: 'first body' });
+    await cms.saveSnapshot({ slug: 'rv-test', title: 'Second', body: 'second body' });
+
+    const version = await cms.readVersion({ slug: 'rv-test', sha: v1.sha });
+    expect(version.sha).toBe(v1.sha);
+    expect(version.title).toBe('First');
+    expect(version.body).toContain('first body');
+  });
+
+  it('readVersion throws for nonexistent article', async () => {
+    await expect(cms.readVersion({ slug: 'no-such-slug', sha: 'a'.repeat(40) })).rejects.toMatchObject({
+      name: 'CmsValidationError',
+      code: 'article_not_found',
+    });
+  });
+
+  it('readVersion throws for SHA outside article lineage', async () => {
+    await cms.saveSnapshot({ slug: 'rv-lineage-a', title: 'A', body: 'a' });
+    const other = await cms.saveSnapshot({ slug: 'rv-lineage-b', title: 'B', body: 'b' });
+
+    await expect(cms.readVersion({ slug: 'rv-lineage-a', sha: other.sha })).rejects.toMatchObject({
+      name: 'CmsValidationError',
+      code: 'invalid_version_for_article',
+    });
+  });
+
+  it('restoreVersion creates new commit with old content', async () => {
+    const v1 = await cms.saveSnapshot({ slug: 'restore-test', title: 'Original', body: 'original body' });
+    await cms.saveSnapshot({ slug: 'restore-test', title: 'Edited', body: 'edited body' });
+
+    const result = await cms.restoreVersion({ slug: 'restore-test', sha: v1.sha });
+    expect(result.sha).not.toBe(v1.sha);
+
+    const article = await cms.readArticle({ slug: 'restore-test' });
+    expect(article.title).toBe('Original');
+    expect(article.body).toContain('original body');
+    expect(article.trailers.status).toBe('draft');
+  });
+
+  it('restoreVersion preserves history chain (commit count)', async () => {
+    await cms.saveSnapshot({ slug: 'restore-chain', title: 'v1', body: 'b1' });
+    const v2 = await cms.saveSnapshot({ slug: 'restore-chain', title: 'v2', body: 'b2' });
+    await cms.saveSnapshot({ slug: 'restore-chain', title: 'v3', body: 'b3' });
+
+    await cms.restoreVersion({ slug: 'restore-chain', sha: v2.sha });
+
+    // After 3 saves + 1 restore = 4 versions in history
+    const history = await cms.getArticleHistory({ slug: 'restore-chain' });
+    expect(history).toHaveLength(4);
+  });
+
+  it('restoreVersion blocks on published articles', async () => {
+    const v1 = await cms.saveSnapshot({ slug: 'restore-pub', title: 'v1', body: 'b1' });
+    await cms.saveSnapshot({ slug: 'restore-pub', title: 'v2', body: 'b2' });
+    await cms.publishArticle({ slug: 'restore-pub' });
+
+    await expect(cms.restoreVersion({ slug: 'restore-pub', sha: v1.sha })).rejects.toMatchObject({
+      name: 'CmsValidationError',
+      code: 'invalid_state_transition',
+    });
+  });
+
+  it('restoreVersion works on unpublished articles', async () => {
+    const v1 = await cms.saveSnapshot({ slug: 'restore-unpub', title: 'v1', body: 'b1' });
+    await cms.saveSnapshot({ slug: 'restore-unpub', title: 'v2', body: 'b2' });
+    await cms.publishArticle({ slug: 'restore-unpub' });
+    await cms.unpublishArticle({ slug: 'restore-unpub' });
+
+    const result = await cms.restoreVersion({ slug: 'restore-unpub', sha: v1.sha });
+    expect(result.sha).toBeDefined();
+
+    const article = await cms.readArticle({ slug: 'restore-unpub' });
+    expect(article.title).toBe('v1');
+  });
+
+  it('restoreVersion works on reverted articles', async () => {
+    const v1 = await cms.saveSnapshot({ slug: 'restore-rev', title: 'v1', body: 'b1' });
+    await cms.saveSnapshot({ slug: 'restore-rev', title: 'v2', body: 'b2' });
+    await cms.revertArticle({ slug: 'restore-rev' });
+
+    const result = await cms.restoreVersion({ slug: 'restore-rev', sha: v1.sha });
+    expect(result.sha).toBeDefined();
+
+    const article = await cms.readArticle({ slug: 'restore-rev' });
+    expect(article.title).toBe('v1');
+  });
+
+  it('restoreVersion throws for SHA outside article lineage', async () => {
+    await cms.saveSnapshot({ slug: 'restore-lineage-a', title: 'A', body: 'a' });
+    const other = await cms.saveSnapshot({ slug: 'restore-lineage-b', title: 'B', body: 'b' });
+
+    await expect(cms.restoreVersion({ slug: 'restore-lineage-a', sha: other.sha })).rejects.toMatchObject({
+      name: 'CmsValidationError',
+      code: 'invalid_version_for_article',
+    });
+  });
+
+  it('restoreVersion includes provenance trailers (restoredFromSha, restoredAt)', async () => {
+    const v1 = await cms.saveSnapshot({ slug: 'restore-prov', title: 'v1', body: 'b1' });
+    await cms.saveSnapshot({ slug: 'restore-prov', title: 'v2', body: 'b2' });
+
+    await cms.restoreVersion({ slug: 'restore-prov', sha: v1.sha });
+
+    const article = await cms.readArticle({ slug: 'restore-prov' });
+    expect(article.trailers.restoredfromsha).toBe(v1.sha);
+    expect(article.trailers.restoredat).toBeDefined();
+  });
+});
diff --git a/test/server.test.js b/test/server.test.js
index 88bdf75..c22932e 100644
--- a/test/server.test.js
+++ b/test/server.test.js
@@ -214,6 +214,131 @@ describe('Server API (Integration)', () => {
     expect(data.sha).toBeDefined();
   });
 
+  it('GET /history returns version list', async () => {
+    // Create two versions
+    const snap1 = await fetch(`${baseUrl}/api/cms/snapshot`, {
+      method: 'POST',
+      headers: { 'Content-Type': 'application/json' },
+      body: JSON.stringify({ slug: 'srv-hist', title: 'v1', body: 'b1' }),
+    });
+    expect(snap1.status).toBe(200);
+    const snap2 = await fetch(`${baseUrl}/api/cms/snapshot`, {
+      method: 'POST',
+      headers: { 'Content-Type': 'application/json' },
+      body: JSON.stringify({ slug: 'srv-hist', title: 'v2', body: 'b2' }),
+    });
+    expect(snap2.status).toBe(200);
+
+    const res = await fetch(`${baseUrl}/api/cms/history?slug=srv-hist`);
+    const data = await res.json();
+    expect(res.status).toBe(200);
+    expect(Array.isArray(data)).toBe(true);
+    expect(data.length).toBe(2);
+    expect(data[0].title).toBe('v2');
+    expect(data[1].title).toBe('v1');
+  });
+
+  it('GET /history returns 400 without slug', async () => {
+    const res = await fetch(`${baseUrl}/api/cms/history`);
+    const data = await res.json();
+    expect(res.status).toBe(400);
+    expect(data.error).toBeDefined();
+  });
+
+  it('GET /show-version returns content for specific SHA', async () => {
+    const snap1 = await fetch(`${baseUrl}/api/cms/snapshot`, {
+      method: 'POST',
+      headers: { 'Content-Type': 'application/json' },
+      body: JSON.stringify({ slug: 'srv-showver', title: 'First', body: 'first body' }),
+    });
+    expect(snap1.status).toBe(200);
+    const v1 = await snap1.json();
+    const snap2 = await fetch(`${baseUrl}/api/cms/snapshot`, {
+      method: 'POST',
+      headers: { 'Content-Type': 'application/json' },
+      body: JSON.stringify({ slug: 'srv-showver', title: 'Second', body: 'second body' }),
+    });
+    expect(snap2.status).toBe(200);
+
+    const res = await fetch(`${baseUrl}/api/cms/show-version?slug=srv-showver&sha=${v1.sha}`);
+    expect(res.status).toBe(200);
+    const data = await res.json();
+    expect(data.title).toBe('First');
+    expect(data.body).toContain('first body');
+  });
+
+  it('POST /restore restores a version', async () => {
+    const snap1 = await fetch(`${baseUrl}/api/cms/snapshot`, {
+      method: 'POST',
+      headers: { 'Content-Type': 'application/json' },
+      body: JSON.stringify({ slug: 'srv-restore', title: 'Original', body: 'original body' }),
+    });
+    expect(snap1.status).toBe(200);
+    const v1 = await snap1.json();
+    const snap2 = await fetch(`${baseUrl}/api/cms/snapshot`, {
+      method: 'POST',
+      headers: { 'Content-Type': 'application/json' },
+      body: JSON.stringify({ slug: 'srv-restore', title: 'Edited', body: 'edited body' }),
+    });
+    expect(snap2.status).toBe(200);
+
+    const res = await fetch(`${baseUrl}/api/cms/restore`, {
+      method: 'POST',
+      headers: { 'Content-Type': 'application/json' },
+      body: JSON.stringify({ slug: 'srv-restore', sha: v1.sha }),
+    });
+    expect(res.status).toBe(200);
+    const data = await res.json();
+    expect(data.sha).toBeDefined();
+
+    // Verify content was restored
+    const show = await fetch(`${baseUrl}/api/cms/show?slug=srv-restore`);
+    const article = await show.json();
+    expect(article.title).toBe('Original');
+  });
+
+  it('POST /restore returns 400 without required fields', async () => {
+    const res = await fetch(`${baseUrl}/api/cms/restore`, {
+      method: 'POST',
+      headers: { 'Content-Type': 'application/json' },
+      body: JSON.stringify({ slug: 'test' }),
+    });
+    const data = await res.json();
+    expect(res.status).toBe(400);
+    expect(data.error).toBeDefined();
+  });
+
+  it('GET /show-version returns 400 for invalid SHA format', async () => {
+    const res = await fetch(`${baseUrl}/api/cms/show-version?slug=test&sha=not-a-valid-sha`);
+    const data = await res.json();
+    expect(res.status).toBe(400);
+    expect(data.error).toMatch(/sha/);
+  });
+
+  it('POST /restore returns 400 for invalid SHA format', async () => {
+    const res = await fetch(`${baseUrl}/api/cms/restore`, {
+      method: 'POST',
+      headers: { 'Content-Type': 'application/json' },
+      body: JSON.stringify({ slug: 'test', sha: 'ZZZZ' }),
+    });
+    const data = await res.json();
+    expect(res.status).toBe(400);
+    expect(data.error).toMatch(/sha/);
+  });
+
+  it('500 responses return generic message without internal details', async () => {
+    // GET /api/cms/show with a non-existent slug throws a plain Error (not
+    // CmsValidationError), which routes through sendError as a 500.
+    const res = await fetch(`${baseUrl}/api/cms/show?slug=does-not-exist`);
+    const data = await res.json();
+    expect(res.status).toBe(500);
+    expect(data.error).toBe('Internal server error');
+    // Must NOT contain filesystem paths or internal details
+    expect(data.error).not.toMatch(/\//);
+    expect(data.error).not.toMatch(/node_modules/);
+    expect(data.error).not.toMatch(/\.js/);
+  });
+
   it('returns 400 with invalid_state_transition for bad transitions', async () => {
     // Create a draft, then try to unpublish it (invalid: draft → unpublished)
     const setupRes = await fetch(`${baseUrl}/api/cms/snapshot`, {