v2.4.11

@boisedude boisedude tagged this 04 Jun 21:03
- security: reject protocol-relative paths in agledger_api and assert url.origin == apiUrl origin in ApiClient -> a '//evil.com/x' path can no longer send the Bearer API key off-origin (key exfiltration via untrusted tool input)
- SEP-1880: _meta.requiredScopes=[] on offline/unscoped tools; deliberately omitted on the universal agledger_api dispatcher (route-dependent, server-enforced) with documenting comment
- tests: host-pin coverage at client + tool layer
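
The host pin described in the first item, sketched as an added example; this is not the project's code. `API_URL`, `resolveUnsafe`, `resolvePinned` and `isAllowed` are hypothetical names, and the sample paths are constructed, apart from `//evil.com/x`, which is the one the release note cites.

```javascript
// Added illustration; resolveUnsafe, resolvePinned, isAllowed and API_URL are
// hypothetical names, not taken from the project.
const API_URL = "https://api.example.test/v1/"; // constructed base URL

// Unpinned: WHATWG URL resolution lets the "path" argument replace the host.
function resolveUnsafe(apiUrl, path) {
  return new URL(path, apiUrl);
}

// Pinned: reject protocol-relative input, then assert the resolved origin.
function resolvePinned(apiUrl, path) {
  const base = new URL(apiUrl);
  if (typeof path !== "string") throw new TypeError("path must be a string");
  // For http(s) the parser treats "\" like "/", so "\\host" is also "//host".
  if (/^[\/\\]{2}/.test(path.trim())) {
    throw new Error("protocol-relative path rejected");
  }
  const url = new URL(path, base);
  // Second layer: catches absolute URLs and forms the prefix check misses
  // (the parser strips tabs and newlines before resolving).
  if (url.origin !== base.origin) {
    throw new Error(`off-origin request blocked: ${url.origin}`);
  }
  return url;
}

// True only when a request for `path` would stay on the API origin,
// i.e. when attaching the Bearer key to it is safe.
function isAllowed(apiUrl, path) {
  try {
    resolvePinned(apiUrl, path);
    return true;
  } catch {
    return false;
  }
}

// Constructed sample inputs, as untrusted tool input might supply them.
for (const p of ["records/42", "/v1/records", "//evil.com/x", "\\\\evil.com/x",
                 "/\t/evil.com/x", "https://evil.com/x"]) {
  console.log(JSON.stringify(p), "->", isAllowed(API_URL, p) ? "allowed" : "blocked");
}
```

The origin assertion is the check that holds for every input form; the prefix rejection gives an earlier, clearer error for the common case.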