Build errors from nix can be very large (100k+ chars). This truncates
error output to the first 50 and last 50 lines when it exceeds 100
lines, preventing journal and NATS message overflow.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
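
Added example, not code from the homelab-deploy repository: one way to implement the head/tail truncation described in this commit, with a second, byte-based guard layered on top. The 50/50/100 numbers come from the commit message; the 64 KiB byte cap, the marker text and the function names are assumptions made here. The byte guard goes beyond the commit: 100 lines of a nix trace can still be very long, and NATS's default max_payload is 1 MB, so a line count alone does not bound the message.

```go
package main

import (
	"fmt"
	"strings"
)

const (
	maxLines  = 100 // from the commit: truncate only when output exceeds this
	headLines = 50  // first N lines kept
	tailLines = 50  // last N lines kept
	maxBytes  = 64 * 1024 // assumed here, not from the commit
)

// TruncateBuildOutput keeps the first headLines and last tailLines lines of
// the output when it has more than maxLines lines, replacing the middle with
// a single marker line that records how much was dropped. Shorter output is
// returned unchanged.
func TruncateBuildOutput(out string) string {
	lines := strings.Split(out, "\n")
	if len(lines) <= maxLines {
		return out
	}
	elided := len(lines) - headLines - tailLines
	kept := make([]string, 0, headLines+tailLines+1)
	kept = append(kept, lines[:headLines]...)
	kept = append(kept, fmt.Sprintf("... [%d lines truncated] ...", elided))
	kept = append(kept, lines[len(lines)-tailLines:]...)
	return strings.Join(kept, "\n")
}

// CapBytes is a second guard for pathological single lines: if the text is
// still larger than max bytes, keep half from the front and half from the
// back. It slices bytes, so a multi-byte UTF-8 sequence at a cut point may be
// split; acceptable for log output destined for a journal.
func CapBytes(s string, max int) string {
	if len(s) <= max {
		return s
	}
	half := max / 2
	return s[:half] + "\n... [output truncated by size] ...\n" + s[len(s)-half:]
}

// BoundBuildOutput applies both guards in the order a builder would: lines
// first (preserves the readable head and tail of a nix error), then bytes.
func BoundBuildOutput(out string) string {
	return CapBytes(TruncateBuildOutput(out), maxBytes)
}

func main() {
	// Constructed sample: a 150-line "build log".
	lines := make([]string, 150)
	for i := range lines {
		lines[i] = fmt.Sprintf("error: line %d of a long nix trace", i+1)
	}
	bounded := BoundBuildOutput(strings.Join(lines, "\n"))
	fmt.Printf("%d lines after truncation\n", len(strings.Split(bounded, "\n")))
}
```

The marker line is deliberately kept, so the consumer of the NATS message can tell that it is looking at a truncated log rather than a complete one.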
Address medium severity security issues:
- Validate repo names in config only allow alphanumeric, dash, underscore
(prevents NATS subject injection via dots or wildcards)
- Validate repo URLs must start with git+https://, git+ssh://, or git+file://
- Validate ReplyTo field must start with "build.responses." to prevent
publishing responses to arbitrary NATS subjects
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Add input validation to address security concerns:
- Validate Target field in BuildRequest against safe character pattern
(must be "all" or match alphanumeric/dash/underscore/dot pattern)
- Filter hostnames discovered from nix flake show output, skipping any
with invalid characters before using them in build commands
This prevents potential command injection via crafted NATS messages or
malicious flake configurations.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
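
Added example, not code from the homelab-deploy repository: the validation rules from this commit and the preceding one (repo name, repo URL, ReplyTo, Target, and hostnames discovered from `nix flake show`) written out as Go functions, with a constructed malicious BuildRequest run through them. The character classes and the `git+` scheme list are taken from the two commit messages; the regex spellings, function names, the BuildRequest field set, and two extra checks (rejecting wildcard or empty tokens inside ReplyTo, and rejecting a leading `-` so a target can never be read as a nix flag) are additions made here and are not stated in the commits.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Assumed spellings of the patterns named in the commits.
var (
	// Repo name becomes one token of build.<repo>.*: '.' would add a token,
	// '*' and '>' would turn a literal token into a NATS wildcard.
	repoNameRe = regexp.MustCompile(`^[A-Za-z0-9_-]+$`)
	// Target: "all" or alphanumeric/dash/underscore/dot.
	targetRe = regexp.MustCompile(`^[A-Za-z0-9_.-]+$`)
	// Hostnames parsed out of `nix flake show`; same class as Target (assumed).
	hostRe = regexp.MustCompile(`^[A-Za-z0-9_.-]+$`)
)

var allowedRepoSchemes = []string{"git+https://", "git+ssh://", "git+file://"}

const replyPrefix = "build.responses."

func ValidateRepoName(name string) error {
	if !repoNameRe.MatchString(name) {
		return fmt.Errorf("repo name %q: only [A-Za-z0-9_-] allowed", name)
	}
	return nil
}

func ValidateRepoURL(u string) error {
	for _, p := range allowedRepoSchemes {
		if strings.HasPrefix(u, p) {
			return nil
		}
	}
	return fmt.Errorf("repo url %q: must start with one of %v", u, allowedRepoSchemes)
}

// ValidateReplyTo pins responses under build.responses.*. The token checks are
// an addition: they keep the publish subject well-formed even when the prefix
// matches (no empty tokens, no wildcards, no whitespace).
func ValidateReplyTo(s string) error {
	if !strings.HasPrefix(s, replyPrefix) || len(s) == len(replyPrefix) {
		return fmt.Errorf("reply_to %q: must start with %q", s, replyPrefix)
	}
	for _, tok := range strings.Split(s, ".") {
		if tok == "" || strings.ContainsAny(tok, "*> \t\r\n") {
			return fmt.Errorf("reply_to %q: malformed NATS subject", s)
		}
	}
	return nil
}

// ValidateTarget accepts "all" or a safe host name. The leading '-' rejection
// is an extra guard (assumed here) against argument injection into nix argv.
func ValidateTarget(t string) error {
	if t == "all" {
		return nil
	}
	if !targetRe.MatchString(t) || strings.HasPrefix(t, "-") {
		return fmt.Errorf("target %q: must be \"all\" or match [A-Za-z0-9_.-]+ without leading '-'", t)
	}
	return nil
}

// FilterHosts drops discovered names that fail hostRe and returns both lists so
// the skipped ones can be logged rather than silently vanishing.
func FilterHosts(discovered []string) (kept, skipped []string) {
	for _, h := range discovered {
		if hostRe.MatchString(h) && !strings.HasPrefix(h, "-") {
			kept = append(kept, h)
		} else {
			skipped = append(skipped, h)
		}
	}
	return kept, skipped
}

// BuildRequest holds only the fields the commits mention (assumed shape).
type BuildRequest struct {
	Repo    string
	Target  string
	ReplyTo string
}

// ValidateBuildRequest checks a message before any subject is built or any
// command is spawned from its fields; the first failure is returned.
func ValidateBuildRequest(r BuildRequest) error {
	if err := ValidateRepoName(r.Repo); err != nil {
		return err
	}
	if err := ValidateTarget(r.Target); err != nil {
		return err
	}
	return ValidateReplyTo(r.ReplyTo)
}

func main() {
	// Constructed hostile request: wildcard in repo, shell metacharacters in
	// target, reply routed to an unrelated subject.
	bad := BuildRequest{Repo: "infra.*", Target: "$(id)", ReplyTo: "cmd.exec"}
	fmt.Println("hostile request:", ValidateBuildRequest(bad))
	good := BuildRequest{Repo: "infra", Target: "all", ReplyTo: "build.responses.req-1"}
	fmt.Println("benign request:", ValidateBuildRequest(good))
}
```

Run the validation once, at message receipt, before the repo name is interpolated into a subject or the target into a nix command; validating later in the pipeline leaves a window in which a partially processed request has already touched the subject space.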
Add a new "builder" capability to trigger Nix builds on a dedicated
build host via NATS messaging. This allows pre-building NixOS
configurations before deployment.
New components:
- Builder mode: subscribes to build.<repo>.* subjects, executes nix build
- Build CLI command: triggers builds with progress tracking
- MCP build tool: available with --enable-builds flag
- Builder metrics: tracks build success/failure per repo and host
- NixOS module: services.homelab-deploy.builder
The builder uses a YAML config file to define allowed repositories
with their URLs and default branches. Builds can target all hosts
or specific hosts, with real-time progress updates.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>