The revision parameter was interpolated directly into a Nix expression,
allowing potential injection of arbitrary Nix code. An attacker could
craft a revision string like:
"; builtins.readFile /etc/passwd; "
This adds ValidateRevision() which ensures revisions only contain safe
characters (alphanumeric, hyphens, underscores, dots) and are at most
64 characters long.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
When indexing a revision that already exists, the indexer now returns
early with information about the existing revision instead of re-indexing.
Use the --force flag to re-index an existing revision.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add options.json parser with mdDoc support
- Add nixpkgs indexer using nix-build
- Implement all MCP tool handlers:
- search_options: Full-text search with filters
- get_option: Option details with children
- get_file: Fetch file contents
- index_revision: Build and index options
- list_revisions: Show indexed versions
- delete_revision: Remove indexed data
- Add parser tests
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
