The previous check only looked for ".." substring, which missed:
- Absolute paths (/etc/passwd)
- URL-encoded traversal patterns
- Paths that clean to traversal (./../../etc)
Now uses filepath.Clean() and filepath.IsAbs() for robust validation:
- Rejects absolute paths
- Cleans paths before checking for traversal
- Uses cleaned path for database lookup
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
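The validation the commit message describes, written out as an added example (this is not the project's own code). It goes slightly beyond the message: it percent-decodes before cleaning, which is an assumption about how the encoded traversal patterns should be handled, and it also refuses an empty or "." path. The function name ValidateRepoPath is hypothetical.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"path/filepath"
	"strings"
)

var ErrBadPath = errors.New("invalid repository path")

// ValidateRepoPath normalises a user-supplied, repo-relative file path and
// rejects anything that would escape the repository root. On success it
// returns the cleaned path, which is the form that should be used for the
// database lookup so that "a/./b" and "a/b" resolve to the same row.
func ValidateRepoPath(raw string) (string, error) {
	// Percent-decode first so "%2e%2e%2f" does not slip past the checks
	// below. (Assumption: the page only says encoded forms were missed.)
	decoded, err := url.PathUnescape(raw)
	if err != nil {
		return "", fmt.Errorf("%w: %v", ErrBadPath, err)
	}
	if decoded == "" || strings.ContainsRune(decoded, 0) {
		return "", ErrBadPath
	}
	// Absolute paths never name a repository file. The explicit "/" check
	// covers Windows, where filepath.IsAbs("/etc/passwd") is false.
	if filepath.IsAbs(decoded) || strings.HasPrefix(decoded, "/") {
		return "", ErrBadPath
	}
	cleaned := filepath.Clean(decoded)
	// Clean collapses "." and resolves interior "..", so any ".." that
	// survives is a leading one, i.e. an escape from the root.
	if cleaned == ".." || strings.HasPrefix(cleaned, ".."+string(filepath.Separator)) {
		return "", ErrBadPath
	}
	if cleaned == "." {
		return "", ErrBadPath
	}
	return cleaned, nil
}

func main() {
	// Constructed inputs: one legitimate path and the three classes the old
	// ".." substring check missed.
	for _, p := range []string{
		"nixos/modules/./services/web-servers/nginx/default.nix",
		"/etc/passwd",
		"./../../etc",
		"%2e%2e%2fetc/passwd",
	} {
		cleaned, err := ValidateRepoPath(p)
		fmt.Printf("%-58q -> %q %v\n", p, cleaned, err)
	}
}
```

The check is purely lexical: it guarantees the lookup key stays inside the indexed tree, but if the cleaned path is ever joined onto a real filesystem root, symlinks inside that tree can still point outside it, so resolve with filepath.EvalSymlinks and re-check before opening anything.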
The revision parameter was interpolated directly into a Nix expression,
allowing potential injection of arbitrary Nix code. An attacker could
craft a revision string like:
"; builtins.readFile /etc/passwd; "
This adds ValidateRevision() which ensures revisions only contain safe
characters (alphanumeric, hyphens, underscores, dots) and are at most
64 characters long.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
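An added example of the ValidateRevision() check described above, not the project's own implementation. The allowed character set and the 64-character limit are taken from the commit message; the refusal of a leading "-" and the nixFetchExpr template are assumptions added here (the page does not show the real Nix expression the indexer builds).

```go
package main

import (
	"errors"
	"fmt"
	"regexp"
	"unicode/utf8"
)

const maxRevisionLen = 64

// revisionPattern is the character set from the commit message: ASCII
// letters, digits, hyphen, underscore and dot. Notably absent are '"', '\',
// '$', '{', ';' and whitespace, so a validated value cannot terminate a Nix
// string literal or start a ${...} interpolation.
var revisionPattern = regexp.MustCompile(`^[A-Za-z0-9._-]+$`)

var ErrInvalidRevision = errors.New("invalid revision")

// ValidateRevision accepts a nixpkgs revision (commit SHA, tag or branch
// name) only if it is non-empty, at most 64 characters and made solely of
// [A-Za-z0-9._-]. A 40-hex-digit SHA fits comfortably; so do names such as
// "nixos-24.05".
func ValidateRevision(rev string) error {
	if rev == "" {
		return fmt.Errorf("%w: empty", ErrInvalidRevision)
	}
	if utf8.RuneCountInString(rev) > maxRevisionLen {
		return fmt.Errorf("%w: longer than %d characters", ErrInvalidRevision, maxRevisionLen)
	}
	if !revisionPattern.MatchString(rev) {
		return fmt.Errorf("%w: contains characters outside [A-Za-z0-9._-]", ErrInvalidRevision)
	}
	// Hardening beyond the page: '-' is in the allowed set, but a leading
	// '-' would be parsed as a flag if the revision were ever handed to a
	// command line such as nix-build, so refuse it as well.
	if rev[0] == '-' {
		return fmt.Errorf("%w: must not start with '-'", ErrInvalidRevision)
	}
	return nil
}

// nixFetchExpr is a hypothetical stand-in for the expression the indexer
// interpolates the revision into. It only ever formats a validated value.
func nixFetchExpr(rev string) (string, error) {
	if err := ValidateRevision(rev); err != nil {
		return "", err
	}
	return fmt.Sprintf(`builtins.fetchTarball "https://github.com/NixOS/nixpkgs/archive/%s.tar.gz"`, rev), nil
}

func main() {
	// Constructed inputs: two plausible revisions, the payload from the
	// commit message, and a flag-shaped string.
	for _, rev := range []string{
		"e6eae2ee",
		"nixos-24.05",
		`"; builtins.readFile /etc/passwd; "`,
		"-rf",
	} {
		expr, err := nixFetchExpr(rev)
		fmt.Printf("%-40q -> err=%v expr=%s\n", rev, err, expr)
	}
}
```

An allow-list is the right tool here: trying to escape the string for Nix instead would have to track Nix's string and interpolation syntax exactly, whereas a character class this narrow leaves no syntax to escape.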
Go commands should be run via nix develop -c to ensure the proper
build environment with all dependencies (like gcc for cgo).
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
When indexing a revision that already exists, the indexer now returns
early with information about the existing revision instead of re-indexing.
Use the --force flag to re-index an existing revision.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Provides guidance to AI assistants on how to index the nixpkgs
revision from a project's flake.lock file, ensuring option
documentation matches the project's actual nixpkgs version.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
File indexing only adds ~3 seconds to the indexing process, so enable
it by default to make the get_file tool work out of the box.
- MCP index_revision tool now indexes files automatically
- CLI flag changed from --files to --no-files (opt-out)
- Update README examples
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- BenchmarkIndexRevisionWithFiles now reports separate timing for
options indexing (options_ms) and file indexing (files_ms)
- Add BenchmarkIndexFilesOnly to measure file indexing in isolation
Run with:
go test -bench=BenchmarkIndexFilesOnly -benchtime=1x -timeout=60m ./internal/nixos/...
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Module provides:
- services.nixos-options-mcp.enable - Enable the service
- services.nixos-options-mcp.package - Package to use
- services.nixos-options-mcp.database.type - sqlite or postgres
- services.nixos-options-mcp.database.name - SQLite filename
- services.nixos-options-mcp.database.connectionString - PostgreSQL URL
- services.nixos-options-mcp.indexOnStart - Revisions to index on start
- services.nixos-options-mcp.user/group - Service user/group
- services.nixos-options-mcp.dataDir - Data directory
Includes systemd hardening options.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
When searching for option paths like "services.nginx", use name-based
LIKE matching instead of full-text search. This ensures the results
are options that start with the query, not random options that mention
the term somewhere in their description.
- Path queries (containing dots): use LIKE for name prefix matching
- Text queries (no dots): use FTS for full-text search on name+description
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Wrap search queries in double quotes for FTS5 literal matching.
This prevents dots, colons, and other special characters from
being interpreted as FTS5 operators.
Fixes: "fts5: syntax error near '.'" when searching for option
paths like "services.nginx".
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
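The two search changes above (routing dotted option paths to LIKE prefix matching, and wrapping FTS5 queries in double quotes) combined in one added example. This is not the project's code: the table names options and options_fts, the column names, and the function names are assumptions. It also adds something the messages do not mention: escaping LIKE metacharacters, so an underscore in an option path such as net.ipv4.ip_forward cannot silently widen the match.

```go
package main

import (
	"fmt"
	"strings"
)

// fts5Literal wraps q in double quotes so FTS5 reads it as one phrase rather
// than parsing '.', ':' or '-' as operators (the source of the
// "fts5: syntax error near '.'" failure). Per the FTS5 string syntax, an
// embedded double quote is escaped by doubling it.
func fts5Literal(q string) string {
	return `"` + strings.ReplaceAll(q, `"`, `""`) + `"`
}

// likePrefix escapes '\', '%' and '_' so they match literally under
// ESCAPE '\', then appends the prefix wildcard.
func likePrefix(q string) string {
	r := strings.NewReplacer(`\`, `\\`, `%`, `\%`, `_`, `\_`)
	return r.Replace(q) + "%"
}

// SearchQuery is a parameterised statement: the user's text only ever
// travels in Args, never in SQL.
type SearchQuery struct {
	SQL  string
	Args []any
}

// BuildSearchQuery implements the routing rule from the commit message:
// queries containing a dot are option paths and get name-prefix LIKE
// matching; everything else goes to full-text search over name+description.
func BuildSearchQuery(q string, limit int) SearchQuery {
	q = strings.TrimSpace(q)
	if strings.Contains(q, ".") {
		return SearchQuery{
			SQL:  `SELECT name, description FROM options WHERE name LIKE ? ESCAPE '\' ORDER BY name LIMIT ?`,
			Args: []any{likePrefix(q), limit},
		}
	}
	return SearchQuery{
		SQL:  `SELECT name, description FROM options_fts WHERE options_fts MATCH ? ORDER BY rank LIMIT ?`,
		Args: []any{fts5Literal(q), limit},
	}
}

func main() {
	// Constructed queries: an option path, a path with an underscore, and a
	// free-text query carrying FTS5-special characters.
	for _, q := range []string{"services.nginx", "net.ipv4.ip_forward", `reverse "proxy" ssl:on`} {
		sq := BuildSearchQuery(q, 10)
		fmt.Printf("%-28q -> %s\n%-28s    args=%q\n", q, sq.SQL, "", sq.Args)
	}
}
```

Quoting keeps FTS5 from throwing on punctuation, but the tokenizer still splits the phrase at that punctuation, so "services.nginx" as an FTS phrase means "services" immediately followed by "nginx"; that is exactly why the dotted form is better served by the LIKE branch.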
Tests searching with dots, colons, hyphens, and parentheses.
Currently fails on SQLite due to FTS5 syntax interpretation.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add installation instructions (nix flakes, go install)
- Add MCP server configuration example
- Add CLI examples for all commands
- Document environment variables and database connection strings
- List available MCP tools
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
The indexer requires nix-build to evaluate NixOS options.
Use makeWrapper to add nix to the binary's PATH.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- BenchmarkIndexRevision: benchmark full nixpkgs indexing
- BenchmarkIndexRevisionWithFiles: benchmark with file content storage
- TestIndexRevision: integration test for indexer
- Uses nixpkgs revision from flake.lock (e6eae2ee...)
- Skips if nix-build not available or in short mode
Run with: go test -bench=BenchmarkIndexRevision -benchtime=1x -timeout=30m ./internal/nixos/...
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Wire up all CLI commands to database operations
- Add 'get' command for single option details
- Add '--files' flag to 'index' for file content indexing
- Support postgres:// and sqlite:// connection strings
- Default to SQLite database file
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add options.json parser with mdDoc support
- Add nixpkgs indexer using nix-build
- Implement all MCP tool handlers:
  - search_options: Full-text search with filters
  - get_option: Option details with children
  - get_file: Fetch file contents
  - index_revision: Build and index options
  - list_revisions: Show indexed versions
  - delete_revision: Remove indexed data
- Add parser tests
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add comprehensive test suite for Store interface
- Test schema initialization, revisions, options, search, declarations, files
- SQLite tests use in-memory database for speed
- PostgreSQL tests require TEST_POSTGRES_CONN environment variable
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add CLI entry point with urfave/cli/v2 (serve, index, list, search commands)
- Add database interface and implementations for PostgreSQL and SQLite
- Add schema versioning with automatic recreation on version mismatch
- Add MCP protocol types and server scaffold
- Add NixOS option types
- Configure flake.nix with devShell and buildGoModule package
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>