v0.7.0
Security and robustness hardening across the fetch and introspection surfaces (addresses the multi-agent review, issues #3–#17).
- SSRF guard — every outbound fetch (`fetch_docs`, `resolve_sourcedocs_url`, openapi/graphql) is validated at the single transport choke point: an `http`/`https` scheme allowlist plus a host classifier that rejects loopback / link-local (incl. `169.254.169.254` metadata) / RFC-1918 / ULA / `.internal` / `.local` targets, with a DNS-resolution check for rebinding and a redirect delegate that re-validates every hop.
- Response-size ceiling — bodies are streamed and aborted past a byte limit, bounding the decompressed size so a gzip bomb can't OOM the server. The ETag cache is now LRU-bounded (total-byte budget + entry cap) and refuses to store oversized bodies.
- `fetch_docs` crash fix — a negative `max_bytes` no longer traps `prefix(_:)`; truncation is byte-accurate and fetched content is stripped of control/ANSI/bidi characters before returning.
- Hardened process runner — one `ProcessRunner` replaces three copies: pipes are drained concurrently (no >64 KB deadlock), the watchdog escalates SIGTERM → SIGKILL, a timed-out probe surfaces as an error instead of silent truncation, and executable resolution is PATH-first so pyenv/mise/asdf shims are honored.
- Runtime introspection accuracy — version files are refused if they are symlinks (closes a secret-exfil channel) and only version-shaped first lines are accepted; the toolchain probe requires a clean exit and labels the source with the command that actually ran; `parseMiseToml` strips inline comments / rejects arrays and reads the canonical `mise.toml`; uncovered-but-safe languages fall back to the universal pin layer; `introspect kind=runtime` accepts an optional validated `path`.
- Single version source — `LiveDocsVersion` is the one place the version lives; the MCP server, User-Agent (now pointing at `PsychQuant/livedocs`), and the mcpb/plugin/marketplace manifests all track it.
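
The checks listed in the SSRF guard item, as an added Python illustration that is not the project's own code: scheme allowlist, host classifier, DNS-resolution check and per-hop redirect validation. The function names, the `resolve` callback and the `SAMPLE_DNS` table are assumptions made for this example.

```python
import ipaddress
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}
BLOCKED_SUFFIXES = (".internal", ".local")  # suffixes named in the release note

# Constructed DNS answers so the example runs offline; a real resolver
# would wrap socket.getaddrinfo (assumption, not part of the release).
SAMPLE_DNS = {"docs.example.com": ["8.8.8.8"],
              "rebind.example.com": ["8.8.8.8", "10.0.0.5"]}

def sample_resolve(host):
    return SAMPLE_DNS.get(host, [])

def ip_is_blocked(ip):
    """True for loopback, link-local, RFC 1918, ULA and other non-global ranges."""
    ip = ipaddress.ip_address(ip)
    mapped = getattr(ip, "ipv4_mapped", None)
    if mapped is not None:  # ::ffff:127.0.0.1 must be judged as 127.0.0.1
        ip = mapped
    return not ip.is_global

def check_url(url, resolve):
    """Return None if the URL may be fetched, else a rejection reason."""
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        return "scheme"
    host = (parts.hostname or "").rstrip(".").lower()
    if not host:
        return "no-host"
    try:
        return "blocked-ip" if ip_is_blocked(host) else None
    except ValueError:
        pass  # not an IP literal, classify as a name
    if host == "localhost" or host.endswith(BLOCKED_SUFFIXES):
        return "blocked-name"
    addrs = resolve(host)
    # Reject if ANY answer is internal: a mixed answer set is a rebinding signal.
    if not addrs or any(ip_is_blocked(a) for a in addrs):
        return "blocked-resolution"
    return None

def check_chain(urls, resolve):
    """Validate the first URL and every redirect hop; report the first failure."""
    for hop, url in enumerate(urls):
        reason = check_url(url, resolve)
        if reason:
            return (hop, reason)
    return None
```

The resolution check only holds against rebinding if the connection is then made to the address that was vetted, not to a fresh lookup of the name.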