fix: search_docs reflects null bytes and ANSI escapes from user input in error messages #153
Open
Labels: bug, security
Description
Severity: High
`search_docs` interpolates raw user query input directly into the error message returned to the caller without sanitization. Null bytes (`\x00`) and ANSI terminal escape codes (`\x1b[31m`) are reflected in the JSON response.
Impact
- Null bytes in JSON responses may trip LLM context parsers in edge cases
- ANSI escape codes in LLM context can be used to create obfuscated or visually misleading content
- Propagates control characters into the calling model's context window
Observed
```json
"No results found for query: "\u0000\u001b[31mRED\u001b[0m""
```
Fix
Sanitize the query before interpolating into user-facing messages:
```typescript
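// Strip ANSI sequences first: ESC (\x1b) is inside the control-char range below,
// so removing control chars first would leave "[31m" residue in the message.
const safeQuery = query
  .replace(/\x1b\[[0-9;]*m/g, '') // strip ANSI sequences
  .replace(/[\x00-\x08\x0b\x0c\x0e-\x1f\x7f]/g, ''); // strip remaining control chars
return `No results found for query: "${safeQuery}"`;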
```
The FTS5 query itself is already safely parameterized via `sanitizeFts5Query`. Only the error message interpolation needs fixing.
Files to modify
- `src/tools/search-docs.ts` — sanitize query before error message interpolation
- `tests/tools/search-docs.test.ts` — add test: null byte + ANSI in query produces clean error message
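An added example, not the project's code: it shows that stripping control characters before escape sequences leaves visible residue in the reflected query, and it generalizes from SGR color codes to all CSI and OSC sequences. The function names and sample inputs are constructed for illustration.

```typescript
// Hypothetical helpers for sanitizing a user query before it is echoed in a message.

// CSI: ESC [ + parameter bytes (0x30-0x3f) + intermediate bytes (0x20-0x2f) + final byte (0x40-0x7e).
const CSI_SEQUENCE = /\x1b\[[0-?]*[ -\/]*[@-~]/g;
// OSC: ESC ] + payload, terminated by BEL or ST (ESC \). Used for titles, hyperlinks, etc.
const OSC_SEQUENCE = /\x1b\][^\x07\x1b]*(?:\x07|\x1b\\)/g;
// C0 controls except \t \n \r, plus DEL and the C1 range.
const CONTROL_CHARS = /[\x00-\x08\x0b\x0c\x0e-\x1f\x7f-\x9f]/g;

// Pitfall: ESC is itself a control char, so it is removed by the first pass
// and the escape-sequence pattern in the second pass can never match.
function stripControlsFirst(query: string): string {
  return query
    .replace(/[\x00-\x08\x0b\x0c\x0e-\x1f\x7f]/g, '')
    .replace(/\x1b\[[0-9;]*m/g, '');
}

// Whole sequences are removed while ESC is still present; stray controls go last.
function sanitizeForMessage(query: string): string {
  return query
    .replace(OSC_SEQUENCE, '')
    .replace(CSI_SEQUENCE, '')
    .replace(CONTROL_CHARS, '');
}

function noResultsMessage(query: string): string {
  return `No results found for query: "${sanitizeForMessage(query)}"`;
}

// Constructed inputs: null byte + SGR color, and a clear-screen CSI + OSC title.
const sampleQueries: string[] = [
  '\x00\x1b[31mRED\x1b[0m',
  '\x1b[2Jdocs\x1b]0;title\x07',
];
for (const q of sampleQueries) {
  console.log(JSON.stringify(stripControlsFirst(q)), JSON.stringify(sanitizeForMessage(q)));
}
```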