code-context-control 2.32.2__py3-none-any.whl → 2.34.0__py3-none-any.whl

cli/c3.py

@@ -85,7 +85,7 @@ console = Console() if HAS_RICH else None
 # Config
 CONFIG_DIR = ".c3"
 CONFIG_FILE = ".c3/config.json"
-__version__ = "2.32.2"
+__version__ = "2.34.0"
 
 
 def _command_deps() -> CommandDeps:
@@ -4921,8 +4921,14 @@ def cmd_install_mcp(args):
         # Build hook commands using the Python executable that runs c3.
         # On Windows, Claude Code executes hooks via /usr/bin/bash (Git Bash), which cannot
         # parse Windows absolute paths containing parentheses (e.g. "(C3)"). Prefix with
-        # "cmd /c" so cmd.exe handles path resolution instead of bash.
-        _hook_prefix = "cmd /c " if sys.platform == "win32" else ""
+        # cmd.exe so it handles path resolution instead of bash.
+        #
+        # Use "cmd.exe" WITH the extension, not bare "cmd": Git Bash does not resolve bare
+        # "cmd" on PATH, so the old "cmd /c …" prefix silently failed to launch any hook
+        # (verified: under bash, "cmd.exe /c '<py>' '<hook>'" runs and writes the signal
+        # file; "cmd /c …" returns "cmd: command not found"). The single-quoted paths are
+        # correct — bash strips them and re-quotes for cmd.exe, preserving spaces/parens.
+        _hook_prefix = "cmd.exe /c " if sys.platform == "win32" else ""
         hook_filter_cmd    = f"{_hook_prefix}{shlex.quote(sys.executable)} {shlex.quote(str(cli_dir / 'hook_filter.py'))}"
         hook_read_cmd      = f"{_hook_prefix}{shlex.quote(sys.executable)} {shlex.quote(str(cli_dir / 'hook_read.py'))}"
         hook_c3read_cmd    = f"{_hook_prefix}{shlex.quote(sys.executable)} {shlex.quote(str(cli_dir / 'hook_c3read.py'))}"
@@ -4962,13 +4968,24 @@ def cmd_install_mcp(args):
             },
             {
                 "matcher": read_matcher,
-                "hooks": [{"type": "command", "command": hook_read_cmd}]
+                "hooks": [
+                    {"type": "command", "command": hook_read_cmd},
+                    {"type": "command", "command": hook_ghost_files_cmd},
+                ]
             },
             {
                 "matcher": "mcp__c3__c3_read",
                 "hooks": [
                     {"type": "command", "command": hook_c3read_cmd},
                     {"type": "command", "command": hook_c3_signal_cmd},
+                    {"type": "command", "command": hook_ghost_files_cmd},
+                ]
+            },
+            {
+                "matcher": "mcp__c3__c3_shell",
+                "hooks": [
+                    {"type": "command", "command": hook_c3_signal_cmd},
+                    {"type": "command", "command": hook_ghost_files_cmd},
                 ]
             },
             {

cli/hook_ghost_files.py

@@ -212,6 +212,17 @@ def cleanup_ghost_files(ghosts: list[dict]) -> list[str]:
     return deleted
 
 
+# Tools whose output can carry shell-meta text that leaks into 0-byte files:
+# native shells, c3_shell (its `N->Mtok` filter header), and file reads whose
+# content has `-> Type` hints. A downstream shell sees `> word` and creates an
+# empty file named `word`.
+_GHOST_TRIGGER_TOOLS = (
+    "Bash", "run_shell_command",
+    "mcp__c3__c3_shell",
+    "mcp__c3__c3_read", "Read", "read_file",
+)
+
+
 def main():
     try:
         raw = sys.stdin.read()
@@ -221,8 +232,7 @@ def main():
         data = json.loads(raw)
         tool_name = data.get("tool_name", "")
 
-        # Only trigger on Bash (Claude Code) or run_shell_command (Gemini)
-        if tool_name not in ("Bash", "run_shell_command"):
+        if tool_name not in _GHOST_TRIGGER_TOOLS:
             return
 
         is_gemini = isinstance(data.get("tool_response", ""), dict)

cli/hub_server.py

@@ -35,6 +35,26 @@ from services.tool_classifier import CATEGORIES
 
 app = Flask(__name__, static_folder=str(Path(__file__).parent))
 
+# Localhost-only security: Host-header allowlist + Origin/Referer CSRF guard +
+# scoped CORS. The hub manages MANY projects and exposes command-executing
+# endpoints (launch-ide, mcp-server-add, permissions), so cross-origin CSRF /
+# DNS-rebinding protection matters even though it binds loopback by default.
+# Reads bind host + optional allowed_hosts per-request from hub_config.json.
+from core.web_security import (
+    allowed_hostnames as _allowed_hostnames,
+)
+from core.web_security import (
+    install_guard as _install_web_guard,
+)
+
+
+def _hub_allowed_hosts():
+    _c = _read_hub_config()
+    return _allowed_hostnames(_c.get("host"), _c.get("allowed_hosts"))
+
+
+_install_web_guard(app, _hub_allowed_hosts)
+
 # ─── Hub config ───────────────────────────────────────────────────────────────
 
 _GLOBAL_C3_DIR = Path.home() / ".c3"
@@ -160,46 +180,12 @@ def _project_mcp_config_path(project_root: Path, profile) -> Path:
     return (Path.home() / profile.config_path) if profile.config_path_global else (project_root / profile.config_path)
 
 
-def _parse_toml_mcp_servers(content: str) -> dict:
-    servers = {}
-    current_server = None
-
-    for raw in content.splitlines():
-        line = raw.split("#", 1)[0].strip()
-        if not line:
-            continue
-
-        if line.startswith("[") and line.endswith("]"):
-            section = line[1:-1].strip()
-            if section.startswith("mcp_servers."):
-                current_server = section.split(".", 1)[1]
-                servers.setdefault(current_server, {})
-            else:
-                current_server = None
-            continue
-
-        if not current_server or "=" not in line:
-            continue
-
-        key, value = line.split("=", 1)
-        key = key.strip().strip('"')
-        value = value.strip()
-
-        if key == "args":
-            servers[current_server]["args"] = re.findall(r"[\"']([^\"']*)[\"']", value)
-        elif key in ("command", "type"):
-            match = re.match(r"^[\"'](.*)[\"']$", value)
-            servers[current_server][key] = match.group(1) if match else value
-        elif key == "enabled":
-            low = value.lower()
-            if low.startswith("true"):
-                servers[current_server]["enabled"] = True
-            elif low.startswith("false"):
-                servers[current_server]["enabled"] = False
-        else:
-            servers[current_server][key] = value
-
-    return servers
+from core.mcp_toml import (
+    parse_toml_mcp_servers as _parse_toml_mcp_servers,
+)
+from core.mcp_toml import (
+    upsert_toml_section as _upsert_toml_section,
+)
 
 
 def _read_project_mcp_servers_for_profile(profile, mcp_file: Path) -> tuple[dict, dict]:
@@ -218,73 +204,6 @@ def _read_project_mcp_servers_for_profile(profile, mcp_file: Path) -> tuple[dict
     return servers, raw_config
 
 
-def _toml_escape_str(value: str) -> str:
-    return value.replace("\\", "/")
-
-
-def _upsert_toml_section(toml_path: Path, section: str, entries: dict) -> None:
-    content = toml_path.read_text(encoding="utf-8") if toml_path.exists() else ""
-    header = f"[{section}]"
-
-    lines = content.splitlines()
-    new_lines = []
-    skip = False
-    for line in lines:
-        stripped = line.strip()
-        if stripped == header:
-            skip = True
-            continue
-        if skip and stripped.startswith("["):
-            skip = False
-        if not skip:
-            new_lines.append(line)
-
-    content = "\n".join(new_lines).rstrip()
-    section_lines = [f"\n\n{header}"]
-    for key, value in entries.items():
-        if isinstance(value, list):
-            items = ", ".join(f'"{_toml_escape_str(str(item))}"' for item in value)
-            section_lines.append(f'{key} = [{items}]')
-        elif isinstance(value, bool):
-            section_lines.append(f'{key} = {"true" if value else "false"}')
-        else:
-            section_lines.append(f'{key} = "{_toml_escape_str(str(value))}"')
-    section_lines.append("")
-
-    toml_path.parent.mkdir(parents=True, exist_ok=True)
-    toml_path.write_text(content + "\n".join(section_lines), encoding="utf-8")
-
-
-def _remove_toml_section(toml_path: Path, section: str) -> bool:
-    if not toml_path.exists():
-        return False
-    content = toml_path.read_text(encoding="utf-8")
-    header = f"[{section}]"
-
-    lines = content.splitlines()
-    new_lines = []
-    skip = False
-    removed = False
-    for line in lines:
-        stripped = line.strip()
-        if stripped == header:
-            skip = True
-            removed = True
-            continue
-        if skip and stripped.startswith("["):
-            skip = False
-        if not skip:
-            new_lines.append(line)
-
-    if removed:
-        remaining = "\n".join(new_lines).rstrip()
-        if remaining:
-            toml_path.write_text(remaining + "\n", encoding="utf-8")
-        else:
-            toml_path.unlink()
-    return removed
-
-
 def _build_mcp_cli_capabilities() -> dict:
     return {
         "commands": [
@@ -519,6 +438,11 @@ def api_projects_open():
         path = Path(path_str).resolve()
         if not path.exists():
             return jsonify({"error": f"Path does not exist: {path_str}"}), 404
+        # Only ever open directories. Opening a *file* via os.startfile would
+        # invoke its default handler (e.g. run an .exe/.bat/.lnk), so refuse
+        # anything that is not a folder.
+        if not path.is_dir():
+            return jsonify({"error": "Only directories can be opened"}), 400
 
         if sys.platform == "win32":
             os.startfile(str(path))

cli/mcp_server.py

@@ -639,7 +639,9 @@ async def c3_shell(cmd: str, cwd: str = "", timeout: int = 60,
     """EXECUTE shell command — structured returns, auto-filter, ledger-aware.
     Use for tests, git, build, scripts. Returns exit_code/stdout/stderr/duration_ms.
     Auto-filters stdout >30 lines; auto-logs git mutations to the edit ledger.
-    Blocks: rm -rf / or ~, fork bombs. Soft-warns on --force, --no-verify, reset --hard.
+    Best-effort block of catastrophic commands (rm -rf of /, a top-level system dir, or
+    $HOME/~; fork bombs; whole-drive wipes) — a guard, NOT a sandbox. Soft-warns on
+    --force, --no-verify, reset --hard.
     Native Bash remains the fallback for interactive/TTY commands."""
     svc = _svc(ctx)
 

cli/server.py

@@ -10,7 +10,6 @@ import csv
 import json
 import logging
 import os
-import re
 import signal
 import subprocess
 import sys
@@ -167,12 +166,21 @@ atexit.register(_cleanup_runtime)
 
 
 # ─── CORS middleware ──────────────────────────────────────
-@app.after_request
-def add_cors(response):
-    response.headers['Access-Control-Allow-Origin'] = '*'
-    response.headers['Access-Control-Allow-Headers'] = 'Content-Type'
-    response.headers['Access-Control-Allow-Methods'] = 'GET,POST,DELETE,OPTIONS'
-    return response
+# Localhost-only security: Host-header allowlist + Origin/Referer CSRF guard +
+# scoped CORS (no wildcard). This UI server always binds 127.0.0.1, so only
+# loopback origins are accepted. A loopback bind alone does NOT stop a web page
+# in the user's browser from driving these endpoints — see core/web_security.py.
+from core.web_security import (
+    allowed_hostnames as _allowed_hostnames,
+)
+from core.web_security import (
+    guard_summary as _guard_summary,
+)
+from core.web_security import (
+    install_guard as _install_web_guard,
+)
+
+_install_web_guard(app, lambda: _allowed_hostnames(None))
 
 
 # ─── Serve the UI ─────────────────────────────────────────
@@ -283,6 +291,11 @@ def api_projects_open():
         path = Path(path_str).resolve()
         if not path.exists():
             return jsonify({"error": f"Path does not exist: {path_str}"}), 404
+        # Only ever open directories. Opening a *file* via os.startfile would
+        # invoke its default handler (e.g. run an .exe/.bat/.lnk), so refuse
+        # anything that is not a folder.
+        if not path.is_dir():
+            return jsonify({"error": "Only directories can be opened"}), 400
 
         if sys.platform == "win32":
             os.startfile(str(path))
@@ -365,7 +378,8 @@ def api_health():
     except Exception:
         pass
 
-    return jsonify({"service": "c3-ui", "sources": sources, "session": session_info})
+    return jsonify({"service": "c3-ui", "sources": sources, "session": session_info,
+                    "web_guard": _guard_summary()})
 
 
 # ─── API: Session Registry ───────────────────────────────
@@ -2410,47 +2424,15 @@ def api_proxy_tools():
 
 
 # ─── API: MCP Status ─────────────────────────────────────
-def _parse_toml_mcp_servers(content: str) -> dict:
-    """Parse [mcp_servers.<name>] sections from TOML content."""
-    servers = {}
-    current_server = None
-
-    for raw in content.splitlines():
-        line = raw.split("#", 1)[0].strip()
-        if not line:
-            continue
-
-        if line.startswith("[") and line.endswith("]"):
-            section = line[1:-1].strip()
-            if section.startswith("mcp_servers."):
-                current_server = section.split(".", 1)[1]
-                servers.setdefault(current_server, {})
-            else:
-                current_server = None
-            continue
-
-        if not current_server or "=" not in line:
-            continue
-
-        key, value = line.split("=", 1)
-        key = key.strip()
-        value = value.strip()
-
-        if key == "args":
-            servers[current_server]["args"] = re.findall(r"[\"']([^\"']*)[\"']", value)
-        elif key in ("command", "type"):
-            match = re.match(r"^[\"'](.*)[\"']$", value)
-            servers[current_server][key] = match.group(1) if match else value
-        elif key == "enabled":
-            low = value.lower()
-            if low.startswith("true"):
-                servers[current_server]["enabled"] = True
-            elif low.startswith("false"):
-                servers[current_server]["enabled"] = False
-        else:
-            servers[current_server][key] = value
-
-    return servers
+from core.mcp_toml import (
+    parse_toml_mcp_servers as _parse_toml_mcp_servers,
+)
+from core.mcp_toml import (
+    remove_toml_section as _remove_toml_section,
+)
+from core.mcp_toml import (
+    upsert_toml_section as _upsert_toml_section,
+)
 
 
 def _find_server_script(servers: dict) -> bool:
@@ -2463,71 +2445,6 @@ def _find_server_script(servers: dict) -> bool:
     return False
 
 
-def _toml_escape_str(value: str) -> str:
-    return value.replace("\\", "/")
-
-
-def _upsert_toml_section(toml_path: Path, section: str, entries: dict) -> None:
-    """Add or replace a dotted TOML section in-place."""
-    content = toml_path.read_text(encoding="utf-8") if toml_path.exists() else ""
-    header = f"[{section}]"
-
-    lines = content.splitlines()
-    new_lines = []
-    skip = False
-    for line in lines:
-        stripped = line.strip()
-        if stripped == header:
-            skip = True
-            continue
-        if skip and stripped.startswith("["):
-            skip = False
-        if not skip:
-            new_lines.append(line)
-
-    content = "\n".join(new_lines).rstrip()
-    section_lines = [f"\n\n{header}"]
-    for k, v in entries.items():
-        if isinstance(v, list):
-            items = ", ".join(f'"{_toml_escape_str(str(x))}"' for x in v)
-            section_lines.append(f'{k} = [{items}]')
-        elif isinstance(v, bool):
-            section_lines.append(f'{k} = {"true" if v else "false"}')
-        else:
-            section_lines.append(f'{k} = "{_toml_escape_str(str(v))}"')
-    section_lines.append("")
-
-    toml_path.parent.mkdir(parents=True, exist_ok=True)
-    toml_path.write_text(content + "\n".join(section_lines), encoding="utf-8")
-
-
-def _remove_toml_section(toml_path: Path, section: str) -> bool:
-    """Remove a dotted TOML section. Returns True if removed."""
-    if not toml_path.exists():
-        return False
-    content = toml_path.read_text(encoding="utf-8")
-    header = f"[{section}]"
-
-    lines = content.splitlines()
-    new_lines = []
-    skip = False
-    removed = False
-    for line in lines:
-        stripped = line.strip()
-        if stripped == header:
-            skip = True
-            removed = True
-            continue
-        if skip and stripped.startswith("["):
-            skip = False
-        if not skip:
-            new_lines.append(line)
-
-    if removed:
-        toml_path.write_text("\n".join(new_lines).rstrip() + "\n", encoding="utf-8")
-    return removed
-
-
 def _resolve_mcp_profile(ide_name: str | None):
     requested = (ide_name or "").strip().lower()
     if requested and requested != "auto":

cli/tools/filter.py

@@ -64,10 +64,10 @@ def _filter_text(text: str, depth: str, svc, finalize) -> str:
     raw_tokens = res['raw_tokens']
     savings_pct = round((1 - filtered_tokens / raw_tokens) * 100, 1) if raw_tokens > 0 else 0
 
-    header = f"[filter:{method}] {raw_tokens}->{filtered_tokens}tok ({savings_pct}%saved)"
+    header = f"[filter:{method}] {raw_tokens}→{filtered_tokens}tok ({savings_pct}%saved)"
     resp = f"{header}\n{result_text}"
     return finalize("c3_filter", {"depth": depth},
-                    resp, f"{raw_tokens}->{filtered_tokens}tok",
+                    resp, f"{raw_tokens}→{filtered_tokens}tok",
                     response_tokens=filtered_tokens)
 
 

cli/tools/read.py

@@ -25,13 +25,50 @@ def _coerce_list(val: Any) -> list[str] | None:
             except (json.JSONDecodeError, ValueError):
                 pass
         if val:
+            # Comma-separated symbols ("a,b,c") -> multiple targets. Function/class
+            # names never contain commas, and regex anchors (^foo$) have none either.
+            if "," in val:
+                return [s.strip() for s in val.split(",") if s.strip()]
             return [val]
     return None
 
 
+def _coerce_lines(val: Any):
+    """Coerce `lines` from MCP's string serialization into an int or list.
+
+    MCP clients sometimes serialize numbers/lists as strings (the same reason
+    `_coerce_list` exists for `symbols`). Without this, a JSON-string such as
+    "[22, 193]" or "22" falls through handle_read's range logic and the tool
+    silently returns the file *map* instead of the requested source lines.
+    """
+    if val is None or isinstance(val, (int, list, tuple)):
+        return val
+    if isinstance(val, str):
+        val = val.strip()
+        if not val:
+            return None
+        if val.startswith("["):
+            try:
+                parsed = json.loads(val)
+            except (json.JSONDecodeError, ValueError):
+                return None
+            return parsed if isinstance(parsed, list) else None
+        try:
+            return int(val)
+        except ValueError:
+            if "-" in val:  # "start-end" like "22-40"
+                a, _, b = val.partition("-")
+                try:
+                    return [int(a.strip()), int(b.strip())]
+                except ValueError:
+                    return None
+    return None
+
+
 def handle_read(file_path: str, symbols: Any = None, lines: Any = None,
                 include_docstrings: bool = True, svc=None, finalize=None) -> str:
     symbols = _coerce_list(symbols)
+    lines = _coerce_lines(lines)
     # Multi-file dispatch (parallel)
     if "," in file_path:
         paths = [p.strip() for p in file_path.split(",") if p.strip()]

cli/tools/shell.py

@@ -22,9 +22,29 @@ from core import count_tokens
 _GIT_MUTATING = re.compile(
     r"^\s*git\s+(commit|add|mv|rm|merge|rebase|cherry-pick|revert|reset|restore|checkout)\b"
 )
-# Hard deny — fork bombs, rm -rf on root/home. Escape hatch: native Bash.
+# Hard deny — the handful of genuinely catastrophic, irreversible commands.
+# This is a BEST-EFFORT guard, NOT a sandbox: c3_shell runs arbitrary commands
+# by design and a determined caller can trivially reword around these patterns.
+# The escape hatch for an intentional dangerous command is native Bash.
+# Covered: rm -rf of the filesystem root / a top-level system dir / $HOME / ~,
+# the classic fork bomb, and Windows whole-drive-root wipes (del/rd/format C:\).
+# A top-level system dir only matches when it is the *whole* target, so deleting
+# a nested path like /home/me/project/build is intentionally NOT blocked.
 _BLOCKED = re.compile(
-    r"(\brm\s+-rf\s+(/|~|\$HOME)(\s|$)|:\(\)\s*\{\s*:\s*\|\s*:)"
+    r"""
+      (?<!git\ )\brm\b (?:\s+-\S+)* \s+        # rm + any flags, then a target:
+      (?:
+          /(?=\s|$|\*)                          #   filesystem root:  /   /*
+        | ~(?=/|\s|$)                            #   home dir:         ~   ~/
+        | \$HOME\b                               #   $HOME
+        | /(?:etc|usr|bin|sbin|lib|lib64|var|boot|root|home|srv|sys|proc|dev|opt)
+            (?=/?(?:\s|$|\*))                    #   a whole top-level system dir
+      )
+    | :\(\)\s*\{\s*:\s*\|\s*:\s*\}?              # fork bomb        :(){ :|: };:
+    | \b(?:format|rd|rmdir|del)\b [^\n]*?        # windows whole-drive-root wipe
+        \b[a-zA-Z]:\\?(?=\s|\*|$|["'])
+    """,
+    re.IGNORECASE | re.VERBOSE,
 )
 # Soft warn — run but prepend a caveat to the response.
 # `(?<!\w)` / `(?!\w)` anchor against word chars, so `--force` (which starts
@@ -40,7 +60,13 @@ _FILTER_THRESHOLD_LINES = 30
 
 
 def _popen_kwargs() -> dict:
-    kw: dict = {"stdin": subprocess.DEVNULL}
+    # Force UTF-8 in child processes so Unicode output (→, box-drawing, emoji)
+    # doesn't crash on Windows' legacy cp1252 console encoding. setdefault so an
+    # intentional caller-set encoding still wins.
+    env = dict(os.environ)
+    env.setdefault("PYTHONUTF8", "1")
+    env.setdefault("PYTHONIOENCODING", "utf-8")
+    kw: dict = {"stdin": subprocess.DEVNULL, "env": env}
     if sys.platform == "win32":
         kw["creationflags"] = subprocess.CREATE_NO_WINDOW
     return kw
@@ -66,7 +92,7 @@ def _run_sync(cmd: str, cwd: str, timeout: int) -> dict:
     proc = subprocess.Popen(
         cmd, shell=True, cwd=cwd,
         stdout=subprocess.PIPE, stderr=subprocess.PIPE,
-        text=True, errors="replace",
+        text=True, encoding="utf-8", errors="replace",
         **_popen_kwargs(),
     )
     timed_out = False
@@ -113,6 +139,45 @@ def _maybe_refresh_ledger(cmd: str, result: dict, svc) -> list[str]:
         return []
 
 
+# git diagnostics whose output the caller almost always needs verbatim — never
+# auto-filter these, even past the line threshold.
+_GIT_DIAGNOSTIC = re.compile(
+    r"^\s*git\s+(status|diff|log|show|branch|stash\s+list)\b", re.IGNORECASE
+)
+
+
+def _list_root_files(root: Path) -> set[str]:
+    try:
+        return {e.name for e in root.iterdir() if e.is_file()}
+    except OSError:
+        return set()
+
+
+def _sweep_new_ghost_files(root: Path, before: set[str]) -> list[str]:
+    """Delete 0-byte 'ghost' files (shell-redirect / metacharacter artifacts —
+    e.g. a `>Lnnn` marker or `2>$null` leaking a filename) that appeared in
+    *root* during this command. Only files absent from *before* are removed, so
+    pre-existing files are never touched. Detection is reused from
+    hook_ghost_files so the rules live in one place; this makes c3_shell
+    self-clean regardless of whether the external PostToolUse ghost hook is
+    wired for this tool."""
+    try:
+        from cli.hook_ghost_files import scan_ghost_files
+    except Exception:
+        return []
+    swept: list[str] = []
+    for g in scan_ghost_files(root):
+        name = g.get("name", "")
+        if not name or name in before:
+            continue
+        try:
+            Path(g["path"]).unlink()
+            swept.append(name)
+        except OSError:
+            pass
+    return swept
+
+
 async def handle_shell(cmd: str, cwd: str, timeout: int, filter_output: bool,
                        log: bool, svc, finalize) -> str:
     if not cmd or not cmd.strip():
@@ -127,11 +192,17 @@ async def handle_shell(cmd: str, cwd: str, timeout: int, filter_output: bool,
     work_cwd = cwd or svc.project_path
     work_cwd = str(Path(work_cwd).resolve())
 
+    ghost_root = Path(work_cwd)
+    _ghosts_before = _list_root_files(ghost_root)
+
     result = await asyncio.to_thread(_run_sync, cmd, work_cwd, timeout)
 
+    swept_ghosts = _sweep_new_ghost_files(ghost_root, _ghosts_before)
+
     raw_stdout = result["stdout"]
     filtered_note = ""
-    if filter_output and raw_stdout.count("\n") > _FILTER_THRESHOLD_LINES:
+    if (filter_output and raw_stdout.count("\n") > _FILTER_THRESHOLD_LINES
+            and not _GIT_DIAGNOSTIC.search(cmd)):
         try:
             filtered = await asyncio.to_thread(
                 handle_filter,
@@ -181,6 +252,11 @@ async def handle_shell(cmd: str, cwd: str, timeout: int, filter_output: bool,
         body += f"--- stderr ---\n{result['stderr'].rstrip()}\n"
     if touched_files:
         body += f"--- ledger ---\nlogged {len(touched_files)} file(s)\n"
+    if swept_ghosts:
+        body += (
+            f"--- ghost-sweep ---\nremoved {len(swept_ghosts)} stray 0-byte "
+            f"file(s): {', '.join(swept_ghosts)}\n"
+        )
 
     summary = f"shell {status} in {result['duration_ms']}ms"
     resp_tokens = count_tokens(body) if body else 0

{code_context_control-2.32.2.dist-info → code_context_control-2.34.0.dist-info}/METADATA

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: code-context-control
-Version: 2.32.2
+Version: 2.34.0
 Summary: Local code-intelligence layer for AI coding tools (Claude Code, Codex, Gemini, Copilot). Retrieve less, read less, edit safer.
 Author-email: Dimitri Tselenchuk <dtselenc@gmail.com>
 License-Expression: Apache-2.0
@@ -363,7 +363,7 @@ Real-world A/B tests: same task, with and without C3 mounted. Reports include to
 
 ## Security & privacy
 
-- **Hub binds to `127.0.0.1` by default.** Setting `host` to a non-loopback interface in `~/.c3/hub_config.json` is opt-in and warned at startup. **Do not expose the Hub to a public network without auth/TLS in front of it.**
+- **All web servers (Hub, per-project UI, Oracle) bind to `127.0.0.1` by default and are guarded against browser-based attacks even on loopback** — a Host-header allowlist (defeats DNS rebinding) plus an Origin/Referer check on every request (defeats cross-origin CSRF), with scoped, non-wildcard CORS. A malicious web page you visit therefore cannot drive C3's local endpoints. There is still **no user authentication**, so do not expose these servers to an untrusted network without auth/TLS in front. Binding to a non-loopback interface in `~/.c3/hub_config.json` (`host`) or Oracle's config (`bind_host`) is opt-in and warned at startup; add externally-facing hostnames/IPs to an `allowed_hosts` list there so the guard permits them. _(Cross-origin/CSRF + DNS-rebinding hardening added in v2.33.0.)_
 - **No telemetry by default.** The OSS package collects nothing. Opt-in Sentry crash reporting requires the `[telemetry]` extra plus both `SENTRY_DSN` and `C3_TELEMETRY_OPT_IN=1`. Even when enabled, request bodies, local variables, and prompts are stripped before sending.
 - **API keys** for third-party model providers are read from environment variables and never persisted by C3.
 - See [`SECURITY.md`](SECURITY.md) for the full hardening guide and disclosure policy.

{code_context_control-2.32.2.dist-info → code_context_control-2.34.0.dist-info}/RECORD

@@ -1,6 +1,6 @@
 cli/__init__.py,sha256=ec66drCZGNMRU4V6ov0zVhYZph1us12Vn8OvG_LJyRY,22
 cli/_hook_utils.py,sha256=1_hTA-Wz62xB8jnSAH4C5TfCkrwEP0g2kq_-oRfQLm4,3724
-cli/c3.py,sha256=mv6N7y8teSwK18x0q-XLjoLTZhWzrJYIsyH8rlbwj-o,288183
+cli/c3.py,sha256=HjB3HjT9iFIy9WHLZbJx6cYruhxUs2iiWFw9T2Y1ECQ,289101
 cli/docs.html,sha256=JgtBFUuUkvmYowPREYiGhhcRbB5e2UjkRc00MIF0hsU,143653
 cli/edits.html,sha256=UjAhoCmBmQ89cklGvJqzC6eyNP2tc8H6T-e01DVkLvE,43418
 cli/hook_auto_snapshot.py,sha256=amtliVDzKUQr6KBR0pdBA8vXghAV-gKr19jBaJVnP_w,5006
@@ -9,16 +9,16 @@ cli/hook_c3read.py,sha256=B8WzSf94uG4WSNBSdVFwee10HM7tW-y960ptNid_Jjs,3860
 cli/hook_edit_ledger.py,sha256=F7QsIRF4Y3oug6FpWDuDloU_Ord288VnBntfD9CL1CM,7428
 cli/hook_edit_unlock.py,sha256=uvTpirt0GbqPtfuTawhT3Kqh3bL-r7JM948yxctfQCs,5920
 cli/hook_filter.py,sha256=dXk3kaHs87O63WUuc9mNRCxSsLybuJnXlhXFqWAi7h8,4505
-cli/hook_ghost_files.py,sha256=2FT10IlHaXCRaUtjY9oCyttjX0rkihIfA2WohAt0OiQ,9047
+cli/hook_ghost_files.py,sha256=jpSUUA59_kveSfS3BwRxryu2ehIiCW4HaT2IMvxzqDA,9356
 cli/hook_pretool_enforce.py,sha256=Mo9b6SyjlCuwPnkbNSX0RDfNkmt5u_YeEfdY9Q79RKc,12465
 cli/hook_read.py,sha256=M5l_SU899O72tZe3j4YQJJKNb1-xulvKOj8XZjJzwYU,8021
 cli/hook_session_stats.py,sha256=a1OKi9kmiXRI2qieY_Uq14xRxdXQTQu9WVzDTUlI0GQ,1897
 cli/hook_terse_advisor.py,sha256=pD7Bap7OYOKqtYz7cX8nWSRLH7ook-tSD2Ov2MNp_sA,5907
 cli/hub.html,sha256=Hl-XPZGT1mMiKrbX9c5OsEw6mXEumwIB3vp1WlWaplM,183966
-cli/hub_server.py,sha256=gnUJdCgX5ZKZHwLKLYW5ki-P_9HH9Zyi_Hb_yoSKwSI,61979
+cli/hub_server.py,sha256=L7M3PAQNiRFyqdgL0COXIzIo9lyJTaCZSk-K1I2kZtM,59725
 cli/mcp_proxy.py,sha256=92htuT-p0j-cDTbyqlIJpGoQ85_Aw7UuB8L_Toi_u20,17511
-cli/mcp_server.py,sha256=FR-FsVsRzU0H_uI504fXqPNVGbTgCukntYtL36sHxrM,32329
-cli/server.py,sha256=g9iyi_UhxvyyqIz8ihCsIpDg-fXr88vZXdLllEKsHBU,122525
+cli/mcp_server.py,sha256=5cyXOhH_CxJFCpG13AsOEvtdLZAM8_OiI9ZH1xXtZLs,32454
+cli/server.py,sha256=n8CNh444AGuYMnVSSiRK9pirGh84Ap7ZTI8wuRrJCX8,119970
 cli/ui.html,sha256=xcdt74nlFEXx-0Bx6-Okw-WSVZPAXL0iukxU0ytI6CA,5694
 cli/ui_legacy.html,sha256=cI8tC6RKmE2NIJOcsu7CY-zT4VznjcbD6NTjxb_fvUY,378460
 cli/ui_nano.html,sha256=UAwQ6bbTOXAoGq191AZ7slhngR9edJSa3IhqpynveDg,27740
@@ -33,14 +33,14 @@ cli/tools/compress.py,sha256=hgBQ6jUwvfGRmcC53vJBz_bbGD0E7T85IxD4q53rj4E,8941
 cli/tools/delegate.py,sha256=zOpa03znY27_y1u7T7wbfgQXPwCDA409z9dJ2ki4esU,46947
 cli/tools/edit.py,sha256=fVIZzBPe3ixKBxcZFU03ur2XKu9rAlBihga2-tmIuWw,13791
 cli/tools/edits.py,sha256=-Tv5eqw_X-dYc9l4kFWr_8vX1TAUb9QNMv0fpy0rXjQ,5304
-cli/tools/filter.py,sha256=0C37_Cm2YEsXp5pA4w-tWV8V_UHu5xflNp4bLMZqrbo,11501
+cli/tools/filter.py,sha256=IEjBdKrHxYVCm4cP0Ao6WZkKhbIBi1uI-mLY627zEUw,11503
 cli/tools/impact.py,sha256=jjWkFTxHu-gBpZZNd2HTdBl22itA6-wwwOZXxk_qBl8,6257
 cli/tools/memory.py,sha256=OdYBcIEFo4sr5aCG0_uO48uyJ-Kzof7LC2Ou1THGFuc,23317
 cli/tools/project.py,sha256=PKHLGRFZdwBBEgryyV440mybTeQMqnlLgHdfXDnPahw,11868
-cli/tools/read.py,sha256=z2A3UWt3MOriv2Z4-YWNvWNB07MrYT5368_ZuulNHIE,9397
+cli/tools/read.py,sha256=2UT2ICjkyUqMWujOHidEhsGuOTORLTt7na2CVdVZwpw,10868
 cli/tools/search.py,sha256=qB8C3w8yuu59aepvnuJNlzbsirtSEZA8zz4neKlE7Xs,13246
 cli/tools/session.py,sha256=LIZbmEhNdh6rAsT6Dbpb21UY8xF9oubvpjGwfnXxQK4,4573
-cli/tools/shell.py,sha256=EZs8VhqpzR8dH83gAhkleDgryuTshF7khw9ke3qeepc,6444
+cli/tools/shell.py,sha256=lTGMpT_YWnAyJzcT-WHMLjuenqq6m-p3v6uCHKCsHWM,9752
 cli/tools/status.py,sha256=yCHXskXgKzaDhJT6vHYlp3ZU5j89vhVYzf5dQOAR9yQ,12625
 cli/tools/validate.py,sha256=KJr_YKLHiThgKdPnv-7Uucv2rS3DIoKISNxSy2icw8I,11965
 cli/ui/api.js,sha256=wI9-lxGitIgZ5R6lqi1PVc2edD0b3TsYwMUGgcNWgfU,1342
@@ -57,15 +57,17 @@ cli/ui/components/memory.js,sha256=v5IsHTxLHpXX4xCsUaZ_UPprZEabdgP4jiWc298iV2U,2
 cli/ui/components/sessions.js,sha256=FIKtil76B8tCkAmcFV7hlj6GQ_DCJK2jCzvEmdK7NBE,30837
 cli/ui/components/settings.js,sha256=8LVTV2TQl9tcRXhXbtBEJOCBdiyk-x2QASoVYZUAuEA,71442
 cli/ui/components/sidebar.js,sha256=cAY_jwYB-o1X_wWn__VXlG4IegVObuE3NmVsuFWqxtg,7417
-code_context_control-2.32.2.dist-info/licenses/LICENSE,sha256=l8Kh5QCNWNvR6kIt8L0BUZvc2LAFiHv2c-FnsGnUZf4,11301
+code_context_control-2.34.0.dist-info/licenses/LICENSE,sha256=l8Kh5QCNWNvR6kIt8L0BUZvc2LAFiHv2c-FnsGnUZf4,11301
 core/__init__.py,sha256=TSDCEcM4V7gcZVM3w2ykJaqEUch4Dkon-rivV17T73s,2501
 core/config.py,sha256=0RBVni99wqJIxAYU6uweWVOmdI-FJvQ8d3IV5Mp1Muc,12818
 core/ide.py,sha256=9LzsDVK2LL8RVpL40l6oNGiasZ3D8OCU_9i9A0gJKBo,6876
+core/mcp_toml.py,sha256=nFsgDm9j0W1v-o4tBTeEYFuHyxkBNuuMjPhJX-lvfYE,4422
+core/web_security.py,sha256=WkNmoCsSWepV3XduibuQYalEJSIR_cpmumoK9bce9FM,7412
 oracle/__init__.py,sha256=-OTD7Jh4mUMA4QgPGthPLWXttgZLpkIPhGQ87ZfHBx0,63
 oracle/config.py,sha256=ErjH6Y_F51jGXpYo_4boGhdIk-AIo3rDH3xDwUGs7B8,3193
-oracle/mcp_oracle.py,sha256=VN_I-bYvawGTqcpEyVyBz8-GIEZEVJWbM1lBA7Wi1BM,5972
+oracle/mcp_oracle.py,sha256=Vts1ugITgvZP_BzKHgQN1nxHNVQNuNAEPdKgVIpRjPU,8133
 oracle/oracle.html,sha256=KW1jeqmUwvAH2mDlhCLo05nrHW8PfmCYv0iQhL5d74s,185219
-oracle/oracle_server.py,sha256=ehgjXcaea6TUbtD7-yJ0t3Vr6AttC_eyhfL35jPJo7Q,33337
+oracle/oracle_server.py,sha256=qMKLzLoV5cp-cK-l5tc0w24jis2QudNVB7S74eKijGQ,33778
 oracle/services/__init__.py,sha256=Nb4POd1_YIwLVYsGfr-DiK-iKTelkU0fh9m7wjeLQHA,23
 oracle/services/api_auth.py,sha256=1PW3pG--1DJb_F6qMhP3gBTYHxxPE2bsHmVmIhC81Y8,3566
 oracle/services/c3_bridge.py,sha256=Khj2jao2oENe4yFA31Ny0yI3fcV8XBerjsLslt4ns3U,9652
@@ -81,7 +83,7 @@ oracle/services/ollama_bridge.py,sha256=d0458HTaQO9m-Ur4bRIt9izxbJFDj1Dbea9sfo7M
 oracle/services/project_scanner.py,sha256=SGHYKU00fm57L5VyDuet-CAACfrhUZY2xvIlZR27aj4,3142
 oracle/services/review_agent.py,sha256=99PQ1oKxRDo_4COMOy3CJOawqk08MRJ4cS66_w7SWCo,7720
 oracle/services/tool_executor.py,sha256=xtAkBWkclh_FwOgzprjGkyRIV8-A7Lc3bz0UFPShrv0,1113
-oracle/services/tool_registry.py,sha256=y18ZWP1eLkCI3ZSKJDBjK1Wlp_qK7Kr4o_gm_r5gBXI,17396
+oracle/services/tool_registry.py,sha256=V7eP-UeacN3T4We_zbJ8NdFCFCKJVSKJa4zfH02LvuA,18722
 services/__init__.py,sha256=3Kn4cZweLm7at8wFdBdZ-Zwo8hHcnVIsmY5f29nzi2Y,116
 services/activity_log.py,sha256=YsW8-HBQEFh2vYTlvnzK7doNsR-XEtBbWXJ-324XigU,3370
 services/agent_base.py,sha256=a-gdSd_jtZtbjXo1WS8CnWCagXgKaGZd5ShcG6s0kT4,4809
@@ -90,7 +92,7 @@ services/auto_memory.py,sha256=v__ZS1e68533_Yv491mZtvuZnheC63q6_uTvWhBw3Lw,14290
 services/benchmark_dashboard.py,sha256=iR-DnqnoKbqHMJ4d-ZkIvJBYfzwTa7r-jzO6j2BYDfQ,27711
 services/bitbucket_client.py,sha256=v8xGEcnIEmURvcg38XwmiCGh7-_QnjhAJEb0te_yZzQ,16107
 services/bitbucket_credentials.py,sha256=2qLA9pQMol4y95y4DJMNBsBBPUsJQCKbLFo2iiCnfvI,7364
-services/claude_md.py,sha256=K3iAi6Lhllpf14k-37NzqhM8LepIlXszf0dDyvAnIC4,34966
+services/claude_md.py,sha256=iL0vUQw-5lxSQehNPvhlkUmcGPeMSCcZqP4OYG_qoYk,35092
 services/compressor.py,sha256=uSVyTYfvxFrRYupzyKj-HzkBP0RwARrGYFz_DnMSEaM,25169
 services/context_snapshot.py,sha256=upxrxcBUPX7MrOlgUo7oD9rvm2H1SJLK8FI1tgHrAjg,14045
 services/conversation_store.py,sha256=vPiMiKAE22RCBSSphgGH9Vx-lPV45SmttOwgVVWahL4,33398
@@ -153,8 +155,8 @@ tui/screens/search_view.py,sha256=MMHjVdlk3HZSuDBSvq8IGrqv_Mh5Us6YqXQ80bcWSMk,19
 tui/screens/session_view.py,sha256=eZ1eDwHTvPOck1wCCviixtOaCxIkBT_95ytNNNriGNA,5991
 tui/screens/stats.py,sha256=p81PjzdaIv7hllb8f45-rlVe4lJZwSdIMqu7e86_u5s,6223
 tui/screens/ui_view.py,sha256=1QJCgLh2YfgWIpvzRG1KOGXYEaOYX6ojN61Azjf2oX0,2125
-code_context_control-2.32.2.dist-info/METADATA,sha256=wPXVQQGc2FfMlK5H2UWOq9pPAmRY_MWXXpJjj9ALNE4,19221
-code_context_control-2.32.2.dist-info/WHEEL,sha256=aeYiig01lYGDzBgS8HxWXOg3uV61G9ijOsup-k9o1sk,91
-code_context_control-2.32.2.dist-info/entry_points.txt,sha256=7kX_WUsDCF2hbXzvbNyscyaBb9AeA-DJY5v_5hN0DlU,93
-code_context_control-2.32.2.dist-info/top_level.txt,sha256=wRt41zBybVF3qAiNXHz9BURbkKvUvfhmWWtKMhaw6eE,29
-code_context_control-2.32.2.dist-info/RECORD,,
+code_context_control-2.34.0.dist-info/METADATA,sha256=jxMVmOACpAqMpGaXua2LZPZdLxHrkefk02mqcaRMNKI,19802
+code_context_control-2.34.0.dist-info/WHEEL,sha256=aeYiig01lYGDzBgS8HxWXOg3uV61G9ijOsup-k9o1sk,91
+code_context_control-2.34.0.dist-info/entry_points.txt,sha256=7kX_WUsDCF2hbXzvbNyscyaBb9AeA-DJY5v_5hN0DlU,93
+code_context_control-2.34.0.dist-info/top_level.txt,sha256=wRt41zBybVF3qAiNXHz9BURbkKvUvfhmWWtKMhaw6eE,29
+code_context_control-2.34.0.dist-info/RECORD,,

core/mcp_toml.py

@@ -0,0 +1,128 @@
+"""Shared TOML helpers for the MCP-server sections of IDE config files
+(Codex's ``config.toml``, etc.).
+
+These were duplicated — and had quietly drifted — between ``cli/server.py`` and
+``cli/hub_server.py``. Consolidating them keeps parse/write behaviour in one
+place (the same triplication pattern that once let a CORS bug live in three
+servers). The reconciled versions adopt the more robust behaviour from each
+copy: ``parse`` strips surrounding quotes from keys, and ``remove`` deletes a
+file that becomes empty instead of leaving an empty stub.
+"""
+from __future__ import annotations
+
+import re
+from pathlib import Path
+
+
+def parse_toml_mcp_servers(content: str) -> dict:
+    """Parse ``[mcp_servers.<name>]`` sections from TOML content into a dict."""
+    servers: dict = {}
+    current_server = None
+
+    for raw in content.splitlines():
+        line = raw.split("#", 1)[0].strip()
+        if not line:
+            continue
+
+        if line.startswith("[") and line.endswith("]"):
+            section = line[1:-1].strip()
+            if section.startswith("mcp_servers."):
+                current_server = section.split(".", 1)[1]
+                servers.setdefault(current_server, {})
+            else:
+                current_server = None
+            continue
+
+        if not current_server or "=" not in line:
+            continue
+
+        key, value = line.split("=", 1)
+        key = key.strip().strip('"')
+        value = value.strip()
+
+        if key == "args":
+            servers[current_server]["args"] = re.findall(r"[\"']([^\"']*)[\"']", value)
+        elif key in ("command", "type"):
+            match = re.match(r"^[\"'](.*)[\"']$", value)
+            servers[current_server][key] = match.group(1) if match else value
+        elif key == "enabled":
+            low = value.lower()
+            if low.startswith("true"):
+                servers[current_server]["enabled"] = True
+            elif low.startswith("false"):
+                servers[current_server]["enabled"] = False
+        else:
+            servers[current_server][key] = value
+
+    return servers
+
+
+def toml_escape_str(value: str) -> str:
+    """Escape a string for a double-quoted TOML value (Windows ``\\`` → ``/``)."""
+    return value.replace("\\", "/")
+
+
+def upsert_toml_section(toml_path: Path, section: str, entries: dict) -> None:
+    """Add or replace a dotted TOML section in-place."""
+    content = toml_path.read_text(encoding="utf-8") if toml_path.exists() else ""
+    header = f"[{section}]"
+
+    lines = content.splitlines()
+    new_lines = []
+    skip = False
+    for line in lines:
+        stripped = line.strip()
+        if stripped == header:
+            skip = True
+            continue
+        if skip and stripped.startswith("["):
+            skip = False
+        if not skip:
+            new_lines.append(line)
+
+    content = "\n".join(new_lines).rstrip()
+    section_lines = [f"\n\n{header}"]
+    for key, value in entries.items():
+        if isinstance(value, list):
+            items = ", ".join(f'"{toml_escape_str(str(item))}"' for item in value)
+            section_lines.append(f"{key} = [{items}]")
+        elif isinstance(value, bool):
+            section_lines.append(f'{key} = {"true" if value else "false"}')
+        else:
+            section_lines.append(f'{key} = "{toml_escape_str(str(value))}"')
+    section_lines.append("")
+
+    toml_path.parent.mkdir(parents=True, exist_ok=True)
+    toml_path.write_text(content + "\n".join(section_lines), encoding="utf-8")
+
+
+def remove_toml_section(toml_path: Path, section: str) -> bool:
+    """Remove a dotted TOML section. Deletes the file if it becomes empty.
+    Returns True if the section was found and removed."""
+    if not toml_path.exists():
+        return False
+    content = toml_path.read_text(encoding="utf-8")
+    header = f"[{section}]"
+
+    lines = content.splitlines()
+    new_lines = []
+    skip = False
+    removed = False
+    for line in lines:
+        stripped = line.strip()
+        if stripped == header:
+            skip = True
+            removed = True
+            continue
+        if skip and stripped.startswith("["):
+            skip = False
+        if not skip:
+            new_lines.append(line)
+
+    if removed:
+        remaining = "\n".join(new_lines).rstrip()
+        if remaining:
+            toml_path.write_text(remaining + "\n", encoding="utf-8")
+        else:
+            toml_path.unlink()
+    return removed

core/web_security.py

@@ -0,0 +1,174 @@
+"""Localhost-only security guard for C3's Flask dashboards (UI, Hub, Oracle).
+
+Why this exists
+---------------
+C3's web servers bind to loopback (``127.0.0.1``) by default. A loopback bind
+keeps the server off the LAN, but it does **not** protect against requests made
+by a web page running in the user's own browser. Two classic attacks defeat a
+"loopback is safe" assumption:
+
+* **Cross-origin / CSRF** — any website the user visits can ``fetch()`` against
+  ``http://localhost:<port>/...``. With no auth and a permissive CORS policy,
+  that page could drive state-changing endpoints (launch an IDE command, add a
+  malicious MCP server, downgrade permissions, wipe data).
+* **DNS rebinding** — an attacker domain re-resolves to ``127.0.0.1`` after the
+  page loads, so the browser sends requests to the local server with the
+  *attacker's* hostname in the ``Host`` header.
+
+This module adds two cheap, standard defenses that together close that gap
+without requiring the dashboard JavaScript to change (same-origin requests pass
+naturally):
+
+1. **Host-header allowlist** — defeats DNS rebinding. The rebound request
+   carries the attacker's hostname in ``Host``; anything not in the allowlist is
+   rejected.
+2. **Origin/Referer check on state-changing requests** — defeats cross-origin
+   CSRF. Browsers always attach ``Origin`` to ``POST``/``PUT``/``DELETE``/
+   ``PATCH`` (cross-origin *and* same-origin), so a mismatched origin is a
+   reliable CSRF signal.
+
+Non-browser clients (curl, the Oracle Discovery REST/MCP consumers) send no
+``Origin`` and a loopback ``Host``, so they are unaffected. Bearer-token auth
+(Oracle discovery) still applies on top of this guard.
+
+For an intentional non-loopback bind (an explicit, already-warned opt-in), pass
+the configured bind host so the user can still reach their own dashboard; remote
+hosts that need access can be added via the optional ``extra`` argument
+(wired from an ``allowed_hosts`` config list by the caller).
+"""
+from __future__ import annotations
+
+from collections.abc import Callable, Iterable
+from urllib.parse import urlsplit
+
+# Hostnames that always denote "this machine". Note: a literal ``0.0.0.0`` never
+# appears as a browser Host header, so it is intentionally excluded — binding to
+# 0.0.0.0 means the client connects by some concrete IP/name, which must be added
+# via ``extra`` (``allowed_hosts`` config) by the operator.
+_LOOPBACK_HOSTS = frozenset({"localhost", "127.0.0.1", "::1", "[::1]"})
+_MUTATING_METHODS = frozenset({"POST", "PUT", "DELETE", "PATCH"})
+
+
+def _hostname(value: str | None) -> str:
+    """Extract a bare, lowercased hostname from a Host header or Origin/Referer URL.
+
+    Handles values with or without a scheme and with or without a port, including
+    IPv6 literals like ``[::1]:3333``.
+    """
+    if not value:
+        return ""
+    value = value.strip()
+    # A bare Host header ("localhost:3333") has no scheme; prefix "//" so urlsplit
+    # parses it as a netloc rather than a path.
+    if "://" not in value:
+        value = "//" + value
+    try:
+        host = urlsplit(value).hostname or ""
+    except ValueError:
+        return ""
+    return host.lower()
+
+
+def allowed_hostnames(bind_host: str | None = None,
+                      extra: Iterable[str] | None = None) -> set[str]:
+    """Build the set of acceptable hostnames for this server.
+
+    Always includes loopback names. ``bind_host`` (unless it is the wildcard
+    ``0.0.0.0`` or empty) and any ``extra`` hosts are added so an intentional
+    non-loopback deployment remains reachable.
+    """
+    hosts = set(_LOOPBACK_HOSTS)
+    bh = (bind_host or "").strip().lower()
+    if bh and bh not in ("0.0.0.0", "::", "*"):
+        hosts.add(bh)
+    if extra:
+        for h in extra:
+            h = (h or "").strip().lower()
+            if h:
+                hosts.add(h)
+    return hosts
+
+
+def check_request(request, allowed: set[str]) -> tuple[bool, str]:
+    """Return ``(ok, reason)``. ``ok == False`` means the request must be 403'd.
+
+    ``request`` is a Flask request (anything exposing ``.host``, ``.method`` and
+    ``.headers.get``).
+    """
+    # 1) Host-header allowlist — anti DNS-rebinding.
+    host = _hostname(getattr(request, "host", "") or "")
+    if host and host not in allowed:
+        return False, f"host '{host}' is not allowlisted"
+
+    # 2) Origin check — anti cross-origin CSRF. Browsers always send Origin on
+    #    state-changing requests, so a mismatch is a reliable CSRF signal. When
+    #    Origin is absent (typical for curl / API clients), fall back to Referer
+    #    only for mutating methods; a fully header-less request is treated as a
+    #    non-browser caller and allowed (it cannot be a CSRF from a page).
+    origin = request.headers.get("Origin")
+    if origin:
+        if _hostname(origin) not in allowed:
+            return False, "cross-origin request blocked (Origin)"
+    elif request.method in _MUTATING_METHODS:
+        referer = request.headers.get("Referer")
+        if referer and _hostname(referer) not in allowed:
+            return False, "cross-origin request blocked (Referer)"
+    return True, ""
+
+
+def cors_origin(request, allowed: set[str]) -> str | None:
+    """Echo the request Origin in Access-Control-Allow-Origin only if it is
+    same-origin/allowlisted. The wildcard ``*`` is never used.
+    """
+    origin = request.headers.get("Origin")
+    if origin and _hostname(origin) in allowed:
+        return origin
+    return None
+
+
+def guard_summary() -> dict:
+    """Compact, serializable status for health endpoints — confirms to operators
+    that the localhost guard is active (it otherwise enforces silently)."""
+    return {
+        "active": True,
+        "host_allowlist": True,
+        "csrf": "origin+referer",
+        "cors": "scoped",
+    }
+
+
+def install_guard(app, get_allowed: Callable[[], set[str]]) -> None:
+    """Register the Host/Origin guard and a tightened CORS policy on a Flask app.
+
+    ``get_allowed`` is called per-request so live config changes (e.g. a hub
+    ``host`` edit or an ``allowed_hosts`` list) are honoured without a restart.
+    Registering this BEFORE any other ``before_request`` (e.g. a bearer-token
+    guard) ensures cross-origin requests are rejected first.
+    """
+    from flask import jsonify, request
+
+    @app.before_request
+    def _c3_security_guard():  # noqa: ANN202 - Flask hook
+        # Let CORS preflight through; the after_request handler answers it and
+        # only reflects an allowlisted Origin, so disallowed origins still fail.
+        if request.method == "OPTIONS":
+            return None
+        ok, reason = check_request(request, get_allowed())
+        if not ok:
+            return jsonify({"error": f"blocked: {reason}"}), 403
+        return None
+
+    @app.after_request
+    def _c3_cors(response):  # noqa: ANN202 - Flask hook
+        origin = cors_origin(request, get_allowed())
+        if origin:
+            response.headers["Access-Control-Allow-Origin"] = origin
+            response.headers["Vary"] = "Origin"
+            response.headers["Access-Control-Allow-Headers"] = "Content-Type, Authorization"
+            response.headers["Access-Control-Allow-Methods"] = "GET,POST,PUT,DELETE,OPTIONS"
+        return response
+
+    import logging
+    logging.getLogger("c3.web_security").info(
+        "localhost web guard active — Host allowlist + Origin/Referer CSRF + scoped CORS"
+    )

oracle/mcp_oracle.py

@@ -23,12 +23,19 @@ from oracle.services import api_auth
 logger = logging.getLogger("oracle.mcp")
 
 _INSTRUCTIONS = (
-    "C3 Oracle Discovery — cross-project code & memory intelligence as tools. "
-    "Start with list_projects to see available projects, then use c3_search_cross "
-    "or search_facts to discover across all of them, or the per-project tools "
-    "(c3_search, c3_read, c3_compress, query_memory, read_graph) with a project_path. "
-    "suggest_action creates a PENDING suggestion for human approval; delegate_task runs "
-    "a configured Oracle agent. No code-editing tools are exposed."
+    "C3 Oracle Discovery — use C3's cross-project code & memory intelligence as tools.\n"
+    "\n"
+    "Recommended workflow:\n"
+    "1. list_projects — see which C3 projects exist (names + absolute paths).\n"
+    "2. Discover across ALL projects: search_facts (memory) or c3_search_cross (code).\n"
+    "3. Narrow to one project using its path: c3_search to find code; c3_compress "
+    "(mode='map') to see a file's shape before reading; c3_read for exact content; "
+    "query_memory / read_graph / cross_insights for that project's memory.\n"
+    "\n"
+    "Notes: per-project tools REQUIRE a `project_path` taken from list_projects. Every tool "
+    "returns JSON. suggest_action creates a PENDING suggestion for a human to approve (not a "
+    "direct write); delegate_task runs a configured Oracle agent. Read + safe-action tiers "
+    "only — no code-editing tools are exposed."
 )
 
 
@@ -99,21 +106,59 @@ class _BearerAuthMiddleware:
         await self.app(scope, receive, send)
 
 
-def build_app(registry, version: str = "", require_auth: bool = True, path: str = "/mcp"):
+class _HostGuardMiddleware:
+    """Pure-ASGI Host-header allowlist.
+
+    Rejects requests whose ``Host`` header is not loopback or the configured
+    bind host — defeating DNS-rebinding against the MCP transport. Defense in
+    depth on top of the Bearer gate (a rebound request would still need a valid
+    token, but this stops it reaching the app at all).
+    """
+
+    def __init__(self, app, allowed: set):
+        self.app = app
+        self.allowed = allowed
+
+    async def __call__(self, scope, receive, send):
+        if scope.get("type") == "http":
+            from core.web_security import _hostname
+            headers = dict(scope.get("headers") or [])
+            host = headers.get(b"host", b"").decode("latin-1")
+            if _hostname(host) not in self.allowed:
+                body = b'{"error": "forbidden host"}'
+                await send({
+                    "type": "http.response.start",
+                    "status": 403,
+                    "headers": [(b"content-type", b"application/json"),
+                                (b"content-length", str(len(body)).encode())],
+                })
+                await send({"type": "http.response.body", "body": body})
+                return
+        await self.app(scope, receive, send)
+
+
+def build_app(registry, version: str = "", require_auth: bool = True, path: str = "/mcp",
+              host: str = "127.0.0.1", allowed_hosts=None):
     """Build the Starlette ASGI app for the MCP server (auth middleware attached)."""
     mcp = build_mcp(registry, version)
     app = mcp.http_app(path=path)
     if require_auth:
         app.add_middleware(_BearerAuthMiddleware)
+    # Host-header allowlist (defense-in-depth vs DNS rebinding). Added last so it
+    # is the outermost middleware and runs before the bearer check.
+    from core.web_security import allowed_hostnames
+    app.add_middleware(_HostGuardMiddleware, allowed=allowed_hostnames(host, allowed_hosts))
     return app
 
 
 def serve_mcp(registry, host: str = "127.0.0.1", port: int = 3332,
-              version: str = "", require_auth: bool = True, path: str = "/mcp") -> None:
+              version: str = "", require_auth: bool = True, path: str = "/mcp",
+              allowed_hosts=None) -> None:
     """Blocking: serve the MCP app with uvicorn. Safe to run off the main thread."""
     import uvicorn
 
-    app = build_app(registry, version=version, require_auth=require_auth, path=path)
+    app = build_app(registry, version=version, require_auth=require_auth, path=path,
+                    host=host, allowed_hosts=allowed_hosts)
     config = uvicorn.Config(app, host=host, port=port, log_level="warning", access_log=False)
     server = uvicorn.Server(config)
     # uvicorn only installs signal handlers on the main thread; disable so this
@@ -124,13 +169,13 @@ def serve_mcp(registry, host: str = "127.0.0.1", port: int = 3332,
 
 def start_mcp_thread(registry, host: str = "127.0.0.1", port: int = 3332,
                      version: str = "", require_auth: bool = True,
-                     path: str = "/mcp") -> threading.Thread:
+                     path: str = "/mcp", allowed_hosts=None) -> threading.Thread:
     """Start :func:`serve_mcp` in a daemon thread and return the thread."""
 
     def _run():
         try:
             serve_mcp(registry, host=host, port=port, version=version,
-                      require_auth=require_auth, path=path)
+                      require_auth=require_auth, path=path, allowed_hosts=allowed_hosts)
         except Exception:
             logger.exception("Oracle MCP server crashed")
 

oracle/oracle_server.py

@@ -116,12 +116,21 @@ def _init_services():
 
 
 # ── CORS ──────────────────────────────────────────────────
-@app.after_request
-def _cors(resp):
-    resp.headers["Access-Control-Allow-Origin"] = "*"
-    resp.headers["Access-Control-Allow-Headers"] = "Content-Type, Authorization"
-    resp.headers["Access-Control-Allow-Methods"] = "GET,POST,PUT,DELETE,OPTIONS"
-    return resp
+# Localhost security guard + scoped CORS (replaces the previous wildcard CORS).
+# Host-header allowlist + Origin/Referer CSRF guard. Bearer auth on
+# /api/discovery/* (see _discovery_auth_guard below) still applies on top; this
+# guard also protects the ungated endpoints (config, chat, /api/apikey) from
+# cross-origin reads — notably the raw Discovery token returned by api_apikey_get.
+from core.web_security import (
+    allowed_hostnames as _allowed_hostnames,
+)
+from core.web_security import (
+    install_guard as _install_web_guard,
+)
+
+_install_web_guard(
+    app, lambda: _allowed_hostnames(_cfg.get("bind_host"), _cfg.get("allowed_hosts"))
+)
 
 
 # ── Discovery API auth guard ──────────────────────────────
@@ -849,6 +858,7 @@ def run_oracle(port: int = None, open_browser: bool = None):
                 port=mcp_p,
                 version=_c3_version(),
                 require_auth=cfg.get("api_require_auth", True),
+                allowed_hosts=cfg.get("allowed_hosts"),
             )
             print(f"Oracle Discovery MCP  →  {mcp_url(mcp_host, mcp_p)}  (auth: bearer)")
         except Exception as e:

oracle/services/tool_registry.py

@@ -398,8 +398,23 @@ class ToolRegistry:
             "info": {
                 "title": "C3 Oracle Discovery API",
                 "version": _c3_version(),
-                "description": "Read + safe-action discovery tools over C3's cross-project code and "
-                               "memory intelligence, for use by external LLMs.",
+                "description": (
+                    "Use C3's cross-project code & memory intelligence as tools, for external LLMs.\n\n"
+                    "**Workflow:** call `list_projects` first to get project names + absolute paths; "
+                    "discover across all projects with `search_facts` (memory) or `c3_search_cross` "
+                    "(code); then narrow to one project (pass its `project_path`) using `c3_search`, "
+                    "`c3_compress` (mode `map` to see a file's shape before reading), `c3_read` (exact "
+                    "content), `query_memory`, `read_graph`, or `cross_insights`.\n\n"
+                    "**Auth:** every request requires an `Authorization: Bearer <token>` header "
+                    "(get it from `/api/discovery/mcp-info` or by running `c3 oracle api info`).\n\n"
+                    "**Capability tiers:** `read` tools are pure discovery; `action` tools are safe and "
+                    "non-destructive — `suggest_action` creates a PENDING suggestion for human approval "
+                    "(not a direct write) and `delegate_task` runs a configured Oracle agent. No "
+                    "code-editing tools are exposed.\n\n"
+                    "**Invoke:** POST the arguments object to `/api/discovery/tools/{name}`, or POST "
+                    "`{\"tool\": \"<name>\", \"args\": {...}}` to `/api/discovery/call`. Per-project "
+                    "tools require a `project_path` from `list_projects`."
+                ),
             },
             "security": [{"bearerAuth": []}],
             "components": {

services/claude_md.py

@@ -36,7 +36,7 @@ When falling back, state which c3_* tool was attempted and why it was insufficie
 4. **IMPACT** (shared symbols): `c3_impact(target='symbol')` — blast-radius check before editing any function/class used across files
 5. **EDIT via C3**: `c3_edit(file_path, old_string, new_string, summary)` — for ALL edits. Parallel across files; `edits=[]` batch for same file
 6. **FILTER**: `c3_filter(text=...)` — for terminal output >10 lines or log files
-6.5. **SHELL via C3**: `c3_shell(cmd, cwd='', timeout=60)` — for tests, git, build, scripts. Returns structured `{exit_code, stdout, stderr, duration_ms}`. Auto-filters stdout >30 lines; auto-logs git-mutating commands (commit/add/merge/rebase/reset/restore/checkout) to the edit ledger. Blocks fork bombs and `rm -rf /` or `~`; soft-warns on `--force`, `--no-verify`, `reset --hard`. Native Bash remains the fallback for interactive/TTY commands
+6.5. **SHELL via C3**: `c3_shell(cmd, cwd='', timeout=60)` — for tests, git, build, scripts. Returns structured `{exit_code, stdout, stderr, duration_ms}`. Auto-filters stdout >30 lines; auto-logs git-mutating commands (commit/add/merge/rebase/reset/restore/checkout) to the edit ledger. Best-effort blocks the most catastrophic commands (`rm -rf` of `/`, a top-level system dir, or `$HOME`/`~`; fork bombs; whole-drive wipes) — a guard, not a sandbox; soft-warns on `--force`, `--no-verify`, `reset --hard`. Native Bash remains the fallback for interactive/TTY commands
 7. **VALIDATE**: `c3_validate(file_path)` — after edits or before reporting done. Runs deep type check (pyright/tsc) automatically if installed
 8. **LOG**: `c3_session(action='log')` for decisions. `c3_session(action='snapshot')` before /clear
 9. **DELEGATE**: `c3_delegate(task, backend='ollama|codex|gemini|claude|auto')` or `c3_agent(workflow=...)` for multi-model pipelines