code-context-control 2.32.2__tar.gz → 2.34.0__tar.gz

{code_context_control-2.32.2 → code_context_control-2.34.0}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: code-context-control
-Version: 2.32.2
+Version: 2.34.0
 Summary: Local code-intelligence layer for AI coding tools (Claude Code, Codex, Gemini, Copilot). Retrieve less, read less, edit safer.
 Author-email: Dimitri Tselenchuk <dtselenc@gmail.com>
 License-Expression: Apache-2.0
@@ -363,7 +363,7 @@ Real-world A/B tests: same task, with and without C3 mounted. Reports include to
 
 ## Security & privacy
 
-- **Hub binds to `127.0.0.1` by default.** Setting `host` to a non-loopback interface in `~/.c3/hub_config.json` is opt-in and warned at startup. **Do not expose the Hub to a public network without auth/TLS in front of it.**
+- **All web servers (Hub, per-project UI, Oracle) bind to `127.0.0.1` by default and are guarded against browser-based attacks even on loopback** — a Host-header allowlist (defeats DNS rebinding) plus an Origin/Referer check on every request (defeats cross-origin CSRF), with scoped, non-wildcard CORS. A malicious web page you visit therefore cannot drive C3's local endpoints. There is still **no user authentication**, so do not expose these servers to an untrusted network without auth/TLS in front. Binding to a non-loopback interface in `~/.c3/hub_config.json` (`host`) or Oracle's config (`bind_host`) is opt-in and warned at startup; add externally-facing hostnames/IPs to an `allowed_hosts` list there so the guard permits them. _(Cross-origin/CSRF + DNS-rebinding hardening added in v2.33.0.)_
 - **No telemetry by default.** The OSS package collects nothing. Opt-in Sentry crash reporting requires the `[telemetry]` extra plus both `SENTRY_DSN` and `C3_TELEMETRY_OPT_IN=1`. Even when enabled, request bodies, local variables, and prompts are stripped before sending.
 - **API keys** for third-party model providers are read from environment variables and never persisted by C3.
 - See [`SECURITY.md`](SECURITY.md) for the full hardening guide and disclosure policy.

{code_context_control-2.32.2 → code_context_control-2.34.0}/README.md

@@ -301,7 +301,7 @@ Real-world A/B tests: same task, with and without C3 mounted. Reports include to
 
 ## Security & privacy
 
-- **Hub binds to `127.0.0.1` by default.** Setting `host` to a non-loopback interface in `~/.c3/hub_config.json` is opt-in and warned at startup. **Do not expose the Hub to a public network without auth/TLS in front of it.**
+- **All web servers (Hub, per-project UI, Oracle) bind to `127.0.0.1` by default and are guarded against browser-based attacks even on loopback** — a Host-header allowlist (defeats DNS rebinding) plus an Origin/Referer check on every request (defeats cross-origin CSRF), with scoped, non-wildcard CORS. A malicious web page you visit therefore cannot drive C3's local endpoints. There is still **no user authentication**, so do not expose these servers to an untrusted network without auth/TLS in front. Binding to a non-loopback interface in `~/.c3/hub_config.json` (`host`) or Oracle's config (`bind_host`) is opt-in and warned at startup; add externally-facing hostnames/IPs to an `allowed_hosts` list there so the guard permits them. _(Cross-origin/CSRF + DNS-rebinding hardening added in v2.33.0.)_
 - **No telemetry by default.** The OSS package collects nothing. Opt-in Sentry crash reporting requires the `[telemetry]` extra plus both `SENTRY_DSN` and `C3_TELEMETRY_OPT_IN=1`. Even when enabled, request bodies, local variables, and prompts are stripped before sending.
 - **API keys** for third-party model providers are read from environment variables and never persisted by C3.
 - See [`SECURITY.md`](SECURITY.md) for the full hardening guide and disclosure policy.

{code_context_control-2.32.2 → code_context_control-2.34.0}/cli/c3.py

@@ -85,7 +85,7 @@ console = Console() if HAS_RICH else None
 # Config
 CONFIG_DIR = ".c3"
 CONFIG_FILE = ".c3/config.json"
-__version__ = "2.32.2"
+__version__ = "2.34.0"
 
 
 def _command_deps() -> CommandDeps:
@@ -4921,8 +4921,14 @@ def cmd_install_mcp(args):
         # Build hook commands using the Python executable that runs c3.
         # On Windows, Claude Code executes hooks via /usr/bin/bash (Git Bash), which cannot
         # parse Windows absolute paths containing parentheses (e.g. "(C3)"). Prefix with
-        # "cmd /c" so cmd.exe handles path resolution instead of bash.
-        _hook_prefix = "cmd /c " if sys.platform == "win32" else ""
+        # cmd.exe so it handles path resolution instead of bash.
+        #
+        # Use "cmd.exe" WITH the extension, not bare "cmd": Git Bash does not resolve bare
+        # "cmd" on PATH, so the old "cmd /c …" prefix silently failed to launch any hook
+        # (verified: under bash, "cmd.exe /c '<py>' '<hook>'" runs and writes the signal
+        # file; "cmd /c …" returns "cmd: command not found"). The single-quoted paths are
+        # correct — bash strips them and re-quotes for cmd.exe, preserving spaces/parens.
+        _hook_prefix = "cmd.exe /c " if sys.platform == "win32" else ""
         hook_filter_cmd    = f"{_hook_prefix}{shlex.quote(sys.executable)} {shlex.quote(str(cli_dir / 'hook_filter.py'))}"
         hook_read_cmd      = f"{_hook_prefix}{shlex.quote(sys.executable)} {shlex.quote(str(cli_dir / 'hook_read.py'))}"
         hook_c3read_cmd    = f"{_hook_prefix}{shlex.quote(sys.executable)} {shlex.quote(str(cli_dir / 'hook_c3read.py'))}"
@@ -4962,13 +4968,24 @@ def cmd_install_mcp(args):
             },
             {
                 "matcher": read_matcher,
-                "hooks": [{"type": "command", "command": hook_read_cmd}]
+                "hooks": [
+                    {"type": "command", "command": hook_read_cmd},
+                    {"type": "command", "command": hook_ghost_files_cmd},
+                ]
             },
             {
                 "matcher": "mcp__c3__c3_read",
                 "hooks": [
                     {"type": "command", "command": hook_c3read_cmd},
                     {"type": "command", "command": hook_c3_signal_cmd},
+                    {"type": "command", "command": hook_ghost_files_cmd},
+                ]
+            },
+            {
+                "matcher": "mcp__c3__c3_shell",
+                "hooks": [
+                    {"type": "command", "command": hook_c3_signal_cmd},
+                    {"type": "command", "command": hook_ghost_files_cmd},
                 ]
             },
             {

{code_context_control-2.32.2 → code_context_control-2.34.0}/cli/hook_ghost_files.py

@@ -212,6 +212,17 @@ def cleanup_ghost_files(ghosts: list[dict]) -> list[str]:
     return deleted
 
 
+# Tools whose output can carry shell-meta text that leaks into 0-byte files:
+# native shells, c3_shell (its `N->Mtok` filter header), and file reads whose
+# content has `-> Type` hints. A downstream shell sees `> word` and creates an
+# empty file named `word`.
+_GHOST_TRIGGER_TOOLS = (
+    "Bash", "run_shell_command",
+    "mcp__c3__c3_shell",
+    "mcp__c3__c3_read", "Read", "read_file",
+)
+
+
 def main():
     try:
         raw = sys.stdin.read()
@@ -221,8 +232,7 @@ def main():
         data = json.loads(raw)
         tool_name = data.get("tool_name", "")
 
-        # Only trigger on Bash (Claude Code) or run_shell_command (Gemini)
-        if tool_name not in ("Bash", "run_shell_command"):
+        if tool_name not in _GHOST_TRIGGER_TOOLS:
             return
 
         is_gemini = isinstance(data.get("tool_response", ""), dict)

{code_context_control-2.32.2 → code_context_control-2.34.0}/cli/hub_server.py

@@ -35,6 +35,26 @@ from services.tool_classifier import CATEGORIES
 
 app = Flask(__name__, static_folder=str(Path(__file__).parent))
 
+# Localhost-only security: Host-header allowlist + Origin/Referer CSRF guard +
+# scoped CORS. The hub manages MANY projects and exposes command-executing
+# endpoints (launch-ide, mcp-server-add, permissions), so cross-origin CSRF /
+# DNS-rebinding protection matters even though it binds loopback by default.
+# Reads bind host + optional allowed_hosts per-request from hub_config.json.
+from core.web_security import (
+    allowed_hostnames as _allowed_hostnames,
+)
+from core.web_security import (
+    install_guard as _install_web_guard,
+)
+
+
+def _hub_allowed_hosts():
+    _c = _read_hub_config()
+    return _allowed_hostnames(_c.get("host"), _c.get("allowed_hosts"))
+
+
+_install_web_guard(app, _hub_allowed_hosts)
+
 # ─── Hub config ───────────────────────────────────────────────────────────────
 
 _GLOBAL_C3_DIR = Path.home() / ".c3"
@@ -160,46 +180,12 @@ def _project_mcp_config_path(project_root: Path, profile) -> Path:
     return (Path.home() / profile.config_path) if profile.config_path_global else (project_root / profile.config_path)
 
 
-def _parse_toml_mcp_servers(content: str) -> dict:
-    servers = {}
-    current_server = None
-
-    for raw in content.splitlines():
-        line = raw.split("#", 1)[0].strip()
-        if not line:
-            continue
-
-        if line.startswith("[") and line.endswith("]"):
-            section = line[1:-1].strip()
-            if section.startswith("mcp_servers."):
-                current_server = section.split(".", 1)[1]
-                servers.setdefault(current_server, {})
-            else:
-                current_server = None
-            continue
-
-        if not current_server or "=" not in line:
-            continue
-
-        key, value = line.split("=", 1)
-        key = key.strip().strip('"')
-        value = value.strip()
-
-        if key == "args":
-            servers[current_server]["args"] = re.findall(r"[\"']([^\"']*)[\"']", value)
-        elif key in ("command", "type"):
-            match = re.match(r"^[\"'](.*)[\"']$", value)
-            servers[current_server][key] = match.group(1) if match else value
-        elif key == "enabled":
-            low = value.lower()
-            if low.startswith("true"):
-                servers[current_server]["enabled"] = True
-            elif low.startswith("false"):
-                servers[current_server]["enabled"] = False
-        else:
-            servers[current_server][key] = value
-
-    return servers
+from core.mcp_toml import (
+    parse_toml_mcp_servers as _parse_toml_mcp_servers,
+)
+from core.mcp_toml import (
+    upsert_toml_section as _upsert_toml_section,
+)
 
 
 def _read_project_mcp_servers_for_profile(profile, mcp_file: Path) -> tuple[dict, dict]:
@@ -218,73 +204,6 @@ def _read_project_mcp_servers_for_profile(profile, mcp_file: Path) -> tuple[dict
     return servers, raw_config
 
 
-def _toml_escape_str(value: str) -> str:
-    return value.replace("\\", "/")
-
-
-def _upsert_toml_section(toml_path: Path, section: str, entries: dict) -> None:
-    content = toml_path.read_text(encoding="utf-8") if toml_path.exists() else ""
-    header = f"[{section}]"
-
-    lines = content.splitlines()
-    new_lines = []
-    skip = False
-    for line in lines:
-        stripped = line.strip()
-        if stripped == header:
-            skip = True
-            continue
-        if skip and stripped.startswith("["):
-            skip = False
-        if not skip:
-            new_lines.append(line)
-
-    content = "\n".join(new_lines).rstrip()
-    section_lines = [f"\n\n{header}"]
-    for key, value in entries.items():
-        if isinstance(value, list):
-            items = ", ".join(f'"{_toml_escape_str(str(item))}"' for item in value)
-            section_lines.append(f'{key} = [{items}]')
-        elif isinstance(value, bool):
-            section_lines.append(f'{key} = {"true" if value else "false"}')
-        else:
-            section_lines.append(f'{key} = "{_toml_escape_str(str(value))}"')
-    section_lines.append("")
-
-    toml_path.parent.mkdir(parents=True, exist_ok=True)
-    toml_path.write_text(content + "\n".join(section_lines), encoding="utf-8")
-
-
-def _remove_toml_section(toml_path: Path, section: str) -> bool:
-    if not toml_path.exists():
-        return False
-    content = toml_path.read_text(encoding="utf-8")
-    header = f"[{section}]"
-
-    lines = content.splitlines()
-    new_lines = []
-    skip = False
-    removed = False
-    for line in lines:
-        stripped = line.strip()
-        if stripped == header:
-            skip = True
-            removed = True
-            continue
-        if skip and stripped.startswith("["):
-            skip = False
-        if not skip:
-            new_lines.append(line)
-
-    if removed:
-        remaining = "\n".join(new_lines).rstrip()
-        if remaining:
-            toml_path.write_text(remaining + "\n", encoding="utf-8")
-        else:
-            toml_path.unlink()
-    return removed
-
-
 def _build_mcp_cli_capabilities() -> dict:
     return {
         "commands": [
@@ -519,6 +438,11 @@ def api_projects_open():
         path = Path(path_str).resolve()
         if not path.exists():
             return jsonify({"error": f"Path does not exist: {path_str}"}), 404
+        # Only ever open directories. Opening a *file* via os.startfile would
+        # invoke its default handler (e.g. run an .exe/.bat/.lnk), so refuse
+        # anything that is not a folder.
+        if not path.is_dir():
+            return jsonify({"error": "Only directories can be opened"}), 400
 
         if sys.platform == "win32":
             os.startfile(str(path))

{code_context_control-2.32.2 → code_context_control-2.34.0}/cli/mcp_server.py

@@ -639,7 +639,9 @@ async def c3_shell(cmd: str, cwd: str = "", timeout: int = 60,
     """EXECUTE shell command — structured returns, auto-filter, ledger-aware.
     Use for tests, git, build, scripts. Returns exit_code/stdout/stderr/duration_ms.
     Auto-filters stdout >30 lines; auto-logs git mutations to the edit ledger.
-    Blocks: rm -rf / or ~, fork bombs. Soft-warns on --force, --no-verify, reset --hard.
+    Best-effort block of catastrophic commands (rm -rf of /, a top-level system dir, or
+    $HOME/~; fork bombs; whole-drive wipes) — a guard, NOT a sandbox. Soft-warns on
+    --force, --no-verify, reset --hard.
     Native Bash remains the fallback for interactive/TTY commands."""
     svc = _svc(ctx)
 

{code_context_control-2.32.2 → code_context_control-2.34.0}/cli/server.py

@@ -10,7 +10,6 @@ import csv
 import json
 import logging
 import os
-import re
 import signal
 import subprocess
 import sys
@@ -167,12 +166,21 @@ atexit.register(_cleanup_runtime)
 
 
 # ─── CORS middleware ──────────────────────────────────────
-@app.after_request
-def add_cors(response):
-    response.headers['Access-Control-Allow-Origin'] = '*'
-    response.headers['Access-Control-Allow-Headers'] = 'Content-Type'
-    response.headers['Access-Control-Allow-Methods'] = 'GET,POST,DELETE,OPTIONS'
-    return response
+# Localhost-only security: Host-header allowlist + Origin/Referer CSRF guard +
+# scoped CORS (no wildcard). This UI server always binds 127.0.0.1, so only
+# loopback origins are accepted. A loopback bind alone does NOT stop a web page
+# in the user's browser from driving these endpoints — see core/web_security.py.
+from core.web_security import (
+    allowed_hostnames as _allowed_hostnames,
+)
+from core.web_security import (
+    guard_summary as _guard_summary,
+)
+from core.web_security import (
+    install_guard as _install_web_guard,
+)
+
+_install_web_guard(app, lambda: _allowed_hostnames(None))
 
 
 # ─── Serve the UI ─────────────────────────────────────────
@@ -283,6 +291,11 @@ def api_projects_open():
         path = Path(path_str).resolve()
         if not path.exists():
             return jsonify({"error": f"Path does not exist: {path_str}"}), 404
+        # Only ever open directories. Opening a *file* via os.startfile would
+        # invoke its default handler (e.g. run an .exe/.bat/.lnk), so refuse
+        # anything that is not a folder.
+        if not path.is_dir():
+            return jsonify({"error": "Only directories can be opened"}), 400
 
         if sys.platform == "win32":
             os.startfile(str(path))
@@ -365,7 +378,8 @@ def api_health():
     except Exception:
         pass
 
-    return jsonify({"service": "c3-ui", "sources": sources, "session": session_info})
+    return jsonify({"service": "c3-ui", "sources": sources, "session": session_info,
+                    "web_guard": _guard_summary()})
 
 
 # ─── API: Session Registry ───────────────────────────────
@@ -2410,47 +2424,15 @@ def api_proxy_tools():
 
 
 # ─── API: MCP Status ─────────────────────────────────────
-def _parse_toml_mcp_servers(content: str) -> dict:
-    """Parse [mcp_servers.<name>] sections from TOML content."""
-    servers = {}
-    current_server = None
-
-    for raw in content.splitlines():
-        line = raw.split("#", 1)[0].strip()
-        if not line:
-            continue
-
-        if line.startswith("[") and line.endswith("]"):
-            section = line[1:-1].strip()
-            if section.startswith("mcp_servers."):
-                current_server = section.split(".", 1)[1]
-                servers.setdefault(current_server, {})
-            else:
-                current_server = None
-            continue
-
-        if not current_server or "=" not in line:
-            continue
-
-        key, value = line.split("=", 1)
-        key = key.strip()
-        value = value.strip()
-
-        if key == "args":
-            servers[current_server]["args"] = re.findall(r"[\"']([^\"']*)[\"']", value)
-        elif key in ("command", "type"):
-            match = re.match(r"^[\"'](.*)[\"']$", value)
-            servers[current_server][key] = match.group(1) if match else value
-        elif key == "enabled":
-            low = value.lower()
-            if low.startswith("true"):
-                servers[current_server]["enabled"] = True
-            elif low.startswith("false"):
-                servers[current_server]["enabled"] = False
-        else:
-            servers[current_server][key] = value
-
-    return servers
+from core.mcp_toml import (
+    parse_toml_mcp_servers as _parse_toml_mcp_servers,
+)
+from core.mcp_toml import (
+    remove_toml_section as _remove_toml_section,
+)
+from core.mcp_toml import (
+    upsert_toml_section as _upsert_toml_section,
+)
 
 
 def _find_server_script(servers: dict) -> bool:
@@ -2463,71 +2445,6 @@ def _find_server_script(servers: dict) -> bool:
     return False
 
 
-def _toml_escape_str(value: str) -> str:
-    return value.replace("\\", "/")
-
-
-def _upsert_toml_section(toml_path: Path, section: str, entries: dict) -> None:
-    """Add or replace a dotted TOML section in-place."""
-    content = toml_path.read_text(encoding="utf-8") if toml_path.exists() else ""
-    header = f"[{section}]"
-
-    lines = content.splitlines()
-    new_lines = []
-    skip = False
-    for line in lines:
-        stripped = line.strip()
-        if stripped == header:
-            skip = True
-            continue
-        if skip and stripped.startswith("["):
-            skip = False
-        if not skip:
-            new_lines.append(line)
-
-    content = "\n".join(new_lines).rstrip()
-    section_lines = [f"\n\n{header}"]
-    for k, v in entries.items():
-        if isinstance(v, list):
-            items = ", ".join(f'"{_toml_escape_str(str(x))}"' for x in v)
-            section_lines.append(f'{k} = [{items}]')
-        elif isinstance(v, bool):
-            section_lines.append(f'{k} = {"true" if v else "false"}')
-        else:
-            section_lines.append(f'{k} = "{_toml_escape_str(str(v))}"')
-    section_lines.append("")
-
-    toml_path.parent.mkdir(parents=True, exist_ok=True)
-    toml_path.write_text(content + "\n".join(section_lines), encoding="utf-8")
-
-
-def _remove_toml_section(toml_path: Path, section: str) -> bool:
-    """Remove a dotted TOML section. Returns True if removed."""
-    if not toml_path.exists():
-        return False
-    content = toml_path.read_text(encoding="utf-8")
-    header = f"[{section}]"
-
-    lines = content.splitlines()
-    new_lines = []
-    skip = False
-    removed = False
-    for line in lines:
-        stripped = line.strip()
-        if stripped == header:
-            skip = True
-            removed = True
-            continue
-        if skip and stripped.startswith("["):
-            skip = False
-        if not skip:
-            new_lines.append(line)
-
-    if removed:
-        toml_path.write_text("\n".join(new_lines).rstrip() + "\n", encoding="utf-8")
-    return removed
-
-
 def _resolve_mcp_profile(ide_name: str | None):
     requested = (ide_name or "").strip().lower()
     if requested and requested != "auto":

{code_context_control-2.32.2 → code_context_control-2.34.0}/cli/tools/filter.py

@@ -64,10 +64,10 @@ def _filter_text(text: str, depth: str, svc, finalize) -> str:
     raw_tokens = res['raw_tokens']
     savings_pct = round((1 - filtered_tokens / raw_tokens) * 100, 1) if raw_tokens > 0 else 0
 
-    header = f"[filter:{method}] {raw_tokens}->{filtered_tokens}tok ({savings_pct}%saved)"
+    header = f"[filter:{method}] {raw_tokens}→{filtered_tokens}tok ({savings_pct}%saved)"
     resp = f"{header}\n{result_text}"
     return finalize("c3_filter", {"depth": depth},
-                    resp, f"{raw_tokens}->{filtered_tokens}tok",
+                    resp, f"{raw_tokens}→{filtered_tokens}tok",
                     response_tokens=filtered_tokens)
 
 

{code_context_control-2.32.2 → code_context_control-2.34.0}/cli/tools/read.py

@@ -25,13 +25,50 @@ def _coerce_list(val: Any) -> list[str] | None:
             except (json.JSONDecodeError, ValueError):
                 pass
         if val:
+            # Comma-separated symbols ("a,b,c") -> multiple targets. Function/class
+            # names never contain commas, and regex anchors (^foo$) have none either.
+            if "," in val:
+                return [s.strip() for s in val.split(",") if s.strip()]
             return [val]
     return None
 
 
+def _coerce_lines(val: Any):
+    """Coerce `lines` from MCP's string serialization into an int or list.
+
+    MCP clients sometimes serialize numbers/lists as strings (the same reason
+    `_coerce_list` exists for `symbols`). Without this, a JSON-string such as
+    "[22, 193]" or "22" falls through handle_read's range logic and the tool
+    silently returns the file *map* instead of the requested source lines.
+    """
+    if val is None or isinstance(val, (int, list, tuple)):
+        return val
+    if isinstance(val, str):
+        val = val.strip()
+        if not val:
+            return None
+        if val.startswith("["):
+            try:
+                parsed = json.loads(val)
+            except (json.JSONDecodeError, ValueError):
+                return None
+            return parsed if isinstance(parsed, list) else None
+        try:
+            return int(val)
+        except ValueError:
+            if "-" in val:  # "start-end" like "22-40"
+                a, _, b = val.partition("-")
+                try:
+                    return [int(a.strip()), int(b.strip())]
+                except ValueError:
+                    return None
+    return None
+
+
 def handle_read(file_path: str, symbols: Any = None, lines: Any = None,
                 include_docstrings: bool = True, svc=None, finalize=None) -> str:
     symbols = _coerce_list(symbols)
+    lines = _coerce_lines(lines)
     # Multi-file dispatch (parallel)
     if "," in file_path:
         paths = [p.strip() for p in file_path.split(",") if p.strip()]