Skip to content

docs: refresh README + app guide + release notes for v2.33.0#12

Merged
drknowhow merged 1 commit into
mainfrom
docs/v2.33.0-refresh
Jun 10, 2026
Merged

docs: refresh README + app guide + release notes for v2.33.0#12
drknowhow merged 1 commit into
mainfrom
docs/v2.33.0-refresh

Conversation

@drknowhow

Copy link
Copy Markdown
Owner

Documentation-only follow-up to v2.33.0 (no code/version change).

Update the README security section, the in-app guide (guide/tools.html c3_shell safety classification, guide/oracle.html + oracle-guide config tables), and the Oracle discovery docs to reflect the v2.33.0 web-security guard (Host/Origin/CSRF), the strengthened c3_shell blocklist (best-effort guard, not a sandbox), and the new allowed_hosts config option. No code/version change.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
Copilot AI review requested due to automatic review settings June 10, 2026 20:49
@drknowhow drknowhow merged commit 3d7b67d into main Jun 10, 2026
12 checks passed
@drknowhow drknowhow deleted the docs/v2.33.0-refresh branch June 10, 2026 20:51

Copilot AI left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Documentation-only refresh aligned to the v2.33.0 security hardening and recent c3_shell safety messaging, updating the public README, Oracle Discovery docs, in-app HTML guides, and the Unreleased changelog entry.

Changes:

  • Annotates v2.33.0 web-security hardening (Host allowlist + Origin/Referer guard + scoped CORS) across README and Oracle Discovery docs.
  • Adds allowed_hosts to Oracle config documentation in both Markdown and the in-app Oracle guide.
  • Updates the in-app c3_shell safety classification text and adds an explicit “not a sandbox” note; adds an Unreleased changelog entry for these doc updates.

Reviewed changes

Copilot reviewed 5 out of 5 changed files in this pull request and generated 5 comments.

Show a summary per file
File Description
README.md Adds v2.33.0 note and expands the loopback security explanation for local web servers.
oracle-guide/discovery-api.md Documents the additional web guard for the REST surface and adds allowed_hosts to the config table.
guide/tools.html Updates c3_shell BLOCKED label text and adds a clarifying note about the blocklist not being a sandbox.
guide/oracle.html Adds allowed_hosts to the Oracle config keys table in the in-app guide.
CHANGELOG.md Adds an Unreleased entry describing the documentation refresh.

Comment thread README.md
## Security & privacy

- **All web servers (Hub, per-project UI, Oracle) bind to `127.0.0.1` by default and are guarded against browser-based attacks even on loopback** — a Host-header allowlist (defeats DNS rebinding) plus an Origin/Referer check on every request (defeats cross-origin CSRF), with scoped, non-wildcard CORS. A malicious web page you visit therefore cannot drive C3's local endpoints. There is still **no user authentication**, so do not expose these servers to an untrusted network without auth/TLS in front. Binding to a non-loopback interface in `~/.c3/hub_config.json` (`host`) or Oracle's config (`bind_host`) is opt-in and warned at startup; add externally-facing hostnames/IPs to an `allowed_hosts` list there so the guard permits them.
- **All web servers (Hub, per-project UI, Oracle) bind to `127.0.0.1` by default and are guarded against browser-based attacks even on loopback** — a Host-header allowlist (defeats DNS rebinding) plus an Origin/Referer check on every request (defeats cross-origin CSRF), with scoped, non-wildcard CORS. A malicious web page you visit therefore cannot drive C3's local endpoints. There is still **no user authentication**, so do not expose these servers to an untrusted network without auth/TLS in front. Binding to a non-loopback interface in `~/.c3/hub_config.json` (`host`) or Oracle's config (`bind_host`) is opt-in and warned at startup; add externally-facing hostnames/IPs to an `allowed_hosts` list there so the guard permits them. _(Cross-origin/CSRF + DNS-rebinding hardening added in v2.33.0.)_
Comment on lines +16 to +17
> The REST surface is additionally protected by C3's Host-header allowlist + Origin/Referer
> CSRF guard (v2.33.0), so a web page open in a browser on the same machine cannot reach it.
| Key | Default | Meaning |
|-----|---------|---------|
| `bind_host` | `127.0.0.1` | Interface to bind (use `0.0.0.0` to expose on a network — then add TLS/firewalling). |
| `allowed_hosts` | `[]` | Extra hostnames/IPs the Host-header + Origin guard accepts. Needed when `bind_host` is non-loopback so legitimate browsers/clients are not blocked (v2.33.0). |
Comment thread guide/oracle.html
<h2><code>~/.c3/oracle/config.json</code> keys</h2>
<table class="kv-table">
<tr><td><code>bind_host</code></td> <td>Interface to bind. Default <code>127.0.0.1</code>. Use <code>0.0.0.0</code> to expose on a network (add TLS/firewall).</td></tr>
<tr><td><code>allowed_hosts</code></td> <td>Extra hostnames/IPs the Host + Origin guard accepts. Needed when <code>bind_host</code> is non-loopback so legitimate browsers/clients aren't blocked (v2.33.0).</td></tr>
Comment thread guide/tools.html
<h4>Safety classification</h4>
<div class="tag-row">
<span class="badge badge-red">BLOCKED — rm -rf / or ~, fork bombs</span>
<span class="badge badge-red">BLOCKED — rm -rf of /, a top-level system dir, $HOME/~; fork bombs; whole-drive wipes</span>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants