docs: refresh README + app guide + release notes for v2.33.0#12
Merged
Conversation
Update the README security section, the in-app guide (guide/tools.html c3_shell safety classification, guide/oracle.html + oracle-guide config tables), and the Oracle discovery docs to reflect the v2.33.0 web-security guard (Host/Origin/CSRF), the strengthened c3_shell blocklist (best-effort guard, not a sandbox), and the new allowed_hosts config option. No code/version change. Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
There was a problem hiding this comment.
Pull request overview
Documentation-only refresh aligned to the v2.33.0 security hardening and recent c3_shell safety messaging, updating the public README, Oracle Discovery docs, in-app HTML guides, and the Unreleased changelog entry.
Changes:
- Annotates v2.33.0 web-security hardening (Host allowlist + Origin/Referer guard + scoped CORS) across README and Oracle Discovery docs.
- Adds
allowed_hoststo Oracle config documentation in both Markdown and the in-app Oracle guide. - Updates the in-app
c3_shellsafety classification text and adds an explicit “not a sandbox” note; adds an Unreleased changelog entry for these doc updates.
Reviewed changes
Copilot reviewed 5 out of 5 changed files in this pull request and generated 5 comments.
Show a summary per file
| File | Description |
|---|---|
| README.md | Adds v2.33.0 note and expands the loopback security explanation for local web servers. |
| oracle-guide/discovery-api.md | Documents the additional web guard for the REST surface and adds allowed_hosts to the config table. |
| guide/tools.html | Updates c3_shell BLOCKED label text and adds a clarifying note about the blocklist not being a sandbox. |
| guide/oracle.html | Adds allowed_hosts to the Oracle config keys table in the in-app guide. |
| CHANGELOG.md | Adds an Unreleased entry describing the documentation refresh. |
| ## Security & privacy | ||
|
|
||
| - **All web servers (Hub, per-project UI, Oracle) bind to `127.0.0.1` by default and are guarded against browser-based attacks even on loopback** — a Host-header allowlist (defeats DNS rebinding) plus an Origin/Referer check on every request (defeats cross-origin CSRF), with scoped, non-wildcard CORS. A malicious web page you visit therefore cannot drive C3's local endpoints. There is still **no user authentication**, so do not expose these servers to an untrusted network without auth/TLS in front. Binding to a non-loopback interface in `~/.c3/hub_config.json` (`host`) or Oracle's config (`bind_host`) is opt-in and warned at startup; add externally-facing hostnames/IPs to an `allowed_hosts` list there so the guard permits them. | ||
| - **All web servers (Hub, per-project UI, Oracle) bind to `127.0.0.1` by default and are guarded against browser-based attacks even on loopback** — a Host-header allowlist (defeats DNS rebinding) plus an Origin/Referer check on every request (defeats cross-origin CSRF), with scoped, non-wildcard CORS. A malicious web page you visit therefore cannot drive C3's local endpoints. There is still **no user authentication**, so do not expose these servers to an untrusted network without auth/TLS in front. Binding to a non-loopback interface in `~/.c3/hub_config.json` (`host`) or Oracle's config (`bind_host`) is opt-in and warned at startup; add externally-facing hostnames/IPs to an `allowed_hosts` list there so the guard permits them. _(Cross-origin/CSRF + DNS-rebinding hardening added in v2.33.0.)_ |
Comment on lines
+16
to
+17
| > The REST surface is additionally protected by C3's Host-header allowlist + Origin/Referer | ||
| > CSRF guard (v2.33.0), so a web page open in a browser on the same machine cannot reach it. |
| | Key | Default | Meaning | | ||
| |-----|---------|---------| | ||
| | `bind_host` | `127.0.0.1` | Interface to bind (use `0.0.0.0` to expose on a network — then add TLS/firewalling). | | ||
| | `allowed_hosts` | `[]` | Extra hostnames/IPs the Host-header + Origin guard accepts. Needed when `bind_host` is non-loopback so legitimate browsers/clients are not blocked (v2.33.0). | |
| <h2><code>~/.c3/oracle/config.json</code> keys</h2> | ||
| <table class="kv-table"> | ||
| <tr><td><code>bind_host</code></td> <td>Interface to bind. Default <code>127.0.0.1</code>. Use <code>0.0.0.0</code> to expose on a network (add TLS/firewall).</td></tr> | ||
| <tr><td><code>allowed_hosts</code></td> <td>Extra hostnames/IPs the Host + Origin guard accepts. Needed when <code>bind_host</code> is non-loopback so legitimate browsers/clients aren't blocked (v2.33.0).</td></tr> |
| <h4>Safety classification</h4> | ||
| <div class="tag-row"> | ||
| <span class="badge badge-red">BLOCKED — rm -rf / or ~, fork bombs</span> | ||
| <span class="badge badge-red">BLOCKED — rm -rf of /, a top-level system dir, $HOME/~; fork bombs; whole-drive wipes</span> |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Documentation-only follow-up to v2.33.0 (no code/version change).