fix: replace wildcard CORS default with explicit localhost origins

The cors_origins setting defaulted to ["*"], which passed through
unchanged in production (non-debug) mode. Now defaults to explicit
localhost origins, and _get_cors_origins() strips any wildcards in
production with a warning.

Fixes #462

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

src/config.py

@@ -138,7 +138,12 @@ class Settings(BaseSettings):
 
     # CORS allowed origins for the web chat interface (Gitea Pages, etc.)
     # Set CORS_ORIGINS as a comma-separated list, e.g. "http://localhost:3000,https://example.com"
-    cors_origins: list[str] = ["*"]
+    cors_origins: list[str] = [
+        "http://localhost:3000",
+        "http://localhost:8000",
+        "http://127.0.0.1:3000",
+        "http://127.0.0.1:8000",
+    ]
 
     # Trusted hosts for the Host header check (TrustedHostMiddleware).
     # Set TRUSTED_HOSTS as a comma-separated list. Wildcards supported (e.g. "*.ts.net").

src/dashboard/app.py

@@ -484,15 +484,19 @@ app = FastAPI(
 
 
 def _get_cors_origins() -> list[str]:
-    """Get CORS origins from settings, with sensible defaults."""
+    """Get CORS origins from settings, rejecting wildcards in production."""
     origins = settings.cors_origins
-    if settings.debug and origins == ["*"]:
+    if not settings.debug and "*" in origins:
-        return [
+        logger.warning(
-            "http://localhost:3000",
+            "Wildcard '*' in CORS_ORIGINS ignored in production — "
-            "http://localhost:8000",
+            "set explicit origins via CORS_ORIGINS env var"
-            "http://127.0.0.1:3000",
+        )
-            "http://127.0.0.1:8000",
+        origins = [o for o in origins if o != "*"]
-        ]
+        if not origins:
+            origins = [
+                "http://localhost:3000",
+                "http://localhost:8000",
+            ]
     return origins
 
 

src/timmy/agent.py

@@ -300,7 +300,11 @@ def create_timmy(
             max_context = 2000 if not use_tools else 8000
             if len(memory_context) > max_context:
                 memory_context = memory_context[:max_context] + "\n... [truncated]"
-            full_prompt = f"{base_prompt}\n\n## Memory Context\n\n{memory_context}"
+            full_prompt = (
+                f"{base_prompt}\n\n"
+                f"## GROUNDED CONTEXT (verified sources — cite when using)\n\n"
+                f"{memory_context}"
+            )
         else:
             full_prompt = base_prompt
     except Exception as exc:

src/timmy/prompts.py

@@ -23,6 +23,9 @@ Rules:
 - Remember what the user tells you during the conversation.
 - If you don't know something, say so honestly — never fabricate facts.
 - If a request is ambiguous, ask a brief clarifying question before guessing.
+- SOURCE DISTINCTION: When answering from memory or retrieved context, cite it.
+  When answering from your own training, use hedging: "I think", "I believe".
+  The user must be able to tell grounded claims from pattern-matching.
 - Use the user's name if you know it.
 - When you state a fact, commit to it.
 - NEVER attempt arithmetic in your head. If asked to compute anything, respond:
@@ -78,6 +81,18 @@ HONESTY:
 - Never fabricate tool output. Call the tool and wait.
 - If a tool errors, report the exact error.
 
+SOURCE DISTINCTION (SOUL requirement — non-negotiable):
+- Every claim you make comes from one of two places: a verified source you
+  can point to, or your own pattern-matching. The user must be able to tell
+  which is which.
+- When your response uses information from GROUNDED CONTEXT (memory, retrieved
+  documents, tool output), cite it: "From memory:", "According to [source]:".
+- When you are generating from your training data alone, signal it naturally:
+  "I think", "My understanding is", "I believe" — never false certainty.
+- If the user asks a factual question and you have no grounded source, say so:
+  "I don't have a verified source for this — from my training I think..."
+- Prefer "I don't know" over a confident-sounding guess. Refusal over fabrication.
+
 MEMORY (three tiers):
 - Tier 1: MEMORY.md (hot, always loaded)
 - Tier 2: memory/ vault (structured, append-only, date-stamped)