Architecture Overview
Understand how C3 keeps your code and data secure while enabling seamless mobile access.
How It Works
C3 creates a secure bridge between your mobile device and your development machine. When you send a message from the app, it travels directly to your computer where your AI coding agent processes it — no cloud intermediaries, no third-party servers storing your code.
- Direct Connection: no middleman servers
- You're In Control: approve every action
- Fully Encrypted: TLS for remote access
Your Code Never Leaves Your Machine
C3 runs entirely on your local machine. Your source code, project files, and conversation history stay on your computer. The only external connection is to your AI provider's API when your agent processes requests — the same as running the agent directly from your terminal.
Security First Design
C3 was built with security as the foundation, not an afterthought. Every feature is designed to protect your code and development environment.
Required Authentication
Every connection requires username and password authentication. There's no anonymous access — only authorized devices can connect to your backend.
Permission System
The agent can't execute file changes, run commands, or access sensitive operations without your explicit approval. You see exactly what's happening before it happens.
Isolated Sessions
Each project runs in its own isolated session. With Git Worktrees enabled, each session works on a separate branch, preventing conflicts and unintended changes.
Checkpoint & Rewind
Made a mistake? Every change is tracked with automatic checkpoints. Rewind to any previous state instantly — your code is always recoverable.
Authentication
C3 uses multiple layers of authentication to ensure only you can access your development environment.
Connection Authentication
When you start the C3 backend, you set a username and password. These credentials are required for any device to connect — without them, connection is refused.
How it works
- Credentials are set when starting the backend server
- The mobile app stores credentials securely in the device keychain
- Failed authentication attempts are logged and rate-limited
- Multiple failed attempts result in temporary IP blocking
Terminal Authentication
Terminal access uses the same authentication layer. When you open a terminal session from the app, it creates an authenticated connection to your machine's shell — no additional login required, but still fully secured.
Strong Password Recommended
For remote access, use a strong password (12+ characters with mixed case, numbers, and symbols). Change credentials periodically, especially if you suspect they may have been compromised.
Data Privacy
Your privacy is paramount. Here's exactly what data goes where:
| Data Type | Where It Goes |
|---|---|
| Source Code | Stays on your machine — never sent to C3 servers |
| Chat Messages | Your machine → AI provider API (same as CLI) |
| Session History | Stored locally on your machine |
| Credentials | Encrypted in device keychain (never transmitted) |
Connection Security
How your connection is secured depends on your setup:
Local Network
- Direct connection over your WiFi
- Traffic never leaves your network
- Authentication still required
Remote Access (ngrok)
- TLS/SSL encryption (HTTPS)
- End-to-end encrypted tunnel
- Authentication + encryption combined
Rate Limiting & Protection
C3 includes built-in protection against unauthorized access:
- Rate limiting — Prevents brute-force attacks on credentials
- IP blocking — Temporarily blocks IPs after multiple failed attempts
- Connection logging — All connection attempts are logged for review
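The three protections above, and the failed-attempt handling listed under Connection Authentication, can be sketched as a sliding-window limiter with a temporary per-IP block. This is an added example, not C3's code: the `LoginGuard` class, the logger name, and the thresholds (5 failures in 60 seconds, 300-second block) are assumptions chosen for illustration.

```python
import hmac
import logging
from collections import defaultdict, deque

log = logging.getLogger("auth")  # connection log; the logger name is an assumption


class LoginGuard:
    """Sliding-window failure counter with temporary per-IP blocking (illustrative)."""

    def __init__(self, username, password, max_failures=5, window=60.0, block_for=300.0):
        # Thresholds are assumed values, not C3's documented settings.
        self._user = username.encode()
        self._pw = password.encode()
        self.max_failures, self.window, self.block_for = max_failures, window, block_for
        self._failures = defaultdict(deque)  # ip -> timestamps of recent failures
        self._blocked_until = {}             # ip -> time at which the block expires

    def attempt(self, ip, username, password, now):
        """Return 'ok', 'denied' or 'blocked' for one connection attempt."""
        if self._blocked_until.get(ip, 0.0) > now:
            log.warning("blocked ip=%s", ip)
            return "blocked"                 # credentials are not evaluated at all
        self._blocked_until.pop(ip, None)
        # Compare both fields in constant time, without short-circuiting.
        user_ok = hmac.compare_digest(username.encode(), self._user)
        pw_ok = hmac.compare_digest(password.encode(), self._pw)
        if user_ok and pw_ok:
            self._failures.pop(ip, None)
            log.info("auth ok ip=%s", ip)
            return "ok"
        recent = self._failures[ip]
        recent.append(now)
        while recent and recent[0] <= now - self.window:
            recent.popleft()                 # forget failures outside the window
        log.warning("auth failed ip=%s count=%d", ip, len(recent))
        if len(recent) >= self.max_failures:
            self._blocked_until[ip] = now + self.block_for
            recent.clear()
        return "denied"
```

Behind a tunnel or reverse proxy the backend may see the proxy's address for every client, so the limiter has to key on the client address the proxy reports, or one failing client blocks everyone.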
Public WiFi Caution
When using C3 on public WiFi (coffee shops, airports), always use remote access with ngrok enabled. This ensures your traffic is encrypted even on untrusted networks. Consider using a VPN for additional protection.