feat: tool filter infrastructure, path scoping, and Gen glTFexport (#32)

* feat(core): add tool filter infrastructure and path scoping utilities

ToolFilter/CompiledToolFilter for deny/allow pattern matching on tool inputs,
hardcoded deny lists for bash (sudo, pipe-to-shell) and web_fetch (SSRF),
path resolution with symlink handling and directory scoping.

Also adds allowed_directories to SecurityConfig, per-tool filters to
ToolsConfig, and PathDenied audit action.

* feat(cli): apply tool filters and path scoping to CLI tools

BashTool now checks commands against compiled deny/allow filters (with
hardcoded sudo, pipe-to-shell defaults) before execution. Strict mode
errors on protected file references instead of warning.

ReadFileTool, WriteFileTool, EditFileTool now resolve symlinks via
resolve_real_path(), enforce allowed_directories scoping, and audit
PathDenied violations. Filter checks run before existing sandbox and
protected-file checks.

* feat(core): apply hardcoded SSRF filters to WebFetchTool

WebFetchTool now checks URLs against compiled deny filters before
fetching. Hardcoded patterns block localhost, private IPs (10.x, 172.16-31.x,
192.168.x, 127.x), metadata endpoints, file:// and [::1].

User config under [tools.filters.web_fetch] can extend but never remove
these defaults via merge_hardcoded().

* refactor: strip xAI, Tavily, Perplexity, and SSRF code redundant with main

These features already exist on the main branch:
- XaiProvider + grok alias + native search trait methods
- TavilyProvider + PerplexityProvider + SearchUsageStats
- SSRF hardcoded filters (validate_web_fetch_url, is_private_ip)
- Hybrid native search passthrough on Anthropic/xAI providers
- Web search session tracking + status display

Remaining in this branch: tool filter infrastructure, path scoping,
bash deny patterns, allowed_directories, PathDenied audit, Gen glTF export.

* fix(ci): resolve clippy, format, and license audit failures

- Remove blank line between #[cfg] attr and struct (clippy)
- Run cargo fmt to fix line wrapping in tests (format)
- Add MIT-0 to deny.toml allow list for encase/Bevy deps (license)

Author: TranscriptionFactory

CHANGELOG.md

@@ -2,19 +2,6 @@
 
 All notable changes to LocalGPT are documented in this file.
 
-## [Unreleased]
-
-### Added
-
-- **Hybrid web search support** with configurable providers (`searxng`, `brave`, `tavily`, `perplexity`) and native-search passthrough controls.
-- **xAI provider support** (`xai/*`, `grok-*`) with native `web_search` tool passthrough.
-- **Web search docs and CLI surfaces**: `localgpt search test`, `localgpt search stats`, and a dedicated `docs/web-search.md` guide.
-
-### Changed
-
-- **`web_fetch` extraction upgraded** to use the `readability` crate with fallback text sanitization.
-- **Config templates expanded** with `providers.xai` and full `[tools.web_search]` examples in both default and example config files.
-
 ## [0.2.0] - 2026-02-14
 
 A milestone release introducing LocalGPT Gen for 3D scene generation, XDG Base Directory compliance, Docker Compose support, and workspace restructuring.

README.md

@@ -10,11 +10,10 @@ A local device focused AI assistant built in Rust — persistent memory, autonom
 - **Single binary** — no Node.js, Docker, or Python required
 - **Local device focused** — runs entirely on your machine, your memory data stays yours
 - **Persistent memory** — markdown-based knowledge store with full-text and semantic search
-- **Hybrid web search** — native provider search passthrough plus client-side fallback providers
 - **Autonomous heartbeat** — delegate tasks and let it work in the background
 - **Multiple interfaces** — CLI, web UI, desktop GUI, Telegram bot
 - **Defense-in-depth security** — signed policy files, kernel-enforced sandbox, prompt injection defenses
-- **Multiple LLM providers** — Anthropic (Claude), OpenAI, xAI (Grok), Ollama, GLM (Z.AI)
+- **Multiple LLM providers** — Anthropic (Claude), OpenAI, Ollama, GLM (Z.AI)
 - **OpenClaw compatible** — works with SOUL, MEMORY, HEARTBEAT markdown files and skills format
 
 ## Install
@@ -104,17 +103,6 @@ If you run a local server that speaks the OpenAI API (e.g., LM Studio, llamafile
 
 Tip: If you see `Failed to spawn Claude CLI`, change `agent.default_model` away from `claude-cli/*` or install the `claude` CLI.
 
-### Web Search
-
-Configure web search providers under `[tools.web_search]` and validate with:
-
-```bash
-localgpt search test "rust async runtime"
-localgpt search stats
-```
-
-Full setup guide: [`docs/web-search.md`](docs/web-search.md)
-
 ## Telegram Bot
 
 Access LocalGPT from Telegram with full chat, tool use, and memory support.
@@ -206,10 +194,6 @@ localgpt memory search "query"    # Search memory
 localgpt memory reindex           # Reindex files
 localgpt memory stats             # Show statistics
 
-# Web search
-localgpt search test "query"      # Validate search provider config
-localgpt search stats             # Show cumulative search usage/cost
-
 # Security
 localgpt md sign                  # Sign LocalGPT.md policy
 localgpt md verify                # Verify policy signature

config.example.toml

@@ -18,9 +18,6 @@
 # OpenAI API (requires OPENAI_API_KEY):
 #   - "openai/gpt-4o", "openai/gpt-4o-mini", "openai/gpt-4-turbo"
 #
-# xAI API (requires XAI_API_KEY):
-#   - "xai/grok-3-mini", "xai/grok-3"
-#
 # GLM / Z.AI API (requires GLM API key):
 #   - "glm/glm-4.7" (or use alias "glm")
 #
@@ -52,11 +49,6 @@ base_url = "https://api.anthropic.com"
 # api_key = "not-needed"
 # base_url = "http://127.0.0.1:8080/v1" # LM Studio default is http://127.0.0.1:1234/v1
 
-# xAI configuration (optional, for xai/* models)
-# [providers.xai]
-# api_key = "${XAI_API_KEY}"
-# base_url = "https://api.x.ai/v1"
-
 # Ollama configuration (for local models)
 # [providers.ollama]
 # endpoint = "http://localhost:11434"
@@ -143,11 +135,10 @@ bind = "127.0.0.1"
 
 # Web search (optional)
 # [tools.web_search]
-# provider = "searxng"            # searxng | brave | tavily | perplexity | none
+# provider = "searxng"            # searxng | brave | none
 # cache_enabled = true
 # cache_ttl = 900                 # seconds (default: 15 min)
 # max_results = 5                 # 1-10
-# prefer_native = true            # use provider-native search if available
 #
 # [tools.web_search.searxng]
 # base_url = "http://localhost:8080"
@@ -159,15 +150,6 @@ bind = "127.0.0.1"
 # api_key = "${BRAVE_API_KEY}"
 # country = ""
 # freshness = ""                  # pd | pw | pm | ""
-#
-# [tools.web_search.tavily]
-# api_key = "${TAVILY_API_KEY}"
-# search_depth = "basic"          # basic | advanced
-# include_answer = true
-#
-# [tools.web_search.perplexity]
-# api_key = "${PERPLEXITY_API_KEY}"
-# model = "sonar"                 # sonar | sonar-pro | sonar-reasoning-pro
 
 # Telegram bot (optional)
 # Create a bot via @BotFather on Telegram to get an API token

crates/cli/src/cli/chat.rs

@@ -794,18 +794,6 @@ async fn handle_command(
                     status.api_input_tokens + status.api_output_tokens
                 );
             }
-
-            if status.search_queries > 0 {
-                let cache_pct =
-                    (status.search_cached_hits as f64 / status.search_queries as f64) * 100.0;
-                println!("\nSearch:");
-                println!("  Queries: {}", status.search_queries);
-                println!(
-                    "  Cached hits: {} ({:.0}%)",
-                    status.search_cached_hits, cache_pct
-                );
-                println!("  Estimated cost: ${:.3}", status.search_cost_usd);
-            }
             println!();
             CommandResult::Continue
         }

crates/cli/src/cli/search.rs

@@ -1,7 +1,7 @@
 use anyhow::Result;
 use clap::{Args, Subcommand};
 
-use localgpt_core::agent::tools::web_search::{SearchRouter, read_search_usage_stats};
+use localgpt_core::agent::tools::web_search::SearchRouter;
 use localgpt_core::config::Config;
 
 #[derive(Args)]
@@ -17,14 +17,11 @@ pub enum SearchCommands {
         /// The search query to test
         query: String,
     },
-    /// Show cumulative web search usage statistics
-    Stats,
 }
 
 pub async fn run(args: SearchArgs) -> Result<()> {
     match args.command {
         SearchCommands::Test { query } => run_test(&query).await,
-        SearchCommands::Stats => run_stats(),
     }
 }
 
@@ -64,20 +61,3 @@ async fn run_test(query: &str) -> Result<()> {
 
     Ok(())
 }
-
-fn run_stats() -> Result<()> {
-    let stats = read_search_usage_stats()?;
-    let cache_pct = if stats.total_queries > 0 {
-        (stats.cached_hits as f64 / stats.total_queries as f64) * 100.0
-    } else {
-        0.0
-    };
-
-    println!("Search Statistics (since {}):", stats.since);
-    println!("  Provider: {}", stats.provider);
-    println!("  Total queries: {}", stats.total_queries);
-    println!("  Cached hits: {} ({:.0}%)", stats.cached_hits, cache_pct);
-    println!("  Estimated cost: ${:.3}", stats.estimated_cost_usd);
-
-    Ok(())
-}

crates/cli/src/desktop/views/status.rs

@@ -84,21 +84,6 @@ impl StatusView {
                     ));
                 });
             }
-
-            if status.search_queries > 0 {
-                ui.add_space(10.0);
-                ui.group(|ui| {
-                    ui.label(RichText::new("Web Search (Session)").strong());
-                    ui.label(format!("Queries: {}", status.search_queries));
-                    let cache_pct =
-                        (status.search_cached_hits as f32 / status.search_queries as f32) * 100.0;
-                    ui.label(format!(
-                        "Cached: {} ({:.0}%)",
-                        status.search_cached_hits, cache_pct
-                    ));
-                    ui.label(format!("Estimated cost: ${:.3}", status.search_cost_usd));
-                });
-            }
         }
 
         message_to_send