c4-mcp

The project is designed with security in mind for local network operation. Credentials (host, username, password) are loaded from a gitignored `config.json` or environment variables, with explicit warnings against committing secrets. It enforces 'safe-by-default' controls, requiring explicit environment variable (`C4_WRITES_ENABLED=true`) to enable state-changing actions, and supports allow/deny lists for tools. Network communication with the Control4 Director on the local LAN uses `aiohttp` with `ssl=False`, which disables certificate verification. This is a common practice for local systems with self-signed certificates but means it won't detect local Man-in-the-Middle attacks. The `discover_controller.py` tool performs local IP scanning, which is a discovery feature. No 'eval' or obvious malicious patterns were found. Overall, it's responsibly built for its intended local-only use case.