Security and privacy
This server is designed for local, single-developer use. It reads credentials from your existing dw.json or environment, never writes them to disk itself, and never transmits them to third-party services.
Modes and security characteristics
Both modes are designed for local, single-developer use. Docs mode has no credential surface at all. Full mode carries the same risk profile as your existing local SFCC workflow, since it uses the same dw.json for WebDAV and OCAPI access.
| Mode | Characteristics | Risk profile |
|---|---|---|
| Docs mode | No auth, static docs, scaffolding only | Minimal |
| Full mode | WebDAV + OCAPI credentials | Same as local SFCC dev |
Docs mode (default)
- No credentials required
- Static docs + scaffolding only
- Safe for discovery and AI prompt prototyping
Full mode (--dw-json)
- Uses the same credentials you already use locally
- WebDAV (logs + job logs) and OCAPI Data API tooling
- Capability-gated: a tool is registered only when the credentials it requires are present in dw.json
Baseline hardening checklist
- Confirm the hostname points at a sandbox, never a production domain.
- Add `dw.json` and `*.dw.json` to `.gitignore`.
- Run `chmod 600 dw.json` (owner read/write only).
- Remove unused OAuth fields (`client-id`, `client-secret`) if you only need log access.
- Grant only the OCAPI resources you need, adding them incrementally.
- Use environment variables to override secrets in CI contexts.
- Start in docs mode and validate the tool surface before enabling full mode.
- Rotate client secrets and passwords on a schedule.
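The checklist above can be automated as a pre-flight check. The script below is an added example, not part of this project; it assumes dw.json uses the usual keys (`hostname`, `username`, `password`, `client-id`, `client-secret`), that sandbox hostnames match the shapes in `SANDBOX_HOST_PATTERNS`, and that CI sets the environment variable names in `ENV_OVERRIDES`. Adjust all three to your org before relying on it.

```python
"""Audit a local dw.json against the baseline hardening checklist.

Added example, not code from this project. Assumptions (also marked in
comments): the standard dw.json keys, the sandbox hostname shapes in
SANDBOX_HOST_PATTERNS, and the env var names in ENV_OVERRIDES.
"""
import json
import os
import re
import stat
import sys

# Assumption: hostname shapes that identify an SFCC sandbox. Anything else
# (a custom storefront domain, a production-/staging- instance) is rejected.
SANDBOX_HOST_PATTERNS = (
    re.compile(r"^[a-z0-9]+-\d{3}\.dx\.commercecloud\.salesforce\.com$"),  # on-demand sandbox
    re.compile(r"^dev\d{2}-[a-z0-9-]+\.demandware\.net$"),                  # legacy dev sandbox
)

# Assumption: env vars a CI job sets to override secrets from dw.json.
ENV_OVERRIDES = {
    "password": "SFCC_PASSWORD",
    "client-secret": "SFCC_CLIENT_SECRET",
}

OAUTH_KEYS = ("client-id", "client-secret")


def audit_dw_config(cfg, mode, gitignore_text, logs_only=False):
    """Return a list of checklist violations for an in-memory dw.json.

    cfg: parsed dw.json; mode: st_mode of the file (a bare 0o600-style
    value works too); gitignore_text: contents of the repo .gitignore;
    logs_only: True when only WebDAV log access is needed, so OAuth
    fields should not be present at all.
    """
    findings = []

    host = cfg.get("hostname", "")
    if not host:
        findings.append("hostname is missing")
    elif not any(p.match(host) for p in SANDBOX_HOST_PATTERNS):
        findings.append(f"hostname {host!r} does not match a sandbox pattern; "
                        "never point this server at production")

    # Any group/other permission bit means other local users can read secrets.
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append(f"dw.json mode is {stat.S_IMODE(mode):04o}; run chmod 600 dw.json")

    ignored = {line.strip() for line in gitignore_text.splitlines()
               if line.strip() and not line.lstrip().startswith("#")}
    for pattern in ("dw.json", "*.dw.json"):
        if pattern not in ignored:
            findings.append(f".gitignore does not list {pattern}")

    present_oauth = [k for k in OAUTH_KEYS if cfg.get(k)]
    if logs_only and present_oauth:
        findings.append("logs-only use, but OAuth fields present: "
                        + ", ".join(present_oauth) + " (remove them)")

    return findings


def apply_env_overrides(cfg, env):
    """Return a copy of cfg with secrets replaced from env vars (CI use)."""
    merged = dict(cfg)
    for key, var in ENV_OVERRIDES.items():
        if env.get(var):
            merged[key] = env[var]
    return merged


def audit_file(path="dw.json", gitignore_path=".gitignore", logs_only=False):
    """Audit a dw.json on disk; returns the list of findings."""
    with open(path, encoding="utf-8") as fh:
        cfg = json.load(fh)
    mode = os.stat(path).st_mode
    gitignore_text = ""
    if os.path.exists(gitignore_path):
        with open(gitignore_path, encoding="utf-8") as fh:
            gitignore_text = fh.read()
    return audit_dw_config(cfg, mode, gitignore_text, logs_only)


if __name__ == "__main__":
    # Usage: python audit_dw_json.py [path/to/dw.json] [--logs-only]
    positional = [a for a in sys.argv[1:] if not a.startswith("--")]
    problems = audit_file(positional[0] if positional else "dw.json",
                          logs_only="--logs-only" in sys.argv)
    for problem in problems:
        print("FAIL:", problem)
    sys.exit(1 if problems else 0)
```

Run it from the repo root before starting the server in full mode; a non-zero exit means at least one checklist item is unmet. The hostname patterns are deliberately an allow-list rather than a block-list of "production"-like names, so an unfamiliar custom domain fails closed.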
Credential handling
Minimize scope: start with no Data API resources, add only what you need.
Protect files: keep dw.json out of synced or shared directories and never send secrets by email.
Rotate & audit: remove orphaned API clients and track creation dates.
Threat model (local context)
Mitigated by design:
- Path validation and schema checks
- Read-only log operations
- Scoped tool registration based on credentials
- Memory-only caching
Your responsibilities:
- Do not run on shared multi-user servers
- Keep secrets out of version control
- Limit OCAPI resources to active feature work
- Rotate credentials regularly
Data handling
- Log tools read a bounded tail of log files
- Site preference searches mask password values
- System object tools return metadata, not record data
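The three client-side guards described in the threat model and data handling sections (log path validation, a bounded tail read, and password masking in site preference results) are small enough to show in full. The code below is an added illustration, not the project's own implementation; it assumes log names are flat `*.log` file names, that a bounded tail is a byte cap applied before line splitting, and that a preference record is a password when its `type` is `"password"` or its `id` contains `password`.

```python
"""Illustrative guards for a read-only log tool and a preference search.

Added example, not the project's code. Assumptions: flat *.log names, a
64 KiB tail cap, and preference records shaped as {"id", "type", "value"}.
"""
import re

# Assumption: a valid log name is a single path component ending in .log.
LOG_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]*\.log$")
MAX_TAIL_BYTES = 64 * 1024  # assumption: cap on bytes fetched per read
MASK = "********"


def validate_log_name(name):
    """Return name if it is a flat *.log file name, else raise ValueError.

    Separators and '..' are rejected before the regex so a traversal
    attempt never reaches the WebDAV URL.
    """
    if "/" in name or "\\" in name or ".." in name or not LOG_NAME.match(name):
        raise ValueError(f"rejected log name: {name!r}")
    return name


def is_valid_log_name(name):
    """Boolean form of validate_log_name for callers that prefer no exception."""
    try:
        validate_log_name(name)
        return True
    except ValueError:
        return False


def bounded_tail(data, max_bytes=MAX_TAIL_BYTES, max_lines=200):
    """Return at most max_lines complete lines from the last max_bytes of data.

    When the byte cap cuts a line in half, that partial first line is
    dropped so the caller only ever sees whole log lines. Over WebDAV the
    same cap maps to a Range: bytes=-<max_bytes> request (assumption).
    """
    if len(data) > max_bytes:
        data = data[-max_bytes:]
        cut = data.find(b"\n")
        data = data[cut + 1:] if cut >= 0 else b""
    lines = data.decode("utf-8", errors="replace").splitlines()
    return lines[-max_lines:]


def mask_preferences(prefs, mask=MASK):
    """Return copies of preference records with password values masked.

    Records are not modified in place, so the unmasked originals are never
    handed back by accident.
    """
    out = []
    for pref in prefs:
        pid = str(pref.get("id", ""))
        is_secret = pref.get("type") == "password" or "password" in pid.lower()
        copy = dict(pref)
        if is_secret and copy.get("value"):
            copy["value"] = mask
        out.append(copy)
    return out


if __name__ == "__main__":
    # Constructed sample input, not real server data.
    sample_log = b"".join(b"line%d\n" % i for i in range(10))
    print(validate_log_name("error-blade0-0-appserver-20240101.log"))
    print(bounded_tail(sample_log, max_bytes=20, max_lines=5))
    print(mask_preferences([{"id": "SMTPPassword", "type": "string", "value": "hunter2"}]))
```

The name check is an allow-list; the `..` and separator checks are redundant with the regex but make the intent explicit to a reviewer. `bounded_tail` applies the byte cap before the line cap, which is what keeps a huge single-line log from being read in full.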
Reporting
If you discover a vulnerability, report it privately to the maintainers and avoid posting details in public issues.