UNPKG

sfcc-dev-mcp

Version:

MCP server for Salesforce B2C Commerce Cloud development assistance including logs, debugging, and development tools

github.com/taurgis/sfcc-dev-mcp

taurgis/sfcc-dev-mcp

148 lines (103 loc) 4.97 kB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
# Security Policy ## Supported Versions We actively maintain and provide security updates for the following versions: | Version | Supported | | ------- | ------------------ | | 1.x.x | :white_check_mark: | | < 1.0 | :x: | ## Reporting a Vulnerability We take the security of the SFCC Development MCP Server seriously. If you discover a security vulnerability, please follow these steps: ### 🔒 Private Disclosure **Please do NOT report security vulnerabilities through public GitHub issues.** Instead, please report security vulnerabilities by: 1. **GitHub Security Advisories**: Use GitHub's private vulnerability reporting feature at [https://github.com/taurgis/sfcc-dev-mcp/security/advisories](https://github.com/taurgis/sfcc-dev-mcp/security/advisories) ### 📋 What to Include When reporting a vulnerability, please include: - **Description**: Clear description of the vulnerability - **Impact**: Potential impact and attack scenarios - **Reproduction**: Step-by-step instructions to reproduce the issue - **Environment**: Version, operating system, and configuration details - **Evidence**: Screenshots, logs, or proof-of-concept code (if applicable) ### ⏰ Response Timeline We are committed to addressing security vulnerabilities promptly: - **Initial Response**: Within 48 hours of report - **Acknowledgment**: Within 7 days with initial assessment - **Resolution**: Security patches released within 30 days for high-severity issues - **Disclosure**: Coordinated disclosure after patch is available ## Security Considerations ### 🎯 Scope This security policy covers vulnerabilities in: - **Core MCP Server**: Authentication, data handling, API access - **SFCC Integration**: OAuth flows, credential management, data exposure - **Documentation Access**: Information disclosure, access control - **Log Analysis**: Sensitive data exposure, injection vulnerabilities - **Dependencies**: Third-party package vulnerabilities ### ⚠️ What We Consider Security Issues - **Authentication bypass** in SFCC credential handling - **Sensitive data exposure** in logs or responses - **Code injection** through tool parameters - **Unauthorized access** to SFCC instances - **Credential leakage** in configuration or cache - **Path traversal** in file operations - **Denial of service** through resource exhaustion - **Dependency vulnerabilities** with exploitable impact ### ✅ What We Don't Consider Security Issues - **Rate limiting** on local development tools - **Information disclosure** of public SFCC documentation - **Resource usage** in normal operation scenarios - **Configuration errors** by end users - **Network connectivity** issues - **Feature requests** or usability improvements ## Security Best Practices ### 🔐 For Users 1. **Credential Protection**: - Store SFCC credentials securely in `dw.json` - Use environment variables for sensitive configuration - Regularly rotate API credentials - Never commit credentials to version control 2. **Network Security**: - Use HTTPS connections to SFCC instances - Verify SSL certificates in production - Restrict network access to development instances 3. **Local Security**: - Keep the MCP server updated - Review log outputs for sensitive data - Use proper file permissions on configuration files ### 🛡️ For Developers 1. **Input Validation**: - Validate all tool parameters - Sanitize user inputs before processing - Use type-safe parameter parsing 2. **Data Handling**: - Minimize sensitive data in logs - Implement proper error handling - Use secure HTTP clients with proper timeouts 3. **Dependency Management**: - Regularly update dependencies - Monitor for security advisories - Use `npm audit` to check for vulnerabilities ## Security Features ### 🔒 Built-in Security - **OAuth 2.0 Authentication** for SFCC OCAPI access - **Secure credential storage** with local file protection - **Input validation** on all tool parameters - **Rate limiting** on external API calls - **Secure HTTP clients** with proper error handling - **Minimal privilege principle** for SFCC permissions ### 📊 Security Monitoring - **Dependency scanning** via GitHub Dependabot - **Code quality checks** in CI/CD pipeline - **Security-focused linting** rules - **Regular security audits** of dependencies ## Responsible Disclosure We believe in responsible disclosure and will work with security researchers to: 1. **Acknowledge** your contribution 2. **Keep you informed** of our progress 3. **Credit you appropriately** (unless you prefer to remain anonymous) 4. **Coordinate timing** of public disclosure ## Contact For security-related questions or concerns: - **GitHub**: [@taurgis](https://github.com/taurgis) - **Project**: [sfcc-dev-mcp](https://github.com/taurgis/sfcc-dev-mcp) --- Thank you for helping keep the SFCC Development MCP Server and its users safe! 🛡️