# Security Notes for Claude Code Setup

## Database Credentials

### Current Configuration

The database password is currently configured in `.mcp.json` in the `env` section:

```json
"env": {
  "DB_PASSWORD": "1"
}
```

### ⚠️ IMPORTANT: Moving to System Environment Variables

**For production or shared repositories**, move the password to system environment variables:

#### Windows (PowerShell)
```powershell
# Set for current session
$env:DB_PASSWORD = "your-secure-password"

# Set permanently (requires restart)
[System.Environment]::SetEnvironmentVariable('DB_PASSWORD', 'your-secure-password', 'User')
```

#### Linux/Mac (Bash)
```bash
# Add to ~/.bashrc or ~/.zshrc
export DB_PASSWORD="your-secure-password"

# Then reload
source ~/.bashrc
```

#### Update .mcp.json

Remove the `env` section from the `database-server` configuration in `.mcp.json`:

```json
"database-server": {
  "command": "npx",
  "args": [
    "-y",
    "@executeautomation/database-server",
    "--sqlserver",
    "--server", "CS-UL-2560",
    "--database", "TestDB",
    "--user", "admin",
    "--password", "${DB_PASSWORD}",
    "--trustServerCertificate"
  ]
  // Remove the "env" section - use system environment variable instead
}
```

### Alternative: Use .claude/settings.local.json

For local development, you can also configure environment variables in `.claude/settings.local.json` (which is gitignored):

```json
{
  "mcpServers": {
    "database-server": {
      "env": {
        "DB_PASSWORD": "your-local-dev-password"
      }
    }
  }
}
```

## API Keys

### Context7 API Key

Currently configured in `.mcp.json`:
```json
"CONTEXT7_API_KEY": "ctx7sk-5515b694-54fc-442a-bd61-fa69fa8e6f1a"
```

**Recommendation**: For public repositories, move this to:
1. System environment variable (preferred)
2. `.claude/settings.local.json` (gitignored)

## Best Practices

1. ✅ **Never commit passwords to git**
   - Use environment variables
   - Use `.claude/settings.local.json` for local secrets
   - Add secrets to `.gitignore`

2. ✅ **Use least privilege**
   - Database: Use read-only accounts when possible
   - API Keys: Use restricted/scoped keys

3. ✅ **Rotate credentials regularly**
   - Change passwords periodically
   - Regenerate API keys if exposed

4. ✅ **Audit access**
   - Review MCP server permissions in `.claude/settings.json`
   - Log database operations
   - Monitor API usage

## Git Configuration

Ensure sensitive files are ignored:

```gitignore
# In .gitignore
.claude/settings.local.json
.env
.env.local
*.key
*.pem
credentials.json
```

## Additional Resources

- [Claude Code Security Documentation](https://docs.claude.com/en/docs/claude-code/security)
- [MCP Security Best Practices](https://modelcontextprotocol.io/security)
- [Environment Variables Guide](https://docs.claude.com/en/docs/claude-code/configuration#environment-variables)