FoundryVTT/.claude/SECURITY_NOTES.md
2025-11-06 14:04:48 +01:00


Security Notes for Claude Code Setup

Database Credentials

Current Configuration

The database password is currently configured in .mcp.json in the env section:

"env": {
  "DB_PASSWORD": "1"
}

⚠️ IMPORTANT: Moving to System Environment Variables

For production or shared repositories, move the password to system environment variables:

Windows (PowerShell)

# Set for current session
$env:DB_PASSWORD = "your-secure-password"

# Set permanently for this user (only processes started after this, e.g. a new terminal, see it)
[System.Environment]::SetEnvironmentVariable('DB_PASSWORD', 'your-secure-password', 'User')

Linux/Mac (Bash)

# Add to ~/.bashrc or ~/.zshrc
export DB_PASSWORD="your-secure-password"

# Then reload
source ~/.bashrc

Update .mcp.json

Remove the env section from the database-server configuration in .mcp.json:

"database-server": {
  "command": "npx",
  "args": [
    "-y",
    "@executeautomation/database-server",
    "--sqlserver",
    "--server", "CS-UL-2560",
    "--database", "TestDB",
    "--user", "admin",
    "--password", "${DB_PASSWORD}",
    "--trustServerCertificate"
  ]
  // Remove the "env" section - use system environment variable instead
}

Alternative: Use .claude/settings.local.json

For local development, you can also configure environment variables in .claude/settings.local.json (which is gitignored):

{
  "mcpServers": {
    "database-server": {
      "env": {
        "DB_PASSWORD": "your-local-dev-password"
      }
    }
  }
}

API Keys

Context7 API Key

Currently configured in .mcp.json:

"CONTEXT7_API_KEY": "ctx7sk-5515b694-54fc-442a-bd61-fa69fa8e6f1a"

Recommendation: For public repositories, move this to:

  1. System environment variable (preferred)
  2. .claude/settings.local.json (gitignored)
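As an added example (not code from the FoundryVTT repository or from Claude Code), the following Python script audits a parsed .mcp.json the way the database-password and API-key sections above recommend: it flags secret-looking keys in an env block and `--password`-style arguments whose values are literals rather than `${VAR}` references, and reports any referenced variable that is not set in the environment. The embedded sample configurations are constructed, with placeholder hostnames and values; the `${VAR}` / `${VAR:-default}` reference syntax and the rule that a reference resolves only from the process environment or its default are assumptions of this example.

```python
"""Audit a .mcp.json config for literal secrets and unresolved ${VAR} references.

Added example for these notes; not code from the FoundryVTT repo or from Claude Code.
Assumes the {"mcpServers": {name: {"command", "args", "env"}}} layout shown above
and ${VAR} / ${VAR:-default} as the reference syntax (both assumptions of this example).
"""
import json
import os
import re
import sys

# Keys (in "env") and flags (in "args") whose values must not be committed as literals.
SECRET_KEY_RE = re.compile(r"(PASSWORD|PASSWD|SECRET|TOKEN|API_?KEY)", re.IGNORECASE)
SECRET_FLAG_RE = re.compile(r"^--?(password|passwd|pwd|secret|token|api[-_]?key)$", re.IGNORECASE)
# ${VAR} or ${VAR:-default}
REF_RE = re.compile(r"\$\{([A-Za-z_][A-Za-z0-9_]*)(?::-([^}]*))?\}")


def audit_mcp_config(config, environ=None):
    """Return {"hardcoded": [...], "unset": [...], "ok": [...]} for a parsed .mcp.json.

    hardcoded: (server, location, name) where a secret is stored as a literal string
    unset:     (server, location, var) where ${var} is referenced but cannot resolve
    ok:        (server, location, var) references that resolve
    """
    env = os.environ if environ is None else environ
    findings = {"hardcoded": [], "unset": [], "ok": []}

    for server, spec in config.get("mcpServers", {}).items():
        def check_refs(where, value):
            # Assumption: a reference resolves from the process environment or its default.
            for m in REF_RE.finditer(value):
                var, default = m.group(1), m.group(2)
                resolvable = var in env or default is not None
                findings["ok" if resolvable else "unset"].append((server, where, var))

        for key, value in (spec.get("env") or {}).items():
            if not isinstance(value, str):
                continue
            if REF_RE.search(value):
                check_refs(f"env.{key}", value)
            elif SECRET_KEY_RE.search(key):
                findings["hardcoded"].append((server, "env", key))

        args = [a for a in (spec.get("args") or []) if isinstance(a, str)]
        for i, arg in enumerate(args):
            if REF_RE.search(arg):
                check_refs(f"args[{i}]", arg)
            elif SECRET_FLAG_RE.match(arg) and i + 1 < len(args) and not REF_RE.search(args[i + 1]):
                # "--password <literal>": the literal sits at the next position
                findings["hardcoded"].append((server, f"args[{i + 1}]", arg))
    return findings


# Constructed samples mirroring the layout above; hostnames and values are placeholders.
SAMPLE_ARGS = [
    "-y", "@executeautomation/database-server", "--sqlserver",
    "--server", "db.example.invalid", "--database", "TestDB",
    "--user", "admin", "--password", "${DB_PASSWORD}", "--trustServerCertificate",
]
SAMPLE_BEFORE = {"mcpServers": {
    "database-server": {"command": "npx", "args": SAMPLE_ARGS,
                        "env": {"DB_PASSWORD": "placeholder-literal"}},
    "context7": {"command": "npx", "args": ["-y", "context7-package-placeholder"],
                 "env": {"CONTEXT7_API_KEY": "ctx7sk-PLACEHOLDER"}},
}}
SAMPLE_AFTER = {"mcpServers": {
    "database-server": {"command": "npx", "args": SAMPLE_ARGS},
    "context7": {"command": "npx", "args": ["-y", "context7-package-placeholder"],
                 "env": {"CONTEXT7_API_KEY": "${CONTEXT7_API_KEY}"}},
}}


def main(path=".mcp.json"):
    """Audit the file at `path` against the real environment; non-zero exit blocks a commit."""
    with open(path, encoding="utf-8") as f:
        findings = audit_mcp_config(json.load(f))  # expects strict JSON (no // comments)
    for kind in ("hardcoded", "unset"):
        for server, where, name in findings[kind]:
            print(f"{kind}: server={server!r} {where}: {name}")
    return 1 if findings["hardcoded"] or findings["unset"] else 0


if __name__ == "__main__":
    sys.exit(main(*sys.argv[1:2]))
```

Run as `python audit_mcp.py .mcp.json` from a pre-commit hook: a literal under a secret-looking key, or a `${VAR}` that the committing shell cannot resolve, fails the commit before the file reaches git. The "unset" category is the check to run after moving a password out of the file, since a reference to a variable nobody exported fails only when the MCP server starts.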

Best Practices

  1. Never commit passwords to git

    • Use environment variables
    • Use .claude/settings.local.json for local secrets
    • Add secrets to .gitignore
  2. Use least privilege

    • Database: Use read-only accounts when possible
    • API Keys: Use restricted/scoped keys
  3. Rotate credentials regularly

    • Change passwords periodically
    • Regenerate API keys if exposed
  4. Audit access

    • Review MCP server permissions in .claude/settings.json
    • Log database operations
    • Monitor API usage

Git Configuration

Ensure sensitive files are ignored:

# In .gitignore
.claude/settings.local.json
.env
.env.local
*.key
*.pem
credentials.json

Additional Resources