hostname mismatch protection on relevant config sources only

Author: clavery

.changeset/selective-hostname-mismatch.md

@@ -0,0 +1,5 @@
+---
+'@salesforce/b2c-tooling-sdk': patch
+---
+
+Fix `--server` override dropping config from non-instance-bound sources. Previously, overriding the server hostname discarded all config values including credentials from global sources like config plugins. Now only values from the source that provided the conflicting hostname are dropped.

packages/b2c-tooling-sdk/src/config/resolver.ts

@@ -162,6 +162,7 @@ export class ConfigResolver {
     const sourceInfos: ConfigSourceInfo[] = [];
     const sourceWarnings: ConfigWarning[] = [];
     const baseConfig: NormalizedConfig = {};
+    const hostnameProtection = options.hostnameProtection !== false;
 
     // Create enriched options that will be updated with accumulated config values.
     // This allows later sources (like plugins) to use values discovered by earlier sources (like dw.json).
@@ -188,6 +189,44 @@ export class ConfigResolver {
         const {config: sourceConfig, location} = result;
         const fields = getPopulatedFields(sourceConfig);
         if (fields.length > 0) {
+          // Early hostname mismatch detection: if this source provides a hostname
+          // that conflicts with the override, skip this source entirely.
+          // This prevents instance-bound sources from blocking fields in later
+          // non-instance-bound sources (e.g., password-store providing shortCode).
+          if (
+            hostnameProtection &&
+            overrides.hostname &&
+            sourceConfig.hostname &&
+            sourceConfig.hostname !== overrides.hostname
+          ) {
+            sourceWarnings.push({
+              code: 'HOSTNAME_MISMATCH',
+              message: `Server override "${overrides.hostname}" differs from config file "${sourceConfig.hostname}". Config file values ignored.`,
+              details: {
+                providedHostname: overrides.hostname,
+                configHostname: sourceConfig.hostname,
+              },
+            });
+
+            sourceInfos.push({
+              name: source.name,
+              location,
+              fields: [],
+              fieldsIgnored: fields,
+            });
+
+            const logger = getLogger();
+            logger.trace(
+              {
+                source: source.name,
+                location,
+                fieldsIgnored: fields,
+              },
+              `[${source.name}] Skipped due to hostname mismatch`,
+            );
+            continue;
+          }
+
           // Capture which credential groups are already claimed BEFORE processing this source
           // This allows a single source to provide complete credential pairs
           const claimedGroups = getClaimedCredentialGroups(baseConfig);
@@ -247,7 +286,10 @@ export class ConfigResolver {
       }
     }
 
-    // Apply overrides with hostname mismatch protection
+    // Apply overrides with hostname mismatch protection.
+    // Instance-bound sources with conflicting hostnames were already skipped above,
+    // so baseConfig only contains non-instance-bound fields. The merge handles
+    // the case where no source provided a hostname (no mismatch to detect).
     const {config, warnings: mergeWarnings} = mergeConfigsWithProtection(overrides, baseConfig, {
       hostnameProtection: options.hostnameProtection,
     });

packages/b2c-tooling-sdk/test/config/resolver.test.ts

@@ -674,6 +674,63 @@ describe('config/resolver', () => {
       expect(config.selfSigned).to.equal(true);
     });
 
+    it('preserves non-instance-bound source fields on hostname mismatch', () => {
+      const instanceSource = new MockSource('dw-json', {
+        hostname: 'prod.demandware.net',
+        username: 'admin',
+        password: 'prod-pass',
+        shortCode: 'abcdef',
+      });
+      const globalSource = new MockSource('password-store', {
+        clientId: 'my-client-id',
+        clientSecret: 'my-client-secret',
+        shortCode: 'abcdef',
+      });
+      const resolver = new ConfigResolver([instanceSource, globalSource]);
+
+      const {config, warnings, sources} = resolver.resolve(
+        {hostname: 'staging.demandware.net'},
+        {hostnameProtection: true},
+      );
+
+      expect(config.hostname).to.equal('staging.demandware.net');
+      // Instance-bound fields should be dropped
+      expect(config.username).to.be.undefined;
+      expect(config.password).to.be.undefined;
+      // Non-instance-bound fields should survive
+      expect(config.clientId).to.equal('my-client-id');
+      expect(config.clientSecret).to.equal('my-client-secret');
+      // Fields from non-instance-bound source that were previously shadowed
+      // by the instance-bound source should now be available
+      expect(config.shortCode).to.equal('abcdef');
+      expect(warnings).to.have.length(1);
+      expect(warnings[0].code).to.equal('HOSTNAME_MISMATCH');
+
+      // Source info should reflect the drop
+      const dwJsonInfo = sources.find((s) => s.name === 'dw-json');
+      expect(dwJsonInfo).to.exist;
+      expect(dwJsonInfo!.fields).to.deep.equal([]);
+      expect(dwJsonInfo!.fieldsIgnored).to.include('hostname');
+      expect(dwJsonInfo!.fieldsIgnored).to.include('username');
+      expect(dwJsonInfo!.fieldsIgnored).to.include('password');
+    });
+
+    it('drops fields from plugin source that also provides hostname on mismatch', () => {
+      const pluginSource = new MockSource('custom-plugin', {
+        hostname: 'prod.demandware.net',
+        clientId: 'plugin-client-id',
+        clientSecret: 'plugin-client-secret',
+      });
+      const resolver = new ConfigResolver([pluginSource]);
+
+      const {config} = resolver.resolve({hostname: 'staging.demandware.net'}, {hostnameProtection: true});
+
+      expect(config.hostname).to.equal('staging.demandware.net');
+      // Plugin provided hostname, so it's instance-bound — all its fields dropped
+      expect(config.clientId).to.be.undefined;
+      expect(config.clientSecret).to.be.undefined;
+    });
+
     it('discards TLS options on hostname mismatch protection', () => {
       const source = new MockSource('test', {
         hostname: 'prod.demandware.net',