@W-21461342 Adding Configurable safety levels (#235)

* @W-21461342 Configurable safety levels

* addressing review comments

* removing remnant

* addressing review comments

Author: charithaT07

docs/cli/index.md

@@ -27,6 +27,32 @@ These flags are available on all commands that interact with B2C instances:
 | `--username`, `-u` | `SFCC_USERNAME`      | Username for Basic Auth            |
 | `--password`, `-p` | `SFCC_PASSWORD`      | Password/access key for Basic Auth |
 
+### Safety Mode
+
+Safety Mode provides protection against accidental or unwanted destructive operations. This is particularly important when using the CLI in automated environments, CI/CD pipelines, or as a tool for AI agents.
+
+| Environment Variable   | Values | Description |
+| ---------------------- | ------ | ----------- |
+| `SFCC_SAFETY_LEVEL` | `NONE` (default) | No restrictions |
+| | `NO_DELETE` | Block DELETE operations |
+| | `NO_UPDATE` | Block DELETE and destructive operations (reset, stop, restart) |
+| | `READ_ONLY` | Block all write operations (GET only) |
+
+**Example:**
+```bash
+# Prevent deletions in CI/CD
+export SFCC_SAFETY_LEVEL=NO_DELETE
+b2c sandbox create --realm test  # ✅ Allowed
+b2c sandbox delete test-id       # ❌ Blocked
+
+# Read-only mode for reporting
+export SFCC_SAFETY_LEVEL=READ_ONLY
+b2c sandbox list                 # ✅ Allowed
+b2c sandbox create --realm test  # ❌ Blocked
+```
+
+Safety Mode operates at the HTTP layer and cannot be bypassed by command-line flags. See the [Security Guide](/guide/security#operational-security-safety-mode) for detailed information.
+
 ### Other Environment Variables
 
 | Environment Variable         | Description                             |

docs/guide/configuration.md

@@ -82,6 +82,7 @@ You can configure the CLI using environment variables:
 | `MRT_PROJECT`                 | MRT project slug (`SFCC_MRT_PROJECT` also supported)           |
 | `MRT_ENVIRONMENT`             | MRT environment name (`SFCC_MRT_ENVIRONMENT`, `MRT_TARGET` also supported) |
 | `MRT_CLOUD_ORIGIN`            | MRT API origin URL override (`SFCC_MRT_CLOUD_ORIGIN` also supported) |
+| `SFCC_SAFETY_LEVEL`           | Safety mode: `NONE`, `NO_DELETE`, `NO_UPDATE`, `READ_ONLY` (see [Safety Mode](/guide/security#operational-security-safety-mode)) |
 
 ## .env File
 

docs/guide/security.md

@@ -64,6 +64,44 @@ When adding a new dependency that requires build scripts:
 
 This project uses [NPM trusted publishers](https://docs.npmjs.com/trusted-publishers) for package publication. Instead of storing long-lived npm tokens, packages are published via GitHub Actions using short-lived OIDC tokens that cannot be extracted or reused.
 
+## Operational Security: Safety Mode
+
+The CLI includes a **Safety Mode** feature via CLI checks and HTTP middleware that prevents accidental or unwanted destructive operations. This is particularly important when:
+
+- Providing the CLI as a tool to AI agents/LLMs
+- Working in production environments
+- Training new team members
+- Running commands from untrusted scripts
+
+### Safety Levels
+
+Configure via the `SFCC_SAFETY_LEVEL` environment variable:
+
+| Level | Description | Blocks |
+|-------|-------------|--------|
+| `NONE` | No restrictions (default) | Nothing |
+| `NO_DELETE` | Prevent deletions | DELETE operations |
+| `NO_UPDATE` | Prevent deletions and destructive updates | DELETE + reset/stop/restart |
+| `READ_ONLY` | Read-only mode | All writes (POST/PUT/PATCH/DELETE) |
+
+### Usage
+
+```bash
+# Default - no restrictions
+export SFCC_SAFETY_LEVEL=NONE
+
+# Prevent deletions
+export SFCC_SAFETY_LEVEL=NO_DELETE
+
+# Prevent deletions and destructive updates
+export SFCC_SAFETY_LEVEL=NO_UPDATE
+
+# Read-only mode
+export SFCC_SAFETY_LEVEL=READ_ONLY
+```
+
+Environment variables are used instead of command-line flags because LLMs control commands and flags, but not the environment.
+
 ## Best Practices
 
 ### For Contributors
@@ -78,3 +116,4 @@ This project uses [NPM trusted publishers](https://docs.npmjs.com/trusted-publis
 - Keep the CLI updated to receive security patches
 - Review the `pnpm-workspace.yaml` settings if you fork or modify this project
 - Consider using similar protections in your own projects
+- **Use Safety Mode** when running CLI in automated environments or providing it as a tool to AI agents

packages/b2c-cli/src/commands/am/clients/delete.ts

@@ -27,6 +27,9 @@ export default class ClientDelete extends AmCommand<typeof ClientDelete> {
   static examples = ['<%= config.bin %> <%= command.id %> <api-client-id>'];
 
   async run(): Promise<void> {
+    // Prevent deletion in safe mode
+    this.assertDestructiveOperationAllowed('delete API client');
+
     const apiClientId = this.args['api-client-id'];
 
     this.log(t('commands.client.delete.deleting', 'Deleting API client {{id}}...', {id: apiClientId}));

packages/b2c-cli/src/commands/am/users/delete.ts

@@ -35,6 +35,9 @@ export default class UserDelete extends AmCommand<typeof UserDelete> {
   };
 
   async run(): Promise<void> {
+    // Prevent deletion in safe mode
+    this.assertDestructiveOperationAllowed('delete user');
+
     const {login} = this.args;
     const {purge} = this.flags;
 

packages/b2c-cli/src/commands/am/users/reset.ts

@@ -28,6 +28,9 @@ export default class UserReset extends AmCommand<typeof UserReset> {
   ];
 
   async run(): Promise<void> {
+    // Prevent password reset in safe mode
+    this.assertDestructiveOperationAllowed('reset user password');
+
     const {login} = this.args;
 
     this.log(t('commands.user.reset.fetching', 'Fetching user {{login}}...', {login}));

packages/b2c-cli/src/commands/code/delete.ts

@@ -60,6 +60,9 @@ export default class CodeDelete extends InstanceCommand<typeof CodeDelete> {
   };
 
   async run(): Promise<void> {
+    // Prevent deletion in safe mode
+    this.assertDestructiveOperationAllowed('delete code version');
+
     this.requireOAuthCredentials();
 
     const codeVersion = this.args.codeVersion;

packages/b2c-cli/src/commands/ecdn/certificates/delete.ts

@@ -49,6 +49,9 @@ export default class EcdnCertificatesDelete extends EcdnZoneCommand<typeof EcdnC
   };
 
   async run(): Promise<DeleteOutput> {
+    // Prevent deletion in safe mode
+    this.assertDestructiveOperationAllowed('delete certificate');
+
     this.requireOAuthCredentials();
 
     const zoneId = await this.resolveZoneId();

packages/b2c-cli/src/commands/ecdn/logpush/jobs/delete.ts

@@ -37,6 +37,9 @@ export default class EcdnLogpushJobsDelete extends EcdnZoneCommand<typeof EcdnLo
   };
 
   async run(): Promise<DeleteOutput> {
+    // Prevent deletion in safe mode
+    this.assertDestructiveOperationAllowed('delete Logpush job');
+
     this.requireOAuthCredentials();
 
     const zoneId = await this.resolveZoneId();

packages/b2c-cli/src/commands/ecdn/mrt-rules/delete.ts

@@ -39,6 +39,9 @@ export default class EcdnMrtRulesDelete extends EcdnZoneCommand<typeof EcdnMrtRu
   };
 
   async run(): Promise<DeleteOutput> {
+    // Prevent deletion in safe mode
+    this.assertDestructiveOperationAllowed('delete MRT ruleset');
+
     this.requireOAuthCredentials();
 
     const zoneId = await this.resolveZoneId();