Security
API authentication, IP allowlists, environment isolation, and best practices for running PromptWire safely.
What PromptWire can access
PromptWire gives an AI agent direct read/write access to your ProcessWire site: pages, fields, templates, files, and schema. Treat it as a development tool with the same access level as a superuser in the admin.
Local mode
When running with PW_PATH only, PromptWire uses the PHP CLI on your machine. There is no network exposure. Commands execute within your local ProcessWire installation using the same permissions as the PHP process.
The MCP server communicates with Cursor over stdio (standard input/output), not over a network socket. No HTTP server is started for local-only operation.
Remote API authentication
The remote API endpoint (promptwire-api.php) authenticates every request using a shared secret sent in the X-PromptWire-Key header. The key is compared with hash_equals() to prevent timing attacks.
The key is defined in site/config-promptwire.php on the server (or via the PROMPTWIRE_API_KEY environment variable for containerised deployments). It must match the PW_REMOTE_KEY value in your local .cursor/mcp.json.
Key requirements
- Use a strong, random key. Generate one with openssl rand -hex 32.
- Use a unique key per site. Do not reuse keys across projects.
- Do not commit keys to version control. Keep config-promptwire.php out of your repo.
IP allowlisting
For an extra layer of protection, restrict the API to specific IP addresses:
define('PROMPTWIRE_ALLOWED_IPS', '1.2.3.4');
Multiple IPs can be comma-separated. The client IP is read from the X-Forwarded-For header (first hop) or REMOTE_ADDR.
If your IP changes frequently (VPN, mobile), you can leave the allowlist disabled. API key authentication is still enforced on every request.
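The key comparison and allowlist check described above, as an added example that is not PromptWire's own code. It honors X-Forwarded-For only when REMOTE_ADDR is a known reverse proxy, since the header is otherwise supplied by the client; the function names, the $trustedProxies list and the 401/403 mapping are assumptions.

```php
<?php
// Added example, not PromptWire's code. Function names, $trustedProxies and
// the 401/403 mapping are assumptions made for illustration.

/** Resolve the client IP; trust X-Forwarded-For only when the peer is a known proxy. */
function example_client_ip(array $server, array $trustedProxies): string
{
    $peer = $server['REMOTE_ADDR'] ?? '';
    $xff  = $server['HTTP_X_FORWARDED_FOR'] ?? '';
    if ($xff !== '' && in_array($peer, $trustedProxies, true)) {
        // First hop = leftmost entry of the header.
        $first = trim(explode(',', $xff)[0]);
        if (filter_var($first, FILTER_VALIDATE_IP) !== false) {
            return $first;
        }
    }
    return $peer;
}

/** Return the HTTP status a request would receive: 200, 401 or 403. */
function example_authorize(array $server, string $expectedKey, string $allowedIps, array $trustedProxies): int
{
    $sent = $server['HTTP_X_PROMPTWIRE_KEY'] ?? '';
    // hash_equals() compares in constant time; the known value goes first.
    if ($expectedKey === '' || !is_string($sent) || !hash_equals($expectedKey, $sent)) {
        return 401;
    }
    // Comma-separated allowlist; an empty list means the allowlist is disabled.
    $allow = array_filter(array_map('trim', explode(',', $allowedIps)), 'strlen');
    if ($allow !== [] && !in_array(example_client_ip($server, $trustedProxies), $allow, true)) {
        return 403;
    }
    return 200;
}

// Constructed sample requests using documentation-range addresses.
$key     = str_repeat('ab', 32); // stands in for `openssl rand -hex 32` output
$allowed = '203.0.113.10, 203.0.113.11';
$proxies = ['198.51.100.1'];
$cases = [
    'direct, allowed IP'        => ['REMOTE_ADDR' => '203.0.113.10', 'HTTP_X_PROMPTWIRE_KEY' => $key],
    'via trusted proxy'         => ['REMOTE_ADDR' => '198.51.100.1', 'HTTP_X_FORWARDED_FOR' => '203.0.113.11, 198.51.100.1', 'HTTP_X_PROMPTWIRE_KEY' => $key],
    'header from unknown peer'  => ['REMOTE_ADDR' => '192.0.2.50', 'HTTP_X_FORWARDED_FOR' => '203.0.113.10', 'HTTP_X_PROMPTWIRE_KEY' => $key],
    'wrong key'                 => ['REMOTE_ADDR' => '203.0.113.10', 'HTTP_X_PROMPTWIRE_KEY' => 'nope'],
];
foreach ($cases as $label => $server) {
    printf("%-26s %d\n", $label, example_authorize($server, $key, $allowed, $proxies));
}
```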
HTTPS
Always use HTTPS for remote connections. The API key is sent in a request header; plain HTTP would expose it to anyone monitoring network traffic.
Error handling
The API suppresses PHP error output to prevent information leakage. Error details are logged server-side but not returned in API responses. The response includes only a generic error message and an HTTP status code (401, 403, 404, or 500).
Response headers
The API sends the following headers on every response:
- Cache-Control: no-store and Pragma: no-cache to prevent proxy or browser caching.
- X-Robots-Tag: noindex, nofollow to keep the endpoint out of search engines.
File access
The sync directory (site/assets/pw-mcp/) includes a .htaccess with Deny from all and a stub index.php to block direct web access. YAML files containing your content are only accessible via the filesystem, not via HTTP.
Deployment exclusions
Several PromptWire directories and files are for local development only and should not be deployed to a production server. Exclude them from any deployment tool (Duplicator, rsync, CI pipeline, etc.):
- .pw-sync/ — local schema snapshots and named site configs. The sites/ subdirectory may contain API keys. This directory has no function on a production server.
- .cursor/ — Cursor IDE configuration. The mcp.json file contains API keys and machine-specific absolute paths.
- site/assets/pw-mcp/ — local content sync files (YAML). These are working copies for the AI agent and are not used by the live site.
The only PromptWire files that belong on a production server are:
- site/modules/PromptWire/ — the module itself (required if you want remote access).
- promptwire-api.php — the API endpoint in the site root.
- site/config-promptwire.php — the API key config (keep this out of version control).
Recommendations
- Do not install PromptWire on client-facing production sites unless you understand and accept the risk.
- Always have backups in place. PromptWire can create, edit, and delete pages, fields, and templates.
- Use the hybrid setup (local reads, remote writes) so your production site only receives explicit push operations, never exploratory queries.
- Review dry-run previews before applying changes to production.