Documentation audit pass: corrected flag mismatches and missing commands

- Documented previously omitted commands: b2c sandbox ips, b2c mrt env var
  push, b2c debug
- Fixed MRT reference: project get/update/delete now show the required
  positional slug; project member roles use integer values; env invalidate
  uses --pattern; redirect create/delete/clone flag names corrected; user
  api-key and email-prefs rewritten against the real flags
- Rewrote ecdn flag tables for zones create, cache purge, security update,
  speed update, and logpush jobs create to match source
- Removed phantom flags from am users update
- Standardized Node.js requirement on >=22.16.0 across guides
- account-manager guide no longer recommends the unsupported
  client_secret_post; authentication warning reframed as guidance
- Added Copilot section to agent-skills so the homepage Copilot link lands
  on meaningful content
- Filled gaps in cli/index.md command-topic listing
- b2c debug --help now deep-links to the new docs page

Author: clavery

.changeset/cli-debug-docs-link.md

@@ -0,0 +1,5 @@
+---
+'@salesforce/b2c-cli': patch
+---
+
+`b2c debug --help` now deep-links to the Debug command reference page on the docs site.

.changeset/docs-audit-fixes.md

@@ -0,0 +1,14 @@
+---
+'@salesforce/b2c-dx-docs': patch
+---
+
+Documentation audit pass: corrected mismatched flags and missing commands across the CLI reference. Highlights:
+
+- Documented `b2c sandbox ips`, `b2c mrt env var push`, and `b2c debug` (previously omitted).
+- Fixed `mrt project get/update/delete` examples to use the required positional slug; corrected `mrt project member add/update --role` to integer values; replaced `mrt env invalidate --path` with the actual `--pattern` flag; corrected `mrt env redirect create/delete/clone` flag names; rewrote `mrt user api-key` and `mrt user email-prefs` against the real flags.
+- Rewrote `ecdn zones create`, `ecdn cache purge`, `ecdn security update`, `ecdn speed update`, and `ecdn logpush jobs create` flag tables to match source.
+- Removed phantom flags (`--display-name`, etc.) from `am users update`.
+- Standardized Node.js requirement on `>=22.16.0` across all installation guides.
+- `account-manager` guide no longer recommends the unsupported `client_secret_post`; the `authentication` warning was reframed as guidance toward `client_secret_basic`.
+- Added a Copilot section to the agent-skills guide so the homepage Copilot link points at meaningful content.
+- Filled gaps in the CLI command-topic index (`bm-roles`, `setup`, `ecdn`, `replications`, `scapi-schemas`, `cap`, `logs`).

docs/.vitepress/config.mts

@@ -108,6 +108,7 @@ const referenceSidebar = [
       {text: 'Code', link: '/cli/code'},
       {text: 'Content', link: '/cli/content'},
       {text: 'Custom APIs', link: '/cli/custom-apis'},
+      {text: 'Debug', link: '/cli/debug'},
       {text: 'Docs', link: '/cli/docs'},
       {text: 'eCDN', link: '/cli/ecdn'},
       {text: 'Jobs', link: '/cli/jobs'},

docs/api-readme.md

@@ -176,7 +176,8 @@ Used for OCAPI and can be used for WebDAV:
 const config = resolveConfig({
   clientId: 'your-client-id',
   clientSecret: 'your-client-secret',
-  scopes: ['SALESFORCE_COMMERCE_API:...:dwsid'],
+  // Scopes are tenant-specific; replace `zzxy_001` with your tenant short code.
+  scopes: ['SALESFORCE_COMMERCE_API:zzxy_001:sites_rw'],
 });
 
 const instance = config.createB2CInstance();

docs/cli/account-manager.md

@@ -256,11 +256,6 @@ b2c am users update <LOGIN> [FLAGS]
 |------|-------------|
 | `--first-name` | Update first name |
 | `--last-name` | Update last name |
-| `--display-name` | Update display name |
-| `--preferred-locale` | Update preferred locale |
-| `--business-phone` | Update business phone |
-| `--home-phone` | Update home phone |
-| `--mobile-phone` | Update mobile phone |
 | `--json` | Output results as JSON |
 
 #### Examples
@@ -269,11 +264,10 @@ b2c am users update <LOGIN> [FLAGS]
 # Update user's first name
 b2c am users update user@example.com --first-name Jane
 
-# Update multiple fields
+# Update both name fields
 b2c am users update user@example.com \
   --first-name Jane \
-  --last-name Smith \
-  --display-name "Jane Smith"
+  --last-name Smith
 
 # Output as JSON
 b2c am users update user@example.com --first-name Jane --json

docs/cli/debug.md

@@ -0,0 +1,59 @@
+---
+description: Start a DAP debug adapter for B2C Commerce server-side script debugging.
+---
+
+# Debug Command
+
+The `b2c debug` command launches a [Debug Adapter Protocol (DAP)](https://microsoft.github.io/debug-adapter-protocol/) adapter that bridges your IDE to the B2C Commerce script debugger. It's designed to be invoked by an IDE (VS Code, JetBrains, etc.) over stdio, not run directly in a shell.
+
+## Authentication
+
+The script debugger uses **Basic auth** (Business Manager username and password). OAuth credentials are not sufficient. Provide credentials via any of:
+
+- `--username` / `--password` flags
+- `SFCC_USERNAME` / `SFCC_PASSWORD` environment variables
+- `username` / `password` fields in `dw.json`
+
+See the [Authentication Guide](/guide/authentication) for details.
+
+## b2c debug
+
+Start the DAP adapter for the configured B2C instance.
+
+### Usage
+
+```bash
+b2c debug [--cartridge-path <PATH>] [--client-id <ID>]
+```
+
+### Flags
+
+| Flag | Description | Default |
+|------|-------------|---------|
+| `--cartridge-path` | Path to your cartridges directory. The adapter recursively discovers cartridges under this path and maps them to the running instance. | `.` |
+| `--client-id` | Client ID reported to the B2C script debugger API. Useful when multiple debug sessions share an instance. | `b2c-cli` |
+
+Inherits the [global instance and authentication flags](./index#global-flags) (`--server`, `--username`, `--password`, etc.).
+
+### Examples
+
+```bash
+# Run from a project root with cartridges in ./cartridges or ./
+b2c debug
+
+# Point at an explicit cartridges directory
+b2c debug --cartridge-path ./cartridges
+
+# Use a non-default debugger client ID
+b2c debug --client-id my-debugger
+```
+
+### IDE Integration
+
+Most IDEs spawn DAP adapters automatically based on a launch configuration. The adapter speaks DAP over **stdin/stdout**, so direct shell invocation will appear to hang — that's expected. Configure your IDE's debug launcher to invoke `b2c debug` and supply the appropriate environment.
+
+## Notes
+
+- A warning is emitted if no cartridges are found at `--cartridge-path`.
+- Source maps are derived from the discovered cartridge layout; ensure your local cartridge tree matches what's deployed to the instance, otherwise breakpoints may not bind.
+- The adapter exits when its stdin stream closes.

docs/cli/ecdn.md

@@ -62,48 +62,44 @@ b2c ecdn zones list --tenant-id zzxy_prd
 
 ### b2c ecdn zones create
 
-Create a new storefront zone.
+Create a new storefront CDN zone.
 
 ```bash
-b2c ecdn zones create --tenant-id zzxy_prd --storefront-hostname www.example.com --origin-hostname origin.example.com
+b2c ecdn zones create --tenant-id zzxy_prd --domain-name example.com
+b2c ecdn zones create --tenant-id zzxy_prd --domain-name store.example.com --json
 ```
 
 #### Flags
 
 | Flag | Description | Required |
 |------|-------------|----------|
-| `--storefront-hostname` | Customer-facing hostname | Yes |
-| `--origin-hostname` | Origin server hostname | Yes |
+| `--domain-name`, `-d` | Domain name for the storefront zone | Yes |
 
 ---
 
 ## Cache Management
 
 ### b2c ecdn cache purge
 
-Purge cached content from the CDN.
+Purge cached content from the CDN by path or cache tag. At least one of `--path` or `--tag` must be supplied.
 
 ```bash
-# Purge by path
-b2c ecdn cache purge --zone my-zone --path /products --path /categories
+# Purge a single path (format: hostname/path)
+b2c ecdn cache purge --zone my-zone --path "www.example.com/products"
 
-# Purge by cache tag
-b2c ecdn cache purge --zone my-zone --tag product-123
+# Purge by cache tag (repeatable)
+b2c ecdn cache purge --zone my-zone --tag product-123 --tag category-456
 
-# Purge everything
-b2c ecdn cache purge --zone my-zone --purge-everything
+# Wildcard path purge
+b2c ecdn cache purge --zone my-zone --path "www.example.com/dw/image/v2/realm_instance/*" --json
 ```
 
 #### Flags
 
 | Flag | Description |
 |------|-------------|
-| `--path` | Path to purge (can be repeated) |
-| `--tag` | Cache tag to purge (can be repeated) |
-| `--host` | Host for path purging |
-| `--purge-everything` | Purge all cached content |
-
-At least one purge method must be specified.
+| `--path`, `-p` | Path to purge in `hostname/path` format |
+| `--tag`, `-t` | Cache tag to purge (repeatable) |
 
 ---
 
@@ -180,33 +176,36 @@ b2c ecdn security get --zone my-zone
 #### Output
 
 Displays settings including:
-- SSL mode
-- Always use HTTPS
-- Minimum TLS version
-- TLS 1.3 status
-- Automatic HTTPS rewrites
-- Opportunistic encryption
+- Security level
+- Always-use-HTTPS state
+- TLS 1.3 state
+- WAF (OWASP) state
+- HSTS configuration (enabled, include subdomains, max age, preload)
 
 ---
 
 ### b2c ecdn security update
 
-Update security settings.
+Update security settings for a zone. Provide only the flags you want to change.
 
 ```bash
-b2c ecdn security update --zone my-zone --ssl-mode full --min-tls-version 1.2 --always-use-https
+b2c ecdn security update --zone my-zone --security-level medium
+b2c ecdn security update --zone my-zone --always-use-https
+b2c ecdn security update --zone my-zone --tls13 --waf
 ```
 
 #### Flags
 
 | Flag | Description | Options |
 |------|-------------|---------|
-| `--ssl-mode` | SSL/TLS mode | `off`, `flexible`, `full`, `strict` |
-| `--min-tls-version` | Minimum TLS version | `1.0`, `1.1`, `1.2`, `1.3` |
-| `--always-use-https` / `--no-always-use-https` | Force HTTPS | - |
-| `--tls-1-3` / `--no-tls-1-3` | Enable TLS 1.3 | - |
-| `--automatic-https-rewrites` / `--no-automatic-https-rewrites` | Rewrite HTTP links | - |
-| `--opportunistic-encryption` / `--no-opportunistic-encryption` | Enable opportunistic encryption | - |
+| `--security-level` | Zone security level | `off`, `essentially_off`, `low`, `medium`, `high`, `under_attack` |
+| `--always-use-https` / `--no-always-use-https` | Redirect all HTTP requests to HTTPS | — |
+| `--tls13` / `--no-tls13` | Enable TLS 1.3 | — |
+| `--waf` / `--no-waf` | Enable WAF (OWASP) protection | — |
+| `--hsts-enabled` / `--no-hsts-enabled` | Enable HSTS | — |
+| `--hsts-include-subdomains` / `--no-hsts-include-subdomains` | Include subdomains in HSTS | — |
+| `--hsts-max-age` | HSTS max age in seconds | integer |
+| `--hsts-preload` / `--no-hsts-preload` | Enable HSTS preload | — |
 
 ---
 
@@ -224,28 +223,25 @@ b2c ecdn speed get --zone my-zone
 
 ### b2c ecdn speed update
 
-Update speed optimization settings.
+Update speed optimization settings. Each flag accepts a string value (typically `on`/`off`); omitted flags default to `off` in the request body.
 
 ```bash
-b2c ecdn speed update --zone my-zone --browser-cache-ttl 14400 --auto-minify-html --auto-minify-css --auto-minify-js
+b2c ecdn speed update --zone my-zone --brotli on
+b2c ecdn speed update --zone my-zone --http3 on --early-hints on
+b2c ecdn speed update --zone my-zone --polish lossy --webp on
 ```
 
 #### Flags
 
-| Flag | Description |
-|------|-------------|
-| `--browser-cache-ttl` | Browser cache TTL in seconds |
-| `--auto-minify-html` / `--no-auto-minify-html` | Auto-minify HTML |
-| `--auto-minify-css` / `--no-auto-minify-css` | Auto-minify CSS |
-| `--auto-minify-js` / `--no-auto-minify-js` | Auto-minify JavaScript |
-| `--brotli` / `--no-brotli` | Enable Brotli compression |
-| `--early-hints` / `--no-early-hints` | Enable Early Hints |
-| `--h2-prioritization` / `--no-h2-prioritization` | HTTP/2 prioritization |
-| `--image-resizing` / `--no-image-resizing` | Enable image resizing |
-| `--mirage` / `--no-mirage` | Enable Mirage |
-| `--polish` | Polish mode (`off`, `lossless`, `lossy`) |
-| `--prefetch-preload` / `--no-prefetch-preload` | Prefetch preload |
-| `--rocket-loader` / `--no-rocket-loader` | Rocket Loader |
+| Flag | Description | Options |
+|------|-------------|---------|
+| `--brotli` | Brotli compression | `on`, `off` |
+| `--http2-prioritization` | HTTP/2 prioritization | `on`, `off` |
+| `--http2-to-origin` | HTTP/2 to origin | `on`, `off` |
+| `--http3` | HTTP/3 | `on`, `off` |
+| `--early-hints` | Early hints | `on`, `off` |
+| `--webp` | WebP image format support | `on`, `off` |
+| `--polish` | Image polish level | `off`, `lossless`, `lossy` |
 
 ---
 
@@ -410,19 +406,23 @@ b2c ecdn logpush jobs list --zone my-zone
 Create a Logpush job.
 
 ```bash
-b2c ecdn logpush jobs create --zone my-zone --name "HTTP logs" --destination-path 's3://my-bucket/logs?region=us-east-1' --log-type http_requests --log-fields ClientRequestHost,ClientRequestMethod
+b2c ecdn logpush jobs create --zone my-zone \
+  --name "HTTP logs" \
+  --destination-path 's3://my-bucket/logs/{DATE}?region=us-east-1' \
+  --log-type http_requests \
+  --log-fields ClientRequestHost,ClientRequestMethod
 ```
 
 #### Flags
 
 | Flag | Description | Required |
 |------|-------------|----------|
-| `--name` | Job name | Yes |
-| `--destination-path` | Log destination path | Yes |
-| `--log-type` | Type of logs (`http_requests`, `firewall_events`, `nel_reports`, `dns_logs`) | Yes |
-| `--log-fields` | Comma-separated log fields | No |
-| `--filter` | JSON filter expression | No |
-| `--enabled` | Enable job on creation | No |
+| `--name` | Job name (immutable after creation) | Yes |
+| `--destination-path` | Destination path, e.g. `s3://bucket/path/{DATE}?region=us-east-1` | Yes |
+| `--log-type` | Type of logs: `http_requests`, `firewall_events`, `page_shield_events` | Yes |
+| `--log-fields` | Comma-separated list of log fields to include | Yes |
+| `--filter` | JSON filter expression for log selection | No |
+| `--ownership-token` | Ownership challenge token for destination verification | No |
 
 ---
 

docs/cli/index.md

@@ -67,18 +67,26 @@ Safety Mode operates at the HTTP layer and cannot be bypassed by command-line fl
 - [Job Commands](./jobs) - Execute and monitor jobs, import/export site archives
 - [Sites Commands](./sites) - List and manage sites
 - [WebDAV Commands](./webdav) - File operations on instance WebDAV
+- [Logs Commands](./logs) - Tail and retrieve instance logs
+- [Content Commands](./content) - Export Page Designer content from a site
+- [BM Roles Commands](./bm-roles) - Manage Business Manager roles and permissions
 
 ### Services
 
 - [Sandbox Commands](./sandbox) - Create and manage On-Demand Sandboxes
 - [MRT Commands](./mrt) - Manage Managed Runtime (MRT) projects and deployments
 - [SLAS Commands](./slas) - Manage Shopper Login and Access Service (SLAS) API clients
 - [CIP Commands](./cip) - Run CIP SQL queries and curated analytics reports
+- [eCDN Commands](./ecdn) - Manage eCDN zones, certificates, WAF, Page Shield, and edge configuration
 - [Custom APIs](./custom-apis) - SCAPI Custom API endpoint status
+- [SCAPI Schemas](./scapi-schemas) - Browse and retrieve SCAPI OpenAPI schemas
+- [Granular Replications](./replications) - Trigger and monitor SCAPI granular replications
+- [CAP Commands](./cap) - Manage Commerce App Packages
 
 ### Development
 
 - [Scaffold Commands](./scaffold) - Generate cartridges, controllers, hooks, and more from templates
+- [Debug Command](./debug) - Start a DAP adapter for IDE-driven script debugging
 
 ### Account Management
 
@@ -91,10 +99,11 @@ All Account Manager commands are under the `am` topic:
 - `b2c am orgs ...` - Organization management commands
 - `b2c am clients ...` - API client management (list, get, create, update, delete, password)
 
-### Utilities
+### Setup & Utilities
 
-- [Docs Commands](./docs) - Search/read Script API docs and XSD schemas, and download docs from an instance
+- [Setup Commands](./setup) - Configure instances, install IDE integrations, and install agent skills
 - [Auth Commands](./auth) - Authentication and token management
+- [Docs Commands](./docs) - Search/read Script API docs and XSD schemas, and download docs from an instance
 - [Logging](./logging) - Log levels, output formats, and environment variables
 
 ## Getting Help