This PR was opened by the Changesets release GitHub action. When you're ready to do a release, you can merge this and publish to npm yourself or setup this action to publish automatically. If you're not ready to do a release yet, that's fine, whenever you add more changesets to main, this PR will be updated.

Releases

@salesforce/b2c-cli@1.9.0

Minor Changes

• #395 b947888 - Add b2c debug cli command for interactive terminal-based script debugging. Includes a REPL with commands for breakpoints, stepping, variable inspection, and expression evaluation. Use --rpc for JSONL-over-stdio mode suitable for headless scripts and agents. (Thanks @clavery!)

• #399 6be308a - Support assetQuery as a first-class config field. Set it in dw.json (per-instance), in package.json under b2c, or via SFCC_ASSET_QUERY to control which JSON dot-paths are extracted as assets during content library parsing. The VS Code Content Libraries tree and b2c content export both honor it automatically; the --asset-query flag still wins when provided, and the fallback remains ["image.path"]. (Thanks @clavery!)

• #408 a26226c - Added b2c bm users command topic for managing instance-level Business Manager users via the OCAPI Data API: list, get, search, whoami, update, and delete. Also added b2c bm users access-keys (get, create, set, delete) for provisioning and rotating WebDAV/OCAPI/SCAPI access keys for externally-managed (AM/SSO) users. The SDK now exposes a matching @salesforce/b2c-tooling-sdk/operations/bm-users module. (Thanks @clavery!)

• #408 a26226c - Added --columns and --extended flags to all list and search commands for consistent column selection across the CLI. Roughly 30 commands that previously had no column-customization support — including bm roles list, webdav ls, cap list, code list, content list, docs search, job search, logs list, sites list, slas client list, all mrt list commands, plus several setup and scaffold commands — now accept -c id,name,... to pick columns and -x to include extended fields (e.g. webdav ls --extended exposes the previously-hidden modified and contentType columns). (Thanks @clavery!)

  The SDK now exposes shared columnFlagsFor() / selectColumns() helpers (replacing 22 duplicated implementations) and a printFieldsBlock() helper for rendering "label / value" detail blocks.

• #405 b1600fa - Refresh the MRT admin API schema and add new commands: (Thanks @clavery!)

  • b2c mrt env clone — clone an environment from an existing source, optionally copying redirects, environment variables, and B2C target info
  • b2c mrt bundle delete — delete one or more bundles (uses bulk-delete when more than one ID is supplied)
  • b2c mrt org member list|add|get|update|remove — manage organization-level members
  • b2c mrt org cert list|get|create|delete|restart-validation — manage custom domain certificates referenced by environments

• #328 31e136b - ODS CLI: b2c sandbox create adds --emails for notification addresses; b2c sandbox update adds --start-scheduler, --stop-scheduler, --clear-start-scheduler, and --clear-stop-scheduler; b2c realm update adds --emails, --start-scheduler, --stop-scheduler, --clear-start-scheduler, and --clear-stop-scheduler. (Thanks @charithaT07!)

  Sandbox API: b2c sandbox operations list and b2c sandbox operations get (inspect lifecycle operations); b2c sandbox alias get (get one alias by ID, same endpoint as alias list --alias-id).

  User guide updated for scheduling flags, sandbox operations, and b2c sandbox alias get.

Patch Changes

• #407 f1a4ac0 - CLI cleanup and correctness fixes: (Thanks @clavery!)

  • b2c cip query, cip describe, cip tables, and cip report * now stream output through oclif's ux.stdout instead of writing directly to process.stdout. This restores the --json flag and makes output capturable by tests and CI.
  • Long-running commands (code:watch, logs:tail, mrt:tail-logs) now deregister their SIGINT/SIGTERM handlers when finished, so re-invocations no longer stack handlers on the same process.
  • Hook and signal-handler errors that were previously swallowed (job:run afterOperation hooks, logs:tail stop, setup:ide:prophet console fallbacks) now log at debug instead of disappearing.
  • AM list commands (am clients|roles|users list) share a single amPageSizeFlag definition.
  • Removed deprecated LocalSourceResult re-export.

• 3cefda3 - b2c debug --help now deep-links to the Debug command reference page on the docs site. (Thanks @clavery!)

• Updated dependencies [b947888, 6be308a, f1a4ac0, a26226c, a26226c, 51aed02, b53d75e, b1600fa]:

  • @salesforce/b2c-tooling-sdk@1.9.0

@salesforce/b2c-dx-mcp@1.1.0

Minor Changes

• #395 b947888 - Add script debugger MCP tools to the CARTRIDGES and STOREFRONTNEXT toolsets. Includes debug_start_session, debug_end_session, debug_list_sessions, debug_set_breakpoints, debug_wait_for_stop, debug_get_stack, debug_get_variables, debug_evaluate, debug_continue, debug_step_over, debug_step_into, debug_step_out, and debug_capture_at_breakpoint. (Thanks @clavery!)

• #395 b947888 - Add ServerContext for persistent server-scoped state across MCP tool invocations. Enables stateful tools (debug sessions, log watches) while preserving per-call config reloading for existing tools. (Thanks @clavery!)

Patch Changes

• #407 f1a4ac0 - - Telemetry send failures are no longer silently swallowed; they now log at debug level so deployment-monitoring drift is visible behind the --debug flag. (Thanks @clavery!)
  • registerToolsets() throws a clear error if invoked more than once for the same server instance (instead of producing a cryptic duplicate-tool error from the SDK).
• Updated dependencies [b947888, 6be308a, f1a4ac0, a26226c, a26226c, 51aed02, b53d75e, b1600fa]:
  • @salesforce/b2c-tooling-sdk@1.9.0

@salesforce/b2c-tooling-sdk@1.9.0

Minor Changes

• #395 b947888 - Add resolveBreakpointPath utility that normalizes user-provided file paths to SDAPI script paths. Accepts server paths, absolute/relative local paths, and cartridge-name-prefixed paths with helpful error messages on failure. (Thanks @clavery!)

• #399 6be308a - Support assetQuery as a first-class config field. Set it in dw.json (per-instance), in package.json under b2c, or via SFCC_ASSET_QUERY to control which JSON dot-paths are extracted as assets during content library parsing. The VS Code Content Libraries tree and b2c content export both honor it automatically; the --asset-query flag still wins when provided, and the fallback remains ["image.path"]. (Thanks @clavery!)

• #408 a26226c - Added b2c bm users command topic for managing instance-level Business Manager users via the OCAPI Data API: list, get, search, whoami, update, and delete. Also added b2c bm users access-keys (get, create, set, delete) for provisioning and rotating WebDAV/OCAPI/SCAPI access keys for externally-managed (AM/SSO) users. The SDK now exposes a matching @salesforce/b2c-tooling-sdk/operations/bm-users module. (Thanks @clavery!)

• #408 a26226c - Added --columns and --extended flags to all list and search commands for consistent column selection across the CLI. Roughly 30 commands that previously had no column-customization support — including bm roles list, webdav ls, cap list, code list, content list, docs search, job search, logs list, sites list, slas client list, all mrt list commands, plus several setup and scaffold commands — now accept -c id,name,... to pick columns and -x to include extended fields (e.g. webdav ls --extended exposes the previously-hidden modified and contentType columns). (Thanks @clavery!)

  The SDK now exposes shared columnFlagsFor() / selectColumns() helpers (replacing 22 duplicated implementations) and a printFieldsBlock() helper for rendering "label / value" detail blocks.

• #405 b1600fa - Refresh the MRT admin API schema and add new commands: (Thanks @clavery!)

  • b2c mrt env clone — clone an environment from an existing source, optionally copying redirects, environment variables, and B2C target info
  • b2c mrt bundle delete — delete one or more bundles (uses bulk-delete when more than one ID is supplied)
  • b2c mrt org member list|add|get|update|remove — manage organization-level members
  • b2c mrt org cert list|get|create|delete|restart-validation — manage custom domain certificates referenced by environments

Patch Changes

• #407 f1a4ac0 - Hardened auth and long-running operation paths: (Thanks @clavery!)

  • Token store now writes atomically (temp file + rename) so concurrent CLI invocations cannot corrupt auth-session.json.
  • OAuthStrategy.getAccessToken() coalesces concurrent refreshes onto a single in-flight request, preventing token-endpoint stampedes.
  • Debug session cleans up its keepalive/poll timers if connect() fails after starting them.
  • downloadCartridges and deployCartridges use try/finally around progress timers so an aborted or failing request can no longer leak intervals.
  • New @salesforce/b2c-tooling-sdk/ux export surfaces the canonical confirm() prompt; CLI re-exports from here.
  • New auth/jwt-utils consolidates JWT exp/scope decoding previously duplicated across three auth strategies.
  • Better error message when the implicit-OAuth port is already in use (suggests SFCC_OAUTH_LOCAL_PORT).

• #392 51aed02 - Fix active: true on configs[] instances being ignored unless the root object also has active: false (Thanks @clavery!)

• b53d75e - Fix bm users search returning only login and link fields. The underlying SDK searchBmUsers() now sends select=(**) (matching listBmUsers()), so --sort-by, --columns, and the default table now work as expected. A new select option is also exposed for callers that want a narrower projection. (Thanks @clavery!)

b2c-vs-extension@0.6.0

Minor Changes

• #399 6be308a - Support assetQuery as a first-class config field. Set it in dw.json (per-instance), in package.json under b2c, or via SFCC_ASSET_QUERY to control which JSON dot-paths are extracted as assets during content library parsing. The VS Code Content Libraries tree and b2c content export both honor it automatically; the --asset-query flag still wins when provided, and the fallback remains ["image.path"]. (Thanks @clavery!)

• #399 6be308a - Enforce Safety Mode in the VS Code extension. Destructive operations initiated from the extension (sandbox delete/stop/restart, WebDAV writes, jobs, etc.) now honor SFCC_SAFETY_LEVEL, SFCC_SAFETY_CONFIRM, SFCC_SAFETY_CONFIG, and the per-instance safety block in dw.json, consistent with the CLI. Every extension command is also evaluated against command rules (e.g. { "command": "b2c-dx.sandbox.delete", "action": "block" }), and confirmation-mode policies surface a native VS Code modal before the command runs. (Thanks @clavery!)

Patch Changes

• #407 f1a4ac0 - VS Code extension reliability fixes: (Thanks @clavery!)

  • Swagger API Browser webview no longer attempts postMessage after the panel has been disposed (previously could throw on token refresh or proxy responses arriving after close).
  • Sandbox tree polling no longer stacks "stop-check" timers when the configured polling interval is shorter than the 3-second stabilization window.
  • Code Sync now drains pending uploads/deletes before tearing down its file watchers, so saves immediately preceding a stop are no longer dropped.

• #399 6be308a - Fix Content Libraries tree not updating when switching instances. The tree previously kept libraries from the old instance; it now re-seeds from the newly active instance's configured contentLibrary on switch. (Thanks @clavery!)

• Updated dependencies [b947888, 6be308a, f1a4ac0, a26226c, a26226c, 51aed02, b53d75e, b1600fa]:

  • @salesforce/b2c-tooling-sdk@1.9.0

@salesforce/mrt-utilities@0.1.7

Patch Changes

• #407 f1a4ac0 - - The Lambda response adapter's pipeToDestination now destroys the destination stream when the underlying pipeline rejects, so consumers fail fast instead of hanging. (Thanks @clavery!)

  • pipedDestinations cleanup is unified between the success and error paths.

• #398 18471af - Keep ACH header in request (Thanks @kieran-sf!)

@salesforce/b2c-dx-docs@0.3.0

Minor Changes

• #408 a26226c - Replaced the BM Roles docs page with a comprehensive Business Manager reference covering all b2c bm commands — bm roles (list/get/create/delete/grant/revoke + permissions), bm users (list/get/search/update/delete), bm whoami, and bm access-key (get/create/set/delete). The new page documents the user-auth requirement on whoami and access-key endpoints, the access-key scope enum, and common workflows like rotating your own WebDAV password. (Thanks @clavery!)

Patch Changes

• #395 b947888 - Add debug command documentation and b2c-debug agent skill covering interactive REPL, RPC mode, and DAP usage. (Thanks @clavery!)

• 3cefda3 - Documentation audit pass: corrected mismatched flags and missing commands across the CLI reference. Highlights: (Thanks @clavery!)

  • Documented b2c sandbox ips, b2c mrt env var push, and b2c debug (previously omitted).
  • Fixed mrt project get/update/delete examples to use the required positional slug; corrected mrt project member add/update --role to integer values; replaced mrt env invalidate --path with the actual --pattern flag; corrected mrt env redirect create/delete/clone flag names; rewrote mrt user api-key and mrt user email-prefs against the real flags.
  • Rewrote ecdn zones create, ecdn cache purge, ecdn security update, ecdn speed update, and ecdn logpush jobs create flag tables to match source.
  • Removed phantom flags (--display-name, etc.) from am users update.
  • Standardized Node.js requirement on >=22.16.0 across all installation guides.
  • account-manager guide no longer recommends the unsupported client_secret_post; the authentication warning was reframed as guidance toward client_secret_basic.
  • Added a Copilot section to the agent-skills guide so the homepage Copilot link points at meaningful content.
  • Filled gaps in the CLI command-topic index (bm-roles, setup, ecdn, replications, scapi-schemas, cap, logs).

• #389 23205eb - Updated plugin install examples to default to user scope (Thanks @amit-kumar8-sf!)

• #328 31e136b - ODS CLI: b2c sandbox create adds --emails for notification addresses; b2c sandbox update adds --start-scheduler, --stop-scheduler, --clear-start-scheduler, and --clear-stop-scheduler; b2c realm update adds --emails, --start-scheduler, --stop-scheduler, --clear-start-scheduler, and --clear-stop-scheduler. (Thanks @charithaT07!)

  Sandbox API: b2c sandbox operations list and b2c sandbox operations get (inspect lifecycle operations); b2c sandbox alias get (get one alias by ID, same endpoint as alias list --alias-id).

  User guide updated for scheduling flags, sandbox operations, and b2c sandbox alias get.

@salesforce/b2c-agent-plugins@1.3.0

Minor Changes

• #408 a26226c - Added a new b2c-bm-users-roles skill covering all b2c bm instance commands — bm roles, bm users, bm whoami, and bm access-key. The existing b2c-am skill now defers to it for Business Manager content and stays focused on Account Manager (cross-instance) administration. (Thanks @clavery!)

Patch Changes

• #395 b947888 - Add debug command documentation and b2c-debug agent skill covering interactive REPL, RPC mode, and DAP usage. (Thanks @clavery!)

• #394 5ae3691 - Improve skill trigger accuracy: rewrite b2c-scapi-admin and b2c-site-import-export descriptions, merge b2c-users-roles into b2c-am, fix weak eval prompts for b2c-job (Thanks @clavery!)

• #405 b1600fa - Document new MRT environment clone, bundle delete, organization member, and organization certificate commands in the b2c-mrt skill. (Thanks @clavery!)