This PR was opened by the Changesets release GitHub action. When you're ready to do a release, you can merge this and publish to npm yourself or setup this action to publish automatically. If you're not ready to do a release yet, that's fine, whenever you add more changesets to main, this PR will be updated.

Releases

@salesforce/b2c-cli@1.14.0

Minor Changes

• #452 9e44bee - Add ecdn firewall commands (list, get, create, update, delete, (Thanks @charithaT07!)
  reorder) for managing custom firewall rules on a CDN zone via the existing
  cdn-zones v1 APIs (/firewall-custom/rules). Supports partial updates,
  --json output (with table column flags on list), and routes destructive
  operations (delete, reorder) through the same safety guard the rest of
  the CLI uses.

• #484 80e63fc - b2c job import now supports --split for importing directories larger than the instance archive size limit. With --split (and optional --max-size, default 190mb), the import is broken into several smaller archives: order-sensitive metadata/XML is imported first — kept together when it fits, otherwise split at data-unit boundaries in dependency order — followed by static assets packed by compressed size. A normal import that exceeds the limit now warns and recommends --split. (Thanks @clavery!)

  Example: b2c job import ./big-site-data --split --max-size 150mb

  The SDK adds a corresponding siteArchiveImportSplit() operation.

Patch Changes

• Updated dependencies [b723939, 21bbed0, de8d40b, 80e63fc, c8e0b60]:
  • @salesforce/b2c-tooling-sdk@1.12.0

@salesforce/b2c-dx-mcp@1.2.0

Minor Changes

• #420 de8d40b - Add MCP tools for log inspection and documentation lookup. Logs: logs_list_files, logs_get_recent, and a logs_watch_start / logs_watch_poll / logs_watch_stop / logs_watch_list lifecycle that buffers entries between polls so agents don't miss logs produced between tool calls. Docs: docs_search, docs_read, docs_list, docs_schema_search, docs_schema_read, docs_schema_list for the bundled Script API and XSD schema corpora. Adds a new DIAGNOSTICS toolset that groups the script debugger and log tools; like SCAPI, it is always enabled (auto-discovered for every project type). SDK now also exports the log filter helpers (parseSinceTime, filterBySince, filterByLevel, filterBySearch, matchesLevel, matchesSearch) for reuse. (Thanks @clavery!)

  The log watch buffers logs_watch_start defaults to last_entries: 0 (capture only new entries, matching the "start before triggering" workflow), bounds the entry buffer by bytes as well as count, reports each discovered file only once per poll, stops the underlying tail if a concurrent-start hostname race loses registration, and makes logs_watch_stop truly idempotent.

Patch Changes

• Updated dependencies [b723939, 21bbed0, de8d40b, 80e63fc, c8e0b60]:
  • @salesforce/b2c-tooling-sdk@1.12.0

@salesforce/b2c-tooling-sdk@1.12.0

Minor Changes

• #420 de8d40b - Add MCP tools for log inspection and documentation lookup. Logs: logs_list_files, logs_get_recent, and a logs_watch_start / logs_watch_poll / logs_watch_stop / logs_watch_list lifecycle that buffers entries between polls so agents don't miss logs produced between tool calls. Docs: docs_search, docs_read, docs_list, docs_schema_search, docs_schema_read, docs_schema_list for the bundled Script API and XSD schema corpora. Adds a new DIAGNOSTICS toolset that groups the script debugger and log tools; like SCAPI, it is always enabled (auto-discovered for every project type). SDK now also exports the log filter helpers (parseSinceTime, filterBySince, filterByLevel, filterBySearch, matchesLevel, matchesSearch) for reuse. (Thanks @clavery!)

  The log watch buffers logs_watch_start defaults to last_entries: 0 (capture only new entries, matching the "start before triggering" workflow), bounds the entry buffer by bytes as well as count, reports each discovered file only once per poll, stops the underlying tail if a concurrent-start hostname race loses registration, and makes logs_watch_stop truly idempotent.

• #484 80e63fc - b2c job import now supports --split for importing directories larger than the instance archive size limit. With --split (and optional --max-size, default 190mb), the import is broken into several smaller archives: order-sensitive metadata/XML is imported first — kept together when it fits, otherwise split at data-unit boundaries in dependency order — followed by static assets packed by compressed size. A normal import that exceeds the limit now warns and recommends --split. (Thanks @clavery!)

  Example: b2c job import ./big-site-data --split --max-size 150mb

  The SDK adds a corresponding siteArchiveImportSplit() operation.

Patch Changes

• #473 b723939 - Documentation audit and repair pass: corrected stale CLI flag and command references across the CLI reference and guides, fixed broken examples (e.g. eCDN mTLS, sandbox --no-* flags, WebDAV get arguments), aligned SDK JSDoc with current signatures, and added the missing operations/cap typedoc entry point so the Commerce App SDK module appears in the API reference. Filled in JSDoc for previously undocumented public exports across the SDK (auth, clients, instance, logging, ods, mrt, cap, cip, debug, scaffold, schemas, skills, etc.) so the generated API docs cover the full public surface. (Thanks @clavery!)

• #474 21bbed0 - Make mTLS / self-signed client certificates robust against Node's bundled undici version. The TLS dispatcher is an undici Agent from the undici npm package, but it was handed to global.fetch, which is backed by whatever undici Node bundles internally — a version that drifts across Node releases and can be a different major than the npm package. Because undici's request-handler interface changed across majors (and the cross-version compatibility shim is removed in undici 8), pairing a foreign Agent with global.fetch can fail and silently drop the client certificate. Requests that carry a dispatcher now use undici's own fetch so the Agent and fetch always share one undici instance, regardless of Node version. Applies to all auth strategies (basic, client-credentials, JWT, implicit, API key), so staging deploys with --certificate/--selfsigned keep working as Node updates its bundled undici. (Thanks @clavery!)

• #470 c8e0b60 - Remove the CAP validation warning that flagged a root directory not matching the {id}-v{version} naming convention. This convention is no longer required, so the check has been dropped from b2c cap validate (and b2c cap install). (Thanks @clavery!)

b2c-vs-extension@0.9.0

Minor Changes

• #457 8aa076e - API Browser: right-click a Shopper schema to run pnpm sfnext scapi add in an integrated terminal. The action is only shown when the workspace is detected as a Storefront Next project. (Thanks @clavery!)

• #467 ce0c0b5 - Remove the Page Designer Assistant webview and its "Open Page Designer Assistant UI" command from the VS Code extension. (Thanks @clavery!)

Patch Changes

• #458 637df9e - Fix VS Code API Browser handling of Custom APIs and shopper-named system APIs. Custom APIs now show endpoint paths with the required /organizations/{organizationId}/... prefix, and the Shopper/Admin classification is now derived from the spec's declared security schemes (ShopperToken / AmOAuth2 / BearerToken) rather than the API family name — fixing token selection for shopper-named APIs that live under non-shopper families (e.g. product/shopper-products, checkout/shopper-baskets) and for Custom APIs which can be either type. Resolves VS Code API Browser: Custom APIs missing organization prefix #453. (Thanks @clavery!)

• #475 0363dca - Harden the extension build and packaging pipeline. The esbuild bundle now minifies, drops debugger statements, targets Node 22 (matching VS Code 1.105's runtime), and inlines require('@salesforce/b2c-tooling-sdk/package.json') at SDK source-load time so minification can no longer break the substitution. SDK data directories that the runtime expects (cip-proto, script-api, content-schemas, scaffolds) are all staged into dist/data/ instead of just scaffolds. The inject-script-types step that adds the bundled TypeScript Server plugin to the VSIX now uses pure-Node JSZip instead of shelling out to zip/unzip, removing the host-binary requirement (Windows CI compatibility) and fixing a regression where [Content_Types].xml entries for the injected plugin were emitted without their leading dot. The extension version and telemetry connection string are now injected as build-time constants, eliminating a runtime readFileSync(package.json). vscode:prepublish now builds @salesforce/b2c-script-types before the extension bundle so a stale plugin tree can no longer ship. (Thanks @clavery!)

• #475 0363dca - Correctness and UX hardening pass across the extension: (Thanks @clavery!)

  • Content libraries: ContentFileSystemProvider.stat() now returns a stable mtime instead of Date.now() per call. VS Code no longer believes content files are constantly mutating, eliminating phantom "file modified externally" prompts and silent buffer reloads that could clobber unsaved edits.
  • WebDAV explorer: F2-rename now works. The rename() method delegates to the SDK's webdav.move (already used by drag-and-drop) instead of throwing NoPermissions. Cross-root attempts and 412 conflicts are mapped to the right vscode.FileSystemError.
  • Activation performance: replaced sync fs.readFileSync / existsSync / statSync on the activation hot path (B2CExtensionConfig) and in the per-paint CAP file-decoration provider with vscode.workspace.fs async equivalents and a Set lookup, respectively. CAP decorations now answer in O(1) without filesystem syscalls.
  • Cancellation: long-running operations (sandbox clone polling, CAP install, deploy, content export, Swagger UI proxy fetches) now show a working Cancel button. Cancelling stops the local poll/wait; aborting the server-side operation requires SDK AbortSignal support which is a separate change.
  • Tree state stability: every tree provider (sandbox, WebDAV, content libraries, API browser, cartridges) now sets a stable TreeItem.id, so expand/collapse state survives refresh and treeView.reveal() works without try/catch fallback.
  • Safety + telemetry coverage: 11 contributed commands previously bypassed registerSafeCommand, including b2c-dx.sandbox.clone (a billable operation). All now route through the safety guard and feature-usage telemetry. Added a scriptTypes feature category and command-prefix mapping.
  • Dead code removal: removed an unused createDeleteAndDeployCommand, the unused tempDirs cleanup loop in cartridge-commands, the dead openExternal branch in the Page Designer webview message handler, and the never-implemented b2c-dx.codeSync.diffCartridge command.

• Updated dependencies [b723939, 21bbed0, de8d40b, 80e63fc, c8e0b60]:

  • @salesforce/b2c-tooling-sdk@1.12.0

@salesforce/b2c-dx-docs@0.3.4

Patch Changes

• #473 b723939 - Documentation audit and repair pass: corrected stale CLI flag and command references across the CLI reference and guides, fixed broken examples (e.g. eCDN mTLS, sandbox --no-* flags, WebDAV get arguments), aligned SDK JSDoc with current signatures, and added the missing operations/cap typedoc entry point so the Commerce App SDK module appears in the API reference. Filled in JSDoc for previously undocumented public exports across the SDK (auth, clients, instance, logging, ods, mrt, cap, cip, debug, scaffold, schemas, skills, etc.) so the generated API docs cover the full public surface. (Thanks @clavery!)

• #478 d19802f - Document the GitHub Actions install behavior change. The high-level actions (code-deploy, data-import, job-run, mrt-deploy, webdav-upload) now reuse an already-installed CLI and install one only when none is present — so a deploy that follows a setup step, and repeated operations on a persistent self-hosted runner, no longer trigger a redundant reinstall or an unexpected upgrade. The setup action called directly still installs the version you request (a new skip-if-present input opts into reuse). The actions no longer cache the npm download directory, which had grown to gigabytes on long-lived self-hosted runners and slowed restores. Plugin installs are skipped by exact name match. (Thanks @clavery!)

• #431 80d594f - Document deploying to staging environments (two-factor mTLS) from CI/CD. The setup GitHub Action now accepts webdav-server, certificate, certificate-passphrase, and selfsigned inputs so workflows can target staging instances that require a separate WebDAV hostname and a client certificate. The CI/CD guide includes a full GitHub Actions example using a base64-encoded .p12 secret. (Thanks @clavery!)

@salesforce/b2c-agent-plugins@1.3.3

Patch Changes

• #485 e6cec0a - Fix value-definition element order in the b2c-metadata and b2c-site-import-export skills. The B2C metadata.xsd requires <display> to appear before <value> inside each <value-definition>; the skill examples had them reversed, which caused enum/set attribute imports to fail site-archive validation with cvc-complex-type.2.4.d. Examples now use the correct order and call out the requirement. (Thanks @clavery!)

• #484 80e63fc - b2c job import now supports --split for importing directories larger than the instance archive size limit. With --split (and optional --max-size, default 190mb), the import is broken into several smaller archives: order-sensitive metadata/XML is imported first — kept together when it fits, otherwise split at data-unit boundaries in dependency order — followed by static assets packed by compressed size. A normal import that exceeds the limit now warns and recommends --split. (Thanks @clavery!)

  Example: b2c job import ./big-site-data --split --max-size 150mb

  The SDK adds a corresponding siteArchiveImportSplit() operation.