fix(mcp): stop debug tools from routinely suggesting the session cookie#545
Merged
Conversation
The dwsid session cookie is only needed in the rare multi-app-server production instance group case where a breakpoint is never hit. It was advertised in the debug_start_session/debug_list_sessions descriptions, causing coding agents to suggest setting it as a routine step. Move the cookie guidance to a troubleshooting hint on breakpoint timeout (debug_wait_for_stop, debug_capture_at_breakpoint) and remove it from the tool descriptions. Also correct the credential guidance: no separate Business Manager enablement step, and the password can be the account password or a WebDAV File Access and UX Studio access key.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
What
The debugger
dwsidsession cookie is only useful in a narrow scenario — certain production instance group configurations that run multiple app servers, where a triggering request can land on a different app server than the one holding the debug session and the breakpoint never fires. It never applies to sandboxes.Because
debug_start_sessionanddebug_list_sessionsadvertised the cookie in their tool descriptions ("send the request that triggers your code with this cookie…"), coding agents were suggesting users set the cookie as a routine step.This PR moves the cookie guidance to where it's actually the remedy and cleans up related credential wording.
Changes
debug_start_session/debug_list_sessions: removed the cookie instructions from the tool descriptions. Thesession_cookieoutput field is unchanged — it's still returned for the cases that need it, just no longer advertised as routine.debug_wait_for_stop/debug_capture_at_breakpoint: on breakpoint timeout, return ahintthat first tells the agent to verify the code path is actually exercised, then explains the cookie remedy scoped to multi-app-server production instance groups only (never sandboxes).WebDAV File Access and UX Studioaccess key. Applied to the MCP tool error, docs, and theb2c-debugskill.Testing
No manual testing required — behavior is unchanged; only tool/output descriptions and a timeout hint field were adjusted. Automated typecheck, lint, and the MCP test suite pass.