Skip to content

fix(mcp): stop debug tools from routinely suggesting the session cookie#545

Merged
clavery merged 1 commit into
mainfrom
chore/mcp-debug-cookie-deemphasize
Jul 6, 2026
Merged

fix(mcp): stop debug tools from routinely suggesting the session cookie#545
clavery merged 1 commit into
mainfrom
chore/mcp-debug-cookie-deemphasize

Conversation

@clavery

@clavery clavery commented Jul 1, 2026

Copy link
Copy Markdown
Collaborator

What

The debugger dwsid session cookie is only useful in a narrow scenario — certain production instance group configurations that run multiple app servers, where a triggering request can land on a different app server than the one holding the debug session and the breakpoint never fires. It never applies to sandboxes.

Because debug_start_session and debug_list_sessions advertised the cookie in their tool descriptions ("send the request that triggers your code with this cookie…"), coding agents were suggesting users set the cookie as a routine step.

This PR moves the cookie guidance to where it's actually the remedy and cleans up related credential wording.

Changes

  • debug_start_session / debug_list_sessions: removed the cookie instructions from the tool descriptions. The session_cookie output field is unchanged — it's still returned for the cases that need it, just no longer advertised as routine.
  • debug_wait_for_stop / debug_capture_at_breakpoint: on breakpoint timeout, return a hint that first tells the agent to verify the code path is actually exercised, then explains the cookie remedy scoped to multi-app-server production instance groups only (never sandboxes).
  • Credential guidance: removed the incorrect "enable the Script Debugger in Business Manager" prerequisite (it's always available) and clarified the password can be the account password or a WebDAV File Access and UX Studio access key. Applied to the MCP tool error, docs, and the b2c-debug skill.

Testing

No manual testing required — behavior is unchanged; only tool/output descriptions and a timeout hint field were adjusted. Automated typecheck, lint, and the MCP test suite pass.

The dwsid session cookie is only needed in the rare multi-app-server
production instance group case where a breakpoint is never hit. It was
advertised in the debug_start_session/debug_list_sessions descriptions,
causing coding agents to suggest setting it as a routine step.

Move the cookie guidance to a troubleshooting hint on breakpoint
timeout (debug_wait_for_stop, debug_capture_at_breakpoint) and remove it
from the tool descriptions. Also correct the credential guidance: no
separate Business Manager enablement step, and the password can be the
account password or a WebDAV File Access and UX Studio access key.
@clavery clavery merged commit ed1e214 into main Jul 6, 2026
7 checks passed
@clavery clavery deleted the chore/mcp-debug-cookie-deemphasize branch July 6, 2026 18:36
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant